Manual Chapter : Updating Attack and Bot Signatures

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Manual Chapter

Overview: Updating the signature pools

The system includes an attack signature pool and a bot signature pool. These pools include the system-supplied attack signatures and bot signatures, which are shipped with the Application Security Manager™, and any user-defined signatures. You can update both pools at once by using the Security Updates feature.

F5 develops new signatures to recognize the latest attacks and web robots, and you can schedule periodic security updates to the signature pool, or perform manual updates. You can also have the system send you an email when a security update is available.

Updating signatures automatically

Before you can update the signature pools (including both attack signatures and bot signatures), you must have a valid service agreement with F5 Networks, and a service check date within 7 days of the update request. The Application Security Manager™ (ASM) must also have external network access for the automatic update process to work.

For additional information regarding licensing requirements, allowing signature file updates through a firewall, and configuring signature file updates through an HTTPS proxy, refer to Solution 8217 in the AskF5™ knowledge base (https://support.f5.com/).

You can schedule automatic updates to the signature pools so that you always have the current security updates. Having an updated set of system-supplied attack signatures and bot signatures provides protection from the latest threats.
  1. On the Main tab, click Security > Security Updates > Application Security .
    The Security Updates: Application Security screen opens.
  2. To schedule automatic updates, for Update Mode, click Scheduled.
  3. From Update Interval, select how often to automatically download the signatures and perform an update.
  4. Click the Save Settings button to preserve your changes.
The system connects to the F5 server periodically to see if there are any new signatures or updates to existing attack signatures or bot signatures, and if there are, it downloads and includes them. Any user-defined signatures remain in the pools untouched.

After the update, the system places newly added and updated signatures in staging if they are specified in one or more security policies (for security policies with the staging feature enabled).

ASM records details about the most recent update activity, and displays this information on the Security Updates: Application Security screen. There you can review the last update time as well as the Readme file that pertains to the update.

Updating signatures manually

Before you can update the signature pools (including both attack signatures and bot signatures), you must have a valid service agreement with F5 Networks, and a service check date within 7 days of the update request. If you want the system to get the updates from the F5 server, the Application Security Manager™ (ASM) must have external network access. If the system does not have network access, you have to get the download from downloads.f5.com first, and the file must be accessible from your system.

For information regarding licensing requirements, allowing signature file updates through a firewall, and configuring signature file updates through an HTTPS proxy, refer to Solution 8217 in the AskF5™ web site (support.f5.com).

You can manually update the signature pools if you want to control when security updates take place.
  1. On the Main tab, click Security > Security Updates > Application Security .
    The Security Updates: Application Security screen opens.
  2. To determine whether an update is available, click Check for Updates .
    A popup screen indicates whether updates are available.
  3. Click Close to dismiss the popup screen when you are finished looking at it.
  4. If no updates are available, you are done. If updates are available, continue with the next steps.
  5. For the Update Mode setting, select Manual.
  6. For the Delivery Mode setting, select how to get the update:
    • If the system has Internet access and you want to get the update directly from F5, select Automatic.
    • To specify a previously downloaded security update file from F5, select Manual, then click Choose File and browse to the update file.
  7. Click the Save Settings button to preserve any changes you made to the configuration.
  8. Click Install Updates.
    The system installs the security update.
If you used the automatic delivery mode, the system connects to the F5 server to retrieve any available updates, then installs them. If you downloaded the update file manually, the system installs the updates from the file. The signature pools then include any new attack and bot signatures, and updates to any existing signatures. Any user-defined signatures remain in the pools untouched.

After the update, the system places newly added and updated signatures in staging if they are specified in one or more security policies (for security policies with the staging feature enabled).

ASM™ records details about the most recent update activity, and displays this information on the Security Updates: Application Security screen. There you can review the last update time as well as the readme file that pertains to the update.

Getting email about signature updates

If you want to receive notification from F5 Networks about signature updates available for download, you can sign up for the Security Updates mailing list.
  1. From a web browser, open the Search the AskF5™ Knowledge Base site, http://support.f5.com/.
  2. From the SELF-HELP menu, select Subscribe: Mailing Lists
    The AskF5 Publication Preference Center page opens.
  3. Provide the email address to which you want the notifications sent.
  4. Select the Security Updates list, as well as any others in which you are interested.
  5. Click Submit.
    Whenever F5 has signature updates available, or has information related to security, you will receive an email notification at the address you specified.

Viewing attack signature details

The attack signature pool contains all of the attack signatures that are on the system. You can view the attack signature pool contents, and see details about each signature.
  1. On the Main tab, click Security > Application Security > Attack Signatures .
    The Attack Signatures screen opens.
  2. If you are looking for specific signatures, use the filter to display the ones you are interested in.
    You can use one of the predefined filters, or click Show Filter Details to develop a custom filter.
  3. In the Signature Name column, click the signature for which you want to view information.
    The Policy Attack Signature Properties screen opens and shows details about that signature.
  4. For the Signature Name setting, click the signature name link.
    The Attack Signature Properties screen opens and shows additional details about that signature.
  5. In the Documentation setting (if available), click View to see additional information that applies to the selected attack signature.
    The Documentation for Attack Signature screen opens in a new browser window, and displays additional related documentation.
  6. On the Attack Signature Properties screen, click the References setting link to an external web site that describes the attack signature.
    If no additional documentation is available, you see N/A.
  7. When you finish reviewing the details, close the additional documentation screens and click Cancel to close the Attack Signature Properties screens.

Viewing bot signature details

The bot signature pool contains all of the bot signatures that are on the system. You can view the bot signature pool contents, and see details about each signature.
  1. On the Main tab, click Security > Options > DoS Protection > Bot Signatures > Bot Signatures List .
  2. If you are looking for specific signatures, use the filter to display the ones you are interested in.
    Click Show Filter Details to develop a custom filter.
  3. In the Signature Name column, click the signature for which you want to view information.
    The Bot Signature Properties screen opens and shows details about that signature including the category of bot, the level of risk, and specific domains associated with the bot, if any.
  4. When you finish reviewing the details, close the additional documentation screens and click Cancel to close the Bot Signature Properties screens.