
Manual Chapter: Working with Attack Signatures
Attack signatures are the foundation of the Application Security Manager's negative security logic. Attack signatures are rules or patterns that identify attacks or classes of attacks on a web application and its components. You can apply attack signatures to both requests and responses. Additionally, within the request signatures pool, there are signatures that apply to alpha-numeric user-input parameters.
This chapter explains how to work with and maintain the system-level attack signatures pool. For details on working with attack signatures within the context of a security policy, refer to Working with attack signatures sets.
The general attack signatures pool contains all of the attack signatures that are part of the Application Security Manager configuration. This includes both system-supplied attack signatures and user-defined attack signatures.
The Application Security Manager ships with an extensive database of attack signatures. These are known as system-supplied attack signatures. You can disable system-supplied attack signatures, but you cannot delete them. You can also update system-supplied attack signatures to ensure that you always have the most current protection against known attacks. For information on updating the attack signatures pool, refer to Updating the system-supplied attack signatures.
User-defined attack signatures are those that are written by users. User-defined attack signatures must follow the same syntax rules as the system-supplied attack signatures. For details on creating and managing user-defined attack signatures, see Managing user-defined attack signatures.
An attack signature set is a grouping of individual attack signatures. Rather than apply individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager ships with several system-supplied signature sets. By default, there is a generic attack signature set that is assigned to new security policies. Additionally, you can create your own attack signature sets. For information on creating and managing attack signature sets, refer to Working with attack signature sets. For information on using attack signature sets in security policies, see Working with attack signatures sets.
Attack signatures apply to requests, responses, and alpha-numeric user-input parameters. Request signatures apply to the entire request, or the elements of the request. Response signatures are similar to request signatures, and provide an additional level of security for attacks that may have avoided detection in the request. Parameter signatures, which are a subset of the request signatures, apply to the name and value pairs for the alpha-numeric user-input parameters that are defined in a security policy. These signatures attempt to identify classes of attacks, for example, SQL injection, command injection, cross-site scripting, and directory traversal. Refer to Types of attacks that the attack signatures detect, for specific information on the various attack types.
When the Application Security Manager receives a request, the system applies the attack signatures associated with the security policy to the request. If, in the request (or response), there is a matching pattern for one or more attack signatures, the system generates the Attack signature detected violation. If the enforcement mode is blocking, then the system also blocks the request and issues the Blocking Response Page to the offending client.
Table 10.1 describes common web application attacks that the attack signatures can detect.
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is not present.
Authentication section covers attacks that target a web site's method of validating the identity of a user, service or application. Authorization section covers attacks that target a web site's method of determining if a user, service, or application has the necessary permissions to perform a requested action.
Information leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
Command execution attacks are those where an attacker manipulates the data for a user-input field, by submitting commands with the intent of altering the web page content or web application.
A vulnerability scan is an attack technique that uses an automated security program to probe a web application for software vulnerabilities.
Denial of service (DoS) is an attack technique that overwhelms system resources to prevent a web site from serving normal user activity.
Attackers use Trojan horse, backdoor, and spyware attacks to try to circumvent a web server's or web application's built-in security by masking the attack within a legitimate communication. For example, an attacker may include an attack in an email or Microsoft® Word document, and when a user opens the email or document, the attack launches.
Abuse of functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvent the application's access control mechanisms.
Cross-site scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.
SSI injection (server-side include) is a server-side exploit technique that allows an attacker to send code into a web application, which is then run locally by the web server.
The path traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
The attack signatures pool contains all of the attack signatures that are part of the configuration. The pool includes the system-supplied attack signatures, which are the attack signatures that are shipped with the Application Security Manager, and any user-defined attack signatures. You can perform the following tasks to manage and maintain the attack signatures pool:
The attack signatures pool is quite large, so there is a Filter that you can use to display only those signatures that you are interested in viewing. The Filter has several built-in filter options. You can also create a custom filter.
The built-in filter options reduce the viewable attack signatures to a subset that matches a specific characteristic of the attack signatures. Table 10.2 describes the built-in filters.
Show signatures of accuracy greater than/equal to
Use this built-in filter to display only signatures whose accuracy is rated greater than or equal to the accuracy that you select. The attack signature accuracy indicates the ability of the attack signature to identify the attack, including susceptibility to false positive alarms.
Use this built-in filter to display only signatures whose risk is rated greater than or equal to the accuracy that you select. The attack signature risk indicates the level of potential damage this attack may cause, if it were successful.
1. On the Main tab of the Application Security navigation pane, click Options.
   The Attack Signatures screen opens, where you can review the entire attack signatures pool.
2. From the Filter list, select a built-in filter.
   The screen refreshes, and displays either a text box or a select list for the selected filter.
3. Provide the appropriate information, and click the Go button.
   The screen refreshes, and displays only those attack signatures that match the criteria you selected.
If the built-in filter options are too broad in scope, you can configure a custom filter option to view signatures in the attack signatures pool. For example, you can create a custom filter that displays attack signatures that apply only to parameters, or you can create a custom filter that displays only attack signatures for a specific attack type. When you create a custom filter, you can use one or more of the filter options, as required. Table 10.3 describes the custom filter options.
Use this custom filter option to display only attack signatures that match a specific signature ID number. Signature ID numbers are system-supplied, and cannot be modified.
Use this custom filter option to display only attack signatures that match the selected attack type. See Table 10.1, for a description of the possible attack types.
Attack type
The attack type indicates the threat classification to which the attack signature applies. See Types of attacks that the attack signatures detect, for information on the specific types.
Accuracy
The attack signature accuracy indicates the ability of the attack signature to identify the attack, including susceptibility to false positive alarms.
Risk
The attack signature risk indicates the level of potential damage this attack might cause, if it is successful.
Last Updated
Last updated indicates the date and time at which the attack signature was most recently updated.
Revision
Revision indicates the version of the attack signature.
Documentation
Documentation indicates whether additional documentation is available for the attack signature. If there is, you see a View link for this setting.
1.
2. In the Signature Name column, click the Show Details button next to the signature for which you want to view the signature details.
   The screen refreshes, and displays the attack signature details.
3. For the Documentation setting, click View to see additional information that applies to the selected attack signatures.
   A new screen opens (Documentation for Attack Signature), and displays the additional documentation.
   Note: Some attack signatures have no additional documentation. You see N/A for the Documentation setting if this is the case.
4. When you have finished reviewing the additional documentation on the Documentation for Attack Signature screen, click the Close button.
   The screen closes, and returns you to the Attack Signatures screen.
5. When you have finished reviewing the attack signature details, click the Hide Details button next to the attack signature name.
   The screen refreshes, and no longer displays the attack signature details.
You can update the system-supplied attack signatures on a regular basis to ensure that your applications are protected against new attacks and threats. When you update the system-supplied attack signatures, the update provides any new signatures that are available, and also updates any existing attack signatures that have been revised, including the signature documentation. You can configure automatic updates, or you can update the signatures manually.
Important: The Application Security Manager must have external network access for the update process to work. You must also have a valid service agreement with F5 Networks.
1.
2. From the Attack Signatures menu, choose Attack Signatures Update.
   The Attack Signatures Update screen opens.
3. In the Attack Signatures Update area, for the Update Mode setting, click Scheduled.
   The screen refreshes, and displays the Update Interval setting.
4. For the Update Interval setting, select the rate at which the system updates the system-supplied attack signatures pool.
5. Leave the Auto Apply Policy After Update box checked if you want the system to automatically apply the currently-active security policy once the system-supplied signatures database has been updated.
6. Click the Save Settings button to preserve any changes you may have made to the configuration.
If you want to update the system-supplied attack signatures on an as-needed basis, you can use the manual update option. You can obtain the latest attack signatures update file from http://downloads.f5.com.
1.
2. From the Attack Signatures menu, choose Attack Signatures Update.
   The Attack Signatures Update screen opens.
3. In the Attack Signatures Update area, for the Update Mode setting, click Manual.
   The screen refreshes, and displays the Delivery Mode setting.
4. For the Delivery Mode setting, select one of the following options:
   - Select Automatic if you want the system to immediately apply any updates to the database.
   - Select Manual if you want the system to save the updates in a file that you can apply at a later time.
5. For the Upload File setting, specify a path for the file that contains the updates. Note that this setting is applicable only if you selected the manual delivery mode.
6. Leave the Auto Apply Policy After Update box checked if you want the system to automatically apply the currently-active security policy once the system-supplied signatures database has been updated.
7. Click the Save Settings button to preserve any changes you may have made. Note that you can skip this step, and simply update the signatures using step 8.
8. Click the Update Signatures button to start the update process.
The Application Security Manager records the logistical information about the most recent update activity, and displays this information on the Attack Signatures Update screen. You can review the last update time, as well as the readme file that pertains to the update.
1.
2. From the Attack Signatures menu, choose Attack Signatures Update.
   The Attack Signatures Update screen opens.
3. In the Latest Update Details area, you can review the creation date and time for the database, as well as the date and time at which the database was most recently updated.
4. For the Readme option, click View Readme to see the details regarding the update.
If you want to receive notification from F5 Networks that there are new attack signatures and attack signature updates available for download, you can sign up for the Security email distribution list on the AskF5℠ web site. Once you sign up for the distribution list, you will receive an email whenever F5 updates the available attack signatures database.
Important: You must have a valid service contract, and an AskF5℠ account, to receive the attack signatures notifications.
1. Open a browser session, and log in to the AskF5℠ web site at https://support.f5.com.
   The AskF5 Knowledge Base screen opens.
2. In the navigation pane, click the Mailing Lists button.
   The TECHNEWS screen opens.
3. In the Security area, click the security-subscribe@lists.f5.com link.
4. Send the blank email message, as is.
   The list manager adds your email address to the Security email distribution list.
Rather than assigning individual attack signatures to a security policy, you assign attack signature sets. By default, when you create a new security policy, the system automatically assigns the Generic Detection Signatures set to the security policy. In addition to the generic signatures set, you can assign one of the other system-supplied signatures sets to the security policy, and you can create a signature set and assign that to the security policy. You can also remove all signature set assignments from a security policy, although we do not recommend that you do this.
When you create an attack signature set, you can tailor the attack signatures to your specific systems and applications. Note that creating an attack signature set is the only way to incorporate any user-defined attack signatures into your security policy. (For more information on assigning an attack signature set to a security policy, see Working with attack signatures sets.)
The Application Security Manager ships with several system-supplied signature sets. By default, the Generic Detection Signatures system-supplied set is associated with all new security policies. Table 10.4 describes the system-supplied signature sets.
This set targets attacks against the Microsoft® Outlook Web Access (OWA) application.
There are two types of signature sets: filter-based and manual. Filter-based signature sets are based solely on criteria defined in the signatures filter. The advantage to filter-based signature sets is that you can focus on the criteria that define the attack signatures you are interested in, rather than trying to manage the attack signatures themselves. Another advantage to filter-based sets is that when you update the attack signatures database, the system also updates any signature sets to which the update applies.
1.
2.
3. Above the Attack Signature Sets list, click Create.
   The Create Signature Set screen opens.
4. In the Create Signature Set area, in the Name box, type a unique name for the signature set.
5. For the Type setting, select Filter-based.
6. For the Default Blocking Actions setting, decide which blocking actions you want the system to enforce for the signature set when you assign the signature set to a new security policy.
7. Check the Assign To Policy By Default setting if you want the system to automatically assign this signature set to any security policies created after you create this signature set.
8. In the Signatures Filter area, select the filter options that apply to the signature set that you are creating. For descriptions of the individual filter options, see the online help.
9. In the Signatures area, for the Signatures setting, you can review the signatures list that the filter settings generate.
10. Click Create.
    The screen refreshes, and you see the new signature set in the Signatures Set list.
Manual signature sets are composed of attack signatures that you individually select from the attack signatures pool. You can use the signatures filter to help narrow the scope of the available signatures in the pool, however, once the manual signature set is created, the system does not retain the filter criteria.
1.
2.
3. Above the Attack Signature Sets list, click Create.
   The Create Signature Set screen opens.
4. In the Create Signature Set area, in the Name box, type a unique name for the signature set.
5. For the Type setting, select Manual.
6. For the Default Blocking Actions setting, decide which blocking actions you want the system to apply to the signature set when you assign the signature set to a new security policy.
7. Check the Assign To Policy By Default setting if you want the system to automatically assign this signature set to any security policies created after you create this signature set.
8. In the Signatures Filter area, you can use the filter options to reduce the scope of the Available signatures list (in the Signatures area). For descriptions of the individual filter options, see the online help.
9. In the Signatures area, for the Signatures setting, use the Move (<< and >>) buttons to add signatures to the Assigned list as needed.
10. Click Create.
    The screen refreshes, and you see the new signature set in the Signatures Set list.
You can edit attack signature sets to update the set membership, or change the criteria that determine the set membership. When you update attack signature sets, the updates apply to all of the security policies to which the set is assigned. Additionally, filter-based signature sets automatically receive any applicable updates when you use the attack signature update feature. (For more information, see Updating the system-supplied attack signatures.)
1.
2.
3. In the Name column, click the name of the signature set that you want to edit.
   The Update Signature Set screen opens.
5. Click the Update button below the Signatures area.
   The system updates the configuration with any changes you may have made.
You can easily remove a signature set from the configuration. When you delete a signature set, you are not deleting the attack signatures that make up the set.
1.
2.
3. In the Select column (far left), check the box next to the signature set that you want to remove, and click the Delete button below the list.
   A confirmation popup screen displays.
4. Click OK.
   The system removes the selected signature set from the configuration.
User-defined attack signatures are those that the user creates and adds to the attack signature pool. User-defined attack signatures have the following attributes:
They are never updated by F5 Networks. All user-defined signatures are carried forward as-is whenever there is a software version upgrade.
1.
2. Above the Attack Signatures list, click Create.
   The Create Attack Signature screen opens.
3. In the Name box, type a unique name for the new attack signature.
4. In the Description box, type an optional description of the signature.
5. For the Apply To setting, select whether the new signature applies to requests or responses.
6. For the System setting, select from the Available Systems list any systems to which the new signature applies, and use the Move buttons (<< and >>) to add them to the Assigned Systems list.
7. For the Attack Type setting, select the threat classification to which the new signature applies.
8. For the Rule setting, type the rule syntax according to the syntax guidelines that are described in Appendix C, Syntax for Creating User-Defined Attack Signatures. This setting is required.
9. For the Accuracy setting, select an accuracy level. The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false positive alarms.
10. For the Risk setting, select a risk level. The risk level indicates the level of potential damage this attack may cause, if it were successful.
11. Click the Create button.
    The screen refreshes, and displays the Attack Signatures list.
Note: In the previous task, the only required settings are the Name and the Rule. All other settings are optional.
There may be occasions when you need to update a user-defined attack signature. For example, you may want to change the accuracy level after the signature has been in use for a while, based on observed traffic.
1.
2. In the Attack Signatures list, click the name of the user-defined attack signature that you want to modify.
   The Update Attack Signature screen opens.
4. Click Save to retain any changes you may have made.
You can permanently remove user-defined attack signatures from the attack signature pool. Note that when you delete a user-defined signature from the attack signature pool, the system removes that signature from any signature sets of which the attack signature is a member.
1.
2. In the Attack Signatures list, in the Select column (far left), check the Select box next to the name of the user-defined attack signature that you want to delete.
3. Below the Attack Signatures list, click the Delete button.
   A confirmation popup screen displays.
4. Click the OK button.
   The system deletes the attack signature from the configuration, and displays the Attack Signatures list screen.
If you have a large number of user-defined attack signatures that you want to add to the configuration, you can import them in an XML-formatted file. You can also use the import functionality to import a previously-exported user-defined attack signature file. Figure 10.1 shows an example of the XML file format for the user-defined attack signatures file.
Specifies the rule that defines the attack signature. See Appendix C, Syntax for Creating User-Defined Attack Signatures, for more information on creating rules for user-defined attack signatures.
Specifies whether the attack signature applies to requests or responses. Valid values are Request or Response.
The <risk> value must be an integer:
Indicates the ability of the attack signature to identify the attack, including susceptibility to false positive alarms. The <accuracy> value must be an integer:
Specifies the name of the threat classification. The <attack_type> value must be one of the attack types listed in Table 10.1.
Warning: The sig_name attribute uniquely identifies a user-defined attack signature. Therefore, when you import an attack signature XML file, if there are any signatures in the XML file whose sig_name attribute matches that of any existing user-defined signatures, the system overwrites the existing definition with the imported definition.
1.
2. Above the Attack Signatures list, click Import.
   The Import Attack Signatures screen opens.
3. In the Choose File box, type the path to the XML file that contains the user-defined attack signatures. Alternately, click the Browse button and navigate to the XML file.
4. Click the Import button.
   The system imports the user-defined signatures, and issues either a success message or a failed message.
5. If the import is successful, click the OK button.
   The screen refreshes, and displays the Attack Signatures list with the additional user-defined signatures.
6. If the import was not successful, make any required changes to the XML file, and then try to import the file again.
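A pre-import check for the overwrite behaviour described in the warning above, as an added example that is not F5 code: it compares the sig_name values in a file you intend to import against a previously exported file, and reports which existing signatures would be overwritten, which names are repeated inside the import file, and which entries have a non-integer `<risk>` or `<accuracy>` or no `<attack_type>`. The root and `<sig>` element names in the constructed sample files are placeholders assumed for the example; only `sig_name`, `<risk>`, `<accuracy>` and `<attack_type>` come from the text.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data. The <signatures>/<sig> element names are
# placeholders assumed for this example; sig_name, <risk>, <accuracy> and
# <attack_type> are the names the manual gives.
EXISTING_EXPORT = """<signatures>
  <sig sig_name="block-legacy-admin-path">
    <risk>2</risk><accuracy>3</accuracy>
    <attack_type>Path Traversal</attack_type>
  </sig>
  <sig sig_name="internal-debug-header">
    <risk>1</risk><accuracy>2</accuracy>
    <attack_type>Information Leakage</attack_type>
  </sig>
</signatures>"""

IMPORT_FILE = """<signatures>
  <sig sig_name="block-legacy-admin-path">
    <risk>3</risk><accuracy>2</accuracy>
    <attack_type>Path Traversal</attack_type>
  </sig>
  <sig sig_name="new-upload-probe">
    <risk>2</risk><accuracy>2</accuracy>
    <attack_type>Vulnerability Scan</attack_type>
  </sig>
  <sig sig_name="new-upload-probe">
    <risk>1</risk><accuracy>1</accuracy>
    <attack_type>Vulnerability Scan</attack_type>
  </sig>
  <sig sig_name="internal-trace-leak">
    <risk>high</risk><accuracy>2</accuracy>
    <attack_type>Information Leakage</attack_type>
  </sig>
</signatures>"""


def signature_elements(xml_text):
    """Return every element carrying a sig_name attribute, whatever its tag."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if "sig_name" in el.attrib]


def field_errors(sig):
    """Check the constraints the manual states for one signature entry."""
    errors = []
    for tag in ("risk", "accuracy"):
        text = (sig.findtext(f".//{tag}") or "").strip()
        try:
            int(text)
        except ValueError:
            errors.append(f"<{tag}> must be an integer, got {text!r}")
    if not (sig.findtext(".//attack_type") or "").strip():
        errors.append("<attack_type> is missing or empty")
    return errors


def preflight(import_xml, existing_xml):
    """Report what an import would overwrite and what it would reject."""
    existing = {el.get("sig_name") for el in signature_elements(existing_xml)}
    incoming = signature_elements(import_xml)
    counts = Counter(el.get("sig_name") for el in incoming)
    report = {
        # Same sig_name already in the pool: the import replaces that definition.
        "overwrites": sorted(n for n in counts if n in existing),
        # Same sig_name twice in one file: the manual does not say which
        # definition wins, so treat it as something to resolve before import.
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "invalid": {},
    }
    for el in incoming:
        errs = field_errors(el)
        if errs:
            report["invalid"].setdefault(el.get("sig_name"), []).extend(errs)
    return report


if __name__ == "__main__":
    for key, value in preflight(IMPORT_FILE, EXISTING_EXPORT).items():
        print(f"{key}: {value}")
```

Export the current user-defined signatures first and pass that file as the second argument, so the comparison reflects what is actually in the pool.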
You can export user-defined attack signatures to transfer them to another system, or to save them in a remote location. When you export the user-defined attack signatures, the Application Security Manager saves them in an XML file that uses the format shown in Figure 10.1.
1.
2. Below the Attack Signatures list, click Export.
   The web browser opens a file download or a save file popup screen.
   Note: Each web browser manages this functionality differently.
3. Save the signatures file in a location that meets your requirements. Note that the Application Security Manager automatically generates the file name, in this format: