Manual Chapter: Working with Attack Signatures
Attack signatures are the foundation of the Application Security Manager's negative security logic. Attack signatures are rules or patterns that identify attacks or classes of attacks on a web application and its components. You can apply attack signatures to both requests and responses. Additionally, within the request signatures pool, there are signatures that apply to alpha-numeric user-input parameters.
The global attack signatures pool contains all of the attack signatures that are part of the Application Security Manager configuration. This includes both system-supplied attack signatures, including XML signatures, and user-defined attack signatures.
The Application Security Manager ships with an extensive database of attack signatures. These are known as system-supplied attack signatures. You can disable system-supplied attack signatures, but you cannot delete them. You can also update system-supplied attack signatures to ensure that you always have the most current protection against known attacks. For information on updating the attack signatures pool, refer to Updating the system-supplied attack signatures.
User-defined attack signatures are those that are written by users. User-defined attack signatures must follow the same syntax rules as the system-supplied attack signatures. For details on creating and managing user-defined attack signatures, see Managing user-defined attack signatures.
An attack signature set is a grouping of individual attack signatures. Rather than apply individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager ships with several system-supplied signature sets. By default, there is a generic attack signature set that is assigned to new security policies. Additionally, you can create your own attack signature sets. For information on creating and managing attack signature sets, refer to Working with attack signature sets.
Attack signatures apply to requests, responses, and alpha-numeric user-input parameters. Request signatures apply to the entire request, or the elements of the request. Response signatures are similar to request signatures, and provide an additional level of security for attacks that may have avoided detection in the request. Parameter signatures, which are a subset of the request signatures, apply to the name and value pairs for the alpha-numeric user-input parameters that are defined in a security policy. These signatures attempt to identify classes of attacks, for example, SQL injection, command injection, cross-site scripting, and directory traversal. Refer to Types of attacks that the attack signatures detect, for specific information on the various attack types.
When the Application Security Manager receives a request, the system applies the attack signatures associated with the security policy to the request. If, in the request (or response), there is a matching pattern for one or more attack signatures, the system generates the Attack signature detected violation. If the enforcement mode is blocking, then the system also blocks the request and issues the Blocking Response Page to the offending client.
Table 12.1 describes common web application attacks that the attack signatures can detect.
Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is not present.
The authentication category covers attacks that target a web site's method of validating the identity of a user, service, or application. The authorization category covers attacks that target a web site's method of determining whether a user, service, or application has the necessary permissions to perform a requested action.
Information leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
Command execution attacks are those where an attacker manipulates the data in a user-input field by submitting commands, with the intent of altering the web page content or web application, or of executing a shell command on a remote server to reveal sensitive data, for example, a list of users on a server.
A vulnerability scan is an attack technique that uses an automated security program to probe a web application for software vulnerabilities.
A brute force attack is an outside attempt by attackers to access post-logon pages of a web site by guessing user names and passwords. Brute force attacks are performed when a malicious user attempts to log on to a URL numerous times, running many combinations of user names and passwords until a logon succeeds.
Denial of service (DoS) is an attack technique that overwhelms system resources to prevent a web site from serving normal user activity.
Attackers use Trojan horse, backdoor, and spyware attacks to try to circumvent a web server's or web application's built-in security by masking the attack within a legitimate communication. For example, an attacker may include an attack in an email or Microsoft® Word document, and when a user opens the email or document, the attack launches.
Abuse of functionality is an attack technique that uses a web site's own features and functionality to consume, defraud, or circumvent the application's access control mechanisms.
Cross-site scripting (XSS) is an attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user's browser.
SSI injection (server-side include) is a server-side exploit technique that allows an attacker to send code into a web application, which is then run locally by the web server.
The path traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
The attack signatures pool contains all of the attack signatures that are part of the configuration. The pool includes the system-supplied attack signatures, which are the attack signatures that are shipped with the Application Security Manager, and any user-defined attack signatures. You can perform the following tasks to manage and maintain the attack signatures pool:
The attack signatures pool is quite large, so there is a filter that you can use to display only those signatures that you are interested in viewing. The filter has several built-in filter options. You can also create a custom filter.
The built-in filter options reduce the viewable attack signatures to a subset that matches a specific characteristic of the attack signatures. Table 12.2 describes the built-in filters.
Show signatures of accuracy greater than/equal to
Use this built-in filter to display only signatures whose accuracy is rated greater than or equal to the accuracy that you select. The attack signature accuracy indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms.
Use this built-in filter to display only signatures whose risk is rated greater than or equal to the risk level that you select. The attack signature risk indicates the level of potential damage this attack may cause, if it were successful.
1. On the Main tab of the Application Security navigation pane, click Options.
The Attack Signatures screen opens, where you can review the entire attack signatures pool.
2. From the Filter list, select a built-in filter.
The screen refreshes, and displays either a text box or a select list for the selected filter.
3. Provide the appropriate information, and click the Go button.
The screen refreshes, and displays only those attack signatures that match the criteria you selected.
If the built-in filter options are too broad in scope, you can configure a custom filter option to view signatures in the attack signatures pool. For example, you can create a custom filter that displays attack signatures that apply only to parameters, or you can create a custom filter that displays only attack signatures for a specific attack type. When you create a custom filter, you can use one or more of the filter options, as required. Table 12.3 describes the custom filter options.
Use this custom filter option to display only attack signatures that match a specific signature ID number. Signature ID numbers are system-supplied, and cannot be modified.
Attack type
The attack type indicates the threat classification to which the attack signature applies. See Types of attacks that the attack signatures detect, for information on the specific types.
Accuracy
The attack signature accuracy indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms.
Risk
The attack signature risk indicates the level of potential damage this attack might cause, if it is successful.
Last Updated
Last updated indicates the date and time at which the attack signature was most recently updated.
Revision
Revision indicates the version of the attack signature.
Documentation
Documentation indicates whether additional documentation is available for the attack signature. If there is, you see a View link for this setting.
1.
2. In the Signature Name column, click the signature for which you want to view the signature details.
The screen refreshes, and displays the attack signature details.
3. For the Documentation setting, click View to see additional information that applies to the selected attack signature.
A new screen opens (Documentation for Attack Signature), and displays the additional documentation.
Note: Some attack signatures have no additional documentation. You see N/A for the Documentation setting if this is the case.
4. When you have finished reviewing the additional documentation on the Documentation for Attack Signature screen, click the Close button.
The screen closes, and returns you to the Attack Signatures screen.
5. When you have finished reviewing the attack signature details, click the Cancel button.
The screen refreshes and no longer displays the attack signature details.
You can update the system-supplied attack signatures on a regular basis to ensure that your applications are protected against new attacks and threats.
When you update the system-supplied attack signatures, the update provides any new signatures that are available, and also updates any existing attack signatures that have been revised, including the signature documentation. You can configure automatic updates, or you can update the signatures manually.
Two conditions may cause the attack signature update to fail: insufficient network access, and duplicated attack signature names.
The Application Security Manager must have external network access for the update process to work. To obtain the updated signature files, you must also have 1) a valid service agreement with F5 Networks, and 2) a service check date within 18 months of the signature-file update request. If your license has lapsed, you must re-license the Application Security Manager. Contact F5 Networks Technical Support through the support web site, https://support.f5.com, for additional assistance.
Do not use system-supplied attack signature names when you create a user-defined attack signature. Although the system does not prohibit duplicate attack signature names, future attack-signature updates will fail because of name conflicts. If you have inadvertently duplicated a system-supplied attack signature name, rename the user-defined attack signature (see Modifying a user-defined attack signature, for more information). After you rename the user-defined attack signature, you can retry the update process.
1.
2. From the Attack Signatures menu, choose Attack Signatures Update.
The Attack Signatures Update screen opens.
3. In the Attack Signatures Update area, for the Update Mode setting, click Scheduled.
The screen refreshes, and displays the Update Interval setting.
4. For the Update Interval setting, select the rate at which the system updates the system-supplied attack signatures pool.
5. Leave the Auto Apply Policy After Update box checked if you want the system to automatically apply the currently-active security policy once the system-supplied signatures database has been updated.
6. Click the Save Settings button to preserve any changes you may have made to the configuration.
If you want to update the system-supplied attack signatures on an as-needed basis, then you can use the manual update option. You can obtain the latest attack signatures update file from http://downloads.f5.com.
1.
2. From the Attack Signatures menu, choose Attack Signatures Update.
The Attack Signatures Update screen opens.
3. In the Attack Signatures Update area, for the Update Mode setting, click Manual.
The screen refreshes, and displays the Delivery Mode setting.
4. For the Delivery Mode setting, select one of the following options:
Select Automatic if you want to go directly to the web server for the latest update file.
Select Manual if you want the system to save the updates in a file that you can apply at a later time. For the Upload File setting, specify a path for the file that contains the updates. Note that this setting is applicable only if you selected the manual delivery mode.
5. Leave the Auto Apply Policy After Update box checked if you want the system to automatically apply the currently-active security policy once the system-supplied signatures database has been updated.
6. Click the Save Settings button to preserve any changes you may have made.
7. Click the Update Signatures button to start the update process.
The Application Security Manager records the logistical information about the most recent update activity, and displays this information on the Attack Signatures Update screen. You can review the last update time, as well as the readme file that pertains to the update.
1.
2. From the Attack Signatures menu, choose Attack Signatures Update.
The Attack Signatures Update screen opens.
3. In the Latest Update Details area, you can review the creation date and time for the database, as well as the date and time at which the database was most recently updated.
4. For the Readme option, click View Readme to see the details regarding the update.
If you want to receive notification from F5 Networks that there are new attack signatures and attack signature updates available for download, you can sign up for the Security email distribution list on the AskF5 web site. Once you sign up for the distribution list, you will receive an email whenever F5 updates the available attack signatures database.
Important: You must have a valid service contract, and an AskF5 account, to receive the attack signatures notifications.
1. Open a browser session, and log in to the AskF5 web site at https://support.f5.com.
The AskF5 Knowledge Base screen opens.
2. In the navigation pane, click the Mailing Lists button.
The TECHNEWS screen opens.
3. In the Security area, click the security-subscribe@lists.f5.com link.
4. Send the blank email message, as is.
The list manager adds your email address to the Security email distribution list.
Rather than assigning individual attack signatures to a security policy, you assign attack signature sets. By default, when you create a new security policy, the system automatically assigns the Generic Detection Signatures set to the security policy. In addition to the generic signatures set, you can assign one of the other system-supplied signatures sets to the security policy, and you can create a signature set and assign that to the security policy. You can also remove all signature set assignments from a security policy, although we do not recommend that you do this.
When you create an attack signature set, you can tailor the attack signatures to your specific systems and applications. For more information on assigning an attack signature set to a security policy, see Assigning attack signature sets to a security policy.
The Application Security Manager ships with several system-supplied signature sets. By default, the Generic Detection Signatures system-supplied set is associated with all new security policies. Table 12.4 describes the superset of the system-supplied signature sets.
This set targets attacks against the Microsoft® Outlook Web Access (OWA) application.
There are two types of signature sets: filter-based and manual. Filter-based signature sets are based solely on criteria defined in the signatures filter. The advantage to filter-based signature sets is that you can focus on the criteria that define the attack signatures you are interested in, rather than trying to manage the attack signatures themselves. Another advantage to filter-based sets is that when you update the attack signatures database, the system also updates any signature sets to which the update applies.
1.
2.
3. Above the Attack Signature Sets list, click Create.
The Create Signature Set screen opens.
4. In the Create Signature Set area, in the Name box, type a unique name for the signature set.
5. For the Type setting, select Filter-based.
6. For the Default Blocking Actions setting, decide which blocking actions you want the system to enforce for the signature set when you assign the signature set to a new security policy.
7. Check the Assign To Policy By Default setting if you want the system to automatically assign this signature set to any security policies created after you create this signature set.
8. In the Signatures Filter area, select the filter options that apply to the signature set that you are creating. For descriptions of the individual filter options, see the online help.
9. In the Signatures area, for the Signatures setting, you can review the signatures list that the filter settings generate.
The list content changes dynamically with the filter selection.
10. Click Create.
The screen refreshes, and you see the new signature set in the Signatures Set list.
Manual signature sets are composed of attack signatures that you individually select from the attack signatures pool. You can use the signatures filter to help narrow the scope of the available signatures in the pool, however, once the manual signature set is created, the system does not retain the filter criteria.
1.
2.
3. Above the Attack Signature Sets list, click Create.
The Create Signature Set screen opens.
4. In the Create Signature Set area, in the Name box, type a unique name for the signature set.
5. For the Type setting, select Manual.
6. For the Default Blocking Actions setting, decide which blocking actions you want the system to apply to the signature set when you assign the signature set to a new security policy.
7. Check the Assign To Policy By Default setting if you want the system to automatically assign this signature set to any security policies created after you create this signature set.
8. In the Signatures Filter area, you can use the filter options to reduce the scope of the Available signatures list (in the Signatures area). For descriptions of the individual filter options, see the online help.
The list content changes dynamically with the filter selection.
9. In the Signatures area, for the Signatures setting, use the Move (<< and >>) buttons to add signatures to the Assigned list as needed.
10. Click Create.
The screen refreshes, and you see the new signature set in the Signatures Set list.
You can edit attack signature sets to add signatures to or remove signatures from a set, or to change the criteria that determine the set membership. When you edit attack signature sets, the changes apply to all of the security policies to which the set is assigned. Additionally, filter-based signature sets automatically receive any applicable updates when you use the attack signature update feature. (For more information, see Updating the system-supplied attack signatures.)
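The following is an added example, not F5's code: a small Python model of the attack signatures pool, the accuracy/risk/attack-type filter, and the difference between a filter-based set (which stores the filter and re-evaluates it, so a signature update is picked up automatically) and a manual set (which stores an explicit member list that an update leaves unchanged). It also applies the name-duplication rule for user-defined signatures described under Updating the system-supplied attack signatures. All signature IDs, names, attack types and levels are constructed for the illustration.

```python
# Added example, not F5's code: a model of the attack signature pool, the
# accuracy/risk/attack-type filters, and filter-based vs. manual signature
# sets. Every signature, ID, name and level below is constructed.
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordering used by the >= filters


@dataclass(frozen=True)
class Signature:
    sig_id: int          # system-supplied and immutable
    name: str
    attack_type: str
    accuracy: str        # "low" | "medium" | "high"
    risk: str            # "low" | "medium" | "high"
    applies_to: str      # "request", "parameter" (a subset of request) or "response"
    user_defined: bool = False


class SignaturePool:
    """Global pool: system-supplied plus user-defined signatures."""
    def __init__(self):
        self._by_id = {}

    def has_name(self, name):
        return any(s.name == name for s in self._by_id.values())

    def add(self, sig):
        # A user-defined signature must not reuse an existing name: the manual
        # warns that later signature updates fail on such name conflicts.
        if sig.user_defined and self.has_name(sig.name):
            raise ValueError(f"name already used by another signature: {sig.name!r}")
        self._by_id[sig.sig_id] = sig

    def get(self, sig_id):
        return self._by_id[sig_id]

    def filter(self, *, attack_type=None, applies_to=None, min_accuracy=None, min_risk=None):
        """Custom filter: every criterion that is given must hold."""
        hits = [s for s in self._by_id.values()
                if (attack_type is None or s.attack_type == attack_type)
                and (applies_to is None or s.applies_to == applies_to)
                and (min_accuracy is None or LEVELS[s.accuracy] >= LEVELS[min_accuracy])
                and (min_risk is None or LEVELS[s.risk] >= LEVELS[min_risk])]
        return sorted(hits, key=lambda s: s.sig_id)


class FilterBasedSet:
    """Stores the filter, not the members: re-evaluated against the pool on
    demand, so a signature update is picked up automatically."""
    def __init__(self, name, pool, **criteria):
        self.name, self.pool, self.criteria = name, pool, criteria

    def members(self):
        return self.pool.filter(**self.criteria)


class ManualSet:
    """Stores explicit IDs; the filter used while picking them is not retained,
    so a signature update leaves the set unchanged."""
    def __init__(self, name, pool, sig_ids):
        self.name, self.pool, self.sig_ids = name, pool, sorted(sig_ids)

    def members(self):
        return [self.pool.get(i) for i in self.sig_ids]


def build_sample_pool():
    pool = SignaturePool()   # constructed "system-supplied" signatures
    pool.add(Signature(200001, "SQL-INJ union select", "SQL Injection", "high", "high", "parameter"))
    pool.add(Signature(200002, "XSS script tag", "Cross Site Scripting", "high", "high", "parameter"))
    pool.add(Signature(200003, "Directory traversal ../", "Path Traversal", "medium", "medium", "request"))
    pool.add(Signature(200004, "SQL error message leak", "Information Leakage", "low", "low", "response"))
    return pool


def update_effect():
    """Apply a simulated signature update to both kinds of set.
    Returns member ID lists: (filter-based before, after, manual before, after)."""
    pool = build_sample_pool()
    auto = FilterBasedSet("sqli-medium-plus", pool, attack_type="SQL Injection", min_accuracy="medium")
    manual = ManualSet("my-picks", pool, [200002, 200001])
    ids = lambda sig_set: [s.sig_id for s in sig_set.members()]
    auto_before, manual_before = ids(auto), ids(manual)
    # The update ships one new SQL injection signature (constructed).
    pool.add(Signature(200005, "SQL-INJ stacked query", "SQL Injection", "medium", "high", "parameter"))
    return auto_before, ids(auto), manual_before, ids(manual)


def duplicate_name_rejected():
    """Name-duplication rule: a user-defined signature named like a system-supplied one is refused."""
    try:
        build_sample_pool().add(Signature(900001, "XSS script tag", "Cross Site Scripting",
                                          "low", "low", "request", user_defined=True))
    except ValueError:
        return True
    return False
```

Calling update_effect() returns ([200001], [200001, 200005], [200001, 200002], [200001, 200002]): the filter-based set gained the new signature without any edit, the manual set did not. The membership of a filter-based set is therefore only as good as its criteria, which is why the filter options (attack type, accuracy, risk, applies-to) are worth reviewing when an update lands.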
1.
2.
3. In the Name column, click the name of the signature set that you want to edit.
The Update Signature Set screen opens.
5. Click the Update button below the Signatures area.
The system updates the configuration with any changes you may have made.
You can easily remove a signature set from the configuration. When you delete a signature set, you are not deleting the attack signatures that make up the set. You are, however, removing the signature set from the security policy, which may have significant ramifications on the security policy's effectiveness.
1.
2.
3. In the Select column (far left), check the box next to the signature set that you want to remove, and click the Delete button below the list.
A confirmation popup screen displays.
4. Click OK.
The system removes the selected signature set from the configuration.
Each security policy has its own attack signature sets. By default, the system assigns the Generic Attack Signatures to all security policies. In addition, you can assign any additional attack signature sets to a security policy, including any system-supplied set, or those that you may have created.
1. On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
3. In the Attack Signature Sets Assignment area, in the Available Signature Sets list, click the name of the attack signature set that you want to assign to the security policy.
Tip: To select more than one set, hold the CTRL key and click the names.
5. Click the Update button (below the Attack Signature Sets Assignment area) to save any changes you may have made.
6. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
You can review the attack signature sets that are associated with a security policy from the Signature Sets screen. By default, the system assigns the signature set, Generic Detection Signatures, to all new security policies. Additionally, the system assigns to the security policy any attack signature sets you selected with the Deployment Wizard.
1. On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
3. In the Attack Signature Sets Assignment area, in the Assigned Signature Sets list, you can review the signature sets that are associated with the security policy, as well as the blocking policy actions for signatures in the set.
When you assign an attack signature set to a security policy, the system builds a list of all of the attack signatures. You can review the signatures, their current blocking policy, and their state on the Policy Attack Signatures screen.
1. On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
2. On the menu bar, click Policy Attack Signatures.
The Policy Attack Signatures screen opens.
3. Use the Filter option to display only those signatures that you want to review. See the online help for information on the filter settings.
The blocking policy defines how the Security Enforcer processes requests that trigger violations. For each attack signature set that is assigned to a security policy, you enable one or more of the blocking actions: Learn, Alarm, Block. Once the signatures have passed the staging period, the Security Enforcer applies the blocking actions whenever a signature in the set detects an attack pattern in a request. For more information on the Blocking Policy and the blocking actions, refer to Working with the blocking configuration.
Note: The blocking policy that you configure to the signature set applies to all of the member signatures. You cannot specify the blocking policy for individual signatures.
1. On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
3. In the Attack Signature Sets Assignment area, for each signature set in the Assigned Signature Sets list, check or clear the boxes in the Learn, Alarm, and Block columns as required.
Note: If the enforcement mode for the security policy is transparent, then the Block action is not configurable. You can enable or disable the Block action only when the enforcement mode is blocking.
4. Click the Update button (below the Attack Signature Sets Assignment area) to save any changes you may have made.
5. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
When you first activate a security policy, the system puts the attack signatures in staging. Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy (learn/alarm/block actions) to requests that trigger attack signatures. The default staging period is seven days. Whenever you add or change signatures in assigned sets, those are also put into staging. (For more information on updating signatures, see Updating the system-supplied attack signatures.)
1. On the Main tab of the Application Security navigation pane, click Attack Signatures.
The Attack Signature Sets Assignment screen opens.
3. On the menu bar, click Signature Staging Configuration.
The Signature Staging Configuration screen opens.
5. For the Staging Period setting, type the number of days for which you want new or updated attack signatures to remain in staging.
6. Click Save to retain any changes you may have made.
7. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
Staging new and updated attack signatures helps to reduce the number of violations triggered by false-positive matches. For signatures that detect attack patterns during the staging period, the system generates learning suggestions. You can view these attack signatures from the Attack Signature Staging screen. Upon evaluation, if the signature is a false-positive, then you can disable the signature, and the Security Enforcer no longer applies that signature to traffic for the corresponding web application. Alternately, if the detected signature match is legitimate, you can enable the corresponding attack signature. Note that enabling the signature removes it from staging, and puts the blocking policy into effect.
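The following is an added example, not F5's code: a Python model of how the blocking policy (Learn, Alarm, Block per signature set), the transparent versus blocking enforcement mode, and the staging period described above interact on a single request. A staged signature still detects and produces a learning suggestion but triggers none of the blocking actions; the operator's Enable action takes a signature out of staging early, and Disable removes it from traffic inspection. The signatures, their rule patterns (plain regular expressions, not ASM rule syntax), the timeline and the request bodies are all constructed.

```python
# Added example, not F5's code: a model of the blocking policy (Learn/Alarm/Block
# per signature set), transparent vs. blocking enforcement mode, and the signature
# staging period. Signatures, rules and requests are constructed; the rules are
# plain regular expressions, not ASM rule syntax.
import re
from datetime import datetime, timedelta

DEFAULT_STAGING_DAYS = 7   # the manual's default staging period


class Signature:
    def __init__(self, sig_id, name, pattern):
        self.sig_id, self.name = sig_id, name
        self.pattern = re.compile(pattern, re.IGNORECASE)
        self.enabled = True         # "Disable" stops the signature being applied to traffic
        self.staged_since = None    # set when the signature is assigned or updated

    def matches(self, text):
        return self.enabled and self.pattern.search(text) is not None


class SignatureSet:
    # The blocking actions are set-wide; they cannot be set per signature.
    def __init__(self, name, signatures, learn=True, alarm=True, block=True):
        self.name, self.signatures = name, signatures
        self.learn, self.alarm, self.block = learn, alarm, block


class SecurityPolicy:
    def __init__(self, enforcement_mode="transparent", staging_days=DEFAULT_STAGING_DAYS):
        self.enforcement_mode = enforcement_mode      # "transparent" or "blocking"
        self.staging = timedelta(days=staging_days)
        self.sets = []
        self.learning_suggestions = []                # (sig_id, request) from staged matches

    def assign(self, sig_set, now):
        for sig in sig_set.signatures:   # newly assigned signatures start staging
            sig.staged_since = now
        self.sets.append(sig_set)

    def in_staging(self, sig, now):
        return sig.staged_since is not None and now - sig.staged_since < self.staging

    def enable_now(self, sig):
        """Operator 'Enable': leaves staging early, so the blocking policy takes effect."""
        sig.staged_since, sig.enabled = None, True

    def disable_now(self, sig):
        """Operator 'Disable' for a false positive: the signature is no longer applied."""
        sig.enabled = False

    def evaluate(self, request_text, now):
        """Apply the assigned sets to one request; returns what happened."""
        r = {"matched": [], "staged": [], "learn": False, "alarm": False, "blocked": False}
        for sig_set in self.sets:
            for sig in sig_set.signatures:
                if not sig.matches(request_text):
                    continue
                r["matched"].append(sig.sig_id)          # "Attack signature detected"
                if self.in_staging(sig, now):
                    # Staged: detect and suggest only; no learn/alarm/block actions.
                    r["staged"].append(sig.sig_id)
                    self.learning_suggestions.append((sig.sig_id, request_text))
                    continue
                r["learn"] = r["learn"] or sig_set.learn
                r["alarm"] = r["alarm"] or sig_set.alarm
                # Block applies only when the policy's enforcement mode is blocking.
                if sig_set.block and self.enforcement_mode == "blocking":
                    r["blocked"] = True
        return r


def walkthrough():
    """Constructed timeline on a blocking-mode policy: assign a set on day 0, send a
    matching request on day 1 (staged), enable that signature early, then send a
    different request on day 8 (staging over) and disable its signature as a false positive."""
    t0 = datetime(2024, 1, 1)
    sqli = Signature(200001, "SQL-INJ union select", r"union\s+select")
    xss = Signature(200002, "XSS script tag", r"<script")
    policy = SecurityPolicy("blocking")
    policy.assign(SignatureSet("Generic Detection Signatures", [sqli, xss]), t0)
    req = "q=1 UNION SELECT name FROM users"          # constructed request body
    day1 = policy.evaluate(req, t0 + timedelta(days=1))
    policy.enable_now(sqli)
    day1_after = policy.evaluate(req, t0 + timedelta(days=1))
    req2 = "comment=<script>hello</script>"          # constructed request body
    day8 = policy.evaluate(req2, t0 + timedelta(days=8))
    policy.disable_now(xss)
    day8_after = policy.evaluate(req2, t0 + timedelta(days=8))
    return day1, day1_after, day8, day8_after


def transparent_mode_result():
    """Same kind of match in transparent mode after staging: alarm and learn, never block."""
    t0 = datetime(2024, 1, 1)
    trav = Signature(200003, "Directory traversal ../", r"\.\./")
    policy = SecurityPolicy("transparent")
    policy.assign(SignatureSet("Generic Detection Signatures", [trav]), t0)
    return policy.evaluate("file=../config.txt", t0 + timedelta(days=30))
```

In the walkthrough, the day-1 result lists the signature as matched and staged with no actions, the same request is blocked once the operator enables the signature, the day-8 request is blocked because its signature's seven days have elapsed, and nothing matches after that signature is disabled. The transparent-mode case shows why the Block column is not configurable there: even with block set on the signature set, only learn and alarm fire.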
1.
2. In the Negative Security Violations section of the Traffic Learning area, click the Attack signature staging link.
The Attack Signature Staging screen opens, where you can review the signatures that detected attack patterns in a request.
Tip: Use the Filter option to display only those attack signatures that you want to review.
If a new or updated attack signature in staging detects an attack pattern in the web application traffic, you should review the signature details and the requests that triggered the attack signature. If the detected attack pattern is not an actual threat, the signature has generated a false-positive alarm. If a particular attack signature triggers many false-positives, you may want to disable that particular attack signature.
In some situations, you may want to take action to enable or disable an attack signature immediately, rather than wait for the staging period to complete. For example, if a signature detects a legitimate attack pattern, you may want to enable that signature right away, instead of waiting for the staging period to end.
Another example is when a signature matches trusted traffic that is considered to be legitimate. In such a case, the signature should be disabled immediately.
1.
2. In the Negative Security Violations section of the Traffic Learning area, click the Attack signature staging link.
The Attack Signature Staging screen opens.
a) In the Action column, select Enable or Disable from the list.
Tip: If you want to disable a signature for a specific parameter, select the Disable on parameter action.
6. Below the Attack Signature Staging area, click the Apply button.
A confirmation popup screen opens.
7. Click OK.
The popup screen closes, and displays the Traffic Learning screen.
8. To put the security policy changes into effect immediately, click the Apply Policy button in the editing context area.
User-defined attack signatures are those that the user creates and adds to the attack signature pool. User-defined attack signatures have the following attributes:
They are never updated by F5 Networks. All user-defined signatures are carried forward as-is whenever there is a software version upgrade.
Warning: If you create a user-defined attack signature that has the same name as a system-supplied attack signature, the signature update process fails. Please review Resolving name duplication issues in user-defined attack signature names, before you name a new signature.
1.
2. Above the Attack Signatures list, click Create.
The Create Attack Signature screen opens.
3. In the Name box, type a unique name for the new attack signature.
4. In the Description box, type an optional description of the signature.
5. For the Apply To setting, select whether the new signature applies to requests or responses.
6. For the System setting, select from the Available Systems list any systems to which the new signature applies, and use the Move buttons (<< and >>) to add them to the Assigned Systems list.
7. For the Attack Type setting, select the threat classification to which the new signature applies.
8. For the Rule setting, type the rule syntax according to the syntax guidelines that are described in Appendix C, Syntax for Creating User-Defined Attack Signatures. This setting is required.
9. For the Accuracy setting, select an accuracy level. The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms.
10. For the Risk setting, select a risk level. The risk level indicates the level of potential damage this attack may cause, if it were successful.
11. Click the Create button.
The screen refreshes, and displays the Attack Signatures list.
Note: In the previous task, the only required settings are the Name and the Rule. All other settings are optional.
There may be occasions when you need to update a user-defined attack signature. For example, you may want to change the accuracy level after the signature has been in use for awhile, based on observed traffic.
1.
2. In the Attack Signatures list, click the name of the user-defined attack signature that you want to modify.
The Update Attack Signature screen opens.
4. Click Save to retain any changes you may have made.
You can permanently remove user-defined attack signatures from the attack signature pool. Note that when you delete a user-defined signature from the attack signature pool, the system removes that signature from any signature sets of which the attack signature is a member.
1.
2. In the Attack Signatures list, in the Select column (far left), check the Select box next to the name of the user-defined attack signature that you want to delete.
3. Below the Attack Signatures list, click the Delete button.
A confirmation popup screen displays.
4. Click the OK button.
The system deletes the attack signature from the configuration, and displays the Attack Signatures list screen.
If you have a large number of user-defined attack signatures that you want to add to the configuration, you can import them in an XML-formatted file. You can also use the import functionality to import a previously-exported user-defined attack signature file from the same version of Application Security Manager. Figure 12.1, shows an example of the XML file format for the user-defined attack signatures file.
Warning: The sig_name attribute uniquely identifies a user-defined attack signature. Therefore, when you import an attack signature XML file, if there are any signatures in the XML file whose sig_name attribute matches that of any existing user-defined signatures, the system overwrites the existing definition with the imported definition.
1.
2. Above the Attack Signatures list, click Import.
The Import Attack Signatures screen opens.
3. In the Choose File box, type the path to the XML file that contains the user-defined attack signatures. Alternately, click the Browse button and navigate to the XML file.
4. Click the Import button.
The system imports the user-defined signatures, and issues either a success message or a failure message.
5. If the import is successful, click the OK button.
The screen refreshes, and displays the Attack Signatures list with the additional user-defined signatures.
6. If the import was not successful, make any required changes to the XML file, and then try to import the file again.
You can export user-defined attack signatures to transfer them to another system, or to save them in a remote location. When you export the user-defined attack signatures, the Application Security Manager saves them in an XML file that uses the format shown in Figure 12.1.
1.
2. Above the Attack Signatures list, click Export.
The web browser opens a file download or a save file popup screen.
Note: Each web browser manages this functionality differently.
3. Save the signatures file in a location that meets your requirements. Note that the Application Security Manager automatically generates the file name, in this format: