Manual Chapter: Managing Custom Attack Signatures and Custom Attack Signature Sets

About custom attack signatures and custom attack signature sets

In BIG-IQ® Web Application Security, you can configure custom attack signatures and custom attack signature sets. You can create a custom attack signature set and assign it to a security policy.

An attack signature set is a group of attack signatures. Rather than applying individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager® system ships with several system-supplied attack signature sets.

You can develop custom attack signatures, if needed, for specific purposes in your environment. The signatures that you define are stored in the attack signatures pool along with the system-supplied signatures. You can combine your custom attack signatures with system-supplied signatures or system-supplied sets to create custom signature sets.

Note: Developing custom attack signatures is an advanced feature only needed in specific cases.

You can import system-supplied or custom attack signature sets through the device discovery process. You can assign these sets to ASM™ policies, and you can deploy those policies to BIG-IP® devices.

Each security policy has its own attack signature set assignments. By default, a generic attack signature set is assigned to new security policies. You can assign additional attack signature sets to the security policy. Certain sets are more applicable to certain types of applications or types of attack. The sets are named logically so you can tell which ones to choose.

Custom attack signatures must adhere to a specific rule syntax. They are never updated by F5 Networks. All user-defined attack signatures are carried forward as-is when the system is updated to a new software version.

To learn specifics about system-supplied attack signatures, custom attack signatures, and signature sets, consult the BIG-IP® documentation.

Creating custom attack signature sets

You can use the BIG-IQ® Web Application Security Signature Policy Editor to create custom attack signature sets.
Note: The Signature Sets object is part of the Policy Editor.
You can assign system-supplied or custom attack signature sets to new or existing application security policies.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor.
  3. Click Signature Sets.
    The default, system-supplied attack signature sets are displayed on the Signature Sets screen, along with any user-defined sets.
  4. Click Add, and use the Signature Sets - New Item screen to supply the required information.
  5. In the Properties tab:
    1. Type a unique name for the attack signature set.
    2. From the Type list, select Filter Based to create an attack signature set by using a filter only. (Currently, this is the only available option.)
    3. For Default Blocking Actions, select the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
      Note: The Learn, Alarm, and Block actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
    4. If you want the system to automatically include this set in any new security policies you create, enable the Assign to Policy by Default setting.
  6. Click the Signatures Filter tab, and select the filter options to narrow the scope of the attack signatures to include in the new attack signature set:
    1. Select a Signature Type to include attack signatures that apply to all traffic, requests only, or responses only.
    2. For Attack Type, select the threat classifications for which to include attack signatures in the set.
    3. Select the Systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
    4. Select the Accuracy level that you want for the attack signatures in the set. Higher accuracy results in fewer false positives.
    5. For Risk, select the level of potential damage for attacks protected by the attack signatures in the set.
    6. For User-defined, specify whether to include attack signatures based on who created them (the user, system, or both).
    7. For Update Date, specify which attack signatures to include based on the date the attack signature was changed: all attack signatures, only signatures added before that date, or only signatures added after that date.

  7. Click the Signatures tab, and use the filter to review the attack signatures list that the filter settings generate to make sure it is correct.
  8. In the Included Policies tab, view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more attack signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional attack signature sets to the security policy.
  9. When you are finished, click Save to save the new custom attack signature set.
    Clicking Save and Close prompts the system to return to the Signature Sets screen and display the new set.
    Sets are listed in alphabetical order; custom sets appear in blue.
The new signature set is added to the bottom of the list of attack signature sets that are available on the system. You can assign attack signature sets to security policies. The signature set is also available to be applied when creating new security policies. If, in the future, you no longer need a user-defined signature set, you can delete it. When you delete a custom signature set, you are not deleting the attack signatures that make up the set, just the set.
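
The following is an added example, not F5 code and not a BIG-IQ API: a small Python model of how a filter-based set selects signatures from the pool, with a helper that performs the review in step 7 against the signatures you intended to include. All class, field, and function names and the sample pool are hypothetical, and it assumes the Accuracy and Risk selections act as minimum levels.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Signature:              # simplified stand-in for one entry in the signature pool
    sig_id: int               # constructed IDs, not real signature IDs
    sig_type: str             # "request" or "response"
    attack_type: str
    systems: frozenset
    accuracy: str
    risk: str
    user_defined: bool

@dataclass(frozen=True)
class SetFilter:              # mirrors the Signatures Filter tab options
    sig_type: str = "all"     # "all", "request" or "response"
    attack_types: frozenset = frozenset()   # empty means no restriction
    systems: frozenset = frozenset()        # empty means no restriction
    min_accuracy: str = "low"               # assumed: selected level is a minimum
    min_risk: str = "low"                   # assumed: selected level is a minimum
    origin: str = "both"      # "user", "system" or "both"

def matches(sig, f):
    return ((f.sig_type == "all" or sig.sig_type == f.sig_type)
            and (not f.attack_types or sig.attack_type in f.attack_types)
            and (not f.systems or bool(sig.systems & f.systems))
            and LEVEL[sig.accuracy] >= LEVEL[f.min_accuracy]
            and LEVEL[sig.risk] >= LEVEL[f.min_risk]
            and (f.origin == "both" or (f.origin == "user") == sig.user_defined))

def resolve_set(pool, f):
    """IDs of the signatures the filter would place in the set."""
    return {s.sig_id for s in pool if matches(s, f)}

def review(pool, f, expected_ids):
    """Step 7 as a check: (missing, unexpected) relative to what you intended."""
    got = resolve_set(pool, f)
    return expected_ids - got, got - expected_ids

# Constructed sample pool for illustration only.
POOL = [
    Signature(9001, "request", "sql-injection", frozenset({"MySQL"}), "high", "high", False),
    Signature(9002, "request", "xss", frozenset({"General"}), "high", "medium", False),
    Signature(9003, "response", "information-leakage", frozenset({"Apache Tomcat"}), "medium", "low", False),
    Signature(9004, "request", "sql-injection", frozenset({"MySQL"}), "low", "high", True),
    Signature(9005, "request", "sql-injection", frozenset({"Microsoft SQL Server"}), "high", "high", False),
]
STRICT = SetFilter("request", frozenset({"sql-injection"}), frozenset({"MySQL"}), "medium", "medium")

if __name__ == "__main__":
    print(review(POOL, STRICT, {9001, 9004}))   # custom signature 9004 is filtered out
```

In this model, the medium accuracy threshold drops the low-accuracy user-defined signature from the set, which is the kind of gap the review in step 7 is meant to catch before the set is assigned to a policy.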

Assigning custom attack signature sets to security policies

You use the BIG-IQ® Web Application Security Policy Editor to assign a custom attack signature set to a policy.

Each security policy enforces one or more attack signature sets. You can assign additional attack signature sets to the security policy.

  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor, select a policy name, and from the Policy objects list, select Attack Signatures.
  3. Click Edit.
    The policy is placed under administrative lock and fields become editable.
  4. From the Attack Signature Set Assignment list, select attack signature sets to assign to the policy.
    Any newly created custom signature sets appear in the list.
  5. When finished, click Save to save the new assignment and unlock the policy.
The signature sets are assigned to the security policy, and the blocking policy applies to all of the signatures in the signature set. Any changes made are put into effect in the working configuration of the BIG-IQ system.