Applies To:

Show Versions Show Versions

Manual Chapter: Managing Custom Attack Signatures and Signature Sets
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About custom attack signatures

Attack signatures are rules or patterns that identify attacks on a web application. When Application Security Manager® (ASM) receives a client request (or a server response), the system compares the request or response against the attack signatures associated with the security policy. If a matching pattern is detected, ASM™ triggers an attack-signature-detected violation, and either alarms or blocks the request, based on the enforcement mode of the security policy.

An ideal security policy includes only the attack signatures needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.

There are system-supplied signatures and custom (user-defined) signatures.

  • System-supplied signatures enforce policies for best-known attacks. F5 Networks provides:
    • Over 2,500 signatures to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications.
    • Signatures that include rules of attack that are F5 intellectual property.
    • Signatures that you can view but not edit or remove. Also, you cannot view the rules governing these signatures.
    • Periodic updates.
    To learn more about system-supplied attack signatures, consult the BIG-IP® system documentation.
  • Custom (user-defined) signatures are created by your organization for specific purposes in your environment. These signatures:
    • Are added to the attack signatures pool where F5 Networks stores them along with the system-supplied signatures.
    • Must adhere to a specific rule syntax (like system-supplied signatures).
    • Can be combined with system-supplied signatures or system-supplied sets to create custom signature sets.
    • Are never updated by F5 Networks, but are carried forward as-is when the system is updated to a new software version.

In BIG-IQ® Web Application Security, you can obtain system-supplied or custom attack signatures through the device discovery process. These signatures are automatically deployed to all policies when the system performs a deployment.

Creating custom attack signatures

Custom (user-defined) attack signatures can handle security policy enforcement unique to your networking environment, emergency situations, or analysis of specific activity on the network. If your organization needs a custom attack signature, you can use the BIG-IQ® Web Application Security Policy Editor to create one. You can then assign the new signature to system-supplied or custom attack signature sets.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor .
  3. On the left, click Attack Signatures.
    The Attack Signatures screen opens and lists all signatures available to the BIG-IQ system. The system lists the system-supplied (factory) signatures in static black text, and lists any custom signatures in blue text. Blue indicates a hyperlink. System-supplied signatures are locked as indicated by a green padlock icon.

    Note that you can click anywhere in a row to display the Signature Properties tab and the Documentation tab for the signature.

  4. At the right of the screen, click Add and use the Attack Signatures - New Item screen to supply the required information.
    The screen displays a blank template for signature properties.
  5. On the Signature properties tab, fill in fields and select options to define the new custom signature:
    1. In the Name field, type a unique name.
      If you attempt to create a custom signature with the same name as a system-supplied signature, you will receive an error message and the system will not create the signature.
    2. In the Description field, type an (optional) description.
    3. From the Signature Type list, select what the signature should examine:
      • Request. Use this signature to examine requests only.
      • Response. Use this signature to examine responses only.
    4. For Attack Type, select the threat classification.
    5. Select the Systems that you want protected by the signature: use the Move button to shift your choices from the Available list to the Enabled list.
    6. For the Rule setting, type a rule, according to the syntax guidelines, to specify the content of the signature.
      The rule is the heart of the attack signature. All attack signatures must adhere to the F5 attack signature syntax. Refer to the BIG-IP® system documentation on signature options and signature syntax for details.
    7. For Accuracy, select the level that you want for the signature.
      The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms. Higher accuracy results in fewer false positives.
    8. For Risk, select the level of potential damage this attack might cause, if it were successful.
      • Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium indicates the attack may reveal sensitive data, or cause moderate damage.
      • High indicates the attack may cause a full system compromise, denial of service, and the like.
    9. The User-defined field specifies whether the screen displays signatures based on who created them. Currently, it defaults to Yes, indicating that the signature was created by a user. You cannot change the setting.
  6. When you are finished, click Save to save the new custom attack signature.
    Clicking Save and Close prompts the system to return to the Attack Signatures screen.
    Custom signatures appear in blue and are hyperlinks to an edit screen. Click anywhere on the row except the link to display Signature Properties at the bottom of the screen.
The system places the new custom attack signature into the attack signature pool, and adds it to the signature sets for the systems you specified. The custom signature is put in staging for all policies that have this signature in their assigned signature sets. It is a good idea to make sure that the system added the new signature to the appropriate security policies.

About signature staging

When you first activate a security policy, the system places the attack signatures into staging (if staging is enabled for the policy). Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy action to requests that trigger those attack signatures. The default staging period is seven days.

Whenever you add or change signatures in assigned sets, those signatures are also placed in staging. You also have the option of placing updated signatures in staging.

Placing new and updated attack signatures in staging helps to reduce the number of violations triggered by false-positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. If you see that an attack signature violation has occurred, you can view and evaluate these attack signatures. After evaluation, if the signature is a false-positive, you can disable the signature, and the system no longer applies that signature to traffic for the corresponding web application. Alternately, if the detected signature match is legitimate, you can enable the corresponding attack signature.
Note: Enabling the signature removes it from staging, and puts the blocking policy into effect.

About custom attack signature sets

An Attack signature set is a group of attack signatures. Rather than applying individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager™ ships with several system-supplied signature sets.

Each security policy has its own attack signature set assignments. By default, a generic signature set is assigned to new security policies. You can assign additional signature sets to the security policy. Sets are named logically so you can tell which ones to choose. Additionally, you can combine custom attack signatures with system-supplied signatures or system-supplied sets to create custom signature sets.

An ideal security policy includes only the attack signature sets needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.

In BIG-IQ® Web Application Security, you can obtain system-supplied or custom attack signature sets through the device discovery process. You can assign these sets to security policies. Then, you can deploy those policies to BIG-IP® devices.

Creating custom attack signature sets

You can use the BIG-IQ® Web Application Security Signature Policy Editor to create custom attack signature sets. Like system-supplied signature sets, custom signature sets contain signatures from the signature pool. Once you create a custom signature set, you can apply it to the security policy to protect web applications against known attacks.

You can assign system-supplied or custom signature sets to new or existing application security policies.

You can create attack signature sets:
  • By using a filter.
  • By manually selecting the signatures to include.
Currently, BIG-IQ Web Application Security supports creating filter-based signature sets only. Filter-based signature sets are based solely on criteria you define in the signatures filter presented in the screen.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor .
  3. Click Signature Sets.
    The default, system-supplied signature sets are displayed on the Signature Sets screen, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
  4. Click Add and use the Signature Sets - New Item screen to supply the required information.
  5. On the Properties tab, specify the basics for this new signature set:
    1. Type a unique name for the signature set.
    2. From the Type list, select Filter Based to create an attack signature set by using a filter only. (Currently, this is the only available option.)
      You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. Another when you update the signatures database, the system also updates any signature sets affected by the update.
    3. For Default Blocking Actions, select the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
      The Learn, Alarm, and Block actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
    4. If you want the system to automatically include this set in any newly-created security policies, enable the Assign to Policy by Default setting.
  6. Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the new signature set:
    1. Select a Signature Type to include the type of signatures the system displays.
      • All traffic is the default.
      • Request only. Signatures that are configured to inspect the client request.
      • Response only. Signatures that are configured to inspect the server response.
    2. From the Attack Type list, specify the threat classifications for which to include signatures in the set.
      • Select All for signatures with all Attack Type values, which is the default.
      • Select an attack type for signatures configured to protect against that specific attack type.
    3. Use the Move button to transfer selected Systems to the Enabled list.
    4. From the Accuracy list, select the accuracy association.
      • All specifies signatures that match all accuracy levels, which is the default.
      • Equals specifies signatures whose accuracy levels exactly match the accuracy level you set.
      • Greater Than/Equal To specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
      • Less Than/Equal To specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
    5. From the resulting list, select the accuracy level.
      • Low indicates a high likelihood of false positives.
      • Medium indicates some likelihood of false positives.
      • High indicates a low likelihood of false positives.
    6. From the Risk list, select the risk association.
      • All specifies signatures that protect against attacks of all risk levels, which is the default.
      • Equals specifies signatures whose risk levels exactly match the risk level you set.
      • Greater Than/Equal To specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
      • Less Than/Equal To specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
    7. From the resulting list, select the risk level; the level of potential damage for attacks protected by the signatures in the set.
      • Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium indicates the attack may reveal sensitive data, or cause moderate damage.
      • High indicates the attack may cause a full system compromise, denial of service, and the like.
    8. For User-defined, specify whether to include signatures based on who created them: the user (Yes), the system (No), or both (All).
    9. For Update Date, specify whether to include all signatures in the set based on the date the signature was changed (All), only signatures added before the date the signature was changed (Before), or only signatures added after the signature was changed (After).
      If specifying Before or After, use the calendar icon to specify a date.
  7. Click the Signatures tab.
    Because filter-based signature sets are currently the only option, the Signatures tab displays the signatures included in the signature set, based on the filter settings you configure.
  8. In the Included Policies tab, view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
  9. When you are finished, click Save to save the new custom attack signature set.
    Clicking Save and Close prompts the system to return to the Signature Sets screen and display the new set.
    Sets are listed in alphabetical order; custom sets appear in blue.
The new signature set is added to the list of signature sets that are available on the system, and is available to be applied when creating new security policies. If, in the future, you no longer need a custom signature set, you can delete it. Note that when you delete a custom signature set, you are deleting the set; you are not deleting the signatures that made up the set.

Editing custom attack signature sets

You can use the BIG-IQ® Web Application Security Signature Policy Editor to edit custom attack signature sets. Once you edit a custom signature set, you can apply it to the security policy to protect your web applications in ways that are unique to your needs.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor .
  3. On the left, click Signature Sets.
    The system displays the default, system-supplied signature sets, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
  4. Click the name of the signature set that you want to change and use the Signature Sets screen to modify the settings.
  5. On the Properties tab, revise the settings for this custom attack signature set, as needed:
    1. Note that Name and Category are not editable fields, and that the only option in the Type list is Filter Based.
    2. For Default Blocking Actions, select or modify the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
      The blocking actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
    3. For Assign to Policy by Default, if you want the system to automatically include this set in any newly-created security policies, select Yes from the list.
  6. Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the new signature set.
    1. Select a Signature Type to include the type of signatures the system displays.
      • All traffic is the default.
      • Requests only. Include signatures that are configured to inspect the client request.
      • Responses only. Include signatures that are configured to inspect the server response.
    2. From the Attack Type list, specify the threat classifications for which to include signatures in the set.
      • Select All for signatures with all Attack Type values, which is the default.
      • Select an attack type for signatures configured to protect against that specific attack type.
    3. Select the Systems that you want protected from the Available list, and use the Move button to transfer them to the Enabled list. You can also double-click to move a system from one list to the other.
    4. From the Accuracy list, select the accuracy association.
      • All specifies signatures that match all accuracy levels, which is the default.
      • Equals specifies signatures whose accuracy levels exactly match the accuracy level you set.
      • Greater Than/Equal To specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
      • Less Than/Equal To specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
    5. From the resulting list, select the accuracy level.
      • Low indicates a high likelihood of false positives.
      • Medium indicates some likelihood of false positives.
      • High indicates a low likelihood of false positives.
    6. From theRisk list, select the risk association.
      • All specifies signatures that protect against attacks of all risk levels, which is the default.
      • Equals specifies signatures whose risk levels exactly match the risk level you set.
      • Greater Than/Equal To specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
      • Less Than/Equal To specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
    7. From the resulting list, select the risk level; the level of potential damage for attacks protected by the signatures in the set.
      • Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium indicates the attack may reveal sensitive data, or cause moderate damage.
      • High indicates the attack may cause a full system compromise, denial of service, and the like.
    8. For User-defined, specify whether to include signatures based on who created them: the user (Yes), the system (No), or both (All).
    9. For Update Date, specify whether to include all signatures in the set based on the date the signature was changed (All), only signatures added before the date the signature was changed (Before), or only signatures added after the signature was changed (After).
      If specifying Before or After, use the calendar icon to specify a date.
  7. Click the Signatures tab.
    Because filter-based signature sets are currently the only option, the Signatures tab displays the signatures included in the signature set, based on the filter settings you configured.
  8. Click the Included Policies tab, and view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
  9. When you are finished, click Save to save the new custom attack signature set.
    Clicking Save and Close prompts the system to return to the Signature Sets screen and display the new set.
    The system lists sets in alphabetical order.
The edited signature set is available for application when creating new security policies. If, in the future, you no longer need a custom signature set, you can delete it. Note that when you delete a custom signature set, you are deleting the set; you are not deleting the signatures that made up the set.

Assigning custom attack signature sets

You use the BIG-IQ® Web Application Security Policy Editor to assign a custom attack signature set to a policy.

Each security policy enforces one or more attack signature sets. You can assign additional attack signature sets to the security policy.

  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor , select a policy name, and from the Policy objects list, select Attack Signatures.
  3. Click Edit.
    The policy is placed under administrative lock and fields become editable.
  4. From the Attack Signature Set Assignment list, select attack signature sets to assign to the policy.
    Any newly-created custom signature sets appear in the list.
  5. When you are finished, click Save to save the new assignment and unlock the policy.
The system assigns the signature sets to the security policy, and the blocking policy applies to all of the signatures in the signature set. Any changes made subsequently are put into effect in the working configuration of the BIG-IQ system.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)