Manual Chapter : Managing Custom Attack Signatures and Signature Sets

Applies To:

BIG-IQ Centralized Management

  • 5.1.0

About custom attack signatures

Attack signatures are rules or patterns that identify attacks on a web application. When Application Security Manager® (ASM) receives a client request (or a server response), the system compares the request or response against the attack signatures associated with the security policy. If a matching pattern is detected, ASM™ triggers an attack-signature-detected violation, and either alarms or blocks the request, based on the enforcement mode of the security policy.

An ideal security policy includes only the attack signatures needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.

There are system-supplied signatures and custom (user-defined) signatures.

  • System-supplied signatures enforce policies for best-known attacks. F5 Networks provides:
    • Over 2,500 signatures to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications.
    • Signatures that include rules of attack that are F5 intellectual property.
    • Signatures that you can view but not edit or remove. Also, you cannot view the rules governing these signatures.
    • Periodic updates.
    To learn more about system-supplied attack signatures, consult the BIG-IP® system documentation.
  • Custom (user-defined) signatures are created by your organization for specific purposes in your environment. These signatures:
    • Are added to the attack signatures pool where F5 Networks stores them along with the system-supplied signatures.
    • Must adhere to a specific rule syntax (like system-supplied signatures).
    • Can be combined with system-supplied signatures or system-supplied sets to create custom signature sets.
    • Are never updated by F5 Networks, but are carried forward as-is when the system is updated to a new software version.

In BIG-IQ® Web Application Security, you can obtain system-supplied or custom attack signatures through the device discovery process. These signatures are automatically deployed to all policies when the system performs a deployment.

Creating custom attack signatures

Custom (user-defined) attack signatures can handle security policy enforcement unique to your networking environment, emergency situations, or analysis of specific activity on the network. If your organization needs a custom attack signature, you can use the BIG-IQ® Web Application Security Policy Editor to create one. You can then assign the new signature to system-supplied or custom attack signature sets.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor.
  3. On the left, click Attack Signatures.
    The Attack Signatures screen opens and lists all signatures available to the BIG-IQ system. The system lists the system-supplied (factory) signatures in static black text, and lists any custom signatures in blue text. Blue indicates a hyperlink. System-supplied signatures are locked as indicated by a green padlock icon.

    Note that you can click anywhere in a row to display the Signature Properties tab and the Documentation tab for the signature.

  4. At the right of the screen, click Add and use the Attack Signatures - New Item screen to supply the required information.
    The screen displays a blank template for signature properties.
  5. On the Signature Properties tab, fill in fields and select options to define the new custom signature:
    1. In the Name field, type a unique name.
      If you attempt to create a custom signature with the same name as a system-supplied signature, you will receive an error message and the system will not create the signature.
    2. In the Description field, type an (optional) description.
    3. From the Signature Type list, select what the signature should examine:
      • Request. Use this signature to examine requests only.
      • Response. Use this signature to examine responses only.
    4. For Attack Type, select the threat classification.
    5. Select the Systems that you want protected by the signature: use the Move button to shift your choices from the Available list to the Enabled list.
    6. For the Rule setting, type a rule, according to the syntax guidelines, to specify the content of the signature.
      The rule is the heart of the attack signature. All attack signatures must adhere to the F5 attack signature syntax. Refer to the BIG-IP® system documentation on signature options and signature syntax for details.
    7. For Accuracy, select the level that you want for the signature.
      The accuracy level indicates the ability of the attack signature to identify the attack, including susceptibility to false-positive alarms. Higher accuracy results in fewer false positives.
    8. For Risk, select the level of potential damage this attack might cause, if it were successful.
      • Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium indicates the attack may reveal sensitive data, or cause moderate damage.
      • High indicates the attack may cause a full system compromise, denial of service, and the like.
    9. The User-defined field indicates who created the signature. For a custom signature it defaults to Yes, meaning that a user created it, and you cannot change the setting.
  6. When you are finished, click Save to save the new custom attack signature.
    Clicking Save and Close prompts the system to return to the Attack Signatures screen.
    Custom signatures appear in blue and are hyperlinks to an edit screen. Click anywhere on the row except the link to display Signature Properties at the bottom of the screen.
The system places the new custom attack signature into the attack signature pool, and adds it to the signature sets for the systems you specified. The custom signature is put in staging for all policies that have this signature in their assigned signature sets. It is a good idea to make sure that the system added the new signature to the appropriate security policies.

About signature staging

When you first activate a security policy, the system places the attack signatures into staging (if staging is enabled for the policy). Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy action to requests that trigger those attack signatures. The default staging period is seven days.

Whenever you add or change signatures in assigned sets, those signatures are also placed in staging. You also have the option of placing updated signatures in staging.

Placing new and updated attack signatures in staging helps to reduce the number of violations triggered by false-positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. If you see that an attack signature violation has occurred, you can view and evaluate these attack signatures. After evaluation, if the signature is a false-positive, you can disable the signature, and the system no longer applies that signature to traffic for the corresponding web application. Alternately, if the detected signature match is legitimate, you can enable the corresponding attack signature.
Note: Enabling the signature removes it from staging, and puts the blocking policy into effect.
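As an added example (not F5 code), the staging behaviour described above written as a decision function; the field names, the "transparent"/"blocking" mode labels, and the assumption that a staged match is still logged as an alarm are this example's own:

```python
"""Staging rules for attack signature matches, modelled as a decision
function (added example, not F5 code; field and mode names are assumed)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

STAGING_PERIOD_DAYS = 7  # default staging period stated on the page


@dataclass(frozen=True)
class SignatureState:
    name: str
    enabled: bool = True                 # False: no longer applied to traffic
    staged_since: Optional[date] = None  # None: enforced, not in staging


@dataclass(frozen=True)
class PolicyState:
    enforcement_mode: str   # "transparent" or "blocking" (assumed labels)
    learn: bool = True      # the signature set's Learn / Alarm / Block actions
    alarm: bool = True
    block: bool = True


def enable_signature(sig: SignatureState) -> SignatureState:
    """Enabling removes the signature from staging; blocking now applies."""
    return replace(sig, enabled=True, staged_since=None)


def disable_signature(sig: SignatureState) -> SignatureState:
    """Disabling (e.g. after a false-positive review) stops applying it."""
    return replace(sig, enabled=False)


def staging_review_due(sig: SignatureState, today: date) -> bool:
    """True once the seven-day staging period has elapsed, i.e. the staged
    matches are ready to be reviewed for false positives."""
    if sig.staged_since is None:
        return False
    return today >= sig.staged_since + timedelta(days=STAGING_PERIOD_DAYS)


def decide(matched: List[SignatureState],
           policy: PolicyState) -> Tuple[Set[str], List[str]]:
    """Outcome for one request that matched the given signatures.

    Returns (actions, staged_names): actions is a subset of
    {"learn", "alarm", "block"}; staged_names lists the matched signatures
    that were still in staging and therefore could not cause a block.
    """
    actions: Set[str] = set()
    staged: List[str] = []
    for sig in matched:
        if not sig.enabled:
            continue                  # disabled: not applied to traffic
        if sig.staged_since is not None:
            staged.append(sig.name)
            if policy.learn:
                actions.add("learn")  # learning suggestion is generated
            if policy.alarm:
                actions.add("alarm")  # assumption: violation still logged
            continue                  # never "block" while staged
        if policy.alarm:
            actions.add("alarm")
        if policy.enforcement_mode == "blocking" and policy.block:
            actions.add("block")
    return actions, staged


def demo() -> Dict[str, object]:
    """Constructed sample: a new custom signature still in staging next to a
    long-enforced one, under a blocking-mode policy."""
    new_sig = SignatureState("custom_demo_probe", staged_since=date(2016, 9, 1))
    old_sig = SignatureState("demo_enforced_sig")
    policy = PolicyState(enforcement_mode="blocking")
    return {
        "staged_only": decide([new_sig], policy),
        "staged_and_enforced": decide([new_sig, old_sig], policy),
        "after_enable": decide([enable_signature(new_sig)], policy),
        "review_due_day7": staging_review_due(new_sig, date(2016, 9, 8)),
        "review_due_day6": staging_review_due(new_sig, date(2016, 9, 7)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```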

About custom attack signature sets

An attack signature set is a group of attack signatures. Rather than applying individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager™ ships with several system-supplied signature sets.

Each security policy has its own attack signature set assignments. By default, a generic signature set is assigned to new security policies. You can assign additional signature sets to the security policy. Sets are named logically so you can tell which ones to choose. Additionally, you can combine custom attack signatures with system-supplied signatures or system-supplied sets to create custom signature sets.

An ideal security policy includes only the attack signature sets needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.

In Web Application Security, you can obtain system-supplied or custom attack signature sets through the device discovery process. You can assign these sets to security policies. Then, you can deploy those policies to BIG-IP® devices.

Add custom attack signature sets

You can use the Web Application Security policy editor to add custom (user-defined) attack signature sets. Like system-supplied signature sets, custom signature sets contain signatures from the signature pool. Once you create a custom signature set, you can apply it to the security policy to protect web applications against known attacks.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. At the top left of the screen, select Web Application Security from the BIG-IQ menu.
    The Web Application Security Policy Editor screen opens.
  3. On the left, click Signature Sets.
    The default, system-supplied signature sets are displayed on the Signature Sets screen, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
  4. Click Add and use the Signature Sets - New Item screen to supply the required information.
  5. On the Properties tab, type a unique name for the signature set.
  6. From the Type list, select how to create the signature set.
    • Select Filter-based to create a signature set by using a filter only.
    • Select Manual to manually assign signatures to a signature set.
    Selecting Manual causes the Signatures Filter tab to be hidden, since it will not be used, and changes the fields displayed on the Signatures tab.
    You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. When you update the signatures database, the system also updates any signature sets affected by the update.
  7. For Default Blocking Actions, select the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
    The Learn, Alarm, and Block actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
  8. If you want the system to automatically include this set in any newly-created security policies, enable the Assign to Policy by Default setting.
  9. Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the new signature set. This tab is only displayed when the signature set type is set to Filter-based.
    1. From the Signature Type list, select the type of signatures to include.
      • All traffic is the default.
      • Request only. Signatures that are configured to inspect the client request.
      • Response only. Signatures that are configured to inspect the server response.
    2. From the Attack Type list, specify the threat classifications for which to include signatures in the set.
      • Select All for signatures with all Attack Type values, which is the default.
      • Select an attack type for signatures configured to protect against that specific attack type.
    3. From the Systems list, specify the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
    4. From the Accuracy list, select the accuracy association.
      • All specifies signatures that match all accuracy levels, which is the default.
      • Equals specifies signatures whose accuracy levels exactly match the accuracy level you set.
      • Greater Than/Equal To specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
      • Less Than/Equal To specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
    5. From the resulting list, select the accuracy level.
      • Low indicates a high likelihood of false positives.
      • Medium indicates some likelihood of false positives.
      • High indicates a low likelihood of false positives.
    6. From the Risk list, select the risk association.
      • All specifies signatures that protect against attacks of all risk levels, which is the default.
      • Equals specifies signatures whose risk levels exactly match the risk level you set.
      • Greater Than/Equal To specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
      • Less Than/Equal To specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
    7. From the resulting list, select the risk level: the level of potential damage from the attacks that the signatures in the set protect against.
      • Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium indicates the attack may reveal sensitive data, or cause moderate damage.
      • High indicates the attack may cause a full system compromise, denial of service, and the like.
    8. For User-defined, specify whether to include signatures based on who created them: the user (Yes), the system (No), or both (All).
    9. For Update Date, specify whether to include signatures regardless of when they were last changed (All), only signatures changed before a specified date (Before), or only signatures changed after a specified date (After).
      If specifying Before or After, use the calendar icon to specify a date.
  10. Click the Signatures tab.
    The Signatures tab appears differently depending on whether the signature set is user-defined (also called custom) or system-supplied (also called a factory signature set), and if user-defined, then whether Type on the Properties tab is set to Filter-based or Manual.
    • If the signature set is system-supplied, the Signatures tab lists the signatures selected for the signature set.
    • If the signature set is user-defined and Type is set to Filter-based, the Signatures tab lists the signatures selected using the criteria set on the Signatures Filter tab. The list content changes dynamically based on changes to the Signatures Filter tab.
    • If the signature set is user-defined and Type is set to Manual, the Signatures tab lists a selectable list of signatures. If you want to view only a subset of the signatures, click Signatures Advanced Filter at the top of the Signatures tab to filter the signatures shown.
  11. On the Included Policies tab, view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
  12. When you are finished, click Save to save the new custom attack signature set.
    Clicking Save and Close prompts the system to return to the Signature Sets screen and display the new set.
    Sets are listed in alphabetical order; custom sets appear in blue.
The new signature set is added to the list of signature sets that are available on the system, and is available to be applied when creating new security policies. If, in the future, you no longer need a custom signature set, you can delete it. Note that when you delete a custom signature set, you are deleting the set; you are not deleting the signatures that made up the set.

Edit custom attack signature sets

You can use the Web Application Security policy editor to edit custom attack signature sets. Once you edit a custom signature set, you can apply it to the security policy to protect your web applications in ways that are unique to your needs.
  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. At the top left of the screen, select Web Application Security from the BIG-IQ menu.
    The Web Application Security Policy Editor screen opens.
  3. On the left, click Signature Sets.
    The system displays the default, system-supplied signature sets, along with any user-defined sets. By default, the system lists signature sets in alphabetical order by name.
  4. Click the name of the signature set that you want to change and use the Signature Sets screen to modify the settings.
  5. On the Properties tab, revise the settings for this custom attack signature set, as needed.
    Note that Name and Category are not editable fields.
  6. From the Type list, you can modify how to create the signature set.
    • Select Filter-based to create a signature set by using a filter only.
    • Select Manual to manually assign signatures to a signature set.
    Selecting Manual causes the Signatures Filter tab to be hidden since it will not be used, and changes the fields displayed on the Signatures tab.
    You can create or edit a signature set by configuring a filter to select from the signature pool signatures that meet specific criteria. Using a filter enables you to focus on the criteria that define the signatures you are interested in. When you update the signatures database, the system also updates any signature sets affected by the update.
  7. For Default Blocking Actions, select the blocking actions you want the system to enforce for the set when you associate it with a new security policy.
    The Learn, Alarm, and Block actions take effect only when you assign this set to a new security policy. If this set is already assigned to an existing security policy, these settings have no effect.
  8. If you want the system to automatically include this set in any newly-created security policies, enable the Assign to Policy by Default setting.
  9. Click the Signatures Filter tab, and select the filter options to narrow the scope of the signatures to include in the signature set.
    This tab is only displayed when the signature set type is set to Filter-based.
    1. From the Signature Type list, select the type of signatures to include.
      • All traffic is the default.
      • Requests only. Include signatures that are configured to inspect the client request.
      • Responses only. Include signatures that are configured to inspect the server response.
    2. From the Attack Type list, specify the threat classifications for which to include signatures in the set.
      • Select All for signatures with all Attack Type values, which is the default.
      • Select an attack type for signatures configured to protect against that specific attack type.
    3. From the Systems list, specify the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
    4. From the Accuracy list, select the accuracy association.
      • All specifies signatures that match all accuracy levels, which is the default.
      • Equals specifies signatures whose accuracy levels exactly match the accuracy level you set.
      • Greater Than/Equal To specifies signatures whose accuracy levels are more precise than, or the same as, the accuracy level you set.
      • Less Than/Equal To specifies signatures whose accuracy levels are less precise than, or the same as, the accuracy level you set.
    5. From the resulting list, select the accuracy level.
      • Low indicates a high likelihood of false positives.
      • Medium indicates some likelihood of false positives.
      • High indicates a low likelihood of false positives.
    6. From the Risk list, select the risk association.
      • All specifies signatures that protect against attacks of all risk levels, which is the default.
      • Equals specifies signatures whose risk levels exactly match the risk level you set.
      • Greater Than/Equal To specifies signatures whose risk levels are higher than, or the same as, the risk level you set.
      • Less Than/Equal To specifies signatures whose risk levels are lower than, or the same as, the risk level you set.
    7. From the resulting list, select the risk level: the level of potential damage from the attacks that the signatures in the set protect against.
      • Low indicates the attack may assist the user in gathering knowledge to perpetrate further attacks, but does not cause direct damage or reveal highly sensitive data.
      • Medium indicates the attack may reveal sensitive data, or cause moderate damage.
      • High indicates the attack may cause a full system compromise, denial of service, and the like.
    8. For User-defined, specify whether to include signatures based on who created them: the user (Yes), the system (No), or both (All).
    9. For Update Date, specify whether to include signatures regardless of when they were last changed (All), only signatures changed before a specified date (Before), or only signatures changed after a specified date (After).
      If specifying Before or After, use the calendar icon to specify a date.
  10. Click the Signatures tab.
    The Signatures tab appears differently depending on whether the signature set is user-defined (also called custom) or system-supplied (also called a factory signature set), and if user-defined, then whether Type on the Properties tab is set to Filter-based or Manual.
    • If the signature set is system-supplied, the Signatures tab lists the signatures selected for the signature set.
    • If the signature set is user-defined and Type is set to Filter-based, the Signatures tab lists the signatures selected using the criteria set on the Signatures Filter tab. The list content changes dynamically based on changes to the Signatures Filter tab.
    • If the signature set is user-defined and Type is set to Manual, the Signatures tab lists a selectable list of signatures. If you want to view only a subset of the signatures, click Signatures Advanced Filter at the top of the Signatures tab to filter the signatures shown.
  11. Click the Included Policies tab, and view the policies (if any) that enforce this signature set.
    Each security policy enforces one or more signature sets. The decision about which signature sets to include occurs when creating a security policy. You can assign additional signature sets to the security policy.
  12. When you are finished, click Save to save the edited custom attack signature set.
    Clicking Save and Close prompts the system to return to the Signature Sets screen and display the edited set.
    The system lists sets in alphabetical order; custom sets appear in blue.
The edited signature set is available for application when creating new security policies. If, in the future, you no longer need a custom signature set, you can delete it. Note that when you delete a custom signature set, you are deleting the set; you are not deleting the signatures that made up the set.

Signatures advanced filter properties

The Signatures Advanced Filter option and properties are only available on the Signatures tab when the signature set type is manual.

Signatures Advanced Filter properties and their descriptions:
Signature Type: Specifies what type of signatures to include in the signature set.
  • Select All to include both requests and responses.
  • Select Request to include only requests.
  • Select Response to include only responses.
Signature Scope: Specifies whether the system displays all signatures, or only those that do, or do not, apply to parameters, cookies, XML documents, JSON data, GWT data, headers, URI content, and request or response content.
  • Select All to include all signatures, which is the default.
  • Select Parameter to specify whether the system displays signatures that apply to alpha-numeric user-input parameters. Then select No or Yes.
    • No specifies only signatures that do not apply to parameters.
    • Yes specifies only signatures that apply to parameters.
  • Select Cookie to specify whether the system displays signatures that apply to allowed cookies. Then select No or Yes.
    • No specifies only signatures that do not apply to allowed cookies.
    • Yes specifies only signatures that apply to allowed cookies.
  • Select XML to specify whether the system displays signatures that apply to XML documents. XML documents may appear as the values of XML parameters defined in the security policy, or as the body of requests to URLs to be parsed as XML, as defined in the security policy. Then select No or Yes.
    • No specifies only signatures that do not apply to XML documents.
    • Yes specifies only signatures that apply to XML documents.
  • Select JSON to specify whether the system displays signatures that apply to JSON data. JSON data may appear as the values of JSON parameters defined in the security policy, or as the body of requests to URLs to be parsed as JSON, as defined in the security policy. Then select No or Yes.
    • No specifies only signatures that do not apply to JSON data.
    • Yes specifies only signatures that apply to JSON data.
  • Select GWT to specify whether the system displays signatures that apply to GWT data. GWT data may appear as the body of requests to URLs to be parsed as GWT, as defined in the security policy. Then select No or Yes.
    • No specifies only signatures that do not apply to GWT data.
    • Yes specifies only signatures that apply to GWT data.
  • Select Header to specify whether the system displays signatures that apply to headers. Then select No or Yes.
    • No specifies only signatures that do not apply to headers.
    • Yes specifies only signatures that apply to headers.
  • Select URI to specify whether the system displays signatures that apply to URI content. Then select No or Yes.
    • No specifies only signatures that do not apply to URI content.
    • Yes specifies only signatures that apply to URI content.
  • Select Request Content to specify whether the system displays signatures that apply to the entire request content. Then select No or Yes.
    • No specifies only signatures that do not apply to the entire request content.
    • Yes specifies only signatures that apply to the entire request content.
  • Select Response Content to specify whether the system displays signatures that apply to the entire response content. Then select No or Yes.
    • No specifies only signatures that do not apply to the entire response content.
    • Yes specifies only signatures that apply to the entire response content.
Attack Type: Specifies which attack type should be included in the set. Select All to include all attack types.
Systems: Specifies the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.
Accuracy: Specifies the accuracy level of the signature. Higher accuracy results in fewer false positives.
  • Select All to specify that all signatures should be included, regardless of accuracy level.
  • Select Equals to specify signatures with a single accuracy level, then select the accuracy level to be Low, Medium, or High.
  • Select Greater Than/Equal To to specify that the accuracy level of the signatures should be greater than or equal to the specified accuracy level, then select the level to be Low, Medium, or High.
  • Select Less Than/Equal To to specify that the accuracy level of the signatures should be less than or equal to the specified accuracy level, then select the level to be Low, Medium, or High.
Risk: Specifies the level of potential damage that the signature protects against.
  • Select All to specify that all signatures should be included, regardless of risk level.
  • Select Equals to specify a single risk level, then select the risk level to be Low, Medium, or High.
  • Select Greater Than/Equal To to specify that the risk level should be greater than or equal to the specified risk level, then select the level to be Low, Medium, or High.
  • Select Less Than/Equal To to specify that the risk level should be less than or equal to the specified risk level, then select the level to be Low, Medium, or High.
User-defined: Specifies whether to include attack signatures based on who created them.
  • Select All to specify that all signatures should be included, including those defined by the system and by users.
  • Select Yes to specify that only user-defined signatures should be included.
  • Select No to specify that only system-defined signatures should be included.
Update Date: Specifies whether to include signatures in the set based on when the signature was last updated or added.
  • Select All to include all signatures, regardless of when they were last updated.
  • Select Before to include all signatures updated before a specified date, and then select the date using the displayed Select Date button.
  • Select After to include all signatures updated after a specified date, and then select the date using the displayed Select Date button.
Signatures: Specifies the signatures that should be included in the signature set. The available signatures list displayed changes based on the Signatures Advanced Filter settings. You can use the Filter field above the Available list to search for particular signatures. Add signatures to the signature list by moving them from the Available list to the Selected list.
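One way to model the selection criteria shared by the Signatures Filter tab (steps 9.1 to 9.9 of the Add and Edit procedures above) and the Signatures Advanced Filter properties, as an added example that is not F5 code: the field names, the rule that a Systems filter matches when the signature protects any chosen system, and strict Before/After date comparisons are assumptions of this model.

```python
"""Filter-based signature set selection as a pure function over a signature
pool. Added example, not F5 code. Assumptions: the field names; a Systems
filter matches when any chosen system is protected; Before/After are strict."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}  # Accuracy and Risk scales
_COMPARE = {"Equals": lambda a, w: a == w,
            "GreaterThanEqualTo": lambda a, w: a >= w,
            "LessThanEqualTo": lambda a, w: a <= w}


@dataclass(frozen=True)
class Signature:
    name: str
    signature_type: str        # "Request" or "Response"
    attack_type: str
    systems: FrozenSet[str]
    accuracy: str              # Low / Medium / High
    risk: str                  # Low / Medium / High
    user_defined: bool         # True for custom, False for system-supplied
    update_date: date


@dataclass(frozen=True)
class SignatureFilter:
    signature_type: str = "All"            # All / Request / Response
    attack_type: str = "All"
    systems: FrozenSet[str] = frozenset()  # empty: no Systems restriction
    accuracy_op: str = "All"               # All or a key of _COMPARE
    accuracy_level: str = "Low"
    risk_op: str = "All"
    risk_level: str = "Low"
    user_defined: str = "All"              # All / Yes / No
    update_date_op: str = "All"            # All / Before / After
    update_date: Optional[date] = None


def level_matches(op: str, actual: str, wanted: str) -> bool:
    """Equals / Greater Than-Equal To / Less Than-Equal To on the Low<Medium<High scale."""
    return op == "All" or _COMPARE[op](LEVEL_ORDER[actual], LEVEL_ORDER[wanted])


def matches(sig: Signature, flt: SignatureFilter) -> bool:
    """True when the signature satisfies every criterion of the filter."""
    if flt.signature_type != "All" and sig.signature_type != flt.signature_type:
        return False
    if flt.attack_type != "All" and sig.attack_type != flt.attack_type:
        return False
    if flt.systems and not (sig.systems & flt.systems):
        return False
    if not level_matches(flt.accuracy_op, sig.accuracy, flt.accuracy_level):
        return False
    if not level_matches(flt.risk_op, sig.risk, flt.risk_level):
        return False
    if flt.user_defined != "All" and sig.user_defined != (flt.user_defined == "Yes"):
        return False
    if flt.update_date_op == "Before" and sig.update_date >= flt.update_date:
        return False
    if flt.update_date_op == "After" and sig.update_date <= flt.update_date:
        return False
    return True


def build_set(pool: List[Signature], flt: SignatureFilter) -> List[str]:
    """Names the filter selects, alphabetical like the UI list. Re-running this
    after the pool changes is how a filter-based set stays current."""
    return sorted(s.name for s in pool if matches(s, flt))


# Constructed sample pool: names, systems and dates are invented for this example.
SAMPLE_POOL = [
    Signature("demo_sqli_union", "Request", "SQL-Injection",
              frozenset({"MySQL", "PostgreSQL"}), "High", "High", False, date(2016, 3, 1)),
    Signature("demo_xss_script_tag", "Request", "Cross Site Scripting (XSS)",
              frozenset({"Various systems"}), "Medium", "Medium", False, date(2016, 5, 10)),
    Signature("demo_info_leak_stacktrace", "Response", "Information Leakage",
              frozenset({"Java Servlets/JSP"}), "Low", "Low", False, date(2015, 11, 20)),
    Signature("custom_internal_app_probe", "Request", "Other Application Activity",
              frozenset({"MySQL"}), "Medium", "Low", True, date(2016, 8, 2)),
]

# Low-noise request set: at least Medium accuracy and at least Medium risk.
HIGH_CONFIDENCE = SignatureFilter(signature_type="Request",
                                  accuracy_op="GreaterThanEqualTo", accuracy_level="Medium",
                                  risk_op="GreaterThanEqualTo", risk_level="Medium")
CUSTOM_ONLY = SignatureFilter(user_defined="Yes")  # all custom signatures in one set
MYSQL_RECENT = SignatureFilter(systems=frozenset({"MySQL"}),
                               update_date_op="After", update_date=date(2016, 4, 1))

if __name__ == "__main__":
    for flt in (HIGH_CONFIDENCE, CUSTOM_ONLY, MYSQL_RECENT):
        print(build_set(SAMPLE_POOL, flt))
```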

Assign custom attack signature sets

You use the Web Application Security policy editor to assign a custom attack signature set to a policy.

Each security policy enforces one or more attack signature sets. You can assign additional attack signature sets to the security policy.

  1. Log in with Administrator, Security Manager, or Web App Security Manager credentials.
  2. Navigate to the Policy Editor screen: click Web Application Security > Policy Editor, select a policy name, and from the Policy objects list, select Attack Signatures Configuration.
  3. Click Edit.
    The policy is placed under administrative lock and fields become editable.
  4. From the Attack Signature Set Assignment list, select attack signature sets to assign to the policy.
    Any newly-created custom signature sets appear in the list.
  5. When you are finished, click Save to save the new assignment and unlock the policy.
The system assigns the signature sets to the security policy, and the blocking policy applies to all of the signatures in the signature set. Any changes made subsequently are put into effect in the working configuration of the BIG-IQ Centralized Management system.