Attack signatures are rules or patterns that identify attacks on a web application. When Application Security Manager® (ASM) receives a client request (or a server response), the system compares the request or response against the attack signatures associated with the security policy. If a matching pattern is detected, ASM™ triggers an attack-signature-detected violation, and either alarms or blocks the request, based on the enforcement mode of the security policy.
An ideal security policy includes only the attack signatures needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.
There are system-supplied signatures and custom (user-defined) signatures.
In BIG-IQ® Web Application Security, you can obtain system-supplied or custom attack signatures through the device discovery process. These signatures are automatically deployed to all policies when the system performs a deployment.
Note that you can click anywhere in a row to display the Signature Properties tab and the Documentation tab for the signature.
When you first activate a security policy, the system places the attack signatures into staging (if staging is enabled for the policy). Staging means that the system applies the attack signatures to the web application traffic, but does not apply the blocking policy action to requests that trigger those attack signatures. The default staging period is seven days.
Whenever you add or change signatures in assigned sets, those signatures are also placed in staging. You also have the option of placing updated signatures in staging.
An attack signature set is a group of attack signatures. Rather than applying individual attack signatures to a security policy, you can apply one or more attack signature sets. The Application Security Manager™ ships with several system-supplied signature sets.
Each security policy has its own attack signature set assignments. By default, a generic signature set is assigned to new security policies. You can assign additional signature sets to the security policy. Sets are named logically so you can tell which ones to choose. Additionally, you can combine custom attack signatures with system-supplied signatures or system-supplied sets to create custom signature sets.
An ideal security policy includes only the attack signature sets needed to defend the application. If too many are included, you waste resources on keeping up with signatures that you do not need. On the other hand, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than to omit it.
In Web Application Security, you can obtain system-supplied or custom attack signature sets through the device discovery process. You can assign these sets to security policies. Then, you can deploy those policies to BIG-IP® devices.
The Signatures Advanced Filter option and properties are only available on the Signatures tab when the signature set type is manual.
|Signatures Advanced Filter Property||Description|
|Signature Type||Specifies what type of signatures to include in the signature set.|
|Signature Scope||Specifies whether the system displays all signatures, or only those that do, or do not, apply to parameters, cookies, XML documents, JSON data, GWT data, headers, URI content, and request or response content.|
|Attack Type||Specifies which attack type should be included in the set. Select All to include all attack types.|
|Systems||Specifies the systems (for example web applications, web server databases, and application frameworks) that you want protected by the set.|
|Accuracy||Specifies the accuracy level of the signature. Higher accuracy results in fewer|
|Risk||Specifies the level of potential damage that the signature protects against.|
|User-defined||Specifies whether to include attack signatures based on who created them.|
|Update Date||Specifies whether to include signatures in the set based on when the signature was last updated or added.|
|Signatures||Specifies the signatures that should be included in the signature set. The available signatures list displayed changes based on the Signatures Advanced Filter settings. You can use the Filter field above the Available list to search for particular signatures. Add signatures to the signature list by moving them from the Available list to the Selected list.|
Each security policy enforces one or more attack signature sets. You can assign additional attack signature sets to the security policy.