May 09, 2024

API feed for WAF Attack Signatures

Hi again!

This is my 3rd question post today and I'll try to make it my last for today.  😄  I'm a project manager responsible for our WAF implementation and I'm more involved in WAF care and feeding than a project manager should be.


Is there an API feed available for WAF attack signatures, both current and staged?

Our WAF logs are fed into Splunk and Oracle.  In Splunk, I built an Excel spreadsheet that I use as a lookup table that has current and staged attack signatures.  I had help pulling the JSON feed from the F5 attack signatures database.  I have to manually add to this file as I suspect our logging activity is causing additional characters such as percent signs to show up in the sig_ids field for my Splunk reports.

As mentioned in one of my other posts, my manager wants to move over to an Apex application that one of the application developers on our WAF team has been building.  The goal is to allow our business owners to authenticate and view WAF related reports that we develop for their organization.  If we move to Apex, this renders the Splunk lookup table I've built and maintain useless, thus, I'm on a hunt for an API.

If anyone has suggestions for staged attack signature management, I'll take those as well.  I was told that I should monitor them, which I am, but our tuning and remediation processes are so tedious that I'm not sure how to work in yet another meeting to review and discuss staged attack signatures. 😒

Thank you!
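One way to build the current/staged lookup described above from a signature feed and to clean up the mangled sig_ids values, as an added example that is neither the poster's code nor F5's API: the feed field names (signatureId, name, performStaging) and every sample value are constructed assumptions, so map them to whatever your feed actually returns.

```python
import csv
import io
import json
import re
from urllib.parse import unquote

# Constructed sample feed; the field names are an assumption, not F5's schema.
SAMPLE_FEED = json.dumps({"items": [
    {"signatureId": 200000098, "name": "SQL-INJ expressions like 'or 1=1'", "performStaging": False},
    {"signatureId": 200001475, "name": "XSS script tag", "performStaging": True},
    {"signatureId": 200100310, "name": "Path traversal ../", "performStaging": True},
]})

# Constructed sig_ids values as they might arrive after logging mangles them
# (percent-encoded comma, stray spaces, percent-encoded space).
SAMPLE_SIG_ID_FIELDS = ["200000098%2C200001475", " 200100310 ", "200001475,%20200000098"]


def build_lookup(feed_json: str) -> dict:
    """Map signature id -> {name, status} from a signature feed document."""
    lookup = {}
    for item in json.loads(feed_json)["items"]:
        status = "staged" if item.get("performStaging") else "enforced"
        lookup[str(item["signatureId"])] = {"name": item["name"], "status": status}
    return lookup


def normalize_sig_ids(raw: str) -> list:
    """Recover clean numeric ids from a mangled sig_ids field."""
    # URL-decode first (so %2C becomes a comma), then keep only digit runs so
    # separators and stray characters can never become part of an id.
    return re.findall(r"\d+", unquote(raw))


def lookup_csv(lookup: dict) -> str:
    """Render the lookup as CSV for a Splunk lookup table or a database load."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["sig_id", "name", "status"])
    for sig_id in sorted(lookup):
        writer.writerow([sig_id, lookup[sig_id]["name"], lookup[sig_id]["status"]])
    return out.getvalue()


def enrich(raw_sig_ids: str, lookup: dict) -> list:
    """Join one log field against the lookup; unknown ids are kept and flagged."""
    unknown = {"name": "UNKNOWN", "status": "unknown"}
    return [{"sig_id": s, **lookup.get(s, unknown)} for s in normalize_sig_ids(raw_sig_ids)]
```

Regenerating the CSV from the feed on a schedule, rather than editing the spreadsheet by hand, keeps the staged/enforced column honest as signatures move between states.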


