zeropixel_23561
Nimbostratus
Jan 08, 2016

ASM built-in Attack Signatures Details Questions

I have 2 questions on ASM Attack Signature definitions.

1) I found the attack signatures in 2 places but I cannot tell the difference: Security->Application Security->Attack Signatures, and Options->Application Security->Attack Signatures. However, there is no detailed information such as the regular expression of each attack signature. Where can I get the details?

2) The ASM Signature Update also has similar problems: the README only shows "Attack Signature Database packaged with version 12.0.0" and no detailed definitions. If I want to test out the new signatures in production in simulation mode to see if there are any events, can I put each individual signature in simulation mode first? Assume the enforcement mode in the policy is blocking mode.

Any advice is appreciated, and thanks so much!!

1 Reply

  • Tzoori_Tamam_95
    Historic F5 Account

    Hi, 1) The signatures you see at Security->Application Security->Attack Signatures are the signatures that were selected for the specific policy you are looking at. Options->Application Security->Attack Signatures contains the complete list of attack signatures the unit was loaded with. F5 does not expose the RegEx that the signature contains.

    2) What you are looking for is called Staging. With ASM, every new signature that is introduced into the policy (whether by an automated signature update, a manual addition, adding new signature types to the policy, etc.) runs in staging mode. This gives you the ability to check it against real-time production traffic and see whether it's safe to enable or whether it is causing false positives. Policy Builder can enforce (remove Staging from) a signature automatically, or an admin can do it manually. The default staging period is 7 days, after which, if no false positives were detected on a signature, it is safe to disable the staging checkbox.