For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Goran_Blomquis1's avatar
Goran_Blomquis1
Icon for Nimbostratus rankNimbostratus
Nov 01, 2011

ASM custom attack signature filter set

Hi All,

 

Try to figure out if it´s possible to create a customized "Signature Filter". We use quite a lot of virtual servers with same backend (UNIX, Apache and some more). And if we use UNIX from available Systems in signatur set. It´s always block on "commande execution" and vi (It´s we in Swedish and occure quite often in "free text" posts) and some other.

 

 

Yes, I know that I can go in in learning and disable that "attack signature" but it would be nice if we could create our own "attack signatur system" and use that when we create our "signature filter set" insted of finetune every time we add a new "Web Policy"

 

 

Best regards

 

 

Goranb

 

app sec
BIG-IP Access Policy Manager (APM)
security

8 Replies

  • jwham20's avatar
    jwham20
    Icon for Nimbostratus rankNimbostratus
    Nov 01, 2011
    Goranb,

     

     

    What version are your currently running on?

     

    It may be possible to create a custom attack signature set, that contains all the signatures of the "unix" set, minus the undesired signature.

     

     

    -> Josh
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Nov 01, 2011
    Goran

     

     

    To create a custom Attack Signature Set in the GUI under Application Security click on Options. Select Attack Signatures - Attack Signature Sets and then select Create. you can then filter in, or out, attack signatures.

     

     

    Is this what you're after?

     

     

    Rgds

     

    N
  • Goran_Blomquis1's avatar
    Goran_Blomquis1
    Icon for Nimbostratus rankNimbostratus
    Nov 02, 2011
    Thank you Nathan for your feedback.

     

     

    Mmm...

     

     

    I can select a "system" and create a "Attack Signature Set" with for example "UNIX". But what I want to achive is an modified "UNIX" Attacksignture set. Is that possible in 10.2.0... If not It is possible in version 11.*.* ? Or can I modify and copy "system set" in cli?

     

     

    Best regards

     

     

    Göran Blomquist

     

     

  • jwham20's avatar
    jwham20
    Icon for Nimbostratus rankNimbostratus
    Nov 02, 2011
    Göran,

     

     

    Make sure at the very top you select Type: Manual. This will give you the option to individually select signatures that belong to the unix/linux set to make active in your custom signature set.

     

     

    -> Josh

     

  • jwham20's avatar
    jwham20
    Icon for Nimbostratus rankNimbostratus
    Nov 02, 2011
    Example:

     

    access Options -> Attack signatures -> Attack Signature Sets

     

     

    Click Create

     

     

    Name: Awesomesetofawesomeness

     

    Type: Manual

     

    Assigned Systems: Unix/Linux

     

     

    Signatures: Assign whatever signatures you wish from the Unix/linux set.

     

     

    Click Create and bam, should be good.

     

     

    -> Josh
  • Goran_Blomquis1's avatar
    Goran_Blomquis1
    Icon for Nimbostratus rankNimbostratus
    Nov 02, 2011
    Ah!!!!

     

     

    :-)

     

     

    Manual! I did not see that! Thanks for pointing that out! You maked my day....

     

     

    Thanks a lot

     

     

    Goran
  • jwham20's avatar
    jwham20
    Icon for Nimbostratus rankNimbostratus
    Nov 02, 2011
    Goran,

     

     

    No worries mate, glad to help!

     

     

    ->josh