Forum Discussion

jerm1020_254086
Aug 03, 2016

Attack signature updates.

Can anyone confirm best practices for Attack Signature updates? I would like to know, when working with a production environment, if it would be safer to implement the layout stated below as opposed to just importing it into production. The retailer that I am doing this work for has fears that it may block traffic after the signature update. Does anyone have insight into this?

 

• Export Attack Signature Policy from production
• Import production Attack Signature Policy into TEST environment
• Update Attack Signatures in TEST
• Clear Traffic Learnings in TEST
• Evaluate and Modify Attack Signatures if site functionality is impaired (Disablement method based on severity of attack signature type)
• Export Attack Signature Policy from TEST
• Update Attack Signatures in PROD
• Import TEST Attack Signature Policy into PROD

 

This seems to be the least risky way to do this, though in my opinion, with the updates being so frequent, I can't see this being rational in order to maintain the updates every six weeks.

 

2 Replies

  • Yes. It is safe to update attack signatures. The new attack signatures or the modified ones will move to staging automatically. This means it can still detect and alert but doesn't block.

     

    Placing new and updated attack signatures in staging helps to reduce the number of violations triggered by false-positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. From Manual Traffic Learning, if you see that an attack signature violation has occurred, you can view these attack signatures on the Attack Signature Detected screen.

     

    Upon evaluation, if the signature is a false-positive, you can disable the signature, and the system no longer applies that signature to traffic for the corresponding web application. Alternately, if the detected signature match is legitimate, you can enable the corresponding attack signature. Note that enabling the signature removes it from staging, and puts the blocking policy into effect.

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/39.html

     

    -Jinshu
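The staging workflow described in this reply comes down to one decision per signature: were the matches it raised while staged real attacks, or legitimate traffic that would have been blocked once the signature is enforced? The following Python is an added example, not part of the thread and not F5 code. It aggregates ASM remote-log events per signature ID and applies a simple triage rule so the manual review in Traffic Learning can start with the signatures most likely to hurt real users. The log lines are constructed; the field names (sig_ids, sig_names, request_status, uri, ip_client, support_id) follow the key="value" shape of ASM remote logging; the triage heuristic and its thresholds are the example's own assumptions, not an ASM feature.

```python
"""Triage attack-signature matches seen while signatures sit in staging.

Added example, not F5 code. The log lines are constructed; the triage rule
(many clients on few URIs = probable false positive, one client on many
URIs = probable attack) is this example's own heuristic, not an ASM feature.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log lines in the key="value" shape of BIG-IP ASM remote
# logging (not captured from a real device). Quotes inside a value are escaped
# with a backslash. Signature IDs and names here are made up for the example.
SAMPLE_LOG = r'''
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="203.0.113.10" uri="/cart/update" request_status="alerted" sig_ids="200000001" sig_names="SQL-INJ expressions like \"or 1=1\" (Parameter)" support_id="1000000000000000001"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="203.0.113.11" uri="/cart/update" request_status="alerted" sig_ids="200000001" sig_names="SQL-INJ expressions like \"or 1=1\" (Parameter)" support_id="1000000000000000002"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="203.0.113.12" uri="/cart/update" request_status="alerted" sig_ids="200000001" sig_names="SQL-INJ expressions like \"or 1=1\" (Parameter)" support_id="1000000000000000003"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="203.0.113.13" uri="/checkout/notes" request_status="alerted" sig_ids="200000001" sig_names="SQL-INJ expressions like \"or 1=1\" (Parameter)" support_id="1000000000000000004"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="198.51.100.7" uri="/images/../../etc/passwd" request_status="alerted" sig_ids="200010001" sig_names="Directory Traversal (../) (URI)" support_id="1000000000000000005"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="198.51.100.7" uri="/static/../../../etc/shadow" request_status="alerted" sig_ids="200010001" sig_names="Directory Traversal (../) (URI)" support_id="1000000000000000006"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="198.51.100.7" uri="/download/../../../../etc/hosts" request_status="alerted" sig_ids="200010001,200010002" sig_names="Directory Traversal (../) (URI),Directory Traversal (/etc/) (URI)" support_id="1000000000000000007"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="203.0.113.50" uri="/search" request_status="blocked" sig_ids="200004034" sig_names="XSS script tag (Parameter)" support_id="1000000000000000008"
ASM:unit_hostname="bigip1" policy_name="/Common/shop" ip_client="203.0.113.60" uri="/" request_status="passed" sig_ids="" sig_names="" support_id="1000000000000000009"
'''

# key="value" pairs; a value may contain backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line: str) -> dict:
    """Parse one key="value" log line into a dict, unescaping \" inside values."""
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}


@dataclass
class SigStats:
    name: str
    alerted: int = 0   # matched but request was not blocked (staging / alarm only)
    blocked: int = 0   # matched an enforced signature and the request was blocked
    clients: set = field(default_factory=set)
    uris: set = field(default_factory=set)


def aggregate(log_text: str) -> dict:
    """Group events by signature ID, counting alerts/blocks and distinct clients and URIs."""
    stats: dict = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ids = [s for s in ev.get("sig_ids", "").split(",") if s]
        if not ids:
            continue  # a passed request with no signature match
        names = ev.get("sig_names", "").split(",")
        if len(names) != len(ids):
            names = ids  # a name containing a comma would break the pairing; fall back to IDs
        for sid, name in zip(ids, names):
            st = stats.setdefault(sid, SigStats(name=name))
            if ev.get("request_status") == "blocked":
                st.blocked += 1
            else:
                st.alerted += 1
            st.clients.add(ev.get("ip_client", "?"))
            st.uris.add(ev.get("uri", "?"))
    return stats


def classify(st: SigStats, min_clients: int = 3, max_uris: int = 2) -> str:
    """Illustrative triage rule (an assumption of this example, not an ASM feature)."""
    if st.alerted == 0:
        return "enforced: already blocking, no staging decision needed"
    if len(st.clients) >= min_clients and len(st.uris) <= max_uris:
        return "probable false positive: review, then disable for this policy"
    if len(st.clients) == 1 and len(st.uris) >= 3:
        return "probable attack: keep, enforce when staging period ends"
    return "inconclusive: manual review"


def report(log_text: str) -> list:
    """Return (sig_id, name, verdict) tuples sorted by signature ID."""
    return sorted((sid, st.name, classify(st)) for sid, st in aggregate(log_text).items())


if __name__ == "__main__":
    for sid, name, verdict in report(SAMPLE_LOG):
        print(f"{sid}  {name}\n    -> {verdict}")
```

The verdicts are a starting point for the review this reply describes, not a replacement for it: a signature flagged "probable false positive" still needs someone to look at the actual requests before it is disabled, since a botnet spread across many source addresses hitting one login form would produce the same shape.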

     

  • False positives with (attack) signatures are an issue with any type of device, a WAF like the ASM module or a firewall IPS module. Be honest with your customer and explain that some requests might be blocked which were not attacks. If you want security and use attack signatures, you will need to accept that.

     

    But you can make the risk smaller, as explained by Jinshu. Of course putting them through testing is nicer, but can you test well enough?