Forum Discussion

jerm1020_254086's avatar
jerm1020_254086
Icon for Nimbostratus rankNimbostratus
Aug 03, 2016

Attack signature updates.

can anyone confirm best practices for Attack Signature updates? I would like to know if when working with a production environment if it would be safer to implement in the below stated layout as opposed to just importing it in to production. the retailer that I am doing this work for has fears that it may block traffic after the signature update. does anyone have insight into this?

 

•Export Attack Signature Policy from production •Import production Attack Signature Policy into TEST environment •Update Attack Signatures in TEST •Clear Traffic Learnings in TEST •Evaluate and Modify Attack Signatures if site functionality is impaired (Disablement method based on severity of attack signature type) •Export Attack Signature Policy from TEST •Update Attack Signatures in PROD •Import TEST Attack Signature Policy into PROD

 

This seems to be the least riskiest way to do this, though in my opinion with the updates being so frequent I cant see this being rational in order to maintain the updates every six weeks.

 

  • false positives with (attack) signatures is an issue with any type of device, a WAF like the ASM module or a firewall IPS module. be honest against your customer and explain that some requests might be blocked which were no attacks. if you want security and use attack signatures you will need to accept that.

     

    but you can make the risk smaller as explained by Jinshum, of course putting them trough testing is nicer, but can you test well enough?

     

  • Yes. It is safe to update attack signatures. The new attack signarures or the modified one's will move to staging automatically. This means, it can still detect and alert but doesnt block it.

     

    Placing new and updated attack signatures in staging helps to reduce the number of violations triggered by false-positive matches. When signatures match attack patterns during the staging period, the system generates learning suggestions. From Manual Traffic Learning, if you see that an attack signature violation has occurred, you can view these attack signatures from the Attack Signature Detected screen.

     

    Upon evaluation, if the signature is a false-positive, you can disable the signature, and the system no longer applies that signature to traffic for the corresponding web application. Alternately, if the detected signature match is legitimate, you can enable the corresponding attack signature. Note that enabling the signature removes it from staging, and puts the blocking policy into effect.

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/39.html

     

    -Jinshu