Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, Enforces Ready Signatures for each policy, and applies each policy
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
```bash
# Determines HA Status, creates variable, then loops through it on Active devices
cd /var/tmp/
# Static Variables
CREDS=admin
# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt
# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi
# Creates variable with list of policy hashes, then prints variable contents to txt file (all policies; see the note below to exclude parent or template policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)
# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
  # Un-stages (enforces) every staged signature that has no pending suggestions and is past its readiness period
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  # Applies the policy so the enforcement takes effect (-X POST is required; a bare POST is parsed by curl as a URL)
  LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
  sleep 10s
done
```
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
Hello,
It's awesome :). Could it be please extended a little bit? Because you need to also know which signatures were not ready for enforcement and review those. Those are possible attacks and you do not consider such a situation.
Thank you
Best regards
I'm glad the script works for you 🙂
When a new batch of signatures is released, they should be reviewed to determine if there's a reason to enforce them before they complete their staging period. For example, when the Log4j and most other critical signatures are released, I've followed a different process.
First of all, my environment has a separate Signature Set named "Immediate Enforcement Signatures (Critical Sigs)". This Signature Set is attached to all policies.
Then when I want to enforce a new signature that hasn't completed its staging period, I manually add that signature to the Signature Set using the GUI, then run this script from the Big-IQ:
```bash
# This script skips Standby devices, then creates a list of all ASM policy hashes, then finds the ID of the Immediate Enforcement Signatures (Critical Sigs) signature set, and enforces the signatures in that signature set for all ASM policies that have the signature set attached.
# In ASM GUI, add new signature(s) to the Immediate Enforcement Signatures (Critical Sigs) signature set, then run this script to enforce the set on all policies
cd /var/tmp
CREDS=admin
# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt
# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi
# Creates variable with list of policy hashes, then prints variable contents to txt file (all policies; see the note below to exclude parent or template policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf "$FILENAME\n" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)
# ASM - Enables and Enforces Signatures in the Signature Set on all policies, and Applies Policies - All Policies
for LINE in $LINES
do
  # Looks up the ID of the signature set on this policy (empty if the set is not attached to it)
  SETID=$(curl -kvu $CREDS -X GET "https://localhost/mgmt/tm/asm/policies/$LINE/signature-sets" -H "Content-Type: application/json" | jq -r '.items[] | select(.signatureSetReference.name=="Immediate Enforcement Signatures (Critical Sigs)") | .id')
  # Bulk PATCH: un-stage and enable every signature that belongs to that set ($filter stays literal inside single quotes)
  DATA='{"commands":[{"method":"PATCH","uri":"/mgmt/tm/asm/policies/'$LINE'/signatures?$filter=signatureSets/id+eq+'\'$SETID\''","body":{"performStaging":false,"enabled":true}}]}'
  curl -kvu $CREDS -X POST "https://localhost/mgmt/tm/asm/tasks/bulk" -H "Content-Type: application/json" -d "$DATA" | jq .
  # Applies the policy so the change takes effect (-X POST is required; a bare POST is parsed by curl as a URL)
  LINK=\"https://localhost/mgmt/tm/asm/policies/$LINE\"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": $LINK }}" | jq .
  sleep 10s
done
```
This script does the equivalent of going to Security > Application Security > Policy Building > Learning and Blocking Settings, then under the Attack Signatures section, clicking "Enforce and Enable all Attack Signatures in the Signature Set" for Signature Set "Immediate Enforcement Signatures (Critical Sigs)", then it applies the policy.
The script automatically loops through all of your policies to enforce the Signature Set and apply the policy on all of them one-at-a-time. If you already have a Signature Set for this purpose, you can change the name in the script to match your Signature Set.
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
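An added example, not code from either post: a small Python helper that applies the same readiness predicate as the first script's `$filter` to a saved `signatures` response, so the staged signatures that the PATCH would leave behind can be listed with the reason (the review gap the earlier reply asks about), and that builds the second script's bulk-task body from a dict instead of hand-quoted shell strings. The field names are the ones the scripts use; the sample items and their ids are constructed, not a device response.

```python
import json

# Constructed sample of ".items[]" from /mgmt/tm/asm/policies/<id>/signatures,
# limited to the fields the scripts' $filter uses (not a real device response).
SAMPLE_ITEMS = [
    {"id": "sig-A", "performStaging": True, "enabled": True,
     "hasSuggestions": False, "wasUpdatedWithinEnforcementReadinessPeriod": False},
    {"id": "sig-B", "performStaging": True, "enabled": True,
     "hasSuggestions": True, "wasUpdatedWithinEnforcementReadinessPeriod": False},
    {"id": "sig-C", "performStaging": True, "enabled": True,
     "hasSuggestions": False, "wasUpdatedWithinEnforcementReadinessPeriod": True},
    {"id": "sig-D", "performStaging": False, "enabled": True,
     "hasSuggestions": False, "wasUpdatedWithinEnforcementReadinessPeriod": False},
]


def is_ready_to_enforce(sig):
    """Same predicate as the first script's $filter: still staged, no pending
    learning suggestions, and past the enforcement-readiness period."""
    return (sig["performStaging"]
            and not sig["hasSuggestions"]
            and not sig["wasUpdatedWithinEnforcementReadinessPeriod"])


def readiness_report(items):
    """Return (ids the PATCH would enforce, {id: reasons} for staged signatures
    it leaves in staging). Already-enforced signatures are ignored."""
    enforce = [s["id"] for s in items if is_ready_to_enforce(s)]
    review = {}
    for s in items:
        if not s["performStaging"] or is_ready_to_enforce(s):
            continue
        reasons = []
        if s["hasSuggestions"]:
            reasons.append("has learning suggestions")
        if s["wasUpdatedWithinEnforcementReadinessPeriod"]:
            reasons.append("updated within readiness period")
        review[s["id"]] = reasons
    return enforce, review


def bulk_enforce_command(policy_id, set_id):
    """The /mgmt/tm/asm/tasks/bulk body from the second script, as a dict:
    un-stage and enable every signature in the given signature set."""
    uri = f"/mgmt/tm/asm/policies/{policy_id}/signatures?$filter=signatureSets/id+eq+'{set_id}'"
    return {"commands": [{"method": "PATCH", "uri": uri,
                          "body": {"performStaging": False, "enabled": True}}]}


def bulk_enforce_body(policy_id, set_id):
    """Serialised form to pass to curl -d; json.dumps handles the quoting."""
    return json.dumps(bulk_enforce_command(policy_id, set_id))
```

Feed it the output of `curl ... /signatures | jq '.items'` saved per policy, and the `review` dict is the list the reply asks for, grouped by why each signature is not yet enforceable.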