Forum Discussion
Automate ASM "Ready to Be Enforced" Attack Signatures
- Feb 07, 2023
In case anyone is still looking for a way to do this, I created a Big-IQ script that can be pushed to your ASM devices. Here's what it does:
- It checks the HA status, and exits the script if the HA status is Standby
- It uses iControl REST to create a file that lists the policy hashes for each of your ASM policies
- It uses a bash for loop to loop through each of your ASM policy hashes, Enforces Ready Signatures for each policy, and applies each policy
 
This is a plug-n-play script, so you shouldn't need to modify it at all. I've used it on v15.1.5 and v15.1.8.
------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
# Determines HA Status, creates variable, then loops through it on Active devices
cd /var/tmp/

# Static Variables
CREDS=admin

# Writes HA Status to a file
tmsh show /cm failover-status | grep Status > /var/tmp/ha-status.txt
chmod 755 /var/tmp/ha-status.txt

# Exits script if the HA Status file contains the string STANDBY
if grep -q STANDBY /var/tmp/ha-status.txt; then
  exit
fi

# Creates variable with list of policy hashes, then prints variable contents to txt file
# (see the note below the script for excluding parent/template policies)
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | .id')
printf '%s\n' "$FILENAME" > /var/tmp/policy-hashes.txt
FILENAME="policy-hashes.txt"
LINES=$(cat $FILENAME)

# ASM - Enforces Ready Entities and Applies Policies - All Policies
for LINE in $LINES
do
  # Enforce every staged signature with no suggestions whose enforcement readiness period has elapsed
  curl -kvu $CREDS -X PATCH "https://localhost/mgmt/tm/asm/policies/$LINE/signatures?\$select=&\$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false+and+performStaging+eq+true" -H "Content-Type: application/json" -d '{"performStaging":false}' | jq .
  # Apply the policy so the enforcement change takes effect (-X POST was missing before -d in the original)
  LINK="https://localhost/mgmt/tm/asm/policies/$LINE"
  curl -kvu $CREDS -X POST https://localhost/mgmt/tm/asm/tasks/apply-policy -H "Content-Type: application/json" -d "{\"policyReference\": {\"link\": \"$LINK\"}}" | jq .
  sleep 10s
done
------------------------------------------------------------------------------------------------------------------------
If you want to exclude specific policies, such as a Parent or Template policy, you can change the line where the FILENAME variable is created to exclude those policies like this:
FILENAME=$(curl -kvu $CREDS http://localhost/mgmt/tm/asm/policies | jq -r '.items[] | select(.name!="asm_parent") | select(.name!="asm_template") | .id')
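As an added example (not code from the original post), the same run expressed in Python as a dry-run planner: it mirrors the script's HA check and policy selection, evaluates the readiness predicate behind the $filter (the hasSuggestions, wasUpdatedWithinEnforcementReadinessPeriod and performStaging fields shown in the replies) on the signature list, and returns the PATCH and apply-policy calls it would make instead of sending them, skipping policies with nothing ready. HOST and the sample policy and signature data are constructed assumptions.

```python
import json
from urllib.parse import urlencode

HOST = "https://localhost"  # assumption: runs on the BIG-IP itself, like the script above
READY_FILTER = ("hasSuggestions eq false AND "          # same predicate as the PATCH $filter
                "wasUpdatedWithinEnforcementReadinessPeriod eq false AND "
                "performStaging eq true")

# Constructed sample data standing in for the REST responses (ids and names made up)
SAMPLE_POLICIES = {"items": [{"name": "asm_parent", "id": "PARENT-POLICY-ID-PLACEHOLDER"},
                             {"name": "web_app_prod", "id": "3QzapERGGfTUVBI6Hxs-qg"}]}
SAMPLE_SIGNATURES = {"3QzapERGGfTUVBI6Hxs-qg": [
    {"signatureReference": {"name": "sig A"}, "hasSuggestions": False,   # ready to enforce
     "wasUpdatedWithinEnforcementReadinessPeriod": False, "performStaging": True},
    {"signatureReference": {"name": "sig B"}, "hasSuggestions": False,   # still in readiness period
     "wasUpdatedWithinEnforcementReadinessPeriod": True, "performStaging": True},
    {"signatureReference": {"name": "sig C"}, "hasSuggestions": False,   # already enforced
     "wasUpdatedWithinEnforcementReadinessPeriod": False, "performStaging": False},
]}

def is_standby(failover_status: str) -> bool:
    """Mirror of 'grep Status | grep -q STANDBY' on 'tmsh show /cm failover-status' output."""
    return any("STANDBY" in line for line in failover_status.splitlines() if "Status" in line)

def policy_ids(policies: dict, exclude=("asm_parent", "asm_template")) -> list:
    """Mirror of the jq filter: policy hashes, minus the excluded policy names."""
    return [p["id"] for p in policies["items"] if p["name"] not in exclude]

def is_ready(sig: dict) -> bool:
    """Client-side evaluation of READY_FILTER on one signature-state item."""
    return (sig["hasSuggestions"] is False
            and sig["wasUpdatedWithinEnforcementReadinessPeriod"] is False
            and sig["performStaging"] is True)

def plan(policies: dict, signatures_by_policy: dict) -> list:
    """REST calls the run would make, as (method, url, body, signature names), unsent."""
    calls = []
    for pid in policy_ids(policies):
        ready = [s["signatureReference"]["name"]
                 for s in signatures_by_policy.get(pid, []) if is_ready(s)]
        if not ready:
            continue  # nothing to enforce, so skip the apply-policy task as well
        qs = urlencode({"$select": "", "$filter": READY_FILTER}, safe="$")
        calls.append(("PATCH", f"{HOST}/mgmt/tm/asm/policies/{pid}/signatures?{qs}",
                      json.dumps({"performStaging": False}), ready))
        link = f"{HOST}/mgmt/tm/asm/policies/{pid}"
        calls.append(("POST", f"{HOST}/mgmt/tm/asm/tasks/apply-policy",
                      json.dumps({"policyReference": {"link": link}}), ready))
    return calls
```

Review the returned plan (it names exactly which signatures each PATCH would enforce) before sending the calls with the same credentials the script uses.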
 
Hello,
If you use
https://localhost/mgmt/tm/asm/policies/[policy-id]/signatures?$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+true&$top=1
you will see the first signature result shown as something like:
   {
      "hasSuggestions": false,
      "isInherited": true,
      "lastUpdateMicros": 1.738315306e+15,
      "kind": "tm:asm:policies:signatures:signaturestate",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/3QzapERGGfTUVBI6Hxs-qg/signatures/amSV16c_VltvPV2ipzycCw?ver\u003d17.1.2",
      "signatureReference": {
        "link": "https://localhost/mgmt/tm/asm/signatures/iSs1nGK_jlGi14pryZi0qA?ver\u003d17.1.2",
        "isUserDefined": false,
        "name": "Unicode Fullwidth ASCII variant",
        "signatureId": 299999999
      },
      "wasUpdatedWithinEnforcementReadinessPeriod": true,
      "isPriorRuleEnforced": false,
      "performStaging": false,
      "id": "amSV16c_VltvPV2ipzycCw",
      "alarm": true,
      "block": true,
      "enabled": true,
      "learn": true
    }
That shows the items "hasSuggestions" and "wasUpdatedWithinEnforcementReadinessPeriod" and their values.
Thank you, I just found out this morning myself how the $filter works exactly.
I did the exact same thing you're telling and got it working in my Ansible task now (something I forgot to mention):
- name: reporting_attack_signatures | Get Attack Signatures that are Ready to be Enforced
  ansible.builtin.uri:
    # Single-line URL: a folded (>) scalar joins its lines with a space, which would break the query string
    url: "https://{{ inventory_hostname }}/mgmt/tm/asm/policies/{{ list_policy_asm_item.id }}/signatures/?$filter=hasSuggestions+eq+false+AND+wasUpdatedWithinEnforcementReadinessPeriod+eq+false"
    method: GET
    user: "{{ ansible_user }}"
    password: "{{ ansible_password }}"
    force_basic_auth: true
    status_code: 200
  register: results_policy_signatures
  delegate_to: localhost
  loop: "{{ list_policy_asm }}"
  loop_control:
    loop_var: list_policy_asm_item