Forum Discussion
Copying System-Supplied Attack Signatures for Modification
Is it possible to copy a System-Supplied Attack Signature so that I can modify the copied signature and apply it to a custom Signature Set?
For example - While in staging, a System-Supplied Attack Signature gets tripped that turns out to be a false positive. We would still like to use the signature but just a customized version of it.
Also, where are the System-Supplied Attack Signatures stored on the F5?
3 Replies
- Leonardo_Souza
Cirrocumulus
I don't think you will be able to view the content of the signatures. If you download the signature from downloads.f5.com, you will see that the signatures are encrypted. If you open the file with zip software, you will find the file /RPMS/packages/current_sigfile.enc.
Not sure if the signatures are saved in /usr/shared/ts or in the MySQL database. Anyway, if the file is encrypted on downloads.f5.com, I doubt it will be in clear text on the system. It will probably be in clear text in RAM, but that is too advanced to get. :P
- samstep
Cirrocumulus
F5 ASM stores the attack signatures in the internal MySQL database on the box.
There is an AskF5 KnowledgeBase solution SOL11680 which tells you how to dump the signatures from the database into a text file:
https://support.f5.com/kb/en-us/solutions/public/11000/600/sol11680.html?
However, this command only dumps the signature ID and name, which is helpful if you want to compare two sets.
There is a little trick which allows you to actually extract the signature rules from the MySQL database if you add:
,PLC.NEGSIG_SIGNATURES.rule
just before the " from" command in the SQL query, so for example if you are on BIG-IP version 11.6 or higher you can run this command from the bash shell:
mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name,PLC.NEGSIG_SETS.set_id,PLC.NEGSIG_SIGNATURES.sig_id, PLC.NEGSIG_SIGNATURES.sig_name,PLC.NEGSIG_SIGNATURES.rule from PLC.NEGSIG_SETS, PLC.NEGSIG_SIGNATURES order by set_name,sig_id;" > /var/tmp/unit1_sig_sets.out
Then download this file from the box (e.g. using scp): /var/tmp/unit1_sig_sets.out
It will have the signature rules in it. The rules will be in standard ASM signature syntax described in the ASM guide here:
Hope this is useful (I get this question asked a lot).
Sam
- aswinnen_6967
Nimbostratus
I think the following query is more useful, as it lists which signatures are assigned to which signature set:
mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name,PLC.NEGSIG_SET_SIGNATURES.set_id, PLC.NEGSIG_SET_SIGNATURES.sig_id,PLC.NEGSIG_SIGNATURES.sig_name from PLC.NEGSIG_SETS,PLC.NEGSIG_SIGNATURES,PLC.NEGSIG_SET_SIGNATURES where PLC.NEGSIG_SETS.set_id = PLC.NEGSIG_SET_SIGNATURES.set_id and PLC.NEGSIG_SET_SIGNATURES.sig_id = PLC.NEGSIG_SIGNATURES.sig_id order by set_name,PLC.NEGSIG_SIGNATURES.sig_id;" > /var/tmp/device-signature-set.out
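Added example, not part of any post in this thread: one way to compare the dump files from two units once they have been copied off the box. It assumes the files are in mysql's batch format (tab-separated, header row, backslash-escaped values) with the column names used in the queries above; the function names and sample rows are hypothetical.

```python
import re

# mysql writes redirected output as tab-separated rows and escapes tab,
# newline, NUL and backslash inside values as \t, \n, \0 and \\.
_ESCAPES = {"t": "\t", "n": "\n", "0": "\0", "\\": "\\"}

def unescape(value):
    """Undo mysql batch-mode escaping; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)

def load_dump(text):
    """Return {set_name: {sig_id: row}} for one dump file's contents."""
    lines = [line for line in text.split("\n") if line]
    if not lines:
        return {}
    header = lines[0].split("\t")
    sets = {}
    for line in lines[1:]:
        row = dict(zip(header, map(unescape, line.split("\t"))))
        sets.setdefault(row["set_name"], {})[int(row["sig_id"])] = row
    return sets

def diff_units(a, b):
    """Per set: sig_ids only on unit A, only on unit B, or with a different rule."""
    report = {}
    for name in sorted(set(a) | set(b)):
        sa, sb = a.get(name, {}), b.get(name, {})
        entry = {
            "only_a": sorted(sa.keys() - sb.keys()),
            "only_b": sorted(sb.keys() - sa.keys()),
            # "rule" exists only if the .rule column was added to the query
            "rule_changed": sorted(i for i in sa.keys() & sb.keys()
                                   if sa[i].get("rule") != sb[i].get("rule")),
        }
        if any(entry.values()):
            report[name] = entry
    return report

# Constructed sample dumps: IDs, names and rule text are placeholders,
# not real signatures or real ASM rule syntax.
HEADER = "set_name\tset_id\tsig_id\tsig_name\trule\n"
UNIT_A = HEADER + "Set One\t1\t1001\tsig-a\tpattern a\\\\.b\n" \
                + "Set One\t1\t1002\tsig-b\tpattern x\n"
UNIT_B = HEADER + "Set One\t1\t1001\tsig-a\tpattern a\\\\.c\n" \
                + "Set One\t1\t1003\tsig-c\tpattern y\n"

if __name__ == "__main__":
    print(diff_units(load_dump(UNIT_A), load_dump(UNIT_B)))
```

With real files, pass the contents of each unit's `.out` file to `load_dump` in place of the sample strings.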