Exporting a full list of Attack Sigantures

Question

Hi. I am looking to export a full list of the current signatures I have in blocking mode.
If possible, I would like to separate these lists in to their signature sets.&nbsp;
If I navigate to "Security  ››  Options : Application Security : Attack Signatures : Attack Signature Sets" then I can view the different signature set types. Let's take the High Accuracy Signatures for instance. If I click on those, I get a list of signatures that are a part of that set, but I cannot copy and paste them.&nbsp;
I have people asking me for a list of these signatures so I am hoping there is an easy way to extract these. They want to be able to share it within their team to show what the WAF is doing for them, and what it is blocking so they can test it out for themselves.&nbsp;
Is it a possibility that a file exists in the console that I can pull down through WinSCP that has a list of these?&nbsp;
Similarly if I go to "Security  ››  Application Security : Attack Signatures" I would like to be able to export the full list of 2857 signatures I have for this policy.&nbsp;
Thanks.&nbsp;

peter_silva_123 · Answer

Hi Nick~&nbsp;
I believe you can only export user-defined attack signatures.&nbsp;
Here's the chapter on Importing and Exporting Security Policies (not sure of your version):&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/5.html&nbsp;
and&nbsp;
The chapter on Working with Attack Signatures: &nbsp;
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_attack_sigs.html&nbsp;
In the 2nd link, at the bottom of the page it gives the steps to export all user-defined attack signatures. &nbsp;
I know not exactly what you need but hope it helps.&nbsp;
ps&nbsp;

suttonsc · Answer

I've used a similar export in v13 via the Rest API. Not to get the signatures per signature set, but all signatures from policies in blocking.&nbsp;
Specifically getting the attack signature sets to correlate to the signatures assigned to the blocking policy would require some additional logic and leg work.&nbsp;
API endpoints:&nbsp;

You can find policies in Blocking:&nbsp;
API endpoint: https://$target_ip/mgmt/tm/asm/policies&nbsp;

Signature sets for those policies:&nbsp;
API endpoint: https://$target_ip/mgmt/tm/asm/policies//signature-sets&nbsp;

Signatures for the policies:&nbsp;
API endpoint: https://$target_ip/mgmt/tm/asm/policies//signatures?\$expand=signatureReference&nbsp;

Forum Discussion

Exporting a full list of Attack Sigantures

2 Replies

Recent Discussions

Maximum throughput of f5 ltm

Issue on license renewal

iRule cookie persistence and pool redirect

redirect not working

Access azure app service using f5 LTM

Related Content

The HTTP/2 CONTINUATION frame attack

ESRP Strategies: DNS Water Torture Attack

Juice jacking attack and State-funded attacks - April 15th - 21st - This Week in Security

Insights of F5 Distributed Cloud WAAP Events Export, New Operators and Trends features

Real Attack Stories: Bank Gets DDoS Attacked