Forum Discussion
mister_paul_717
Nimbostratus
Nimbostratusmanaging signatures
Hey everyone,
I'm trying to find a way to manage our signatures better, because the way I'm currently trying to do it seems wrong.
Background: We currently have 2 signature sets we use - Generic Detection Signatures & a custom one that filters for our OS, App Server, Web Server, etc. Also, this is a web site that gets millions of requests a day.
Here's the basic problem I'm trying to resolve: We have a bunch of signatures that are blocking, and a handful that are still staging. I would like to break my signatures into 3 sets: ones being blocked that I'm confident are fine (and don't want to show up as I work with the signatures that are in learning mode), ones being blocked, but still in learning mode b/c I want to monitor them closely, and ones that I've disabled and never want to see or hear from again. Over time, I want to be able to migrate rules from the learning group into the blocking or disabled groups.
I can manually go through and create these groups, but it is painful. But that's okay. My real concern is how will I effectively move signatures from the learning group to a different group when I know what I want to do with it. Furthermore, as new signatures are created, and added to one of the Systems groups, how will I know about them and efficiently get them into the right group.
So - I'm curious how others are managing the signatures, particularly moving them in and out of staging and addressing new ones that arrive with a signature update.
Thanks,
Paul
hoolioCirrostratus
Hi Paul,
That's an interesting methodology. In ASM policies for large applications, we typically keep all of the attack signatures in a single set and just enable those that don't generate any false positives in the initial period the policy is in transparent mode in the live environment.
I don't think there is a simple, supported way to move attack sigs from one set to another other than via the GUI. You might be able to do this (easily?) by modifying the MySQL database, but that would be unsupported and could be very specific to each ASM version.
How would you ideally like to be able to "move" a group of signatures from one set to another? You could open a case with F5 Support and describe this use case.
Aaron
Jeremy_18125Cant move signature as you said, however, through the gui you can have partial control signature selection by editing the Signature set through the selection of Attack type & Assigned systems of the signature.
once you enable the staged signature, it automatically updates the policy & goes blocking mode for that particular signature,even before the staging period has expired..- mister_paul_717Indeed, I have noticed exactly that.
The big problem I face is that, of the 1400+ signatures in our two signature sets (one is predefined, the other is based on a filter), there are a handful that trigger false positives on nearly every request on our site. So, I clearly need to disable them. But, because they are in our signature set, they keep generating entries in our logs, and showing up in the learning results (while we're still learning things). With millions of requests a day, that is a lot of chaffe hiding the wheat. So - I need to take them out of the signature set. So I'm now venturing into custom signature sets - which means maintenance.
I'm really hoping there are others out there have similar experiences and can share how you are handling it.
In the meantime, yesterday I used a client side proxy to create a log of the full response information as I clicked through the 73 pages of signatures, then wrote a perl script to parse that log into a tab-delimited file that shows the following for each signature:
ID, NAME, ENABLED, STAGING, LEARN, ALARM, BLOCK, PARAM_OVERRIDE, APPLIES_TO, ATTACK_TYPE, RISK, ACCURACY, SETS, USER_DEFINED, LAST_UPDATED
Now at least I have a file of the signatures and their states that I can sort and filter in Excel... - Hi Paul,
You can disable signatures that generate false positives on Policy level. There is no need to remove them from signature sets. Simply go to ASM GUI -> Attack Signatures -> Policy Attack Signatures. There will be a filter there so you can find signatures that you want to disable by signature ID and then uncheck the Enabled check box for the signatures you want disabled. You can also disable them through learning.
Let me know if this helped. - mister_paul_717Sorry I haven't replied earlier! Yes, disabling them works fine, but it doesn't address the need to have some signatures with Learning on and some with it off. The multiple signature sets handles that. You are right that my extra signature set with disabled signatures is unneeded. If managing signature sets were easy, it might be worthwhile simply for clerical reasons (eg to confirm that I really wanted that signature set off), but signature sets are currently rather clunky.
