Forum Discussion
Multiple ASM Attack Signature Sets Applied to a Policy
I have multiple attack signature sets applied to a policy.
1) When I look at the list of all the signatures applied to a specific policy, is there a way of telling which "attack signature set" an individual attack signature belongs to?
2) If an attack signature belongs to two signature sets which are applied to my policy, is it possible that a specific signature is in one state in attack signature set "A" and another state in attack signature set "B"? As an example if an attack signature is set to staging in set "A" and set to enforced in set "B", what happens? If that is possible, which setting takes precedence?
3) Is there an easy way to identify those attack signatures that are assigned to two or more signature sets within the policy? Is there a filter that can identify those?
- Bob_Porambo (Nimbostratus)
Support has identified another method for me to dump the contents of a Signature Set.
curl -sk -u admin:git3Rdone -H "Content-Type: application/json" "https://172.24.134.198/mgmt/tm/asm/signature-sets/?\$filter=name+eq+Fireye-Mitigation&\$select=signatureReferences" | jq -r '.items[]'
This works well, however when I try to dump the contents of a signature set name with spaces and other characters I get a failure. For example, to try and list "OWA Signatures" we get the following message:
curl -sk -u admin:git3Rdone -H "Content-Type: application/json" "https://172.24.134.198/mgmt/tm/asm/signature-sets/?\$filter=name+eq+OWA Signatures&\$select=signatureReferences" | jq -r '.items[]'
parse error: Invalid numeric literal at line 1, column 10
- Bob_Porambo (Nimbostratus)
With regards to K11680, I ran into an issue that is confusing to me. I created a custom attack signature set with 8 signatures. When I ran the mysql command below, that list had 6925 signatures in the set. It did not indicate which of those in the set were "assigned" vs "available".
mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name,PLC.NEGSIG_SETS.set_id,PLC.NEGSIG_SIGNATURES.sig_id,PLC.NEGSIG_SIGNATURES.sig_name from PLC.NEGSIG_SETS,PLC.NEGSIG_SIGNATURES order by set_name,sig_id;" > /var/tmp/unit1_sig_sets.out
Thanks
- Simon_Blakely (Employee)
On 14.1.2.6, go to
Security ›› Application Security : Attack Signatures
On the left hand side of each signature name is a grey triangle.
Click that to expand the signature details:
If you are a SQL guru or a JSON/REST API wizard, you should be able to use the details in K11680 to filter out the information you require.
- Bob_Porambo (Nimbostratus)
Simon,
"If you expand the Signature, you can see the Set it has been assigned from"
What version of ASM are you demonstrating? I am running 14.1.2.6 and do not get the detailed printout that you listed.
K11680: Displaying attack signature sets on BIG-IP ASM systems
has interesting information on how to dump the mysql database to reveal attack signature information.
Thanks,
Bob
- Simon_Blakely (Employee)
> When I look at the list of all the signatures applied to a specific policy, is there a way of telling which "attack signature set" an individual attack signature belongs to?
If you expand the Signature, you can see the Set it has been assigned from:
> If an attack signature belongs to two signature sets which are applied to my policy, is it possible that a specific signature is in one state in attack signature set "A" and another state in attack signature set "B"? As an example if an attack signature is set to staging in set "A" and set to enforced in set "B", what happens? If that is possible, which setting takes precedence?
The most restrictive setting applies - in the above, *High Accuracy Signatures* is set to **Learn**, while *Generic Detection Signatures* is set to **Learn, Alarm and Block**.
You can see that the signature has the most restrictive setting **Learn, Alarm, and Block**.
> Is there an easy way to identify those attack signatures that are assigned to two or more signature sets within the policy? Is there a filter that can identify those?
Not that I can find.
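
Added example, not part of any post in this thread and not F5 code: a client-side answer to question 3 that takes the JSON returned by the signature-sets endpoint used above and lists signatures referenced by two or more sets, plus a helper that percent-encodes a set name such as "OWA Signatures" before it goes into the `$filter` query. Assumptions: each item carries `name` and `signatureReferences[].link` (so `name` is added to `$select`), the host `bigip.example` and the `SIG-ID-n` values are constructed, and the thread does not confirm that the BIG-IP accepts the encoded name in this filter form.

```python
import json
from collections import defaultdict
from urllib.parse import quote, urlparse

# Constructed sample shaped like the "items" array returned by
# /mgmt/tm/asm/signature-sets (field layout assumed, IDs are made up).
SAMPLE = json.loads("""
{"items": [
  {"name": "Set A", "signatureReferences": [
     {"link": "https://localhost/mgmt/tm/asm/signatures/SIG-ID-1?ver=14.1.2"},
     {"link": "https://localhost/mgmt/tm/asm/signatures/SIG-ID-2?ver=14.1.2"}]},
  {"name": "Set B", "signatureReferences": [
     {"link": "https://localhost/mgmt/tm/asm/signatures/SIG-ID-2?ver=14.1.2"},
     {"link": "https://localhost/mgmt/tm/asm/signatures/SIG-ID-3?ver=14.1.2"}]},
  {"name": "Set C"}
]}
""")

def filter_url(host, set_name):
    """Build the thread's $filter query with the set name percent-encoded."""
    return (f"https://{host}/mgmt/tm/asm/signature-sets/"
            f"?$filter=name+eq+{quote(set_name, safe='')}"
            "&$select=name,signatureReferences")

def signature_id(link):
    """Last path segment of a signature reference link, query string dropped."""
    return urlparse(link).path.rstrip("/").rsplit("/", 1)[-1]

def shared_signatures(items, applied_sets=None):
    """Map signature ID -> sorted set names, for IDs found in 2+ sets.

    applied_sets optionally limits the check to the sets on one policy.
    """
    seen = defaultdict(set)
    for item in items:
        if applied_sets is not None and item["name"] not in applied_sets:
            continue
        # Tolerate a set entry that carries no signatureReferences key.
        for ref in item.get("signatureReferences", []):
            seen[signature_id(ref["link"])].add(item["name"])
    return {sid: sorted(names) for sid, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    print(filter_url("bigip.example", "OWA Signatures"))
    print(shared_signatures(SAMPLE["items"]))
```

Pass the names of the sets attached to the policy as `applied_sets` to limit the overlap check to that policy.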