Forum Discussion

Bob_Porambo's avatar
Bob_Porambo
Icon for Nimbostratus rankNimbostratus
Jan 30, 2021

Multiple ASM Attack Signature Sets Applied to a Policy

I have multiple attack signature sets applied to a policy. 

 

1) When I look at the list of all the signatures applied to a specific policy, is there a way of telling which "attack signature set" an individual attack signature belongs to?

 

 

2) If an attack signature belongs to two signature sets which are applied to my policy, is it possible that a specific signature is in one state in attack signature set "A" and another state in attack signature set "B"? As an example if an attack signature is set to staging in set "A" and set to enforced in set "B", what happens? If that is possible, which setting takes precedence? 

 

3) Is there an easy way to identify those attack signatures that are assigned to two or more signature sets within the policy? Is there a filter that can identify those?

 

 

  • Support has identified another method for me to dump the contents of a Signature Set.

     

    curl -sk -u admin:git3Rdone -H "Content-Type: application/json" "https://172.24.134.198/mgmt/tm/asm/signature-sets/?\$filter=name+eq+Fireye-Mitigation&\$select=signatureReferences" | jq -r '.items[]'

     

    This works well, however when I try to dump the contents of a signature set name with spaces and other characters i get a failure. For example, to try and list "OWA Signatures" we get the following message:

     

     

    curl -sk -u admin:git3Rdone -H "Content-Type: application/json" "https://172.24.134.198/m

    gmt/tm/asm/signature-sets/?\$filter=name+eq+OWA Signatures&\$select=signatureReferences" | jq -r '.items[]'

     

    parse error: Invalid numeric literal at line 1, column 10

     

     

  • With regards to K11680, I ran into an issue that is confusing to me. I created a custom attack signature set with 8 signatures. When I ran the mysql command below, that list had 6925 signatures in the set. It did not indicate which of those in the set were "assigned" vs "available".

     

    mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name,PLC.NEGSIG_SETS.set_id,PLC.NEGSIG_SIGNATURES.sig_id,PLC.NEGSIG_SIGNATURES.sig_name from PLC.NEGSIG_SETS,PLC.NEGSIG_SIGNATURES order by set_name,sig_id;" > /var/tmp/unit1_sig_sets.out

     

    Thanks

     

  • On 14.1.2.6, go to

     

    Security  ››  Application Security : Attack Signatures

     

    On the left hand side of each signature name is a grey triangle.

    Click that to expand the signature details:

     

     

    If you are a SQL guru or a JSON/rest API wizard should be able to use the details in K11680 to filter out the information you require.

  • Simon,

     

    "If you expand the Signature, you can see the Set it has been assigned from"

    What version of ASM are you demonstrating? I am running 14.1.2.6 and do not get the detailed printout that you listed.

     

    K11680: Displaying attack signature sets on BIG-IP ASM systems

    has interesting information on how to dump the mysql database to reveal attack signature information.

     

    Thanks,

    Bob

  • > When I look at the list of all the signatures applied to a specific policy, is there a way of telling which "attack signature set" an individual attack signature belongs to?

     

    If you expand the Signature, you can see the Set it has been assigned from:

     

     

    > If an attack signature belongs to two signature sets which are applied to my policy, is it possible that a specific signature is in one state in attack signature set "A" and another state in attack signature set "B"? As an example if an attack signature is set to staging in set "A" and set to enforced in set "B", what happens? If that is possible, which setting takes precedence?

     

    The most restrictive setting applies - in the above, *High Accuracy Signatures* is set to **Learn**, while *Generic Detection Signatures* is set to **Learn, Alarm and Block**.

    You can see that the signature has the most restrictive setting **Learn, Alarm, and Block**.

     

    > Is there an easy way to identify those attack signatures that are assigned to two or more signature sets within the policy? Is there a filter that can identify those?

     

    Not that I can find.