Forum Discussion
Jeremy_18125
Nimbostratus
Jul 08, 2009
table name for signature set.
Anyone know which database table holds the relevant signature names for set_name: Generic Detection Signatures?
Thanks
13 Replies
- hoolio
Cirrostratus
...
- Jeremy_18125
Nimbostratus
Allow me to rephrase: I am after the signatures themselves (e.g. SQL-INJ Execute) & how these signatures relate to the assigned systems & signature set.
Where's the systems vs. actual signature table? Where is the table that defines what signature will be used for, say, Systems: MS, IIS, ASP...
For instance, if the assigned systems is empty, what'll be the significance of that to the signatures assigned?
I need to be able to explain these things....
- hoolio
Cirrostratus
...
- Jeremy_18125
Nimbostratus
Wow! Very good! Complex statement, thanks. Almost; one last thing: I am trying to retrieve the signature (e.g. .createDocument ...) contained within the "Generic Detection Systems" set; which table would I find it in?
The fact that Generic Detection Systems contains SQL-INJ and so does the 'Systems: MS IIS, ASP' set, does that mean the ASM scans each request through these sigs twice if both signature sets are used within a policy?
crypt.
- hoolio
Cirrostratus
I'm fairly certain that if a signature is added to the policy multiple times it's only enforced once. But that might be good to double check in a case to F5 Support. Ideally, you'd only add each signature once though.
The output from the SQL query will show you each signature name, signature definition and signature set name. There are three instances of the .createDocument signature. The signature does a case insensitive search for the string ".createDocument". One instance is applied to the request headers, parameters and URI:
.createDocument (Headers)
.createDocument (Parameter)
.createDocument (URI)
Aaron
- Jeremy_18125
Nimbostratus
Thanks. For some reason, the "Generic Detection Signature" set appears to be missing; I suppose it's to be expected, since there is no column called set_name within the generated table.
- hoolio
Cirrostratus
Sorry, I think I left out the set name. The first column has the system name. I'll try to update the query tomorrow.
Aaron
- Jeremy_18125
Nimbostratus
Please do update the query.
Do you know under which signature set the following attacks would be prevented in the rapid deployment security policy list of sets?
1. Prevention of OS and web server fingerprinting
2. Protection against denial of service attacks
Many thanks
- hoolio
Cirrostratus
Sorry, that got lost in the shuffle. I was having trouble connecting to the MySQL instance remotely. I'll try to do this in the next few days.
1. Not sure if these exist, but I'll see if I can find any.
2. I don't think this is (or can be?) done with attack signatures. In v10, there are anomaly detection routines which try to block DDOS and brute force attacks. Try searching on AskF5 or the 10.x ASM config guide for DDOS or 'brute force' for details.
Aaron
- hoolio
Cirrostratus
...
