Viewing F5 provided ASM attack signature

Question

Hi experts.&nbsp;
I noticed signatures that are matching certain strings (e.g. "more", "at", "id", "tar") in HTTP transactions may be quite dangerous in terms of false positives. There are many occurrences in our environment where legitimate user traffic carries such "words" in parameter values or URL paths.&nbsp;
Does F5 ASM allow one to validate (read, analyze) the F5 provided signatures syntax (regex ...) in order to understand, how they are being triggered? Please note that I am only asking about F5 default signature sets, not user-defined ones (those I know one is allowed to edit and export).&nbsp;
Regards,
mm&nbsp;

boneyard · Answer

i believe officially F5 states they are not accessible. but there are knowledge base articles that explain how to examine the databases ASM uses and those signatures are in one of those.&nbsp;
https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6979.html&nbsp;

erik_novak · Answer

Boneyard is correct. Attack signatures are intellectual property:&nbsp;
https://support.f5.com/kb/en-us/solutions/public/8000/700/sol8771.html&nbsp;

Forum Discussion

Viewing F5 provided ASM attack signature

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

UCS Encryption Question

Unblock Request WAF

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

VIP in https that redirect to another vip in https

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

November Security Research Update: Newly Released Attack Signatures

F5 APM as Service Provider (SP) and Microsoft AzureAD as Identity Provider (IDP)

NGINX App Protect v5 Signature Notifications

Enable SAML Service Provider on F5 Distributed Cloud Application

ASM provided signatures rules text

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS