YARA and SNORT Conversion to ASM/AWAF Custom Signatures

Question

Hi,Does anyone have any links or knowledge around converting YARA and/or SNORT rules into ASM/AWAF custom signatures?&nbsp; Using 15.1.5 at the moment but was curious if this has been successful.&nbsp; I've seen this with AFM but not with ASM/AWAF:https://community.f5.com/t5/technical-articles/converting-a-snort-rule-to-an-afm-protocol-inspection-custom/ta-p/284352Any help is greatly appreciated!

ca_valli · Answer

Hi, there's a section in "Attack Signatures" database menu that allows you to create default WAF signatures. From "Advanced" options you can use SNORT syntax as well.

I'm going by memory, but it should be something like Security/Options/Application Security/Attack Singatures/Attack Signature List , then "create". (from the environents I manage I see that this menu keeps changing position in major versions ... hope I'm right 😄 )

lidev · Answer

Hi,
You can use ipp option to create custom bot signature&nbsp;(The ipp option is analogous to the Snort keyword pcre)more details here : Asm Attack and bot signatures syntax&nbsp;Regards

Forum Discussion

YARA and SNORT Conversion to ASM/AWAF Custom Signatures

Recent Discussions

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

ports are showing open on online scanning tool

Related Content

F5 AWAF/ASM Bot protection custom signature does not allow the traffic

F5 BIG-IP Automatic email notification for system update events (ASM/AWAF)

F5 ICAP over SSL/TLS (Secure ICAP) with F5 ASM/AWAF Antivirus Protection feature

F5 ASM/AWAF Remote File Inclusion signatures do not block http:// or https:// in the form parameter

Conversion license

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS