cancel
Showing results for 
Search instead for 
Did you mean: 

Multiple ASM Attack Signature Sets Applied to a Policy

Bob_Porambo
Nimbostratus
Nimbostratus

I have multiple attack signature sets applied to a policy. 

 

1) When I look at the list of all the signatures applied to a specific policy, is there a way of telling which "attack signature set" an individual attack signature belongs to?

 

 

2) If an attack signature belongs to two signature sets which are applied to my policy, is it possible that a specific signature is in one state in attack signature set "A" and another state in attack signature set "B"? As an example if an attack signature is set to staging in set "A" and set to enforced in set "B", what happens? If that is possible, which setting takes precedence? 

 

3) Is there an easy way to identify those attack signatures that are assigned to two or more signature sets within the policy? Is there a filter that can identify those?

 

 

5 REPLIES 5

Simon_Blakely
F5 Employee
F5 Employee

> When I look at the list of all the signatures applied to a specific policy, is there a way of telling which "attack signature set" an individual attack signature belongs to?

 

If you expand the Signature, you can see the Set it has been assigned from:

 

0691T00000BUsa2QAD.jpg 

> If an attack signature belongs to two signature sets which are applied to my policy, is it possible that a specific signature is in one state in attack signature set "A" and another state in attack signature set "B"? As an example if an attack signature is set to staging in set "A" and set to enforced in set "B", what happens? If that is possible, which setting takes precedence?

 

The most restrictive setting applies - in the above, *High Accuracy Signatures* is set to **Learn**, while *Generic Detection Signatures* is set to **Learn, Alarm and Block**.

You can see that the signature has the most restrictive setting **Learn, Alarm, and Block**.

 

> Is there an easy way to identify those attack signatures that are assigned to two or more signature sets within the policy? Is there a filter that can identify those?

 

Not that I can find.

Bob_Porambo
Nimbostratus
Nimbostratus

Simon,

 

"If you expand the Signature, you can see the Set it has been assigned from"

What version of ASM are you demonstrating? I am running 14.1.2.6 and do not get the detailed printout that you listed.

 

K11680: Displaying attack signature sets on BIG-IP ASM systems

has interesting information on how to dump the mysql database to reveal attack signature information.

 

Thanks,

Bob

Simon_Blakely
F5 Employee
F5 Employee

On 14.1.2.6, go to

 

Security  ››  Application Security : Attack Signatures

 

On the left hand side of each signature name is a grey triangle.

Click that to expand the signature details:

 

0691T00000BUvMSQA1.png 

If you are a SQL guru or a JSON/rest API wizard should be able to use the details in K11680 to filter out the information you require.

Bob_Porambo
Nimbostratus
Nimbostratus

With regards to K11680, I ran into an issue that is confusing to me. I created a custom attack signature set with 8 signatures. When I ran the mysql command below, that list had 6925 signatures in the set. It did not indicate which of those in the set were "assigned" vs "available".

 

mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name,PLC.NEGSIG_SETS.set_id,PLC.NEGSIG_SIGNATURES.sig_id,PLC.NEGSIG_SIGNATURES.sig_name from PLC.NEGSIG_SETS,PLC.NEGSIG_SIGNATURES order by set_name,sig_id;" > /var/tmp/unit1_sig_sets.out

 

Thanks

 

Bob_Porambo
Nimbostratus
Nimbostratus

Support has identified another method for me to dump the contents of a Signature Set.

 

curl -sk -u admin:git3Rdone -H "Content-Type: application/json" "https://172.24.134.198/mgmt/tm/asm/signature-sets/?\$filter=name+eq+Fireye-Mitigation&\$select=signatureReferences" | jq -r '.items[]'

 

This works well, however when I try to dump the contents of a signature set name with spaces and other characters i get a failure. For example, to try and list "OWA Signatures" we get the following message:

 

 

curl -sk -u admin:git3Rdone -H "Content-Type: application/json" "https://172.24.134.198/m

gmt/tm/asm/signature-sets/?\$filter=name+eq+OWA Signatures&\$select=signatureReferences" | jq -r '.items[]'

 

parse error: Invalid numeric literal at line 1, column 10