WAF generic detection signatures
Hi All, I found something strange with the signature set Generic Detection Signatures (High/Medium Accuracy) assigned to the ASM policies. This signature set claims to include the following systems. Systems: General Database, Various systems, System Independent, JavaScript. However, when I compare the total of signatures of each system in the attack signature list available on the system, it does not match the total of the signatures assigned to the ASM policy. For example:

2556 System Independent, 1932 on ASM policy
24 Various systems, same on ASM policy
708 general database, 391 on ASM policy

Strange thing that, for example, signature 200022004 was assigned to the ASM policy but after live update of the signatures not anymore. Could someone clarify the content of the generic signature set and why aren't all the signatures of system independent, various systems and general database included?

1.1K Views, 0 likes, 3 Comments

ASM Signatures Learning
Dears, I have a question regarding the ASM Signatures learning. On a box, the signatures are not enforced. They are in staging only. The enforcement period is set to 7 days, and learning mode to manual. Upon performing a security audit, it was found that the application is exposed to a number of attacks due to this. Can someone explain how to resolve this, and ensure that the signatures are enforced with minimal admin intervention?

396 Views, 0 likes, 1 Comment

REST - List enforcement readiness
Hi, is it possible to use REST to retrieve the status of enforcement readiness? I mean, a list of signatures in stage (not enforced), a list of signatures with suggestions and a list of signatures ready to be enforced? I tried to search this information on the icontrol-rest-api-user-guide-12-1-0.pdf, but I haven't found anything like this.

240 Views, 0 likes, 0 Comments

Identifying ASM signatures affecting responses?
Env: LTM 11.5.2 with ASM

We have a security profile which appears to be affecting responses for a small set of requests, without reporting any error or block in the ASM event log. This is a REST call that accepts JSON input data, retrieves data from a database, and returns the data results as JSON. When we run the query for a userid that returns a small result, there is no issue. But when we use a different userid that has more data, the client never receives the response (not a single byte gets returned, at the network level). Nevertheless, the response appears in the ASM event log (though at the top of the response content display it says "Response was truncated"), and I see content displayed, as if it had been sent back. The size of the response that has an issue isn't huge (about 15K).

We have only one entry in our Parameter List for this policy, "*" of type User-input value. We turned off both Value and Name meta-characters checks, just in case, with no effect. However, when we turn off signature checks for the parameter, the problem goes away. So, our assumption is that some signature is processing the response, and freezing, or some other way affecting the stream going back to the client, such that bytes never get sent. But it's happening with no indication in the ASM event log.

How can we identify what signature is the culprit? Is there a way to search just the signatures that parse responses, vs. request data? (The Advanced filter lumps Request/Response together.) Is there any advanced ASM signature processing logging that we can turn on, anything like that? And any other thoughts on what the cause might be would be appreciated. I don't think it's size related, as the max_html setting in advanced. I thought maybe chunking, but Transfer-Encoding: chunked is appearing in both working and non-working responses. Hmm ....

481 Views, 0 likes, 2 Comments

Exporting a full list of Attack Signatures
Hi. I am looking to export a full list of the current signatures I have in blocking mode. If possible, I would like to separate these lists into their signature sets. If I navigate to "Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets" then I can view the different signature set types. Let's take the High Accuracy Signatures for instance. If I click on those, I get a list of signatures that are a part of that set, but I cannot copy and paste them. I have people asking me for a list of these signatures so I am hoping there is an easy way to extract these. They want to be able to share it within their team to show what the WAF is doing for them, and what it is blocking so they can test it out for themselves. Is it a possibility that a file exists in the console that I can pull down through WinSCP that has a list of these? Similarly, if I go to "Security ›› Application Security : Attack Signatures" I would like to be able to export the full list of 2857 signatures I have for this policy. Thanks.

656 Views, 0 likes, 2 Comments