Overview: Attack Signatures¶
Attack signatures are rules or patterns that identify attacks on a web application. When WAF receives a client request (or a server response), the system compares the request or response against the attack signatures associated with your security policy. If a matching pattern is detected, WAF triggers an attack signature detected violation, and either alarms or blocks based on the enforcement mode of your security policy.
For example, the SQL injection attack signature looks for certain expressions like ‘ or 1=1, and if a user enters that string into a field (such as the username field) on your web application, WAF can block the request based on the SQL injection attempt.
An ideal security policy includes only the attack signatures needed to defend your application. If too many are included, you waste resources on keeping up with signatures that you do not need. Likewise, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than omitting it.
WAF provides over 8,000 attack signatures that are designed to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications. Updates are provided periodically. You can install (add or update) live updates to ensure that your WAF policy’s attack signatures are up-to-date with the latest information about known threats.
You can also create custom signatures, if needed, to secure your application. Additionally, you can create signatures to protect specific alphanumeric user-input parameters.
All of the attack signatures are organized into sets and are stored in the attack signature pool on WAF. If you know what systems your application is built on (Windows, SQL, IIS, UNIX/Linux, Apache, and so on), you can allow the system to choose the appropriate attack signatures to include in the security policy.