Reference: Attack Signature Sets¶
Signature sets are a grouping of signatures based on defined filters, or manual grouping. Web Application Firewall (WAF) policy templates include default signature sets, see Default Signature Sets for information about each set.
For more information about how signature sets are defined, see Detection Filters and Type.
For more information on how to update attack signatures, see How to: Update the Attack Signatures package
Default Signature Sets¶
The following signature sets are included in policy templates. Each template’s enforcement varies depending on the protection level. The default setting per signature set is listed below each template column. Most of the signature sets are defined by the attack Type they protect from.
Note: The templates included in this version of BIG-IP Next only enforces high accuracy signatures, as shown in the table below.
| Signature Set Name | Rating-Based | Rapid | Fundamental | Comprehensive |
|---|---|---|---|---|
| All Signatures | Enabled | |||
| All Response Signatures | ||||
| Command Execution Signatures | ||||
| Cross Site Scripting Signatures | ||||
| Directory Indexing Signatures | ||||
| Generic Detection Signatures (High Accuracy) | ||||
| Generic Detection Signatures (High/Medium Accuracy) | Enabled | Enabled | Enabled | |
| HTTP Response Splitting Signatures | ||||
| High Detection Evasion Signatures | ||||
| High Accuracy Signatures | Enabled | |||
| Information Leakage Signatures | ||||
| Low Accuracy Signatures | ||||
| Medium Accuracy Signatures | ||||
| OS Command Injection Signatures | ||||
| OWA Signatures | ||||
| Other Application Attacks Signatures | ||||
| Path Traversal Signatures | ||||
| Predictable Resource Location Signatures | ||||
| Remote File Include Signatures | ||||
| SQL Injection Signatures | ||||
| Server Side Code Injection Signatures | ||||
| WebSphere Signatures | ||||
| XPath Injection Signatures |
Detection Filters¶
Signature sets can contain filters to categorize signatures. These are used to specify when detected signature violation should be enforced. If you apply filters, you can specify whether action is taken when a signature match is made. Higher accuracy value results in fewer false positives.
Signature Accuracy Filter
All (
all) - All signatures are included, regardless of accuracy level (accuracy level isall). This is the default filter.Equals (
eq) - Filters signatures equal to the accuracy level of a signature/signature set.Greater Than/Equal To (
ge) - Filters signatures greater than, or equal to, the accuracy level of a signature/signature set.Less Than/Equal To (
le) - Filters signatures less than, equal to, the accuracy level of a signature/signature set.
Signature Accuracy Value Indicates the ability of the attack signature to identify the attack, including susceptibility to false-positives:
All (
all) - All attack signatures in the attack signature pool. This is the default value.High (
high) - Signatures with a high level of accuracy that produce few false positives when identifying attacks.Medium (
medium) - Signatures with a medium level of accuracy when identifying attacksLow (
low) - Signatures that may result in more false positives when identifying attacks.
CVE Specifies if the signature has a CVE
All (
all)No (
no)Yes (
yes)
Last Updated Filter
After (
after)All (
all)Before (
before)
Risk Value The assigned risk of attack from a detected signature. This value is used in conjunction with Risk Filter.
All (
all)High (
high) - Indicates the attack may cause a full system compromise.Low (
low) - Indicates the attack does not cause direct damage or reveal highly sensitive data.Medium (
medium) - Indicates the attack may reveal sensitive data or cause moderate damage.
Risk Filter Filter for the evaluated risk value of the signature
All (
all)Equal (
eq)Greater than or Equal (
ge)Less than or Equal (
le)
Signature Type Signature applies to client requests, server responses, or both.
All (
all)Request (
request)Response (
response)
Tag Filter Filter by the configured tag value, or whether the signature includes tags or not.
All (
all) - No filterEqual (
eq) - Only signatures with a tag that equals tag value are added to the signature set.Untagged (
untagged) - Only signatures without a tag are added to the signature set.
Tag Value A specified tag value for a signature.
Type¶
Defines whether the signature set is:
filter-based- Signature set includes signatures based on the defined detection filters.manual- Signature set includes manually specified signatures.
Note: Most signature sets are filter-based.