Reference: Attack Signature Sets

Signature sets are a grouping of signatures based on defined filters, or manual grouping. Web Application Firewall (WAF) policy templates include default signature sets, see Default Signature Sets for information about each set.

For more information about how signature sets are defined, see Detection Filters and Type.

For more information on how to update attack signatures, see How to: Update the Attack Signatures package

Default Signature Sets

The following signature sets are included in policy templates. Each template’s enforcement varies depending on the protection level. The default setting per signature set is listed below each template column. Most of the signature sets are defined by the attack Type they protect from.

Note: The templates included in this version of BIG-IP Next only enforces high accuracy signatures, as shown in the table below.

Signature Set Name Rating-Based Rapid Fundamental Comprehensive
All Signatures Enabled
All Response Signatures
Command Execution Signatures
Cross Site Scripting Signatures
Directory Indexing Signatures
Generic Detection Signatures (High Accuracy)
Generic Detection Signatures (High/Medium Accuracy) Enabled Enabled Enabled
HTTP Response Splitting Signatures
High Detection Evasion Signatures
High Accuracy Signatures Enabled
Information Leakage Signatures
Low Accuracy Signatures
Medium Accuracy Signatures
OS Command Injection Signatures
OWA Signatures
Other Application Attacks Signatures
Path Traversal Signatures
Predictable Resource Location Signatures
Remote File Include Signatures
SQL Injection Signatures
Server Side Code Injection Signatures
WebSphere Signatures
XPath Injection Signatures

Detection Filters

Signature sets can contain filters to categorize signatures. These are used to specify when detected signature violation should be enforced. If you apply filters, you can specify whether action is taken when a signature match is made. Higher accuracy value results in fewer false positives.

Signature Accuracy Filter

  • All (all) - All signatures are included, regardless of accuracy level (accuracy level is all). This is the default filter.

  • Equals (eq) - Filters signatures equal to the accuracy level of a signature/signature set.

  • Greater Than/Equal To (ge) - Filters signatures greater than, or equal to, the accuracy level of a signature/signature set.

  • Less Than/Equal To (le) - Filters signatures less than, equal to, the accuracy level of a signature/signature set.

Signature Accuracy Value Indicates the ability of the attack signature to identify the attack, including susceptibility to false-positives:

  • All (all) - All attack signatures in the attack signature pool. This is the default value.

  • High (high) - Signatures with a high level of accuracy that produce few false positives when identifying attacks.

  • Medium (medium) - Signatures with a medium level of accuracy when identifying attacks

  • Low (low) - Signatures that may result in more false positives when identifying attacks.

CVE Specifies if the signature has a CVE

  • All (all)

  • No (no)

  • Yes (yes)

Last Updated Filter

  • After (after)

  • All (all)

  • Before (before)

Risk Value The assigned risk of attack from a detected signature. This value is used in conjunction with Risk Filter.

  • All (all)

  • High (high) - Indicates the attack may cause a full system compromise.

  • Low (low) - Indicates the attack does not cause direct damage or reveal highly sensitive data.

  • Medium (medium) - Indicates the attack may reveal sensitive data or cause moderate damage.

Risk Filter Filter for the evaluated risk value of the signature

  • All (all)

  • Equal (eq)

  • Greater than or Equal (ge)

  • Less than or Equal (le)

Signature Type Signature applies to client requests, server responses, or both.

  • All (all)

  • Request (request)

  • Response (response)

Tag Filter Filter by the configured tag value, or whether the signature includes tags or not.

  • All (all) - No filter

  • Equal (eq) - Only signatures with a tag that equals tag value are added to the signature set.

  • Untagged (untagged) - Only signatures without a tag are added to the signature set.

Tag Value A specified tag value for a signature.


Defines whether the signature set is:

  • filter-based - Signature set includes signatures based on the defined detection filters.

  • manual - Signature set includes manually specified signatures.

Note: Most signature sets are filter-based.