How To: Override an attack signature on BIG-IP Next Central Manager

When WAF receives a client request (or a server response), the system compares the request or response against the attack signatures associated with your security policy. If a matching pattern is detected, WAF triggers an attack signature detected violation, and either alarms or blocks based on the enforcement mode of your security policy.

Occasionally, specific allowed application elements (cookies and URLs) can contain known attack signatures that are not a threat to your application. You can create exceptions to attack signatures detected in allowed cookies and URLs.

Creating a signature override reduces known false positives in valid traffic.

Note: You can disable signatures entirely if they are not a threat to your application. With a signature override, you disable an attack signature only within an area of the request (such as a URL or cookie) where a match is not indicative of a threat.

Procedure summary

Use the following procedures to detect and override signatures:

Detecting signature exceptions using the WAF event log

When examining blocked or alerted traffic, or investigating client tickets, you can use the WAF event log to examine detected signatures.

For more information about managing the WAF event log, see How To: Create and Manage WAF Event Logs. For more information about event details, see Reference: Event Logs.

Prerequisites

To view events in the WAF event log, you must have the following:

  • A WAF policy configured to log events.

  • The WAF policy is attached to an application that is deployed to a BIG-IP Next instance.

  • The WAF-protected application is receiving traffic.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Event Logs.

    Note: Events are displayed in chronological order. You can click on the column header to sort by ascending or descending alphabetical/numeric order of the header information.

  3. Filter events by violation identifiers, such as Request Status, Violation Name, Application Name, Signature Name or ID. You can add multiple filters in a search.

  4. Click the event row to display a panel for that event.

  5. Under Triggered Violations, check whether Attack signature detected is listed. If so, expand it for more information to review whether the blocked traffic was illegal or requires a signature override.

Sample triggered violation details for a cookie:

  6. If the triggered violation is valid traffic, note the attack signature Name or ID and Policy. Also, note the URL or cookie to be added to the policy allow list.

Use the information to create, or add override signatures to an allowed application entity.
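The following is an added example, not F5 code or part of the product: a small tally that groups Attack signature detected events by policy, URL or cookie, and signature ID, so the values noted in the last step are collected in one place before you create overrides. The record layout, field names, signature IDs and names, and the min_clients threshold are all assumptions made for illustration; the output is a review list for an analyst, not a verdict on whether the traffic is valid.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names, signature IDs and names are
# assumptions for illustration, not the Central Manager event schema.
SAMPLE_EVENTS = """
{"policy":"shop-waf","violation":"Attack signature detected","sig_id":900000001,"sig_name":"constructed-sig-a","entity_type":"cookie","entity":"session_prefs","client":"198.51.100.10"}
{"policy":"shop-waf","violation":"Attack signature detected","sig_id":900000001,"sig_name":"constructed-sig-a","entity_type":"cookie","entity":"session_prefs","client":"198.51.100.11"}
{"policy":"shop-waf","violation":"Attack signature detected","sig_id":900000001,"sig_name":"constructed-sig-a","entity_type":"cookie","entity":"session_prefs","client":"198.51.100.12"}
{"policy":"shop-waf","violation":"Attack signature detected","sig_id":900000002,"sig_name":"constructed-sig-b","entity_type":"url","entity":"/search","client":"203.0.113.5"}
{"policy":"shop-waf","violation":"Attack signature detected","sig_id":900000002,"sig_name":"constructed-sig-b","entity_type":"url","entity":"/search","client":"203.0.113.5"}
{"policy":"shop-waf","violation":"Illegal method","sig_id":null,"sig_name":null,"entity_type":"url","entity":"/admin","client":"203.0.113.9"}
{"policy":"shop-waf","violation":"Attack signature detected","sig_id":900000003,"sig_name":"constructed-sig-c","entity_type":"parameter","entity":"q","client":"203.0.113.7"}
"""

def override_candidates(jsonl, min_clients=2):
    """Tally attack-signature events per (policy, entity, signature)."""
    groups = defaultdict(lambda: {"events": 0, "clients": set(), "sig_name": ""})
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("violation") != "Attack signature detected":
            continue
        # The overrides described on this page attach only to allowed URLs and cookies.
        if ev.get("entity_type") not in ("url", "cookie"):
            continue
        key = (ev["policy"], ev["entity_type"], ev["entity"], ev["sig_id"])
        g = groups[key]
        g["events"] += 1
        g["clients"].add(ev["client"])
        g["sig_name"] = ev["sig_name"]
    rows = [
        {"policy": p, "entity_type": t, "entity": e, "sig_id": s,
         "sig_name": g["sig_name"], "events": g["events"],
         "distinct_clients": len(g["clients"]),
         # Heuristic (assumption): hits from several clients on one entity
         # look more like a false positive than one client repeating a request.
         "review_first": len(g["clients"]) >= min_clients}
        for (p, t, e, s), g in groups.items()
    ]
    return sorted(rows, key=lambda r: (-r["distinct_clients"], -r["events"]))

if __name__ == "__main__":
    for row in override_candidates(SAMPLE_EVENTS):
        print(row)
```

Each output row maps to one override on one allowed URL or cookie, which keeps the exception scoped to that entity instead of disabling the signature for the whole policy.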

Override signatures

Override a signature that blocks valid traffic for a policy’s allowed URLs or cookies.

Prerequisites

Ensure you know the following information:

  • The WAF policy for the protected application.

  • The Attack Signature name or ID.

  • The exact cookie or URL (if applicable).

  • The wildcard syntax for the allowed cookie or URL types (if applicable).

Override allowed URL signatures

Requests that include an allowed URL may be blocked by signatures that your WAF policy considers as an attack. You can prevent the policy from blocking legitimate traffic by disabling specific signatures if they are found in a request with an allowed URL.

To add allowed policy URLs see Manage URLs.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click URLs.

  5. Either Create an allowed URL or select a URL from the list.

  6. From the Overridden Signatures area, click Add Signature Override.

    Click Add if disabled signatures are already added to the URL.

  7. Use the filter in the panel to search the signature by ID number or Signature Name.

  8. Select the check box next to the signature row.

    Note: You can select multiple signatures.

  9. Click Add.

  10. Confirm the action.

    The signature(s) is immediately added to the URL’s Overridden Signatures list.

  11. Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.

  12. Click Deploy to deploy changes.

The policy allows traffic to your application if the request’s URL contains the specified signature(s).