Attack Signatures

Overview

Attack signatures are rules or patterns that identify attacks on a web application. When WAF receives a client request (or a server response), the system compares the request or response against the attack signatures associated with your security policy. If a matching pattern is detected, WAF triggers an attack signature detected violation, and either alarms or blocks based on the enforcement mode of your security policy.

For example, the SQL injection attack signature looks for certain expressions like ' or 1=1, and if a user enters that string into a field (such as the username field) on your web application, WAF can block the request based on the SQL injection attempt.

An ideal security policy includes only the attack signatures needed to defend your application. If too many are included, you waste resources on keeping up with signatures that you do not need. Likewise, if you do not include enough, you might let an attack compromise your application without knowing it. If you are in doubt about a certain signature set, it is a good idea to include it in the policy rather than omitting it.

WAF provides over 8,000 attack signatures that are designed to guard against many different types of attacks and protect networking elements such as operating systems, web servers, databases, frameworks, and applications. Updates are provided periodically. You can install (add or update) live updates to ensure that your WAF policy’s attack signatures are up-to-date with the latest information about known threats.

You can also create custom signatures, if needed, to secure your application. Additionally, you can create signatures to protect specific alphanumeric user-input parameters.

All of the attack signatures are organized into sets and are stored in the attack signature pool on WAF. If you know what systems your application is built on (Windows, SQL, IIS, UNIX/Linux, Apache, and so on), you can allow the system to choose the appropriate attack signatures to include in the security policy.

Prerequisites

  • Verify any attached application services to ensure proper security after changes are deployed.

  • You need to have a user role of Security Manager or Administrator to manage a WAF policy.

  • If you plan to override attack signatures:

    • A WAF policy attached to the protected application.

    • The Attack Signature name or ID.

    • The exact cookie or URL (if applicable).

    • Apply the wildcard syntax for the allowed cookie or URL types (if applicable).

If you have not yet installed automatic live updates, ensure you have the latest attack signatures installed:

How to manage attack signatures

Note: F5 recommends using signature sets to manage your policy’s signatures. This will allow you to manage signatures based on a defined filter or attack-type, rather than each signature individually. See Attack Signature Sets for applying and managing signature sets.

Manage policy signature enforcement status

Define how the policy manages each attack signature when it is detected in application traffic.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click Policies under WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click Attack Signatures.

    The panel displays a list of attack signatures defined in the policy. You can select the signature name to view general signature properties and additional information about the potential attack risk of the signature. See Reference: Attack Signatures.

  5. Select the checkbox next to the signature name(s). You can filter the signature list by keywords.

  6. Click one of the enforcement statuses at the top right of the panel:

    1. Enforce - Traffic containing attack signatures is blocked and logged. Select one of the following:

      1. Enforce Selected - Only signatures manually selected in the list are enforced.

      2. Enforce all Staged Signatures - Enforce all signatures with a staging status.

    2. Stage - Traffic containing the attack signatures is logged, but not blocked. This is the default enforcement status for most signatures.

    3. Disable - Remove any logging or enforcement against the detected attack signatures.

  7. Confirm the enforcement of the selected signatures. You can view your signature’s enforcement in the Status column.

  8. If you have completed your changes to the policy, click Deploy to update associated BIG-IP Next instance(s).

  9. To confirm the deployment, click Deploy.

Override allowed URL signatures

Requests that include an allowed URL may be blocked by signatures that your WAF policy considers as an attack. You can prevent the policy from blocking legitimate traffic by disabling specific signatures if they are found in a request with an allowed URL.

To add allowed policy URLs see Manage URLs.

  1. Click the workspace icon next to the F5 icon, and click Security.

  2. From the left menu click WAF.

  3. Select the name of the policy.

    A panel for the General Settings opens.

  4. From the panel menu, click URLs.

  5. Either Create an allowed URL or select a URL from the list.

  6. From the Overridden Signatures area, click Add Signature Override.

    Click Add if disabled signatures are already added to the URL.

  7. Use the filter in the panel to search the signature by ID number or Signature Name.

  8. Select the check box next to the signature row.

    Note: You can select multiple signatures.

  9. Click Add.

  10. Confirm the action.

    The signature(s) are immediately added to the URL’s Overridden Signatures list.

  11. Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.

  12. Click Deploy to deploy changes.

The policy now allows traffic to your application when a request to the allowed URL matches the specified signature(s).
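
The following is an added illustration, not F5 code or the WAF's actual matching engine: a small Python model of how the Enforce, Stage and Disable statuses and a per-URL signature override combine to decide what happens to a request. The signature IDs, names, patterns and the URL are constructed placeholders, and the model assumes an overridden signature behaves as disabled (no block, no log) for the matching URL.

```python
import re
from fnmatch import fnmatchcase

# Constructed signature pool: IDs, names and patterns are placeholders,
# not entries from the F5 attack signature pool.
SIGNATURES = {
    900001: ("SQLi tautology (constructed)", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    900002: ("Script tag (constructed)", re.compile(r"<\s*script\b", re.I)),
    900003: ("Path traversal (constructed)", re.compile(r"\.\./")),
}

# Per-policy enforcement status, mirroring the three statuses in the panel.
STATUS = {900001: "enforce", 900002: "stage", 900003: "disable"}

# Allowed URLs (wildcard syntax) mapped to the signature IDs overridden there.
URL_OVERRIDES = {"/admin/query*": {900001}}


def evaluate(url, payload, status=STATUS, overrides=URL_OVERRIDES):
    """Return (verdict, events); verdict is 'block' or 'pass'."""
    # Collect every signature overridden for an allowed URL matching this request.
    skipped = set()
    for pattern, sig_ids in overrides.items():
        if fnmatchcase(url, pattern):
            skipped |= sig_ids

    verdict, events = "pass", []
    for sig_id, (_name, regex) in SIGNATURES.items():
        state = status.get(sig_id, "stage")  # staging is the default for most signatures
        # Assumption: an override acts like Disable for this URL only.
        if state == "disable" or sig_id in skipped:
            continue
        if not regex.search(payload):
            continue
        if state == "enforce":
            events.append((sig_id, "blocked"))
            verdict = "block"
        else:
            events.append((sig_id, "logged"))  # staged: logged, not blocked
    return verdict, events


if __name__ == "__main__":
    print(evaluate("/login", "user=' or 1=1"))       # enforced signature
    print(evaluate("/search", "q=<script>"))         # staged signature
    print(evaluate("/admin/query/run", "q=' OR 1=1"))  # overridden on allowed URL
```

In this model the overridden request produces neither a block nor a log entry, and the wildcard extends that to every path under the prefix, so the URL pattern attached to an override is worth keeping as exact as the application allows.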