Forum Discussion

strongarm_46960's avatar
strongarm_46960
Icon for Nimbostratus rankNimbostratus
Sep 01, 2009

Broken Sig Sets

It appears that the ASM signature update file from F5 does not actually contain any signature set, just signatures, no sets.

 

If the signature update does not contain set, then the F5 generated sets must have been created at initial install.

 

 

 

which sig update file created what set and where can I get these old sig file inorder to make all my devices sig set uniform.

 

I find myself in a unique position of having different sets of signature sets in Prod & QA even-though they are running the same version of LTM, historically perhaps asm signature upgrade has been skipped in prod.

 

 

 

Thus I thought upgrading both QA & Prod systems with the same latest ASM signature file will align both policy, since I need to import the policy from QA, some of the required sig set within the policy must match.

 

 

 

Specifically, the Systems: Microsoft Windows, IIS, ASP... signature set is missing from the production, so I proceeded to manually create this set, inserted the same systems as in QA. Finally, importing the QA security policy into production produces this error”: Warning: Signature Set "Systems: Microsoft Windows, IIS, ASP... 1" (previously used in this policy) does not exist on this system.

 

 

 

It’s as though I hadn’t manually created the IIS, ASP sig set. Whats the significance of the (dots)... after the ASP, is signature sets within ASM is broken?

 

 

 

Granted that signature sets cant be imported between 2 ASM devices ==> CR109139, however, I expect to be have uniform sig set across devices, atleast I expect to be able to make it so, without errors.

 

 

+---------------------------------------------------------+

 

| Signature set as seen on QA ASM, The production ASM is missing the last 2 sets.

 

+---------------------------------------------------------+

 

| Generic Detection Signatures

 

| OWA Signatures

 

| All Signatures

 

| Systems: Outlook Web Access, Microsoft Windows, IIS...

 

| Systems: Other Web Server, CGI

 

| Systems: Unix/Linux, Other Web Server, CGI...

 

| Systems: Unix/Linux, Other Web Server 1

 

| Systems: Unix/Linux, Other Web Server, CGI... 1

 

| Systems: Unix/Linux, SSI (Server Side Includes), CGI...

 

| Systems: ASP, Unix/Linux, Other Web Server...

 

| Systems: Other Web Server 1

 

| Systems: Microsoft Windows, IIS, ASP...

 

| Systems: Microsoft Windows, IIS, ASP... 1

 

+---------------------------------------------------------+
APM
app sec
security

1 Reply

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Sep 01, 2009
    If you've manually created the attack signature set and added the relevant signatures, I think you can safely ignore the error. Though I'd suggest opening a case with F5 Support to get confirmation of this and ask them to address the issue in the product.

     

     

    I have several customers who have to jump through hoops every time they try to replicate their ASM configuration between various test environments through to the live environment using just the ASM policy because the attack signatures are not included in the policy. You've cited CR109139. CR109140 is a related RFE. If you haven't already, I'd suggest opening a case with F5 Support and asking them to fix this issue in the product. It's been listed as a request for enhancement even though we've lost functionality since attack signatures were introduced.

     

     

    Aaron