F5 ASM stores the attack signatures in the internal MySQL database on the box.
There is an AskF5 KnowledgeBase solution SOL11680 which tells you how to dump the signatures from the database into a text file:
https://support.f5.com/kb/en-us/solutions/public/11000/600/sol11680.html?
However this command only dumps the signature ID and name, which is helpful if you want to compare two sets.
There is a little trick which allows you to actually extract the signature rules from the MySQL database if you add:
,PLC.NEGSIG_SIGNATURES.rule
just before the " from" command in the SQL query, so for example if you are a BIG-IP version 11.6 or higher you can run this command from the bash shell:
mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name,PLC.NEGSIG_SETS.set_id,PLC.NEGSIG_SIGNATURES.sig_id,
PLC.NEGSIG_SIGNATURES.sig_name,PLC.NEGSIG_SIGNATURES.rule from PLC.NEGSIG_SETS,
PLC.NEGSIG_SIGNATURES order by set_name,sig_id;" > /var/tmp/unit1_sig_sets.out
Then download this file from the box (e.g. using scp): /var/tmp/unit1_sig_sets.out
It will have the signature rules in it. The rules will be in standard ASM signature syntax described in the ASM guide here:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signature-reference-12-0-0/4.html
Hope this is useful (I get this question asked a lot).
Sam