Forum Discussion

THE_BLUE's avatar
THE_BLUE
Icon for Cirrostratus rankCirrostratus
Feb 20, 2021
Solved

ASM attack signatures

What does ASM attack signatures covers?

Does all types of attacks will be blocked by ASM ? or it's cover limited level of vulnerabilities? and why there is no attack signature from F5 for some CVEs ?

Are there certain standards for ASM to deal with a specific type of attacks?

  • You do not have to add all sets to the policy. When you create the policy using the deployment wizard, you can specify server technologies during policy creation. That will assign attack signatures for each server technology immediately. Alternatively, you can go to the Learning and Blocking Settings page, and select Enable Server Technology Detection in the Server Technologies section. That will take a bit more time but then you will see learning suggestions to add the discovered server technologies/attack signatures.

4 Replies

  • Attack signatures are complex regular expressions which cover all known malicious input strings--think of SQL commands, Unix command line strings, etc. which can be sent to an application to probe for vulnerabilities or to mount an attack against a server or application. Attack signatures are written to address known threats against common server technologies such as Windows OS, Unix/Linux, PHP, MongoDB, and many more. There are layers of redundancy in F5-supplied attack signatures and they are extremely effective. CVEs are a little bit different, because they are transient attacks when compared with well understood historical attacks such as any sort of code injection. CVEs are addressed by Threat Campaigns in F5 Advanced WAF. Threat campaigns are extremely accurate relatives of attack signatures but focus on defeating the precise threat defined in the CVE.

    • THE_BLUE's avatar
      THE_BLUE
      Icon for Cirrostratus rankCirrostratus

      Dear Erik,

      thanks for ur inputs.

      so can we say ASM can block attack to server level based on server technology ?

      by default F5 add attack signatures to policy based on learning stage, so is that enough? or we have to add all sets on policy?

  • You do not have to add all sets to the policy. When you create the policy using the deployment wizard, you can specify server technologies during policy creation. That will assign attack signatures for each server technology immediately. Alternatively, you can go to the Learning and Blocking Settings page, and select Enable Server Technology Detection in the Server Technologies section. That will take a bit more time but then you will see learning suggestions to add the discovered server technologies/attack signatures.