Add capability to import custom ASM attack signatures

Open megamattzilla opened this issue 2 years ago • 0 comments

Unable to import custom ASM attack signatures.

ASM has the capability to create custom attack signatures in addition to the attack signatures that F5 SIRT publishes. Currently, there is no capability to import these custom attack signatures via DO. These signatures are referenced by the ASM security policy but not defined by the security policy.

See https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-bot-and-attack-signatures-13-0-0/4.html
The custom signatures can be exported/viewed in .XML format when they are exported from the BIG-IP ASM system that created them.

Create a method to import custom ASM attack signatures via URL.

Currently, you can import an ASM policy in XML format using an external URL in the waf_policy schema.
Ideally, there would be an option to do the same with custom ASM signatures in XML format.

Alternatively, create a method to import custom ASM attack signatures via JSON.

Instead of importing custom ASM attack signatures via external URL, create a method so that the custom ASM attack signatures can be specified in JSON format in the waf_policy schema.

Additional context

The imported attack signature should always use the signature ID specified in the XML/JSON versus a system generated signature ID.
Example custom ASM signature in XML format, as exported from BIG-IP ASM:

```xml
<?xml version="1.0" encoding="utf-8"?>
<signatures export_version="13.1.1">
<sig id="700000001">
  <rev num="1">
    <sig_name>Demo Custom Signature</sig_name>
    <rule>uricontent:"/demo/path/:demo/demo"; nocase;</rule>
    <last_update>2020-10-08 08:50:20</last_update>
    <apply_to>Request</apply_to>
    <risk>1</risk>
    <accuracy>3</accuracy>
    <doc>Access to demo URI</doc>
    <attack_type>Abuse of Functionality</attack_type>
  </rev>
</sig>
</signatures>
```

I have an ansible playbook here that imports custom ASM signatures via REST API: https://github.com/megamattzilla/concord-ansible-waf/blob/main/playbooks/import_custom_asm_signatures.yml

The API call to update the custom signatures: POST https://{{host}}:{{mgmt_port}}/mgmt/tm/asm/tasks/update-signatures

```json
{
  "file": "<base64 encoded XML file - you could use the above example>",
  "isBase64": true,
  "isUserDefined": true
}
```

The REST API will respond with a task ID which can be queried to see when the import task is complete.

megamattzilla avatar Mar 07 '22 21:03 megamattzilla
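As an added example (not code from the issue author or from the f5-declarative-onboarding project), the following Python builds the `update-signatures` request body described above from an exported signature XML, checks the file carries explicit `<sig id>` values before it is encoded, and polls the returned task until it finishes. The sample XML is the one quoted in the issue; the `COMPLETED`/`FAILURE` task status values and the `fetch_task` callback are assumptions, not taken from the issue.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the exported custom signature quoted in the issue.
SIGNATURE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<signatures export_version="13.1.1">
<sig id="700000001">
  <rev num="1">
    <sig_name>Demo Custom Signature</sig_name>
    <rule>uricontent:"/demo/path/:demo/demo"; nocase;</rule>
    <apply_to>Request</apply_to>
    <risk>1</risk>
    <accuracy>3</accuracy>
    <attack_type>Abuse of Functionality</attack_type>
  </rev>
</sig>
</signatures>
"""


def signature_ids(xml_bytes):
    """Return the <sig id> values; reject files that are not a signature export."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "signatures":
        raise ValueError("not an ASM signature export (root is %r)" % root.tag)
    ids = []
    for sig in root.findall("sig"):
        sig_id = sig.get("id")
        if not sig_id or not sig_id.isdigit():
            raise ValueError("<sig> element without a numeric id")
        ids.append(sig_id)
    if not ids:
        raise ValueError("no <sig> elements found")
    return ids


def build_update_signatures_body(xml_bytes):
    """Body for POST /mgmt/tm/asm/tasks/update-signatures (fields from the issue)."""
    signature_ids(xml_bytes)  # validate before encoding so a bad file never leaves the client
    return {"file": base64.b64encode(xml_bytes).decode("ascii"),
            "isBase64": True, "isUserDefined": True}


FINAL_STATES = {"COMPLETED", "FAILURE"}  # assumed final task status values


def wait_for_task(fetch_task, max_polls=30):
    """Call fetch_task() (GET of the task by its ID, decoded JSON) until it is final.

    A real caller sleeps between polls; the loop is kept sleep-free so it runs offline.
    """
    for _ in range(max_polls):
        task = fetch_task()
        if task.get("status") in FINAL_STATES:
            return task
    raise TimeoutError("update-signatures task did not reach a final state")
```

The returned body can be sent as JSON with any HTTP client; a `FAILURE` status should be surfaced rather than treated as a successful import.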