What is an Attack Signature?

An attack signature is a unique pattern of data that can be used to identify an attacker's attempt to exploit a known vulnerability in an operating system or application. When Intrusion Detection detects an attack signature, a Security Alert is displayed.

Attack Signatures Pool

You can choose signatures to include in any security policy from an Attack Signatures Pool provided by the system. The system-supplied attack signatures, which are the attack signatures that come with the Application Security Manager (ASM), are included in the pool, as are any user-defined attack signatures.

  • The Attack Signatures Pool stores all of the attack signatures on the Application Security Manager.

  • You can create customized (user-defined) attack signatures; however, this is more advanced functionality that should only be used in specific situations.

  • User-defined signatures are saved in the Attack Signatures Pool, along with the system-supplied signatures. User-defined attack signatures can be imported and exported.

A set of attack signatures is referred to as an attack signature set. Instead of applying individual attack signatures, you can apply one or more attack sets to a security policy. Several system-supplied signature sets are included with the Application Security Manager.

  • Each security policy has its own collection of attack signatures.

  • New security policies are assigned a generic signature set by default.

  • Additional signature sets can be assigned to the security policy.

  • Certain sets are better suited to specific types of applications or attacks.

  • The sets are labeled logically, so you can figure out which ones to pick.

  • Furthermore, you have the option of creating your own attack signature sets.

What Kind of Attacks Do Attack Signatures Detect?

Attack signatures in a security policy are matched against requests or responses in an attempt to identify attack types such as SQL injection, command injection, cross-site scripting, and directory traversal, among others.

Attack signatures detect the following types of attacks −

  • Information Leakage − When sensitive data, such as developer comments or error messages, is exposed on a website, it can aid an attacker in abusing the system.

  • Abuse of Functionality − Using the capabilities and functionality of a website to consume, deceive, or evade the application's access control systems.

  • Other Application Attacks − Attacks that do not fit into the more specific attack categories, such as email injection, HTTP header injection, attempts to access local files, potential worm attacks, CDATA injection, and session fixation.

  • Vulnerability Scan − A web application is probed for software vulnerabilities using an automated security program.

  • XPath Injection − Occurs when an attempt is made to inject XPath queries into a vulnerable web application.

Creating Attack Signature Sets

You have two options for creating attack signature sets − using a filter or manually picking the signatures to include.

Signature sets created with the signatures filter are exclusively dependent on the parameters you specify in the signatures filter. Instead of trying to manage a specific list of attack signatures, filter-based signature sets allow you to focus on the parameters that define the attack signatures you're interested in.

Another advantage of filter-based sets is that the system updates any affected signature sets when the attack signatures database is updated.

You must manually choose each of the signatures to add from the signature pool when manually establishing a signature set. You can still filter the signatures first to make this method easier to use.
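The difference between the two kinds of set, as an added example that is not part of the original article and not ASM's own code or API: a simplified Python model in which the class names, signature IDs, regex patterns, and sample request are all constructed for illustration. It shows a filter-based set picking up a signature added by an update, while a hand-picked set keeps only the IDs that were selected.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sig_id: int        # constructed ID, not a real ASM signature ID
    name: str
    attack_type: str
    pattern: str       # plain regex standing in for a real signature rule

def build_pool():
    """Constructed pool; system-supplied and user-defined signatures share it."""
    sigs = [
        Signature(1, "UNION SELECT", "SQL Injection", r"(?i)union\s+select"),
        Signature(2, "Dot-dot-slash", "Directory Traversal", r"\.\./"),
        Signature(3, "Script tag", "Cross-Site Scripting", r"(?i)<script"),
    ]
    return {s.sig_id: s for s in sigs}

class ManualSet:
    """Hand-picked signature IDs; membership changes only when edited."""
    def __init__(self, ids):
        self.ids = set(ids)
    def resolve(self, pool):
        return [pool[i] for i in sorted(self.ids) if i in pool]

class FilterSet:
    """Membership is recomputed from the filter each time the pool is read."""
    def __init__(self, attack_types):
        self.attack_types = set(attack_types)
    def resolve(self, pool):
        return [s for _, s in sorted(pool.items()) if s.attack_type in self.attack_types]

def matched(request, signature_set, pool):
    """Names of the set's signatures whose pattern occurs in the request."""
    return [s.name for s in signature_set.resolve(pool) if re.search(s.pattern, request)]

def demo():
    pool = build_pool()
    manual, filtered = ManualSet([1]), FilterSet({"SQL Injection"})
    request = "GET /search?q=x' OR 1=1--"   # constructed sample request
    before = (matched(request, manual, pool), matched(request, filtered, pool))
    # Simulated signature update: a new SQL Injection signature joins the pool.
    pool[4] = Signature(4, "Tautology OR 1=1", "SQL Injection", r"(?i)\bor\s+1=1")
    after = (matched(request, manual, pool), matched(request, filtered, pool))
    return before, after

if __name__ == "__main__":
    print(demo())
```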

Attack Signatures in ASM

Attack signatures can be either system-defined or user-defined. System-defined attack signatures are created by F5 and added to the attack signature pool. In contrast, user-defined attack signatures are those that are created by the administrator and then added to the attack signature pool.

  • Individual signatures cannot be assigned to security policies. A security policy is assigned an attack signature set.

  • Generic Attack Signature Set is applied to new security policies by default.

  • We have the option of updating these signatures manually or automatically.

  • Attack signatures are updated, and new signature sets are added to the ASM when you update attack signatures.