NickAD
Jun 21, 2017

Exporting a full list of Attack Signatures

Hi. I am looking to export a full list of the current signatures I have in blocking mode. If possible, I would like to separate these lists into their signature sets.

 

If I navigate to "Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets" then I can view the different signature set types. Let's take the High Accuracy Signatures for instance. If I click on those, I get a list of signatures that are a part of that set, but I cannot copy and paste them.

 

I have people asking me for a list of these signatures so I am hoping there is an easy way to extract these. They want to be able to share it within their team to show what the WAF is doing for them, and what it is blocking so they can test it out for themselves.

 

Is it a possibility that a file exists in the console that I can pull down through WinSCP that has a list of these?

 

Similarly if I go to "Security ›› Application Security : Attack Signatures" I would like to be able to export the full list of 2857 signatures I have for this policy.

 

Thanks.

 

  • Peter_Silva_123
    Historic F5 Account

    Hi Nick~

     

    I believe you can only export user-defined attack signatures.

     

    Here's the chapter on Importing and Exporting Security Policies (not sure of your version):

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/5.html

     

    and

     

    The chapter on Working with Attack Signatures:

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_attack_sigs.html

     

    In the 2nd link, at the bottom of the page it gives the steps to export all user-defined attack signatures.

     

    I know it's not exactly what you need, but I hope it helps.

     

    ps

     

  • I've used a similar export in v13 via the REST API. Not to get the signatures per signature set, but all signatures from policies in blocking.

     

    Specifically getting the attack signature sets to correlate to the signatures assigned to the blocking policy would require some additional logic and leg work.

     

    API endpoints:

     

    1. You can find policies in Blocking:

       

      API endpoint: https://$target_ip/mgmt/tm/asm/policies

       

    2. Signature sets for those policies:

       

      API endpoint: https://$target_ip/mgmt/tm/asm/policies//signature-sets

       

    3. Signatures for the policies:

       

      API endpoint: https://$target_ip/mgmt/tm/asm/policies//signatures?\$expand=signatureReference
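The three steps in the reply above, sketched as an added example that is not part of the thread or F5's own code: it filters policies to those in blocking mode, builds the per-policy signatures URL, and flattens the signatures that are actually enforced into CSV for sharing. The JSON field names (`enforcementMode`, `enabled`, `block`, `performStaging`, `signatureReference.signatureId`/`name`) are assumptions to confirm against your BIG-IP version, and the policy ids and responses are constructed samples.

```python
import csv
import io

# Constructed sample responses; field names (enforcementMode, enabled, block,
# performStaging, signatureReference.*) are assumptions about the ASM REST
# schema. Policy ids are placeholders, not real values.
POLICIES = {"items": [
    {"id": "POLICY_ID_A", "name": "/Common/shop", "enforcementMode": "blocking"},
    {"id": "POLICY_ID_B", "name": "/Common/intranet", "enforcementMode": "transparent"},
]}
SIGNATURES = {"POLICY_ID_A": {"items": [
    {"enabled": True, "block": True, "performStaging": False,
     "signatureReference": {"signatureId": 100000001, "name": "Constructed signature 1"}},
    {"enabled": True, "block": True, "performStaging": True,
     "signatureReference": {"signatureId": 100000002, "name": "Constructed, staged"}},
    {"enabled": False, "block": True, "performStaging": False,
     "signatureReference": {"signatureId": 100000003, "name": "Constructed, disabled"}},
]}}

def blocking_policies(policies):
    """Step 1: keep only policies whose enforcement mode is blocking."""
    return [p for p in policies.get("items", [])
            if p.get("enforcementMode") == "blocking"]

def signatures_url(target_ip, policy_id):
    """Step 3 URL for one policy, with the signature details expanded."""
    return (f"https://{target_ip}/mgmt/tm/asm/policies/{policy_id}"
            "/signatures?$expand=signatureReference")

def enforced_rows(policy, signatures):
    """Rows for signatures that really block: enabled, block set, not staged."""
    rows = []
    for s in signatures.get("items", []):
        if s.get("enabled") and s.get("block") and not s.get("performStaging"):
            ref = s.get("signatureReference", {})
            rows.append((policy["name"], ref.get("signatureId"), ref.get("name")))
    return rows

def export_csv(policies, signatures_by_policy):
    """Flatten every blocking policy's enforced signatures into CSV text."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["policy", "signature_id", "signature_name"])
    for p in blocking_policies(policies):
        writer.writerows(enforced_rows(p, signatures_by_policy.get(p["id"], {})))
    return out.getvalue()

if __name__ == "__main__":
    print(export_csv(POLICIES, SIGNATURES))
```

A signature that is disabled or still in staging does not block traffic even when its policy is in blocking mode, which is why the export filters on all three flags.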