Viewing F5 provided ASM attack signature

Question

Hi experts.&nbsp;
I noticed signatures that are matching certain strings (e.g. "more", "at", "id", "tar") in HTTP transactions may be quite dangerous in terms of false positives. There are many occurrences in our environment where legitimate user traffic carries such "words" in parameter values or URL paths.&nbsp;
Does F5 ASM allow one to validate (read, analyze) the F5 provided signatures syntax (regex ...) in order to understand, how they are being triggered? Please note that I am only asking about F5 default signature sets, not user-defined ones (those I know one is allowed to edit and export).&nbsp;
Regards,
mm&nbsp;

boneyard · Answer

i believe officially F5 states they are not accessible. but there are knowledge base articles that explain how to examine the databases ASM uses and those signatures are in one of those.&nbsp;
https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6979.html&nbsp;

erik_novak · Answer

Boneyard is correct. Attack signatures are intellectual property:&nbsp;
https://support.f5.com/kb/en-us/solutions/public/8000/700/sol8771.html&nbsp;

Forum Discussion

Viewing F5 provided ASM attack signature

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

Active- Active HA setup

syslog server connection

Cannot see floating MAC address outside of ESXi

Rewrite uri translation not working

Related Content

F5 APM as Service Provider (SP) and Microsoft AzureAD as Identity Provider (IDP)

Enable SAML Service Provider on F5 Distributed Cloud Application

F5 Terraform providers – Helping to implement Infrastructure as Code

Support of WAF Signature Staging in F5 Distributed Cloud (XC)

Service Discovery and authentication options for Kubernetes providers (EKS, AKS, GCP)