f5networks.f5_modules.bigip_asm_policy_signature_set module – Manages Signature Sets on an ASM policy

Note

This module is part of the f5networks.f5_modules collection (version 1.17.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install f5networks.f5_modules.

To use it in a playbook, specify: f5networks.f5_modules.bigip_asm_policy_signature_set.

New in version 1.0.0: of f5networks.f5_modules

Synopsis

  • Manages Signature Sets on an ASM policy.

Parameters

Parameter

Comments

alarm

boolean

Specifies if the security policy logs the request data in the Statistics screen when a request matches a signature that is included in the signature set.

Choices:

  • no

  • yes

block

boolean

Effective when the security policy enforcement mode is Blocking.

Determines how the system treats requests that match a signature included in the signature set.

When yes, the system blocks all requests that match a signature, and provides the client with a support ID number.

When no, the system accepts those requests.

Choices:

  • no

  • yes

learn

boolean

Specifies if the security policy learns all requests that match a signature that is included in the signature set.

Choices:

  • no

  • yes

name

string / required

Specifies the name of the signature sets to apply on, or remove from, the ASM policy.

Apart from built-in signature sets that ship with the device, you can create and use custom signature sets.

When All Response Signatures, configures all signatures in the attack signature pool that can review responses.

When All Signatures, configures all attack signatures in the attack signature pool.

When Apache Struts Signatures, configures signatures that target attacks against the Apache Struts web servers. Only available in version 13.x and later.

When Apache Tomcat Signatures, configures signatures that target attacks against the Apache Tomcat web servers. Only available in version 13.x and later.

When Cisco Signatures, configures signatures that target attacks against Cisco systems. Only available in version 13.x and later.

When Command Execution Signatures, configures signatures involving attacks perpetrated by executing commands.

When Cross Site Scripting Signatures, configures signatures that target attacks caused by cross-site scripting techniques.

When Directory Indexing Signatures, configures signatures targeting attacks that browse directory listings.

When Generic Detection Signatures, configures signatures targeting well-known or common web and application attacks.

When HTTP Response Splitting Signatures, configures signatures targeting attacks that take advantage of responses for which input values have not been sanitized.

When High Accuracy Detection Evasion Signatures, configures signatures with a high level of accuracy that produce few false positives when identifying evasion attacks. Only available in version 13.x and later.

When High Accuracy Signatures, configures signatures with a high level of accuracy that produce few false positives when identifying evasion attacks.

When IIS and Windows Signatures, configures signatures that target attacks against Microsoft IIS and Windows-based systems. Only available in version 13.x and later.

When Information Leakage Signatures, configures signatures targeting attacks that are looking for system data or debugging information that shows where the system is vulnerable to attack.

When Java Servlets/JSP Signatures, configures signatures that target attacks against Java Servlets and Java Server Pages (JSP) based applications. Only available in version 13.x and later.

When Low Accuracy Signatures, configures signatures that may result in more false positives when identifying attacks.

When Medium Accuracy Signatures, configures signatures with a medium level of accuracy when identifying attacks.

When OS Command Injection Signatures, configures signatures targeting attacks that attempt to run system level commands through a vulnerable application.

When OWA Signatures, configures signatures that target attacks against the Microsoft Outlook Web Access (OWA) application.

When Other Application Attacks Signatures, configures signatures targeting miscellaneous attacks, including session fixation, local file access, injection attempts, header tampering and so on, affecting many applications.

When Path Traversal Signatures, configures signatures targeting attacks that attempt to access files and directories that are stored outside the web root folder.

When Predictable Resource Location Signatures, configures signatures targeting attacks that attempt to uncover hidden website content and functionality by forceful browsing, or by directory and file enumeration.

When Remote File Include Signatures, configures signatures targeting attacks that attempt to exploit a remote file include vulnerability that could enable a remote attacker to execute arbitrary commands on the server hosting the application.

When SQL Injection Signatures, configures signatures targeting attacks that attempt to insert (inject) a SQL query using the input data from a client to an application.

When Server Side Code Injection Signatures, configures signatures targeting code injection attacks on the server side.

When WebSphere signatures, configures signatures targeting attacks on many computing platforms that are integrated using WebSphere, including general database, Microsoft Windows, IIS, Microsoft SQL Server, Apache, Oracle, Unix/Linux, IBM DB2, PostgreSQL, and XML.

When XPath Injection Signatures, configures signatures targeting attacks that attempt to gain access to data structures or bypass permissions when a web site uses user-supplied information to construct XPath queries for XML data.

partition

string

This parameter is only used when identifying an ASM policy.

Default: “Common”

policy_name

string / required

Specifies the name of an existing ASM policy to add or remove signature sets to.

provider

dictionary

added in 1.0.0 of f5networks.f5_modules

A dict object containing connection details.

auth_provider

string

Configures the auth provider for to obtain authentication tokens from the remote device.

This option is really used when working with BIG-IQ devices.

no_f5_teem

boolean

If yes, TEEM telemetry data is not sent to F5.

You may omit this option by setting the environment variable F5_TELEMETRY_OFF.

Previously used variable F5_TEEM is deprecated as its name was confusing.

Choices:

  • no ← (default)

  • yes

password

aliases: pass, pwd

string / required

The password for the user account used to connect to the BIG-IP.

You may omit this option by setting the environment variable F5_PASSWORD.

server

string / required

The BIG-IP host.

You may omit this option by setting the environment variable F5_SERVER.

server_port

integer

The BIG-IP server port.

You may omit this option by setting the environment variable F5_SERVER_PORT.

Default: 443

timeout

integer

Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.

transport

string

Configures the transport connection to use when connecting to the remote device.

Choices:

  • rest ← (default)

user

string / required

The username to connect to the BIG-IP with. This user must have administrative privileges on the device.

You may omit this option by setting the environment variable F5_USER.

validate_certs

boolean

If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.

You may omit this option by setting the environment variable F5_VALIDATE_CERTS.

Choices:

  • no

  • yes ← (default)

state

string

When present, ensures the resource exists.

When absent, ensures the resource is removed.

Choices:

  • present ← (default)

  • absent

Notes

Note

  • This module is primarily used as a component of configuring an ASM policy in the Ansible Galaxy ASM Policy Role.

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.

  • Requires BIG-IP software version >= 12.

  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Add Signature Set to ASM Policy
  bigip_asm_policy_signature_set:
    name: IIS and Windows Signatures
    policy_name: FooPolicy
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Remove Signature Set to ASM Policy
  bigip_asm_policy_signature_set:
    name: IIS and Windows Signatures
    policy_name: FooPolicy
    state: absent
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

alarm

boolean

Specifies whether the security policy logs the request data in the Statistics screen.

Returned: changed

Sample: true

block

boolean

Determines how the system treats requests that match a signature included in the signature set.

Returned: changed

Sample: false

learn

boolean

Specifies if the policy learns all requests that match a signature that is included in the signature set.

Returned: changed

Sample: true

name

string

The name of the Signature Set added/removed on an ASM policy.

Returned: changed

Sample: “Cisco Signatures”

policy_name

string

The name of the ASM policy.

Returned: changed

Sample: “FooPolicy”

Authors

  • Wojciech Wypior (@wojtek0806)