Getting started with signatures

To add a signature object:

  1. Select the Default-signature object and click Add to make a copy.

  2. Give the copy a meaningful name. The new signature object is added as a User-Defined object.

  3. Enable the target rules that are pertinent to your specific need.

    • The rules are disabled by default.
    • Enabling more rules requires more processing.

  4. Configure the actions:

    Block and Log actions are enabled by default. Stats is another option.

  5. Set the signature to be used by your profile.

Tips for Using Signatures

  • Optimize the processing overhead by enabling only those signatures that are applicable for protecting your application.

  • Every pattern in the rule must match to trigger a signature match.

  • You can add your own customized rules to inspect incoming requests to detect various types of attacks, such as SQL injection or cross-site scripting attacks.

  • You can also add rules to inspect the responses to detect and block leakage of sensitive information such as credit card numbers.

  • Add multiple security check conditions to create your own customized check.
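A minimal model of the matching behaviour described in these tips, as an added example that is not part of the original page or the product's own code. The Rule class, rule IDs, patterns and sample traffic are all constructed for illustration; it shows that a disabled rule never fires and that a rule matches only when every one of its patterns matches.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    # Hypothetical model of a signature rule; not the appliance's own format.
    rule_id: int
    target: str                        # "request" or "response"
    patterns: tuple                    # regexes; every one must match
    enabled: bool = False              # rules are disabled by default
    actions: tuple = ("block", "log")  # default actions; "stats" is optional

    def matches(self, text):
        # AND semantics: one non-matching pattern means no signature match.
        return all(re.search(p, text, re.IGNORECASE) for p in self.patterns)

def inspect(rules, target, text):
    """Return [(rule_id, actions)] for enabled rules of this target that match."""
    return [(r.rule_id, r.actions) for r in rules
            if r.enabled and r.target == target and r.matches(text)]

# Constructed rules and traffic, for illustration only.
SQLI = Rule(900001, "request", (r"\bunion\b", r"\bselect\b"))
CARD = Rule(900002, "response", (r"\b4\d{3}(?:[ -]?\d{4}){3}\b",),
            actions=("block", "log", "stats"))
RULES = [SQLI, CARD]

REQ_BOTH = "GET /items?id=1 UNION SELECT name FROM users"  # both patterns present
REQ_ONE = "GET /search?q=student+union+events"             # only one pattern present
RESP_CARD = "card on file: 4111 1111 1111 1111"            # well-known test number

if __name__ == "__main__":
    print("all disabled:", inspect(RULES, "request", REQ_BOTH))
    SQLI.enabled = CARD.enabled = True
    for target, text in (("request", REQ_BOTH), ("request", REQ_ONE),
                         ("response", RESP_CARD)):
        print(target, repr(text), "->", inspect(RULES, target, text))
```

The second request contains only one of the two patterns, so the rule does not fire; adding patterns to a rule narrows what it matches.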

Best Practices for Using Signatures

The following are some best practices to follow when you encounter issues related to signatures:

  • Verify that the import command has succeeded on the primary as well as the secondary node.

  • Verify that CLI and GUI outputs are consistent.

  • Check ns.log to identify any errors during signature import and auto update.

  • Check if the DNS name server is configured properly.

  • Check schema version incompatibility.

  • Check if the device is unable to access the Signature Update URL hosted on AWS for auto-update.

  • Check for a version mismatch between the Default signature and user-added ones.

  • Check for version mismatch between signature objects on the primary and secondary nodes.

  • Monitor for high CPU utilization (disable auto-update to rule out an issue with the signature update).