This is the second part of this blog. Part 1 2 3 4 5
Click here to see how to start your WAF project
Make sure, signatures get updated automatically. Today (January 22 2020) we have version 40. Check the auto update settings.
Check, if Signatures Auto Update is enabled and Click on “Check URL”. This will connect to the update server and see the current version of signatures there. It should be the one you’re currently using. If they are elder, I strongly recommend updating signatures before continuing!
How to create signatures
Easy like that: Click the default signatures and than add.Probably you need to merge several signature templates, there are application specific signatures for signatures like Microsoft Sharepoint.
Give your signatures a name. I usually use the name I used for the profile, without APPFWP_. Yes, I create a profile pre application. So my name would be NAME_OF_THE_APPLICATION. Unfortunately this didn’t bring us much further.
You see, there are several categories of signatures and not a single signature is currently enabled (that’s not exactly right, there is currently one signature enabled). So we have to enable signatures.
Let’s say, our app runs on an IIS, using ASPX. So I would enable web-iis and web-activex. To do so I click “Toggle All”, select my two categories and click “Show/Hide”. All signatures related to this categories are visible. Next I click the “Select Action” button and “Enable All”. Let’s hope we don’t cause false positives.
There is one category causing trouble. It’s a kind of trash bin for various signatures: web-misc. It currently contains of more than 600 rules. Each rule is a burden for the CPU. Because of this you should, on one hand, avoid enabling rules you don’t need, on the other you should enable all rules your application needs. So you have to go through all of them. It’s a nice job for the next some days, as I assume, you don’t understand what these rules are actually doing.
I am a very lazy guy, I avoid work if any possible. So I have developed my own method for this task: I use search.
Before actually starting I enable all these rules: I click the “Select Action” button and than “Enable All”
There are some rules I will not need for sure. For example, signatures with a log string Netscape web-servers are not needed for IIS (for all the newbies: Netscape had been the internet when Microsoft and Google didn’t even know about it)
So I will search for Netscape in the log stream, click the “Select Action” button and than “Disable All”. This will disable all rules currently visible. Same for iPlanet, Cisco, Linksys, signatures related to etc directory and many more.
On the other hand, if I would select signatures for Linux, I would search for signatures containing .exe or .dll.
If you want so see all enabled rules, you may search for enabled on or off.
Let’s save the signatures. This will take a while.