ADC

Updating a signature object

You must update your signatures objects frequently to ensure that your Web App Firewall is providing protection against current threats. You must regularly update both the default Web App Firewall signatures and any signatures that you import from a supported vulnerability scanning tool.

NetScaler regularly updates the default signatures for the Web App Firewall. You can update the default signatures manually or automatically. In either case, ask your NetScaler representative or NetScaler reseller for the URL to access the updates. You can enable automatic updates of the NetScaler native format signatures in the “Engine Settings” and “Signature Auto Update Settings” dialog boxes.

Most makers of vulnerability scanning tools regularly update the tools. Most websites also change frequently. You must update your tool and rescan your websites regularly, exporting the resulting signatures to a file and importing them into your Web App Firewall configuration.

Tip

When you update the Web App Firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue more update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

Note

The following applies to merging a third-party signature object with a user-defined signature object with Native rules and user-added rules:

When a version 0 signatures is merged with a new imported file, the resultant signatures remain as version 0.

This means all native (or built-in) rules in the imported file will be ignored after the merge. This is to ensure that the version 0 signatures are maintained as is after a merge.

To include the native rules in the imported file for merge, you must update the existing signatures from version 0 first before the merge. This means you need to abandon the version 0 nature of the existing signatures.

When there is a NetScaler release upgrade, the file “default_signatures.xml” is added to the new build and the file “updated_signature.xml” is removed from the older build. After the upgrade, if the signature auto update feature is enabled, the appliance updates the existing signature to the latest version of the build and generates the “updated_signature.xml” file.

To update the Web App Firewall signatures from the source by using the command line

At the command prompt, type the following commands:

  • update appfw signatures <name> [-mergedefault]
  • save ns config

Example

The following example updates the signatures object named MySignatures from the default signatures object, merging new signatures in the default signatures object with the existing signatures. This command does not overwrite any user-created signatures or signatures imported from another source, such as an approved vulnerability scanning tool.

update appfw signatures MySignatures -mergedefault
save ns config
<!--NeedCopy-->

Updating a signatures object from a NetScaler format file

NetScaler regularly updates the signatures for the Web App Firewall. You must regularly update the signatures on your Web App Firewall to ensure that your Web App Firewall is using the most current list. Ask your NetScaler representative or NetScaler reseller for the URL to access the updates.

To update a signatures object from a NetScaler format file by using the command line

At the command prompt, type the following commands:

  • update appfw signatures <name> [-mergeDefault]
  • save ns config

To update a signatures object from a NetScaler format file by using the GUI

  1. Navigate to Security > Web App Firewall > Signatures.
  2. In the details pane, select the signatures object that you want to update.
  3. In the Action drop-down list, select Merge.
  4. In the Update Signatures Object dialog box, choose one of the following options.
    • Import from URL—Choose this option if you download signature updates from a web URL.
    • Import from Local File—Choose this option if you import signature updates from a file on your local hard drive, network hard drive, or other storage device.
  5. In the text area, type the URL, or type or browse to the local file.
  6. Click Update. The update file is imported, and the Update Signatures dialog box changes to a format nearly identical to that of the Modify Signatures Object dialog box. The Update Signatures Object dialog box displays all branches with new or modified signature rules, SQL injection or cross-site scripting patterns, and XPath injection patterns if there are any.
  7. Review and configure the new and modified signatures.
  8. When you are finished, click OK, and then click Close.

Updating a signatures object from a supported vulnerability scanning tool

Note:

Before you update a signatures object from a file, you must create the file by exporting signatures from the vulnerability scanning tool.

To import and update signatures from a vulnerability scanning tool

  1. Navigate to Security > Web App Firewall > Signatures.
  2. In the details pane, select the signatures object that you want to update, and then click Merge.
  3. In the Update Signatures Object dialog box, on the External Format tab, Import section, choose one of the following options.
    • Import from URL—Choose this option if you download signature updates from a Web URL.
    • Import from Local File—Choose this option if you import signature updates from a file on your local or a network hard drive or other storage device.
  4. In the text area, type the URL, or browse or type the path to the local file.
  5. In the XSLT section, choose one of the following options.
    • Use Built-in XSLT File—Choose this option if you want to use a built-in XSLT file.
    • Use Local XSLT File—Choose this option to use an XSLT file on your local computer.
    • Reference XSLT from URL—Choose this option to import an XSLT file from a web URL.
  6. If you chose Use Built-in XSLT File, in the Built-In XSLT drop-down list select the file that you want to use from the following options:
    • Cenzic.
    • Deep_Security_for_Web_Apps.
    • Hewlett_Packard_Enterprise_WebInspect.
    • IBM-AppScan-Enterprise.
    • IBM-AppScan-Standard.
    • Qualys.
    • Whitehat.
  7. Click Update. The update file is imported, and the Update Signatures dialog box changes to a format nearly identical to that of the Modify Signatures Object dialog box, which is described in Configuring or Modifying a Signatures Object. The Update Signatures Object dialog box displays all branches with new or modified signature rules, SQL injection or cross-site scripting patterns, and XPath injection patterns if there are any.
  8. Review and configure the new and modified signatures.
  9. When you are finished, click OK, and then click Close.
Updating a signature object