

howtos:disable_an_attack_signature_via_api

This script gives you an easy way to disable an attack signature that causes false positives in a specific policy. It requires curl and jq.

#!/bin/bash

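# Connection settings for the BIG-IP management interface.
# The literals are the page's placeholder values. Supply real ones through the
# environment (BIGIP_USER, BIGIP_PASSWORD, BIGIP_MGMT) instead of saving a
# management password in a script file that may be copied or committed.
user="${BIGIP_USER:-admin}"
pwd="${BIGIP_PASSWORD:-passw0rd}"
bigip_mgmt="${BIGIP_MGMT:-10.10.10.10}"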

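get_token() {
  # Log in to the REST API and print the authentication token on stdout.
  # Globals:  user, pwd, bigip_mgmt (read)
  # Outputs:  the token, or nothing when the response carries no token
  # Returns:  status of the final jq stage, or non-zero if the body build fails
  local body
  # Build the JSON with jq so quotes or backslashes in the credentials cannot
  # break out of the string. The password is handed to jq through its
  # environment and to curl on stdin, so it never appears in a process
  # argument list. (The original also read $username, which is never set.)
  body=$(_bigip_pw="$pwd" jq -n --arg u "$user" \
    '{username: $u, password: env._bigip_pw, loginProviderName: "tmos"}') || return
  # NOTE: -k disables TLS certificate verification, so the credentials go to
  # an unauthenticated peer. Kept from the original; prefer --cacert with the
  # device's CA certificate.
  printf '%s' "$body" \
    | curl -sk -X POST "https://${bigip_mgmt}/mgmt/shared/authn/login" \
        -H "Content-Type: application/json" --data-binary @- \
    | jq -r '.token.token // empty'
}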

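apply_policy() {
  # Apply the policy: POST an apply-policy task for the policy id given in $1
  # and pretty-print the JSON response.
  # Globals:   TOKEN, bigip_mgmt (read)
  # Arguments: $1 - ASM policy id
  # Returns:   1 if no policy id is given, otherwise the status of jq
  local policy_id=${1:-} body
  if [[ -z "$policy_id" ]]; then
    echo "apply_policy: missing policy id" >&2
    return 1
  fi
  # Keep the payload in one quoted variable so an id containing whitespace
  # cannot split into extra curl arguments.
  printf -v body \
    '{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/%s"}}' \
    "$policy_id"
  # NOTE: -k disables TLS certificate verification (kept from the original).
  curl -ks -H "X-F5-Auth-Token: ${TOKEN}" -H "Content-Type: application/json" \
      -X POST "https://${bigip_mgmt}/mgmt/tm/asm/tasks/apply-policy" -d "$body" \
    | jq '.'
}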

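get_policy_list() {
  # Get all ASM policies and print their names on one line, space-separated.
  # Globals:  TOKEN, bigip_mgmt (read)
  # Outputs:  policy names on stdout
  #
  # The URL is double-quoted so ${bigip_mgmt} is expanded (the original
  # single-quoted it, sending the request to the literal host "$bigip_mgmt");
  # the OData "$select" keeps its dollar sign through the backslash.
  # NOTE: -k disables TLS certificate verification (kept from the original).
  curl -ks -H "X-F5-Auth-Token: ${TOKEN}" \
      "https://${bigip_mgmt}/mgmt/tm/asm/policies?\$select=name,id" \
    | jq -r '.items[].name' \
    | paste -sd ' ' -
}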

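show_policy_list() {
  # Show the policy names as a numbered menu, read the operator's choice from
  # stdin and print the chosen name on stdout.
  # Arguments: policy names, either as separate arguments or as one
  #            whitespace-separated string
  # Outputs:   menu and prompt on stderr, selected name on stdout
  # Returns:   1 when the selection is not a valid menu index
  local -a arr
  local i policy_name_index
  # Split every argument on whitespace; the original used only $1, so a list
  # passed unquoted showed just the first policy.
  read -r -d '' -a arr <<<"$*" || true
  # Menu and prompt go to stderr: callers capture stdout with $(...), which
  # would otherwise hide the menu and mix it into the returned name.
  for i in "${!arr[@]}"; do
    printf '%s %s\n' "$i" "${arr[$i]}" >&2
  done
  printf 'Select the ASM Policy [ENTER]: ' >&2
  read -r policy_name_index
  # Array subscripts are evaluated as arithmetic expressions, so accept plain
  # digits only before using operator input as an index.
  if [[ ! "$policy_name_index" =~ ^[0-9]{1,9}$ ]] \
      || (( 10#$policy_name_index >= ${#arr[@]} )); then
    echo "Invalid selection" >&2
    return 1
  fi
  printf '%s\n' "${arr[10#$policy_name_index]}"
}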

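get_policy_id() {
  # Get the id of the policy whose name matches $1 and print it on stdout.
  # Globals:   TOKEN, bigip_mgmt (read)
  # Arguments: $1 - policy name (inserted into the query string as given)
  #
  # The URL is double-quoted so ${bigip_mgmt} is expanded (the original
  # single-quoted it); "\$filter" and "\$select" keep their literal dollar.
  # NOTE: -k disables TLS certificate verification (kept from the original).
  local policy_name=${1:-}
  curl -ks -H "X-F5-Auth-Token: ${TOKEN}" \
      "https://${bigip_mgmt}/mgmt/tm/asm/policies?\$filter=name%20eq%20${policy_name}&\$select=name,id" \
    | jq -r '.items[] | .id'
}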

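get_signature_id() {
  # Ask for an attack signature id and print the id of the matching signature
  # entry in policy $1.
  # Globals:   TOKEN, bigip_mgmt (read); SIGNATURE (written)
  # Arguments: $1 - ASM policy id
  # Outputs:   prompt on stderr, matching entry id on stdout (nothing if none)
  # Returns:   1 when the entered signature id is not numeric
  local policy_id=${1:-}
  # Prompt on stderr: callers capture stdout with $(...), and the original
  # prompt text ended up inside the captured id.
  printf 'Enter Signature ID to disable [ENTER]: ' >&2
  read -r SIGNATURE
  # Digits only, and passed to jq as data (--arg) rather than spliced into
  # the filter text, so operator input cannot change the jq program.
  if [[ ! "$SIGNATURE" =~ ^[0-9]+$ ]]; then
    echo "Signature ID must be numeric" >&2
    return 1
  fi
  # Double-quoted URL so ${bigip_mgmt} is expanded (single-quoted originally).
  # NOTE: -k disables TLS certificate verification (kept from the original).
  curl -ks -H "X-F5-Auth-Token: ${TOKEN}" \
      "https://${bigip_mgmt}/mgmt/tm/asm/policies/${policy_id}/signatures?\$select=signatureReference,id,enabled" \
    | jq -r --arg sig "$SIGNATURE" \
        '.items[] | select(.signatureReference.signatureId == ($sig | tonumber)) | .id'
}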

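disable_attack_signature() {
  # Disable the attack signature: PATCH entry $2 of policy $1 with
  # {"enabled":"false"} and print curl's exit status.
  # Globals:   TOKEN, bigip_mgmt (read)
  # Arguments: $1 - ASM policy id, $2 - signature entry id
  # Outputs:   curl's exit status on stdout
  # Returns:   the same status (1 when an argument is missing)
  local policy_id=${1:-} signature_id=${2:-} rc=0
  if [[ -z "$policy_id" || -z "$signature_id" ]]; then
    echo "disable_attack_signature: policy id and signature id are required" >&2
    return 1
  fi
  # The original piped curl into "echo $?", which printed the status of an
  # earlier command, not curl's. -f makes HTTP error responses count as
  # failures; the response body is discarded, as before.
  # Double-quoted URL so ${bigip_mgmt} is expanded (single-quoted originally).
  # NOTE: -k disables TLS certificate verification (kept from the original).
  curl -ksf -o /dev/null -H "X-F5-Auth-Token: ${TOKEN}" \
    -H "Content-Type: application/json" -X PATCH \
    "https://${bigip_mgmt}/mgmt/tm/asm/policies/${policy_id}/signatures/${signature_id}" \
    -d '{"enabled":"false"}' || rc=$?
  echo "$rc"
  return "$rc"
}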


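# Main flow: log in, pick a policy, look up the signature entry, disable it,
# then apply the policy. Each step stops the script when the previous one
# produced nothing, so no request is sent with an empty token or id.
TOKEN=$(get_token)
# jq -r prints the string "null" when the login response has no token.
if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
        echo "Login to $bigip_mgmt failed...exiting" >&2
        exit 1
fi

POLICY_LIST=$(get_policy_list)

# Quoted so the whole list reaches the function as one argument.
POLICY_NAME=$(show_policy_list "$POLICY_LIST")

POLICYID=$(get_policy_id "$POLICY_NAME")
if [[ -z "$POLICYID" ]]; then
        echo "Policy not found...exiting" >&2
        exit 1
fi

SIGNATUREID=$(get_signature_id "$POLICYID")
# String test: the original used -eq, which evaluates the captured text as an
# arithmetic expression. SIGNATURE is set inside the $(...) subshell and is
# not visible here, so the message no longer refers to it.
if [[ -z "$SIGNATUREID" ]]; then
        echo "Signature not found in policy...exiting"
        exit 1
fi

# Do not apply the policy if the signature change did not go through.
disable_attack_signature "$POLICYID" "$SIGNATUREID" || exit 1

apply_policy "$POLICYID"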
howtos/disable_an_attack_signature_via_api.txt · Last modified: 25/05/2023 17:57 by domingo