Manage the Security Monitoring Signature Database

Overview

You can use the F5 NGINX Security Monitoring module to monitor NGINX App Protect WAF instances for security. The Security Monitoring module analytics dashboards utilize a Signature Database to give more detail about the Attack Signatures that have caused a Security Violation, like the Signature’s name, accuracy, and risk. If the Signature Database is not updated to match the Attack Signature version used for App Protect WAF protection, new signatures may be triggered without a name or other attributes like risk and accuracy.

Make sure the dashboards show the right info by following the steps in this topic to update the Security Monitoring module with the newest Attack Signature data.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

  • NGINX Security Monitoring is installed and running
  • NGINX App Protect is configured, and the Security Monitoring dashboard is gathering security violations

How to Update the Signature Database

  1. Open an SSH connection to the data plane host and log in.

  2. Use the Attack Signature Report Tool to generate a Signature Report file. The filename must be signature-report.json.

    Example:

    sudo /opt/app_protect/bin/get-signatures -o ./signature-report.json
    
  3. Open an SSH connection to the management plane host and log in.

  4. Replace the signature-report.json on your NGINX Instance Manager’s control plane at /usr/share/nms/sigdb/signature-report.json with the newly generated Signature Report.

    Example:

    sudo scp /path/to/signature-report.json {user}@{host}:/usr/share/nms/sigdb/signature-report.json
    
  5. Restart the NGINX Instance Manager services:

    sudo systemctl restart nms-ingestion
    sudo systemctl restart nms-core
    

Last modified November 14, 2024