The following article describes how to enable signature pinning for Web Application Firewall (WAF). WAF inline customers can activate signature pinning by upgrading to Alert Logic appliance version 22.214.171.124, available as of November 18, 2022.
The Signature Pinning feature is a new addition to the Alert Logic WAF. It lets you align the active signature version with change management requirements. The options include pinning to a specific version and trailing the most recent version so that the active version is always one or two versions behind it.
To support testing requirements, there is an option to log differences between the current approved version and the most recent version. When enabled, regardless of the mode (protect/detect) a website is running in, violations that would have been caught by the newer signature version are detected and logged – but not blocked. This is a valuable tool for customers who are hesitant to move to newer signature models due to concerns about false positives and downtime. The feature allows customers to test the impact of newer signature models on their normal production web traffic before activating them.
The advanced signature model (released on October 4, 2021) requires less tuning due to the tiered coverage model. The advanced model also provides coverage of elements the legacy signature model does not cover (headers and upload file data). Alert Logic has a strong interest in moving customers from the legacy model to the advanced signature model so that they get this additional coverage. However, for already tuned websites, moving to a more recent signature model with more recent signatures involves a theoretical risk of false positives from new signatures. This is also true for moving to a more recent signature version within the same model (advanced > advanced).
Signature pinning allows risk-averse customers to overcome this by showing them the consequences before they commit to the new signature model or move to a new version.
To ease the process of upgrading from the legacy signature model to the new advanced trust and confidence-based signature model, the legacy signatures have been ported to the new signature format. They will appear in the list of signature versions as 126.96.36.199. By pinning the signatures to this version and enabling the “log difference” feature, the outcome in terms of additional detection can be monitored in the deny log as allowed violations.
Follow these steps to enable signature pinning and to set the approved running signature version:
- In the Alert Logic console, navigate to the main menu icon > Configure > WAF > Appliances.
- Select Manage Appliance to the right of the appliance that you want to enable signature pinning for.
- Select Websites from the left-hand navigation followed by Global in the header navigation.
- Scroll down to the Advanced signature model section header.
- Select the version policy you wish to enable from the dropdown.
- Select the approved version you wish to enable from the dropdown.
- Select the checkbox to enable logging the difference between the most recent signature version and the approved version.
- After selecting the version policy, approved version, and log options, click Save Settings at the bottom-right of the screen.
- Click Apply Changes in the top-left of the screen.
Explanation of Signature Pinning Configuration
The Most recent version represents the most recent signature version available for customers to use, whether it is the active approved version or not.
The active signature version used on the appliance is now determined by the Version policy and Approved version controls together.
If the Version Policy equals Trail, then the approved version can either be the most recent version or trail the most recent version by one or two.
As such, when you are in Trail mode and a newer version is released, the approved version will always advance in line with the trailing version distance selected (equal to, behind by one, or behind by two). Using the screenshot above as an example, as the most recent version advances to 188.8.131.52, the approved version will then become 184.108.40.206.
If the Version Policy equals Pin, then the approved version you select is the one that will be active on the appliance.
If you are in Pin mode and a newer version is released, the approved version will remain as the approved version selected until someone makes and saves a change. Using the screenshots above as an example, as the most recent version advances to 220.127.116.11, the approved version will remain 18.104.22.168 until someone explicitly changes and saves the configuration.
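The sketch below models the Trail and Pin behaviour described above and replays a release history to show how far the active version falls behind under each policy. It is an added example, not Alert Logic code: the class, function names and `V1`..`V5` version labels are hypothetical, and the fallback when fewer releases exist than the trail distance is an assumption.

```python
from dataclasses import dataclass

# Constructed release history, oldest first (placeholders, not real version numbers).
RELEASES = ["V1", "V2", "V3", "V4", "V5"]


@dataclass
class PinningConfig:
    policy: str              # "trail" or "pin"
    trail_distance: int = 0  # Trail only: 0 = most recent, 1 or 2 = versions behind
    pinned: str = ""         # Pin only: approved version selected by the operator


def approved_version(cfg, available):
    """Return the signature version that is active for this configuration."""
    if not available:
        raise ValueError("no signature versions available")
    if cfg.policy == "pin":
        if cfg.pinned not in available:
            raise ValueError(f"pinned version {cfg.pinned!r} is not available")
        return cfg.pinned
    if cfg.policy == "trail":
        if cfg.trail_distance not in (0, 1, 2):
            raise ValueError("trail distance must be 0, 1 or 2")
        # Assumption: with fewer releases than the distance, use the oldest one.
        return available[max(len(available) - 1 - cfg.trail_distance, 0)]
    raise ValueError(f"unknown policy {cfg.policy!r}")


def replay(cfg, releases):
    """Return (most_recent, approved, versions_behind) after each new release."""
    timeline = []
    for n in range(1, len(releases) + 1):
        seen = releases[:n]
        if cfg.policy == "pin" and cfg.pinned not in seen:
            continue  # the pinned version has not been released yet
        active = approved_version(cfg, seen)
        timeline.append((seen[-1], active, len(seen) - 1 - seen.index(active)))
    return timeline


if __name__ == "__main__":
    for cfg in (PinningConfig("trail", trail_distance=1), PinningConfig("pin", pinned="V2")):
        print(cfg.policy, replay(cfg, RELEASES))
```

Under Trail the gap to the most recent version stays capped at the selected distance, while under Pin it grows with every release until someone changes the approved version.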
The critical component of signature pinning is the ability to log the difference between running the approved version and the most recent version. The differences are recorded as log-only violations (regardless of whether the website policy is in protect mode) that are clearly flagged as violations detected only by the most recent signature version. If you check the box Log differences between the most recent and approved version, future entries in the deny log are denoted by the version that triggered the exception and the signature within that version that triggered the event. The request displays an allowed action, but the information field shows an exception indicating that it would have been blocked if you were running the most recent signature version.
Users can then filter their deny logs based on the exceptions returned to review requests that are presently allowed that would be blocked if they move to the newest signature version.
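As an added illustration of that review step (not part of the original article or the product), the script below groups allowed requests that only the most recent version flagged, by signature. The JSON layout, field names, signature ids and `V4` label are constructed assumptions, not the real deny-log schema, and ranking by distinct clients is a triage heuristic chosen for this example.

```python
import json
from collections import defaultdict

# Constructed sample entries; field names are assumptions, not the real deny-log schema.
SAMPLE_LOG = """\
{"action": "allow", "path": "/search", "client": "198.51.100.7", "exception": {"version": "V4", "signature": "sig-101"}}
{"action": "allow", "path": "/search", "client": "198.51.100.8", "exception": {"version": "V4", "signature": "sig-101"}}
{"action": "allow", "path": "/search", "client": "198.51.100.9", "exception": {"version": "V4", "signature": "sig-101"}}
{"action": "allow", "path": "/upload", "client": "198.51.100.7", "exception": {"version": "V4", "signature": "sig-205"}}
{"action": "allow", "path": "/upload", "client": "198.51.100.7", "exception": {"version": "V4", "signature": "sig-205"}}
{"action": "block", "path": "/login", "client": "203.0.113.5", "exception": null}
{"action": "allow", "path":
"""


def log_only_findings(lines, most_recent):
    """Group allowed requests that only the most recent version flagged, by signature."""
    findings = defaultdict(lambda: {"hits": 0, "paths": set(), "clients": set()})
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("action") != "allow":
            continue  # blocked requests were caught by the approved version
        exc = entry.get("exception")
        if not isinstance(exc, dict) or exc.get("version") != most_recent:
            continue
        item = findings[exc.get("signature", "unknown")]
        item["hits"] += 1
        item["paths"].add(entry.get("path"))
        item["clients"].add(entry.get("client"))
    return dict(findings)


def review_order(findings):
    """Sort signatures by distinct clients, then hits (broad hits suggest false positives)."""
    return sorted(findings, key=lambda s: (-len(findings[s]["clients"]), -findings[s]["hits"], s))


if __name__ == "__main__":
    found = log_only_findings(SAMPLE_LOG.splitlines(), "V4")
    for sig in review_order(found):
        print(sig, found[sig]["hits"], sorted(found[sig]["paths"]), len(found[sig]["clients"]))
```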
You can now use signature pinning to stage and compare how the latest signature update works for you. If the traffic flows as expected (no false positives triggered) and everything works fine, then you have the data and analysis to get any buy-in needed to switch the signature version.