How to: Work with user-defined signatures
User-defined signatures are added as a new node in a declarative policy. The node contains user-defined signatures associated with a signature tag. These signatures are accessible only to the current policy. Unlike in classic BIG-IP, user-defined signatures and signature sets are not global entities.
User-defined tagged signatures appear in the remote log with the tag name prepended. All previous signatures associated with a policy will be deleted when the policy is deleted or re-imported.
{
    "policy": {
        "name": "my_signature_policy",
        "template": {
            "name": "POLICY_TEMPLATE_COMPREHENSIVE"
        },
        "enforcementMode": "blocking",
        "signature-sets": [
            {
                "name": "foo sigs",
                "alarm": true,
                "block": true,
                "signatureSet": {
                    "filter": {
                        "tagValue": "foo",
                        "tagFilter": "eq"
                    }
                }
            }
        ],
        "user-defined-signatures": [
            {
                "tag": "foo",
                "signatures": [
                    {
                        "accuracy": "medium",
                        "attackType": {
                            "name": "Denial of Service"
                        },
                        "description": "So, a signature walks into a bar",
                        "name": "bar",
                        "risk": "medium",
                        "rule": "content:\"bar\"; re2:\"/bar\\d+stuff/\"; nocase; ",
                        "signatureType": "request"
                    }
                ]
            }
        ]
    }
}
Signature import files can be referenced externally as well; the files must be stored locally on BIG-IP Next.
{
    "policy": {
        "name": "my_signature_policy",
        "template": {
            "name": "POLICY_TEMPLATE_COMPREHENSIVE"
        },
        "enforcementMode": "blocking",
        "signature-sets": [
            {
                "tag": "foo",
                "alarm": true,
                "block": true
            },
            {
                "tag": "bar",
                "alarm": true,
                "block": false
            }
        ],
        "user-defined-signatures": [
            {
                "$ref": "file:///foo_signatures.json"
            },
            {
                "$ref": "file:///bar_signatures.json"
            }
        ]
    }
}
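The following Python lint is an added example, not part of the F5 documentation; it checks a policy in either form shown above (inline signatures or `$ref` imports) before it is imported. It assumes a tagged signature only takes effect through a signature set that selects its tag; `lint_policy`, the finding names, and the sample policy are constructed for illustration.

```python
import json

# Constructed sample: tag "foo" has a set, tag "baz" has none, and one $ref
# points at a non-local URL (example.invalid is a placeholder host).
SAMPLE = json.loads(r'''
{"policy": {
  "signature-sets": [
    {"name": "foo sigs", "alarm": true, "block": true,
     "signatureSet": {"filter": {"tagValue": "foo", "tagFilter": "eq"}}}
  ],
  "user-defined-signatures": [
    {"tag": "foo", "signatures": [{"name": "bar", "rule": "content:\"bar\"; nocase; "}]},
    {"tag": "baz", "signatures": [{"name": "qux", "rule": "content:\"qux\"; "}]},
    {"$ref": "https://example.invalid/sigs.json"}
  ]
}}
''')

def lint_policy(doc):
    """Return sorted (kind, detail) findings for one declarative policy."""
    policy = doc["policy"]
    active = {}  # tag -> True if a set selecting it alarms or blocks
    for s in policy.get("signature-sets", []):
        flt = s.get("signatureSet", {}).get("filter", {})
        # Both forms shown on the page: an "eq" tag filter, or a bare "tag" key.
        tag = flt.get("tagValue") if flt.get("tagFilter") == "eq" else s.get("tag")
        if tag is not None:
            active[tag] = active.get(tag, False) or bool(s.get("alarm") or s.get("block"))
    findings = []
    for entry in policy.get("user-defined-signatures", []):
        if "$ref" in entry:
            # Import files must be stored locally, so expect a file:/// reference.
            if not entry["$ref"].startswith("file:///"):
                findings.append(("non-local-ref", entry["$ref"]))
            continue  # tags inside the referenced file cannot be checked here
        tag = entry.get("tag", "")
        if not entry.get("signatures"):
            findings.append(("empty-signature-list", tag))
        if tag not in active:
            findings.append(("tag-without-set", tag))  # assumed: never enforced
        elif not active[tag]:
            findings.append(("set-neither-alarms-nor-blocks", tag))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in lint_policy(SAMPLE):
        print(f"{kind}: {detail}")
```

Tags defined inside `$ref` files are skipped here; run the same check against each referenced file's contents to cover them.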