How to: Work with user-defined signatures

User-defined signatures are added as a new node in a declarative policy. The node contains the user-defined signatures, each group associated with a signature tag. These signatures are accessible only to the current policy. Unlike in classic BIG-IP, user-defined signatures and signature sets are not global entities.

User-defined tagged signatures appear in the remote log with the tag name prepended. All previous signatures associated with a policy will be deleted when the policy is deleted or re-imported.

{
    "policy": {
        "name": "my_signature_policy",
        "template": {
            "name": "POLICY_TEMPLATE_COMPREHENSIVE"
        },
        "enforcementMode": "blocking",
        "signature-sets": [
            {
                "name": "foo sigs",
                "alarm": true,
                "block": true,
                "signatureSet": {
                    "filter": {
                        "tagValue": "foo",
                        "tagFilter": "eq"
                    }
                }
            }
        ],
        "user-defined-signatures": [
            {
                "tag": "foo",
                "signatures": [
                    {
                        "accuracy": "medium",
                        "attackType": {
                            "name": "Denial of Service"
                        },
                        "description": "So, a signature walks into a bar",
                        "name": "bar",
                        "risk": "medium",
                        "rule": "content:\"bar\"; re2:\"/bar\\d+stuff/\"; nocase; ",
                        "signatureType": "request"
                    }
                ]
            }
        ]
    }
}

Signature import files can also be referenced externally. The files must be stored locally on BIG-IP Next.

{
    "policy": {
        "name": "my_signature_policy",
        "template": {
            "name": "POLICY_TEMPLATE_COMPREHENSIVE"
        },
        "enforcementMode": "blocking",
        "signature-sets": [
            {
                "tag": "foo",
                "alarm": true,
                "block": true
            },
            {
                "tag": "bar",
                "alarm": true,
                "block": false
            }
        ],
        "user-defined-signatures": [
            {
                "$ref": "file:///foo_signatures.json"
            },
            {
                "$ref": "file:///bar_signatures.json"
            }
        ]
    }
}
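The two declarations above tie each signature set to user-defined signatures only through the tag string, so a typo in either place leaves a set that selects nothing. The following pre-deployment check is an added example, not F5 code: the function names `set_tag` and `lint_tags` and the sample policy are constructed for illustration, and whether BIG-IP Next itself rejects a mismatched policy is not stated on this page.

```python
import json

# Constructed sample: the page's first policy plus a "baz" set and a "qux"
# tag that do not match each other, and one external $ref entry.
SAMPLE_POLICY = json.loads(r'''
{"policy": {
  "signature-sets": [
    {"name": "foo sigs", "alarm": true, "block": true,
     "signatureSet": {"filter": {"tagValue": "foo", "tagFilter": "eq"}}},
    {"name": "baz sigs", "alarm": true, "block": true,
     "signatureSet": {"filter": {"tagValue": "baz", "tagFilter": "eq"}}}
  ],
  "user-defined-signatures": [
    {"tag": "foo", "signatures": [{"name": "bar", "signatureType": "request",
      "rule": "content:\"bar\"; nocase; "}]},
    {"tag": "qux", "signatures": []},
    {"$ref": "file:///bar_signatures.json"}
  ]
}}
''')

def set_tag(sig_set):
    """Return the tag a signature set selects, in either shape shown above."""
    if "tag" in sig_set:                      # shorthand form (second example)
        return sig_set["tag"]
    flt = sig_set.get("signatureSet", {}).get("filter", {})
    if flt.get("tagFilter") == "eq":          # filter form (first example)
        return flt.get("tagValue")
    return None                               # other filter kinds: not checked

def lint_tags(doc):
    """Cross-check tags used by signature sets against tags defined inline."""
    policy = doc["policy"]
    defined, refs = set(), []
    for entry in policy.get("user-defined-signatures", []):
        if "$ref" in entry:
            refs.append(entry["$ref"])        # tag lives in the external file
            continue
        defined.add(entry["tag"])
    used = {t for t in map(set_tag, policy.get("signature-sets", [])) if t}
    return {
        "sets_without_signatures": sorted(used - defined),  # candidates if refs exist
        "tags_without_set": sorted(defined - used),
        "unresolved_refs": refs,
    }

if __name__ == "__main__":
    print(json.dumps(lint_tags(SAMPLE_POLICY), indent=2))
```

When `unresolved_refs` is non-empty, entries in `sets_without_signatures` may be defined in those external files, so review them against the referenced files before treating them as errors.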