security dos dos-signature

security dos dos-signature(1) BIG-IP TMSH Manual security dos dos-signature(1)



NAME
       dos-signature - Configures DoS Behavioral Signature(s).

MODULE
       security dos

SYNTAX
       Configure the dos-signature component within the security dos module
       using the syntax shown in the following sections.

   CREATE/MODIFY
	create dos-signature [name]
	modify dos-signature [name]
	  options:
	    alias [string]
	    app-service [string | none]
	    approval-state [ unapproved | manually-approved ]
	    parent-context-type [device | virtual-server | device-netflow]
	    parent-context [string]
	    parent-profile [string]
	    description [string]
	    family [dns | network | http]
	    manual-detection-threshold [integer]
	    manual-mitigation-threshold [integer]
	    origin [dynamic-bdos | user-defined]
	    predicates [list of struct(string, string, string)]
	    shareability-state [not-shareable | fully-shareable]
	    state [disabled | learn-only | detect-only | mitigate]
	    tags [list of string]
	    threshold-mode [manual | stress-based-mitigation | fully-automatic]
	    type [dynamic | persistent]

   DISPLAY
	list dos-signature [name]

   DELETE
	delete dos-signature [name]

DESCRIPTION
       You can use the dos-signature component to modify or display a DoS
       signature.

EXAMPLES
       create security dos dos-signature Sig_Device_ToS type persistent family
       http origin user-defined state disabled

       This example shows how to create a DoS signature named Sig_Device_ToS.

       list security dos dos-signature Sig_Device_ToS

       This example shows how to display a DoS signature named Sig_Device_ToS.

       modify dos-signature Sig_Device_TTL manual-detection-threshold 10000
       manual-mitigation-threshold 4294967295

       This example shows how to modify the manual detection and mitigation
       thresholds of a DoS signature named Sig_Device_TTL.

       delete security dos dos-signature Sig_Device_ToS

       This example shows how to delete a DoS signature named Sig_Device_ToS.

OPTIONS
       alias
	    Specifies the alias name of a signature. The default is an empty
	    string.

       app-service
	    Specifies the application service that the object belongs to.

       approval-state
	    Specifies whether or not the signature has been reviewed for
	    quality/correctness. The default is unapproved.

	    A user cannot modify approval-state for a signature with the dns
	    or network family.

	    The options are:

	    unapproved
		 Specifies the signature is not approved.

	    manually-approved
		 Specifies the signature has been reviewed for
		 quality/correctness.

       parent-context-type
	    Specifies the type of the context for which this signature has
	    been generated. The available options are:

	    device
		 Specifies the context type is a DoS device.

	    virtual-server
		 Specifies the type of the context is a Virtual Server.

	    device-netflow
		 Specifies the context type is a Netflow device.

	    For a dynamic type signature, it is a required field and cannot be
	    modified once specified. For a persistent type signature, it
	    cannot be reset once it is set. The default is unspecified.

       parent-context
	    Specifies the context for which this signature has been generated.
	    This field is based on parent-context-type. If parent-context-type
	    is device, it must be the constant "Device". For a dynamic type
	    signature, it cannot be empty and cannot be modified once
	    specified. For a persistent type signature, it cannot be reset
	    once it is set. The default is an empty string.

       parent-profile
	    Specifies the profile for which this signature has been generated.
	    This field is based on parent-context-type. If parent-context-type
	    is device, it must be the constant "/Common/dos-device-config".
	    For a dynamic type signature, it cannot be empty and cannot be
	    modified once specified. For a persistent type signature, it
	    cannot be reset once it is set. The default is an empty string.

       description
	    Specifies a user-defined description for this signature.

       family
	    Specifies the family this signature belongs to. This is a required
	    field for creation. The options are dns, network, and http.

	    It cannot be modified once the signature is created. A user cannot
	    create a signature with the dns or network family.

       manual-detection-threshold
	    Specifies the manual threshold (Events Per Second) above which the
	    traffic is declared as an attack. The default is infinite
	    (4294967295).

	    This field takes effect only when the threshold-mode attribute is
	    set to manual. For a signature with the http family, it should
	    always be 0.

       manual-mitigation-threshold
	    Specifies the manual threshold (Events Per Second) above which the
	    system rate limits (drops) the traffic that matches this
	    signature. The default is infinite (4294967295).

	    This field takes effect only when the threshold-mode attribute is
	    set to manual. For a signature with the http family, it should
	    always be 0.

       origin
	    Specifies the origin from which this signature is generated. The
	    options are dynamic-bdos and user-defined. The default is
	    user-defined.

	    It cannot be modified once the signature is created.

       predicates
	    Specifies the list of predicates that constitute this signature.
	    Each predicate contains 3 string fields: metric, operator, and
	    arguments. It is a required field.

	    A user cannot add or modify predicates for a signature with the
	    dns or network family.

       shareability-state
	    Specifies whether or not the signature can be used by Contexts
	    (Virtual Servers) other than the one that created the signature.
	    The default is not-shareable.

	    A user cannot modify shareability-state for a signature with the
	    dns or network family. Only a not-shareable signature can be
	    deleted.

	    not-shareable
		 Specifies the signature can only be used by the context that
		 created it.

	    fully-shareable
		 Specifies the signature can be used by contexts other than
		 the one that created it.

       state
	    Specifies the deployment state of this signature. The default is
	    disabled.

	    The options are:

	    disabled
		 Do not learn, do not collect stats.

	    learn-only
		 Learn/Collect stats, but do not "detect" ("alarm" in
		 ASM-speak) any attacks.

	    detect-only
		 Learn/Collect stats/detect, but do not mitigate
		 (rate-limit/drop, challenge, etc.) any attacks.

	    mitigate
		 Learn/Collect stats/detect/mitigate (using whichever
		 mitigation(s) are configured).

       tags Specifies the list of tags for this signature. The default is
	    empty.

       threshold-mode
	    Specifies the threshold mode for DoS detection and mitigation. The
	    default is manual.

	    The options are:

	    manual
		 Specifies the manual thresholds.

	    stress-based-mitigation
		 Specifies the manual detection ("alarm") threshold, but
		 mitigation threshold is stress-based. This option is not
		 available for a signature with http family or for a signature
		 with parent-context-type being device-netflow.

	    fully-automatic
		 Specifies both the detection ("alarm") and mitigation
		 thresholds are automatically computed. This option is not
		 available for a signature with http family or for a signature
		 with parent-context-type being device-netflow.

       type Specifies the type of this signature. The options are dynamic and
	    persistent. The default is persistent.

	    It cannot be changed from persistent to dynamic. A user cannot
	    create a dynamic signature but can modify and delete it.
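
       The create and modify constraints listed above can be checked before
       a change is sent to tmsh. The following Python linter is an added
       example, not part of the F5 manual or product; the function name
       lint and its dictionary inputs are hypothetical, and the existing
       argument is assumed to hold the signature's current options as
       displayed by list.

```python
# Added example: pre-flight check of dos-signature options against the
# constraints in the OPTIONS section. Not F5 code; names are hypothetical.
AUTO_MODES = {"stress-based-mitigation", "fully-automatic"}
THRESHOLDS = ("manual-detection-threshold", "manual-mitigation-threshold")
FAMILY_LOCKED = ("approval-state", "shareability-state", "predicates")
STATES = {"disabled", "learn-only", "detect-only", "mitigate"}


def lint(verb, opts, existing=None):
    """Return a list of constraint violations for a create or modify.

    verb     -- "create" or "modify"
    opts     -- options about to be passed to tmsh, as a dict
    existing -- for modify: the signature's current options (assumed input)
    """
    cur = dict(existing or {})
    merged = {**cur, **opts}
    family = merged.get("family")
    problems = []
    if verb == "create":
        if family is None:
            problems.append("family is required for creation")
        elif family in ("dns", "network"):
            problems.append("users cannot create dns or network signatures")
        if opts.get("type") == "dynamic":
            problems.append("users cannot create dynamic signatures")
    else:
        for key in ("family", "origin"):
            if key in opts and opts[key] != cur.get(key):
                problems.append(f"{key} cannot be modified after creation")
        if (cur.get("type", "persistent") == "persistent"
                and opts.get("type") == "dynamic"):
            problems.append("type cannot change from persistent to dynamic")
        if family in ("dns", "network"):
            problems += [f"{k} cannot be modified for {family} family"
                         for k in FAMILY_LOCKED if k in opts]
    if "state" in opts and opts["state"] not in STATES:
        problems.append(f"unknown state {opts['state']!r}")
    mode = merged.get("threshold-mode", "manual")  # documented default
    if mode in AUTO_MODES and (family == "http" or
            merged.get("parent-context-type") == "device-netflow"):
        problems.append(f"{mode} is unavailable for http or device-netflow")
    for key in THRESHOLDS:
        if key in opts and mode != "manual":
            problems.append(f"{key} only takes effect in manual threshold-mode")
        elif key in opts and family == "http" and int(opts[key]) != 0:
            problems.append(f"{key} should be 0 for http family")
    return problems
```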

SEE ALSO
       edit, list, modify, security, security dos, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2017. All rights reserved.



BIG-IP				  2017-08-05	 security dos dos-signature(1)