security dos dos-signature
security dos dos-signature(1) BIG-IP TMSH Manual security dos dos-signature(1)
NAME
dos-signature - Configures DoS Behavioral Signature(s).
MODULE
security dos
SYNTAX
Configure the dos-signature component within the security dos module
using the syntax shown in the following sections.
CREATE/MODIFY
create dos-signature [name]
modify dos-signature [name]
options:
alias [string]
app-service [string | none]
approval-state [ unapproved | manually-approved ]
parent-context-type [device | virtual-server | device-netflow]
parent-context [string]
parent-profile [string]
description [string]
family [dns | network | http | tls]
manual-detection-threshold [integer]
manual-mitigation-threshold [integer]
multiplier-mitigation-percentage [integer]
origin [dynamic-bdos | user-defined]
predicates [list of struct(string, string, string)]
shareability-state [not-shareable | fully-shareable ]
state [disabled | learn-only | detect-only | mitigate]
tags [list of string]
threshold-mode [manual | manual-multiplier-mitigation | stress-based-mitigation | fully-automatic]
type [dynamic | persistent]
DISPLAY
list dos-signature [name]
DELETE
delete dos-signature [name]
DESCRIPTION
You can use the dos-signature component to create, modify, display, or
delete a DoS signature.
EXAMPLES
create security dos dos-signature Sig_Device_ToS type persistent family
http origin user-defined state disabled
This example shows how to create a DoS signature named Sig_Device_ToS
list security dos dos-signature Sig_Device_ToS
This example shows how to display a DoS signature named Sig_Device_ToS
modify dos-signature Sig_Device_TTL manual-detection-threshold 10000
manual-mitigation-threshold 4294967295
This example shows how to modify the manual detection and mitigation
thresholds of a DoS signature named Sig_Device_TTL
delete security dos dos-signature Sig_Device_ToS
This example shows how to delete a DoS signature named Sig_Device_ToS
OPTIONS
alias
Specifies the alias name of a signature. The default is empty
string.
app-service
Specifies the application service that the object belongs to.
approval-state
Specifies whether or not the signature has been reviewed for
quality/correctness. For a persistent signature with dns or
network family, the default is manually-approved. Otherwise, the
default is unapproved.
User can't modify approval-state for a dynamic signature with dns
or network family.
The options are:
unapproved
Specifies the signature is not approved.
manually-approved
Specifies the signature has been reviewed for
quality/correctness.
parent-context-type
Specifies the type of the context for which this signature has
been generated.
The available options:
device
Specifies the context type is a DoS device.
virtual-server
Specifies the type of the context is a Virtual Server.
device-netflow
Specifies the context type is Netflow device.
For a dynamic type signature, it is a required field and it is not
allowed to be modified once specified.
For persistent type signature, it can't be reset once it is set.
The default is unspecified.
For persistent type signature with dns or network family, this
field is not applicable.
parent-context
Specifies the context for which this signature has been generated.
The default is empty string.
This field is based on parent-context-type. If parent-context-type
is device, it must be constant "Device". If parent-context-type is
device-netflow, it must be constant "NetFlow".
For a dynamic type signature, it can't be empty and it is not
allowed to be modified once specified.
For persistent type signature, it can't be reset once it is set.
For persistent type signature with dns or network family, this
field is not applicable.
parent-profile
Specifies the profile for which this signature has been generated.
The default is empty string.
This field is based on parent-context-type. If parent-context-type
is device or device-netflow, it must be constant
"/Common/dos-device-config".
For a dynamic type signature, it can't be empty and it is not
allowed to be modified once specified.
For a persistent type signature, it can't be reset once it is set.
This field is required for a persistent type signature with dns or
network family and non-shareable shareability-state.
description
Specifies user defined description for this signature.
family
Specifies the family this signature belongs to. This is a required
field for creation. The options are dns, network, http and tls.
It is not allowed to be modified once the signature is created.
manual-detection-threshold
Specifies the manual threshold (Events Per Second) above which the
traffic is declared as an attack. The default is
infinite(4294967295).
This field takes effect only when the threshold-mode attribute
is set to manual. For a signature with http family, it should
always be 0.
For a persistent signature with dns or network family, this field
is not applicable and should always be the default value.
For a dynamic signature with dns or network family, this field
can't be changed if threshold-mode is fully-automatic.
manual-mitigation-threshold
Specifies the manual threshold (Events Per Second) above which the
system rate limits (drops) the traffic that matches this
signature. The default is infinite(4294967295).
This field takes effect only when the threshold-mode attribute
is set to manual. For a signature with http family, it should
always be 0.
For a persistent signature with dns or network family, this field
is not applicable and should always be the default value.
For a dynamic signature with dns or network family, this field
can't be changed if threshold-mode is fully-automatic.
For a signature whose parent-context-type is device-netflow, this
field must be infinite(4294967295).
multiplier-mitigation-percentage
Specifies the mitigation multiplier, as a percentage, of this
specific DoS signature when using manual-multiplier-mitigation
mode. The default value is inherited from the corresponding
device-level/profile mitigation multiplier of the same DoS family.
origin
Specifies the origin where this signature is generated from. The
options are dynamic-bdos and user-defined. The default is user-
defined.
It is not allowed to be modified once it is created.
predicates
Specifies the list of predicates that constitute this signature.
Each predicate contains 3 string fields: metric, operator, and
arguments. It is a required field.
User can't add/modify predicates for a dynamic signature with dns
or network family.
shareability-state
Specifies whether or not the signature can be used by Contexts
(Virtual Servers) other than the one that created the signature.
For a persistent signature with dns or network, the default is
fully-shareable. Otherwise, the default is not-shareable.
User can't modify shareability-state for a dynamic signature with
dns or network family.
This field can't be changed from fully-shareable to not-shareable
if the signature is referenced by another context.
The options are:
not-shareable
Specifies the signature can only be used by context which
created it.
fully-shareable
Specifies the signature can be used by contexts other than
the one that created it.
state
Specifies the deployment state of this signature. The default is
disabled.
The options are:
disabled
Do not learn, do not collect stats.
learn-only
Learn/Collect stats, but do not "detect" ("alarm" in ASM-
speak) any attacks.
detect-only
Learn/Collect stats/detect, but do not mitigate
(rate-limit/drop, challenge, etc.) any attacks.
mitigate
Learn/Collect stats/detect/mitigate (using whichever
mitigation(s) are configured).
For a persistent signature with dns or network family, this field
is not applicable and it should be always default value.
For a dynamic signature with dns or network family, learn-only is
not allowed.
For a signature with http family, only learn-only or mitigate is
allowed.
tags
Specifies the list of tags of this signature. The default is empty.
threshold-mode
Specifies the threshold mode for DoS detection and mitigation. The
default is manual.
The options are:
manual
Specifies the manual thresholds.
stress-based-mitigation
Specifies the manual detection ("alarm") threshold, but
mitigation threshold is stress-based. This option is not
available for a signature with http family or for a signature
with parent-context-type being device-netflow.
fully-automatic
Specifies both the detection ("alarm") and mitigation
thresholds are automatically computed. This option is not
available for a signature with http family.
manual-multiplier-mitigation
Specifies that the detection ("alarm") threshold is automatically
computed. The mitigation threshold is calculated by multiplying
the detection threshold by the multiplier-mitigation-percentage.
For a persistent signature with dns or network family, this field
is not applicable and it should be always default value.
For a signature whose parent-context-type is device-netflow, this
field can't be stress-based-mitigation.
For a signature with http family, this field can't be stress-
based-mitigation or fully-automatic.
type
Specifies the type of this signature. The options are dynamic and
persistent. The default is persistent.
It is not allowed to be changed from persistent to dynamic. Users
cannot create a dynamic signature, but can modify and delete one.
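The following is an added example, not part of this manual page and not
F5 code: a Python pre-flight check that encodes the field constraints
documented under OPTIONS, so that a planned create or modify can be
linted before it is typed into tmsh. Assumptions not taken from this
page: the dictionary keys mirror the tmsh option names; the predicate
tuples and the virtual server path /Common/vs_web in the constructed
sample are placeholders; and render_create emits only scalar options,
because the tmsh syntax for the predicates and tags lists is not
documented here.

```python
"""Pre-flight linter for BIG-IP tmsh 'security dos dos-signature' settings.

Added example (not part of the BIG-IP man page or F5's code). It encodes the
field constraints from the OPTIONS section as checks you can run on the
settings you intend to pass to 'create' or 'modify' before touching the
device. Only fields that are explicitly set are judged; unset fields are
assumed to take the documented defaults. Config keys are the tmsh option
names; 'predicates' is an opaque list because the page does not document
the predicate syntax (the tuples below are placeholders, not real metrics).
"""

INFINITE = 4294967295  # the page's "infinite" threshold value

FAMILIES = {"dns", "network", "http", "tls"}
STATES = {"disabled", "learn-only", "detect-only", "mitigate"}
MODES = {"manual", "manual-multiplier-mitigation",
         "stress-based-mitigation", "fully-automatic"}
CONTEXT_TYPES = {"device", "virtual-server", "device-netflow"}
DEVICE_PROFILE = "/Common/dos-device-config"


def check_signature(cfg):
    """Return a list of problems; an empty list means nothing on the page forbids it."""
    problems = []
    fam = cfg.get("family")
    typ = cfg.get("type", "persistent")
    state = cfg.get("state", "disabled")
    mode = cfg.get("threshold-mode", "manual")
    ctx_type = cfg.get("parent-context-type")
    det = cfg.get("manual-detection-threshold")   # None == left at default
    mit = cfg.get("manual-mitigation-threshold")

    if fam not in FAMILIES:
        problems.append("family is required; one of %s" % sorted(FAMILIES))
    if not cfg.get("predicates"):
        problems.append("predicates is a required field")
    if state not in STATES:
        problems.append("state must be one of %s" % sorted(STATES))
    if mode not in MODES:
        problems.append("threshold-mode must be one of %s" % sorted(MODES))
    if ctx_type is not None and ctx_type not in CONTEXT_TYPES:
        problems.append("parent-context-type must be one of %s" % sorted(CONTEXT_TYPES))

    dns_net = fam in ("dns", "network")

    # type-specific rules
    if typ == "dynamic":
        for f in ("parent-context-type", "parent-context", "parent-profile"):
            if not cfg.get(f):
                problems.append("%s is required for a dynamic signature" % f)
        if dns_net and state == "learn-only":
            problems.append("learn-only is not allowed for a dynamic dns/network signature")
    elif dns_net:  # persistent dns/network: state, mode and thresholds stay at defaults
        if state != "disabled" or mode != "manual":
            problems.append("state and threshold-mode are not applicable to a persistent dns/network signature")
        if det not in (None, INFINITE) or mit not in (None, INFINITE):
            problems.append("manual thresholds are not applicable to a persistent dns/network signature")
        if cfg.get("shareability-state") == "not-shareable" and not cfg.get("parent-profile"):
            problems.append("parent-profile is required for a not-shareable persistent dns/network signature")

    # parent-context / parent-profile constants tied to the context type
    ctx, prof = cfg.get("parent-context"), cfg.get("parent-profile")
    if ctx_type == "device" and ctx not in (None, "Device"):
        problems.append('parent-context must be "Device" when parent-context-type is device')
    if ctx_type == "device-netflow" and ctx not in (None, "NetFlow"):
        problems.append('parent-context must be "NetFlow" when parent-context-type is device-netflow')
    if ctx_type in ("device", "device-netflow") and prof not in (None, DEVICE_PROFILE):
        problems.append('parent-profile must be "%s" for a device or device-netflow context' % DEVICE_PROFILE)
    if ctx_type == "device-netflow":
        if mode == "stress-based-mitigation":
            problems.append("stress-based-mitigation is not available for a device-netflow context")
        if mit not in (None, INFINITE):
            problems.append("manual-mitigation-threshold must be infinite for a device-netflow context")

    # http family restrictions
    if fam == "http":
        if state not in ("learn-only", "mitigate"):
            problems.append("http family allows only state learn-only or mitigate")
        if mode in ("stress-based-mitigation", "fully-automatic"):
            problems.append("http family cannot use %s" % mode)
        if det not in (None, 0) or mit not in (None, 0):
            problems.append("manual thresholds must be 0 for an http signature")

    # thresholds only take effect in manual mode; flag ones that would be ignored
    if mode != "manual" and (det is not None or mit is not None):
        problems.append("manual thresholds are ignored unless threshold-mode is manual")
    return problems


def render_create(name, cfg):
    """Build the tmsh 'create' line from scalar settings. Lists such as
    predicates and tags are left out: their tmsh syntax is not on this page."""
    parts = ["create security dos dos-signature", name]
    for key in sorted(cfg):
        if isinstance(cfg[key], (str, int)):
            parts.append("%s %s" % (key, cfg[key]))
    return " ".join(parts)


if __name__ == "__main__":
    # constructed sample: a manual-threshold http signature on an assumed virtual server
    good = {"type": "persistent", "family": "http", "origin": "user-defined",
            "state": "mitigate", "threshold-mode": "manual",
            "manual-detection-threshold": 0, "manual-mitigation-threshold": 0,
            "parent-context-type": "virtual-server", "parent-context": "/Common/vs_web",
            "predicates": [("<metric>", "<operator>", "<arguments>")]}
    for problem in check_signature(good):
        print("problem:", problem)
    print(render_create("Sig_VS_Web", good))
```

Run it as a script to lint the constructed sample and print the resulting
create line. An empty list from check_signature means the combination
violates nothing stated on this page; it is a necessary condition for
tmsh to accept the command, not a guarantee, since the device enforces
rules this page does not list.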
SEE ALSO
edit, list, modify, security, security dos, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2017. All rights reserved.
BIG-IP 2018-07-19 security dos dos-signature(1)