Manual Chapter : Create protocol inspection items

Applies To:

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Create protocol inspection items

Add inspection items to create new inspections based on Snort signatures. You write signatures in Snort format. For information on writing Snort rules, see https://www.snort.org/documents.
  1. On the Main tab, click Security > Protocol Security > Inspection List.
    The Inspection List screen opens.
  2. Click New Signature.
  3. In the Name field, type a name for the signature.
  4. In the Description field, type a description.
  5. In the Signature Definition field, type the signature in valid Snort syntax.
    All remaining fields are optional. However, the default settings accept the signature and may not be configured correctly for your inspection. Configure settings that are appropriate to your security stance and the detection you want to accomplish.
  6. Specify an action for the signature.
  7. Select whether to log the signature.
  8. Specify the accuracy for the signature.
  9. Specify the direction on which the signature is detected.
  10. Specify the performance impact for the signature.
  11. Specify the protocol on which the signature acts.
  12. Specify the risk level for the attack.
  13. In the Documentation field, type any documentation for the signature.
  14. In the Attack Type field, specify the attack type.
  15. In the References field, type any references for the signature.
  16. In the Reference Links field, type any reference links.
  17. In the Revision field, type the revision number.
  18. In the Systems field, type the systems affected by the signature.
  19. Specify the service to which the signature applies.
  20. Click Create to create the inspection item.
The signature is created and appears in the inspection list.
Assign the inspection item to an inspection profile to enable detection and the action associated with the inspection item.
To view user-defined inspection items, select yes from the User Defined list on the Inspection Profile or Inspection List screens.
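
A structural pre-check for the text typed into the Signature Definition field in step 5, as an added example that is not from the F5 manual. It parses only the generic Snort rule shape (header plus semicolon-terminated options) and does not know which Snort options BIG-IP AFM accepts; the function names and the sample rule are constructed for illustration.

```python
import re

# Generic Snort rule shape: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)$",
    re.S)

def split_options(body):
    """Split the option body on ';', honouring quoted strings and backslash escapes."""
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    if quoted:
        raise ValueError("unterminated quoted string in options")
    if cur.strip():
        raise ValueError("option not terminated by ';': " + cur.strip())
    return opts

def check_rule(rule):
    """Return (header fields, options, problems) for one Snort-format rule."""
    m = HEADER.match(rule.strip())
    if not m:
        return {}, [], ["header or option parentheses malformed"]
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    try:
        opts = split_options(m.group("body"))
    except ValueError as err:
        return fields, [], [str(err)]
    problems = []
    if not any(o.split(":", 1)[0].strip() in ("content", "pcre") for o in opts):
        problems.append("no content or pcre option, so the rule matches on header alone")
    return fields, opts, problems

# Constructed sample signature (not from the F5 manual); sid 1000001 is a placeholder
SAMPLE = ('alert tcp any any -> any 80 (msg:"Constructed example marker"; '
          'content:"example-marker"; nocase; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(check_rule(SAMPLE))
```

The returned header fields (protocol, direction, ports) can be compared against the values chosen in steps 9 and 11 before clicking Create.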