Manual Chapter :
Creating DOM signatures
Applies To:
Show VersionsBIG-IP FPS
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0
Creating DOM signatures
Use DOM Signatures to create a blacklist of
suspicious character strings (can be alphanumeric, non-alphanumeric, or a combination of
both) that the BIG-IP system will search for in specific locations in your web page, or
(if you choose) the entire web page. If the BIG-IP system detects a blacklisted string
in the location you specify, an alert is sent to the FPS dashboard.
- On the Main tab, click.The Anti-Fraud Profiles screen opens.
- From the list of profiles, select the relevant profile.The Anti-Fraud Profile Properties screen opens.
- In the Anti-Fraud Configuration area, click.The list of user-defined malware types is displayed.
- In the Malware List, click the malware type on which you want to create DOM signatures, or clickAddto add a new malware type.If you clickAddto add a new malware type, you should first assign a name to the malware type in the General Settings area before proceeding to the next step.The Malware Properties screen appears.
- In the Malware Configuration area, selectDOM Signatures.The DOM Signatures list appears.
- ClickAdd.The Add DOM Signature pop-up screen appears.
- From the Search In list, set the location where the BIG-IP system searches for the character string on the web page. Choose from one of the following locations:
- All:Search in all of the HTML code and all globally declared JavaScript variables on the web page.
- HTML:Search in all of the HTML code on the web page.
- Text:Search only in text contained inside HTML tags on the web page.
- JavaScript Global Variable:Search in all globally declared JavaScript variables on the web page.
- DOM Attribute:Search only in the value of the HTML tag attribute that you assign for Attribute Name. For example, if you have the following HTML tag on your web page:
you choose<a href="example.php">link</a>DOM Attributefrom the Search In list, and you typedhrefin the Attribute Name text box, the BIG-IP system will consider this a match if Match Type = Is and you typedexample.phpin the Search For text box.
- From the Match Type list, select one of the following match types:
- Contains:If the string is contained in the location you choose, this is considered a match. For example, if you assign the stringbarin Search For and the system findsbargainin the location you defined, this is considered a match.
- Is:An exact match is required. For example, if you assign the stringbarin Search For and the system findsbargainin the location you defined, this is not considered a match.The Match Type forJavaScript Global Variablecan only beIs(exact match), even ifAllis selected for theSearch Inoption.
- In the Search For text box, type the character string that you want the BIG-IP system to search for.The character string can be any combination of alphanumeric or non-alphanumeric characters.
- If you choseDOM Attributefor the search location, in the Attribute Name text box type the name of the DOM attribute in the HTML tag where the BIG-IP system will search for the character string.The Attribute Name text box appears only if you chooseDOM Attributefor the search location.
- If you choseHTML,Text, orDOM Attributefor the search location, in the Tag Name text box type the name of the HTML tag where the BIG-IP system searches for the character string.This setting is optional and if left blank the system searches in all HTML tags on the web page.The Tag Name text box appears only if you chooseHTML,Text, orDOM Attributefor the search location.
- ClickAddin Add DOM Signature pop-up screen.The DOM signature that you defined is added to the list of DOM signatures.
- ClickSavein the Malware Properties screen.