F5 Logo MyF5
Search
  1. MyF5 Home
  2. F5 Fraud Protection Service: BIG-IP Configuration
  3. Detecting Malware
  4. Overview: Detecting Malware
  5. Apply malware detection to a user-defined malware type
  6. Creating DOM signatures
Manual Chapter : Creating DOM signatures

Applies To:

Show Versions Show Versions

BIG-IP FPS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0
Manual Chapter

Creating DOM signatures

Use DOM Signatures to create a blacklist of suspicious character strings (can be alphanumeric, non-alphanumeric, or a combination of both) that the BIG-IP system will search for in specific locations in your web page, or (if you choose) the entire web page. If the BIG-IP system detects a blacklisted string in the location you specify, an alert is sent to the FPS dashboard.
  1. On the Main tab, click
    Security
    Fraud Protection Service
    Anti-Fraud Profiles
    .
    The Anti-Fraud Profiles screen opens.
  2. From the list of profiles, select the relevant profile.
    The Anti-Fraud Profile Properties screen opens.
  3. In the Anti-Fraud Configuration area, click
    Malware Detection
    Malware List
    .
    The list of user-defined malware types is displayed.
  4. In the Malware List, click the malware type on which you want to create DOM signatures, or click
    Add
     to add a new malware type.
    If you click
    Add
     to add a new malware type, you should first assign a name to the malware type in the General Settings area before proceeding to the next step.
    The Malware Properties screen appears.
  5. In the Malware Configuration area, select
    DOM Signatures
    .
    The DOM Signatures list appears.
  6. Click
    Add
    .
    The Add DOM Signature pop-up screen appears.
  7. From the Search In list, set the location where the BIG-IP system searches for the character string on the web page. Choose from one of the following locations:
    • All:
       Search in all of the HTML code and all globally declared JavaScript variables on the web page.
    • HTML:
       Search in all of the HTML code on the web page.
    • Text:
       Search only in text contained inside HTML tags on the web page.
    • JavaScript Global Variable:
       Search in all globally declared JavaScript variables on the web page.
    • DOM Attribute:
       Search only in the value of the HTML tag attribute that you assign for Attribute Name. For example, if you have the following HTML tag on your web page: 
      <a href="example.php">link</a>
      you choose
      DOM Attribute
       from the Search In list, and you typed
      href
       in the Attribute Name text box, the BIG-IP system will consider this a match if Match Type = Is and you typed
      example.php
       in the Search For text box.
  8. From the Match Type list, select one of the following match types:
    • Contains:
       If the string is contained in the location you choose, this is considered a match. For example, if you assign the string
      bar
       in Search For and the system finds
      bargain
       in the location you defined, this is considered a match.
    • Is:
       An exact match is required. For example, if you assign the string
      bar
       in Search For and the system finds
      bargain
       in the location you defined, this is not considered a match.
      The Match Type for
      JavaScript Global Variable
       can only be
      Is
       (exact match), even if
      All
       is selected for the
      Search In
       option.
  9. In the Search For text box, type the character string that you want the BIG-IP system to search for.
    The character string can be any combination of alphanumeric or non-alphanumeric characters.
  10. If you chose
    DOM Attribute
     for the search location, in the Attribute Name text box type the name of the DOM attribute in the HTML tag where the BIG-IP system will search for the character string.
    The Attribute Name text box appears only if you choose
    DOM Attribute
     for the search location.
  11. If you chose
    HTML
    ,
    Text
    , or
    DOM Attribute
     for the search location, in the Tag Name text box type the name of the HTML tag where the BIG-IP system searches for the character string.
    This setting is optional and if left blank the system searches in all HTML tags on the web page.
    The Tag Name text box appears only if you choose
    HTML
    ,
    Text
    , or
    DOM Attribute
     for the search location.
  12. Click
    Add
     in Add DOM Signature pop-up screen.
    The DOM signature that you defined is added to the list of DOM signatures.
  13. Click
    Save
     in the Malware Properties screen.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information