Add signature rule patterns
You can add a pattern or modify an existing pattern to specify a string or expression that characterizes an aspect of the attack that the signature matches. To find the patterns that an attack exhibits, examine the logs on your web server, use a tool to observe connection data in real time, or take the string or expression from a third-party report about the attack.
Important
A new pattern that you add to a signature rule is in an AND relationship with the rule's existing patterns: a request or response matches the signature only if it matches every pattern in the rule. Do not add a pattern to an existing signature rule unless you want a potential attack to have to match all of the patterns to match the signature.
Each pattern can consist of a simple string, a PCRE-format regular expression, or one of the built-in patterns (SQL injection, cross-site scripting, command injection, and their grammar-based variants). Before you attempt to add a pattern that is based on a regular expression, make sure that you understand PCRE-format regular expressions. PCRE expressions are complex and powerful. If you do not understand how they work, you can unintentionally create a pattern that matches something that you did not want (a false positive) or that fails to match something that you did want (a false negative).
Custom signature pattern for non-default content types
The NetScaler Web App Firewall (WAF) supports an additional location, HTTP_CANON_POST_BODY, for inspecting the canonicalized POST body. By default, the WAF does not block encoded payloads carried in non-default content types: when such a content type is allowed and no action is configured for it, the SQL injection and cross-site scripting checks do not inspect the encoded payload, so SQL injection and cross-site scripting attacks hidden in it are not filtered. To close this gap, create a custom signature rule that uses the HTTP_CANON_POST_BODY location. The rule canonicalizes the POST body of requests with non-default content types and then examines the decoded payload, blocking the request if it contains a SQL injection or cross-site scripting attack.
Note:
This support applies only to HTTP requests.
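The gap described above, as an added example that is not from this page or from NetScaler: a small Python model in which HTTP_POST_BODY inspects the body as received, while HTTP_CANON_POST_BODY percent-decodes it first. The JSON bodies, the toy SQL injection regex, the DEFAULT_FORM_TYPES set, and the bounded two-round decoding are assumptions of the example, not the WAF's actual implementation.

```python
import re
from urllib.parse import unquote_plus

# Constructed inputs (not captured traffic). A JSON body is a non-default
# content type for the WAF's form-aware checks; the payload is percent-encoded.
RAW_BODY = '{"user":"admin","filter":"%27%20OR%201%3D1%20--"}'
DOUBLE_ENCODED_BODY = '{"user":"admin","filter":"%2527%2520OR%25201%253D1%2520--"}'
BENIGN_BODY = '{"user":"o%27brien","filter":"active"}'
FORM_BODY = "filter=%27%20OR%201%3D1%20--"

# Assumption of this example: the content types whose bodies the WAF already
# decodes before running its SQL injection / cross-site scripting checks.
DEFAULT_FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}

# Toy stand-in for the SQL injection check: a quote followed by an OR/AND
# tautology. The real check is far richer; this only shows the decoding effect.
SQLI = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def canonicalize(body: str, max_rounds: int = 2) -> str:
    """Percent/plus-decode repeatedly, up to max_rounds, until the text stops
    changing, so that double-encoded payloads are exposed as well."""
    for _ in range(max_rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def check_body(body: str, content_type: str, location: str) -> bool:
    """Return True if the toy SQLi check fires on the body.

    HTTP_POST_BODY models the default behaviour: only bodies of the default form
    content types are decoded before inspection. HTTP_CANON_POST_BODY always
    canonicalizes first, regardless of content type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if location == "HTTP_CANON_POST_BODY" or media_type in DEFAULT_FORM_TYPES:
        text = canonicalize(body)
    else:
        text = body
    return SQLI.search(text) is not None
```

Running `check_body(RAW_BODY, "application/json", "HTTP_POST_BODY")` returns False because the quote is still `%27`, while the same body at HTTP_CANON_POST_BODY returns True; the benign `o%27brien` value decodes to an apostrophe but does not trip the tautology check, which is the false-positive case worth keeping in any such test set.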
If you are not already familiar with PCRE-format regular expressions, you can use the following resources to learn the basics, or for help with some specific issue:
- “Mastering Regular Expressions,” Third Edition. Copyright (c) 2006 by Jeffrey Friedl. O’Reilly Media, ISBN: 9780596528126.
- “Regular Expressions Cookbook”. Copyright (c) 2009 by Jan Goyvaerts and Steven Levithan. O’Reilly Media, ISBN: 9780596520687
- PCRE Man page/Specification
- Wikipedia PCRE entry
- PCRE Mailing List
If you need to encode non-ASCII characters in a PCRE-format regular expression, the NetScaler platform supports the encoding of hexadecimal UTF-8 codes. For more information, see PCRE Character Encoding Format.
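As an added example (not code from this page or from NetScaler), the following Python script scores a naive keyword-style pattern and a tighter one against a small constructed set of labelled inputs, counting true positives, false positives and false negatives. Both patterns and all sample strings are the example's own, and Python's `re` module is used as a stand-in for PCRE (the syntax used here is common to both). The point is that a pattern is worth measuring this way before it goes into a signature.

```python
import re

# Constructed, labelled samples: (input, is_attack). Not real traffic.
SAMPLES = [
    ("' OR 1=1 --", True),
    ("1 UNION SELECT username, password FROM users", True),
    ("1 union/**/select 1,2,3 from dual", True),
    ("Please select an item from the list", False),
    ("They select players from local clubs", False),
    ("My name is O'Brien", False),
]

# Naive pattern: any 'select' followed later by 'from'. It fires on ordinary
# English and misses injections that never use SELECT.
NAIVE = re.compile(r"select.*from", re.IGNORECASE)

# Tighter pattern: requires SQL structure rather than bare keywords.
#   - UNION [ALL] SELECT, with whitespace or /*...*/ comments between tokens
#   - a quote followed by an OR/AND equality tautology
TIGHT = re.compile(
    r"\bunion\b(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select\b"
    r"|'\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+",
    re.IGNORECASE,
)


def evaluate(pattern, samples):
    """Return (true_positives, false_positives, false_negatives) for a compiled
    pattern over labelled samples, using search() semantics like a signature."""
    tp = fp = fn = 0
    for text, is_attack in samples:
        hit = pattern.search(text) is not None
        if hit and is_attack:
            tp += 1
        elif hit and not is_attack:
            fp += 1
        elif not hit and is_attack:
            fn += 1
    return tp, fp, fn
```

Against these samples `evaluate(NAIVE, SAMPLES)` gives two false positives and one false negative, while `evaluate(TIGHT, SAMPLES)` catches all three injections with none. A real signature should be tested against a larger corpus of the application's own traffic, since a tautology check like the second alternative can still misfire on free-text fields.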
Configure a signature rule pattern
When you are editing a signature, you can add or edit the rule pattern. To add or modify the signature rules, see Edit signatures to add or modify rules.
- Type - Select the type of connection that the pattern is intended to match.
  - Request - Matches request elements or features such as injected SQL code, attacks on web forms, cross-site scripts, or inappropriate URLs.
  - Response - Matches response elements or features such as credit card numbers or safe objects.
- Location - Select the Area that this pattern examines. The area describes which elements of the HTTP request or response are examined for this pattern. The options that appear in the Area list depend on the pattern type you selected.
For the Request pattern type, items relevant to HTTP requests appear.
- HTTP_ANY. All parts of the HTTP connection.
- HTTP_COOKIE. All cookies in the HTTP request headers, after any cookie transformations are performed. Note: Does not search HTTP response “Set-Cookie:” headers.
- HTTP_FORM_FIELD. Form fields and their contents, after URL decoding, percent decoding, and removal of excess whitespace. You can use the <Location> tag to further restrict the list of form field names to be searched.
- HTTP_HEADER. The value portions of the HTTP headers, after any cross-site scripting or URL decoding transformations.
- HTTP_METHOD. The HTTP request method.
- HTTP_URL. The value portion of the URL in the HTTP headers, excluding any query or fragment parts, after conversion to the UTF-8 character set, URL decoding, stripping of whitespace, and conversion of relative URLs to absolute. Does not include HTML entity decoding.
- HTTP_ORIGIN_URL. The origin URL of a web form.
- HTTP_POST_BODY. The HTTP POST body and the web form data that it contains.
- HTTP_RAW_COOKIE. All HTTP request cookies, including the “Cookie:” name portion. Note: Does not search HTTP response “Set-Cookie:” headers.
- HTTP_RAW_HEADER. The entire HTTP header, with individual headers separated by linefeed characters (\n) or carriage return/line-feed strings (\r\n).
For the Response type, items relevant to HTTP responses appear.
- HTTP_RAW_RESP_HEADER. The entire response header, including the name and value parts of the response header after URL transformation has been done, and the complete response status. As with HTTP_RAW_HEADER, individual headers are separated by linefeed characters (\n) or carriage return/line-feed strings (\r\n).
- HTTP_RAW_SET_COOKIE. The entire Set-Cookie header after any URL transformations have been performed. Note: URL transformation can change both the domain and path parts of the Set-Cookie header.
- HTTP_RAW_URL. The entire request URL before any URL transformations are performed, including any query or fragment parts.
- HTTP_RESP_HEADER. The value part of the complete response headers after any URL transformations have been performed.
- HTTP_RESP_BODY. The HTTP response body.
- HTTP_SET_COOKIE. All “Set-Cookie” headers in the HTTP response headers.
- HTTP_STATUS_CODE. The HTTP status code.
- HTTP_STATUS_MESSAGE. The HTTP status message.
When you select an option from the Area list, the qualifier options beneath it change to suit that area. Use them to narrow which field names or URLs within the area are examined:
- Any. Checks all field names or URLs in the area.
- Literal. Checks only field names or URLs that contain a literal string. After you select Literal, a text box is displayed. Type the literal string that you want in the text box.
- PCRE. Checks only field names or URLs that match a PCRE-format regular expression. After you select this choice, the regular expression window is displayed. Type the regular expression in the window. You can use the Regex Tokens to insert common regular expression elements at the cursor, or you can click Regex Editor to display the Regular Expression Editor dialog box, which provides more assistance in constructing the regular expression that you want.
- Expression. Checks only field names or URLs that match a NetScaler default expression.
- Pattern - A pattern is a literal string or PCRE-format regular expression that defines what you want to match. Select the Match type from the list.
  - Literal. A literal string.
  - PCRE. A PCRE-format regular expression. Note: When you choose PCRE, the regular expression tools beneath the Pattern window are enabled. These tools are not useful for most other types of patterns.
  - Expression. An expression in the NetScaler default expressions language, the same language that is used to create Web App Firewall policies on the NetScaler appliance. Although the NetScaler expressions language was originally developed for policy rules, it is a flexible general-purpose language that can also be used to define a signature pattern. When you choose Expression, the NetScaler Expression Editor appears beneath the Pattern window. For more information about the Expression Editor and instructions on how to use it, see To add a firewall rule (expression) by using the Add Expression dialog box.
  - SQL Injection. Directs the Web App Firewall to look for injected SQL in the specified location.
  - CrossSiteScripting. Directs the Web App Firewall to look for cross-site scripts in the specified location.
  - CommandInjection. Directs the NetScaler Web App Firewall to look for injected malicious commands in the specified location.
  - SQLInjectionGrammar. Directs the NetScaler Web App Firewall to look for injected SQL grammar in the specified location. The grammar-based check is intended for cases where commonly used words such as Select and From appear in an HTTP request and a keyword match alone would be misleading.
  - CommandInjectionGrammar. Directs the NetScaler Web App Firewall to look for injected malicious command grammar in the specified location. The grammar-based check is intended for cases where a commonly used word such as Exit appears in an HTTP request and a keyword match alone would be misleading.
If you want to configure more settings, specify the following:
- Offset. The number of characters to skip over before starting to match on this pattern. You use this field to start examining a string at some point other than the first character.
- Depth. How many characters from the starting point to examine for matches. You use this field to limit searches of a large string to a specific number of characters.
- Min-Length. The string to be searched must be at least the specified number of bytes in length. Shorter strings are not matched.
- Max-Length. The string to be searched must be no longer than the specified number of bytes in length. Longer strings are not matched.
- Search method. A check box labeled fastmatch. You can enable fastmatch only for a literal pattern, to improve performance.
Note
Until you click OK in the Signature Rule Pattern pane, your changes are not saved. Do not close either of these dialog boxes without clicking OK unless you want to discard your changes.
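As an added example (not code from this page or from NetScaler), the following Python model shows how a rule's patterns are evaluated: each pattern extracts the text of its Location area, applies Offset, Depth, Min-Length and Max-Length, then matches a Literal or PCRE value, and the rule fires only when all of its patterns match. The area extractors are simplified readings of the area descriptions above, the sample requests and rule IDs are constructed, and the Expression and built-in injection match types are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass
class Request:
    """Constructed stand-in for a parsed HTTP request (not a NetScaler object)."""
    method: str
    url: str         # path plus optional ?query / #fragment
    headers: dict    # name -> value, in wire order
    body: str = ""


def area_text(req: Request, area: str) -> str:
    """Text that a Location area exposes to a pattern. Assumed simplifications:
    HTTP_URL is the path only, percent-decoded and stripped; HTTP_HEADER is the
    header values only; the HTTP_RAW_* areas keep names and wire formatting."""
    cookie = req.headers.get("Cookie", "")
    if area == "HTTP_METHOD":
        return req.method
    if area == "HTTP_URL":
        return unquote(req.url.split("?", 1)[0].split("#", 1)[0]).strip()
    if area == "HTTP_RAW_URL":
        return req.url
    if area == "HTTP_HEADER":
        return "\n".join(req.headers.values())
    if area == "HTTP_RAW_HEADER":
        return "\r\n".join(f"{k}: {v}" for k, v in req.headers.items())
    if area == "HTTP_COOKIE":
        return "; ".join(c.strip() for c in cookie.split(";") if c.strip())
    if area == "HTTP_RAW_COOKIE":
        return f"Cookie: {cookie}" if cookie else ""
    if area == "HTTP_POST_BODY":
        return req.body
    raise ValueError(f"area not modelled: {area}")


@dataclass
class Pattern:
    """One pattern of a rule: an area plus a Literal or PCRE match, with the
    optional Offset / Depth / Min-Length / Max-Length settings."""
    area: str
    match: str       # "Literal" or "PCRE"
    value: str
    offset: int = 0
    depth: Optional[int] = None
    min_length: Optional[int] = None
    max_length: Optional[int] = None

    def matches(self, req: Request) -> bool:
        text = area_text(req, self.area)
        if self.min_length is not None and len(text) < self.min_length:
            return False
        if self.max_length is not None and len(text) > self.max_length:
            return False
        window = text[self.offset:]          # skip Offset characters
        if self.depth is not None:
            window = window[:self.depth]     # examine at most Depth characters
        if self.match == "Literal":
            return self.value in window
        if self.match == "PCRE":
            return re.search(self.value, window) is not None
        raise ValueError(f"match type not modelled: {self.match}")


@dataclass
class SignatureRule:
    """A rule's patterns are ANDed: every pattern must match for it to fire."""
    rule_id: int
    patterns: list

    def matches(self, req: Request) -> bool:
        return all(p.matches(req) for p in self.patterns)


# Constructed sample traffic.
ATTACK = Request("POST", "/api/v1/users/search?x=1",
                 {"Host": "example.test", "User-Agent": "sqlmap/1.7",
                  "Cookie": "sid=abc123; lang=en"},
                 "name=%27%20OR%201%3D1%20--")
BENIGN = Request("POST", "/api/v1/users/search",
                 {"Host": "example.test", "User-Agent": "Mozilla/5.0",
                  "Cookie": "sid=abc123; lang=en"},
                 "name=alice")
ELSEWHERE = Request("POST", "/health", {"Host": "example.test"},
                    "name=%27%20OR%201%3D1%20--")

# Body pattern for the (still encoded) tautology, and a URL pattern. Adding the
# URL pattern to the rule narrows it: the same payload sent to /health no
# longer matches, because both patterns must match.
SQLI_BODY = Pattern("HTTP_POST_BODY", "PCRE",
                    r"(?i)(?:%27|')(?:%20|\s)+or(?:%20|\s)+1(?:%3D|=)1")
SEARCH_URL = Pattern("HTTP_URL", "Literal", "/api/v1/users/search")
RULE_NARROW = SignatureRule(1000001, [SQLI_BODY, SEARCH_URL])   # AND of both
RULE_BROAD = SignatureRule(1000002, [SQLI_BODY])
```

The raw versus transformed areas behave differently on the same request: `Pattern("HTTP_URL", "Literal", "x=1")` does not match ATTACK because HTTP_URL drops the query, whereas the same literal at HTTP_RAW_URL does; likewise the `Cookie:` name is visible only at HTTP_RAW_COOKIE. Depth is applied after Offset, so a `sqlmap` literal at HTTP_RAW_HEADER with `depth=20` sees only the Host line and fails.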