Edit signatures to add or modify rules

You can edit the user-defined signatures to add or modify a rule. A local signature rule has the same attributes as a default signature rule from Citrix, and it functions in the same way. You enable or disable it, and configure the signature actions for it, just as you do for a default signature.

Add a local rule if you need to protect your websites and services from a known attack that the existing signatures do not match. For example, you might discover a new type of attack and determine its characteristics by examining the logs on your web server, or you might obtain third-party information about a new type of attack.

At the heart of a signature rule are the rule patterns, which collectively describe the characteristics of the attack that the rule is designed to match. Each pattern can consist of a simple string, a PCRE-format regular expression, or the built-in SQL injection or cross-site scripting patterns.

You might want to modify a signature rule by adding a new pattern or modifying an existing pattern to match an attack. For example, you might find out about changes to an attack, or you might determine a better pattern by examining the logs on your web server, or from third-party information.

Add or modify a local signature rule

  1. Navigate to Security > NetScaler Web App Firewall > Signatures.

  2. In the details pane, select the user-defined signatures that you want to edit, and then click Edit.

  3. In the Signature Rules section, click Add. The Signature Rule pane appears.

  4. Configure the actions for a signature by selecting the appropriate check boxes.

    • Enabled. Enables the new signature rule. If you do not select this, this new signature rule is added to your configuration, but is inactive.
    • Block. Blocks connections that violate this signature rule.
    • Log. Logs violations of this signature rule to the NetScaler log.
    • Stat. Includes violations of this signature rule in the statistics.
    • Remove. Strips information that matches the signature rule from the response. (Applies only to response rules.)
    • X-Out. Masks information that matches the signature rule with the letter X. (Applies only to response rules.)
    • Allow Duplicates. Allows duplicates of this signature rule in this signatures object.
  5. Choose a category for the new signature rule from the Category drop-down list.

    If you want to create a category, click Add. For more information, see Add a signature rule category.

  6. In the LogString text box, type a brief description of the signature rule to be used in the logs.

  7. In the Comment text box, type a comment. (Optional)

  8. Click More to modify the advanced options.

    1. To strip HTML comments before applying this signature rule, in the Strip Comments drop-down list choose All or Exclude Script Tag.
    2. To set CSRF Referrer Header checking, in the CSRF Referrer Header checking radio button array, select either the If Present or Always radio button.
    3. To manually modify the Rule ID assigned to this local signature rule, modify the number in the Rule ID text box. The ID must be a positive integer between 1000000 and 1999999 that has not already been assigned to a local signature rule.
    4. To assign a version number to the new signature rule, modify the number in the Version Number text box.
    5. To assign a Source ID, modify the string in the Source ID text box.
    6. To specify the source, choose Local or Snort from the Source drop-down list, or click the Add icon to the right of the list and add a new source.
    7. To assign a harm score to violations of this local signature rule, type a number between 1 and 10 in the Harm Score text box.
    8. To assign a severity rating to this local signature rule, in the Severity drop-down list choose High, Medium, or Low, or click the Add icon to the right of the list and add a new severity rating.
    9. To assign a violation type to this local signature rule, in the Type drop-down list choose Vulnerable or Warning, or click the Add icon to the right of the list and add a new violation type.
  9. In Rule Patterns, click Add to add a pattern. You can also edit the existing patterns to do so click Edit.

    For more information about adding or editing patterns, see Signature Rule Patterns.

  10. Click OK.

Add a signature rule category

Putting signature rules into a category enables you to configure the actions for a group of signatures instead of for each individual signature. You might want to do so for the following reasons:

  • Ease of selection. For example, assume that all of the signature rules in a particular group protect against attacks on a specific type of web server software or technology. If your protected websites use that software or technology, you want to enable them all. If they do not, you do not want to enable any of them.
  • Ease of initial configuration. It is easiest to set defaults for a group of signatures as a category, instead of one-by-one. You can then make any changes to the individual signatures as needed.
  • Ease of ongoing configuration. It is easier to configure signatures if you can display only those that meet specific criteria, such as belonging to a specific category.
Edit signatures to add or modify rules