Imperva Cyber Community


Signatures - Fundamentals of On-Premise WAF - Part 7

By Ira Miga posted 09-23-2022 07:59



Parts 5 and 6 of this series looked at Advanced Web Policies and Global Objects. This part looks at signatures: how to view, disable and filter them. It also explains the basic signature unit and regular expressions.


What are Signatures?

Signatures are text strings that identify known attacks. They are organized in dictionaries, each of which is essentially a filter on the signatures database.

You can:

  • define new signatures and new dictionaries.
  • enable or disable signatures in an individual dictionary or all dictionaries.
  • apply dictionaries to policies.

    On-Premises WAF includes thousands of signatures provided by Imperva ADC (Application Defense Center).

    These signatures are regularly updated, and the updated signatures can be automatically downloaded to the On-Premises WAF. You can also define custom dictionaries and custom signatures and apply those dictionaries to policies.


    To view signatures:

    1. In the Main workspace, select Setup > Signatures.
       The dictionaries are displayed in the left pane.
    2. The signatures included in the dictionary selected in the left pane are displayed in the middle pane.
    3. You can disable a signature from all dictionaries or a specific dictionary, and you can enable a disabled signature in all dictionaries or a specific dictionary.
    4. A signature's status is indicated by the icon to its left.
    5. A dictionary is a filter on signatures.
    6. You cannot apply individual signatures to a policy, only the entire dictionary, so you should group your custom signatures into custom dictionaries accordingly.

    To add a dictionary to a security policy:

    1. In the Main workspace, select Policies > Security.
    2. Select a signature policy.
    3. Under Policy Rules, add a new policy rule by clicking the New button:
        1. From the Dictionary Name field, select the dictionary to which you wish to assign the policy.
        2. Check the Enabled field.
        3. Select the Severity, Action, and Followed Action of your choice.
        4. Click Save.


    Part

    The basic signature unit is the part, which contains the actual signature text.
    Example: The following signature searches for the text "hello world".
    part="hello world"

    Use \x<hex value> to add binary characters to the signature.

    Example: In the following signature the white space is replaced with \x20.

    part="hello\x20world"

    To look for the backslash character, enter a double backslash.

    Example: The following signature looks for the text "hello\world".

    part="hello\\world"


    Regular Expressions

    The use of a regular expression part is optional and only applies to non-stream signatures (that is URL, parameters, parameter types, and headers). You can only include one regular expression part in a signature and it must be the last part of the signature. One or more non-regular expression parts can precede the regular expression part.

    Imperva On-Premises WAF searches for the regular expression only if all the preceding parts are found.

    For example, if you want to check if the "filename" parameter ends with a ".txt", your signature should be:

    part=".txt", rgxp="filename=[^&]*\.txt(&|$)"
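
The matching order described above, as an added example (a simplified Python model, not Imperva's code): literal parts are decoded and checked first, and the regular expression runs only when every part is present. The function names, the case-sensitive substring match and the use of Python's `re` in place of the WAF's regex engine are assumptions; the sample inputs are constructed.

```python
import re

# Assumption: a signature is a comma-separated list of key="value" fields, as on this page.
_FIELD = re.compile(r'(part|rgxp)="((?:[^"\\]|\\.)*)"')
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(.)', re.S)


def decode_part(text):
    # \xHH becomes the character with that hex value; \\ becomes one backslash.
    def expand(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
    return _ESCAPE.sub(expand, text)


def parse_signature(signature):
    # Returns (decoded literal parts, regex text or None).
    fields = _FIELD.findall(signature)
    kinds = [kind for kind, _ in fields]
    if not fields:
        raise ValueError("no part or rgxp field found")
    if "rgxp" in kinds[:-1]:
        raise ValueError("only one rgxp is allowed and it must be the last part")
    parts = [decode_part(value) for kind, value in fields if kind == "part"]
    rgxp = fields[-1][1] if kinds[-1] == "rgxp" else None
    return parts, rgxp


def matches(signature, data):
    parts, rgxp = parse_signature(signature)
    # Every literal part must be present before the regex is evaluated at all.
    # Assumption: case-sensitive substring search; Python's re stands in for the WAF engine.
    if not all(part in data for part in parts):
        return False
    return rgxp is None or re.search(rgxp, data) is not None


if __name__ == "__main__":
    sig = r'part=".txt", rgxp="filename=[^&]*\.txt(&|$)"'
    # Constructed query strings, not captured traffic.
    for query in ("id=7&filename=report.txt",    # ends with .txt: match
                  "filename=report.txt.exe",      # part found, regex rejects
                  "note=a.txt&filename=b.pdf",    # part found elsewhere, regex rejects
                  "filename=report.pdf"):         # part missing, regex never runs
        print(f"{query!r:32} -> {matches(sig, query)}")
```

The second and third inputs show why the literal part alone is not enough: ".txt" appears in the data, but only the regular expression ties it to the end of the "filename" parameter.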


    The next blog in this series will look at how to create efficient signatures, so keep an eye on our Community blogs for that.

    You can also find the other parts of this series here


