Imperva Cyber Community


Custom Signature Writing

  • 1.  Custom Signature Writing

    Posted 03-19-2021 10:47

    Hey everyone,

    Is anyone really good at custom signature writing in Securesphere?

    I'm trying to tune out a recurring query within an audit policy and I've tried several combinations of regex to match this query with no success. I've read through all the Imperva documentation, but still do not quite understand the proper syntax, especially the "part" definitions that are needed.

    DM me if you can help, would appreciate it!


    #DatabaseActivityMonitoring

    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------


  • 2.  RE: Custom Signature Writing

    Posted 03-23-2021 04:27
    Hi Alex,

    Did you try to apply the following guideline?

    https://docs.imperva.com/howto/4a075a15

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 3.  RE: Custom Signature Writing

    Posted 03-25-2021 11:14

    Hey Cezmi,

    I did try to apply that guideline, among others found on the Imperva document portal. I also tried several different combinations of signatures which were considered 'valid' in Securesphere, however they did not exclude it from my audit policy.

    Example of the query:
    insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"

    Example of a signature I have tried:
    part="insert into", part="schema1", part="table_one", rgxp="insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)"




    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------
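A quick offline check of the regex in the post above, added here as an example and not part of the original thread. It uses Python's re module, which is not SecureSphere's engine (treat the equivalence as an assumption), but it is enough to show that the posted rgxp does not match the query as the audit shows it: the rgxp expects a bare `(` after the table name, a space after each comma and a space between `values` and `(`, none of which the audited text contains, while it does match the spaced form a developer would write. A whitespace-tolerant variant matches both forms.

```python
import re

# Constructed from the thread: the query as it appears in the audit data,
# and the rgxp= value from the posted signature, copied verbatim.
AUDITED_QUERY = 'insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"'
POSTED_RGXP = r'insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)'

# The same statement as a developer would write it (constructed); this is
# the shape the posted rgxp was evidently written for.
SPACED_QUERY = 'INSERT INTO "schema1"."table_one" ("column1", "column2", "column3") VALUES (?, ?, ?)'

# Whitespace-tolerant rewrite: \s* around every separator, an optional quote
# before the column list, and no reliance on the trailing quote.
TOLERANT_RGXP = (r'insert\s+into\s+"schema1"\."table_one"\s*"?\('
                 r'\s*"column1"\s*,\s*"column2"\s*,\s*"column3"\s*\)'
                 r'\s*values\s*\(\s*\?\s*,\s*\?\s*,\s*\?\s*\)')


def compiles(rgxp):
    """True if the pattern is valid under Python's re (a syntax sanity check)."""
    try:
        re.compile(rgxp)
        return True
    except re.error:
        return False


def matches(rgxp, query, ignore_case=True):
    """Search the query for the pattern. Case-insensitive by default, which is
    an assumption about how the appliance treats rgxp, not a documented fact."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(rgxp, query, flags) is not None


if __name__ == "__main__":
    for name, rgxp in (("posted", POSTED_RGXP), ("tolerant", TOLERANT_RGXP)):
        print(name, "compiles:", compiles(rgxp))
        print(name, "matches audited form:", matches(rgxp, AUDITED_QUERY))
        print(name, "matches spaced form: ", matches(rgxp, SPACED_QUERY))
```

The point of the check is to test the pattern against the text exactly as the audit record stores it, not against the statement as it looks in application code; a pattern that only matches the pretty form will be "valid" in the UI and still never fire.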



  • 4.  RE: Custom Signature Writing

    Posted 03-25-2021 11:42
    Hi Alex,

    If you don't want to exclude only a specific query, you can use just the following as the signature.

    part="insert into", part="schema1", part="table_one"

    If you keep your signature like the above, it does not consider the rest of the query and excludes the queries containing these 3 strings sequentially, provided you apply the guideline above correctly. If this helps, you do not need to use rgxp in your signature.

    You can find the details about multi part signatures below:
    https://docs.imperva.com/bundle/v13.6-database-activity-monitoring-user-guide/page/3113.htm

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 5.  RE: Custom Signature Writing

    Posted 03-25-2021 14:27

    Thanks Cezmi, I was attempting to exclude the specific query, however I do not think it would be an issue to try what you suggested.

    I made the adjustment and will report back with results after this job runs in our environment.



    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------



  • 6.  RE: Custom Signature Writing

    Posted 03-31-2021 08:40

    Hey Cezmi,

    Just wanted to let you know that I tried your suggestion on my query, however it did not succeed in excluding it from my audit policy.

    Please let me know if you have any other suggestions, otherwise I'll be taking another hard look at this signature documentation.


    Thanks again for trying to help!




    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------



  • 7.  RE: Custom Signature Writing

    Posted 03-31-2021 10:19
    Edited by Cezmi Cal 04-01-2021 07:22
    Hi Alex,

    While applying the procedure (https://docs.imperva.com/howto/4a075a15), instead of enabling the Policy in the following step, could you apply the policy to the related Service/Application on the "Apply To" tab while the Enabled box (under the Policy Rules tab) is not checked, and recheck whether it is running as intended or not.

    Regards,

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 8.  RE: Custom Signature Writing

    Posted 04-01-2021 08:50

    Hey Cezmi,

    So I did not perform those steps since this was a custom audit policy, however your comment jogged my memory. About 2 years ago, when we implemented Imperva, I had a similar support issue where I was trying to tune out some benign activity. I worked with support and they assisted with writing a custom signature.

    It was not until you mentioned 'check and recheck' that I recalled a really simple step to get that old signature working. We played around with it for a week or so unsuccessfully, until I completely disabled the policy on my site, saved it, then reapplied it.

    Such a simple step, but lo and behold I tried it yesterday morning and it worked! I feel so much better knowing my syntax was probably correct and it was just this really quirky Securesphere thing holding it back.

    When in doubt: Disable and reapply the policy


    Cezmi - Thank you for all the help, and I hope this helps out someone else in the future!



    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------



  • 9.  RE: Custom Signature Writing

    Posted 10-19-2022 10:20
    Hi Community,

    I think that the mentioned article is a bit confusing as it does not really tell you about the basic stuff. So here are 10 things I found out the hard way (using On Prem WAF 14.6) writing Signatures for Web Applications:
    1. part="whatever" is always needed
    2. part="whatever" is not case sensitive, so it matches whatever whaTever whateVer WHATEVER...
    3. Combining parts is an AND function. Example: part="whatever", part="whenever" matches whateverwhenever or whatever--whenever but not whateverwhatever and even not whatever (<- as you are missing the "whenever" here)
    4. because of 3. the regex part normally has to match a "part" part
    5. test your regex and make sure you are using the correct syntax
    Plus:
    6. Check if you enabled the correct/necessary Protocol and Search Signature in Parameters in Dictionary
    7. Check if you enabled the Policy Rule in your Policy, and the Action is not "none" or if so, your Followed Action does at least something
    8. Check if the policy is applied to the correct/all Sites you need (Check Apply To Checkboxes)
    9. If you are testing, make sure to release yourself from penalty box if you are using it in your Followed Action (Monitor-> Blocked Sources)
    PlusPlus
    10. Check the Display response Page in Alerts box in the Advanced Tab to avoid other colleagues searching for the cause of a webpage not working

    ------------------------------
    Michel Krahl
    Solution Engineering
    Kubus IT
    Dresden
    ------------------------------
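Michel's rules above, together with Cezmi's note in post 4 that the parts must appear in sequence, can be turned into a small checker. What follows is an added example, not Imperva's matcher or documentation: a toy Python model of the multi-part syntax that applies those rules to constructed audit rows, so you can predict whether a signature would fire before applying it to a policy. The ordering rule, the whole-text case-sensitive rgxp search and the "no part, no signature" validity check are assumptions of the model, not verified appliance behaviour.

```python
import re

# Toy model of the multi-part signature syntax, built from the rules stated in
# this thread. Assumptions (not verified against the appliance): parts must
# appear in the order given, rgxp is searched case-sensitively over the whole
# text, and a signature with no part= is invalid.
SIG_ITEM = re.compile(r'(part|rgxp)="((?:[^"\\]|\\.)*)"')


def parse_signature(sig):
    """'part="a", part="b", rgxp="c"' -> [("part","a"), ("part","b"), ("rgxp","c")]."""
    items = SIG_ITEM.findall(sig)
    if not any(kind == "part" for kind, _ in items):
        raise ValueError('a signature needs at least one part="..." (tip 1)')
    for kind, value in items:
        if kind == "rgxp":
            re.compile(value)  # raises re.error on bad syntax (tip 5)
    return items


def is_valid_signature(sig):
    try:
        parse_signature(sig)
        return True
    except (ValueError, re.error):
        return False


def signature_matches(sig, text):
    """All parts must occur case-insensitively and in order; every rgxp must match."""
    pos = 0
    lowered = text.lower()
    for kind, value in parse_signature(sig):
        if kind == "part":
            idx = lowered.find(value.lower(), pos)
            if idx < 0:
                return False          # AND semantics: one missing part fails the signature
            pos = idx + len(value)    # later parts must come after this one
        else:
            if re.search(value, text) is None:
                return False
    return True


def tune_out(sig, audit_rows):
    """Rows an audit policy with this exclusion signature would still record."""
    return [row for row in audit_rows if not signature_matches(sig, row)]


# Constructed audit rows: the thread's query, its spaced form, and two that
# share some but not all of the parts.
AUDIT_ROWS = [
    'insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"',
    'INSERT INTO "schema1"."table_one" ("column1", "column2", "column3") VALUES (?, ?, ?)',
    'insert into "schema1"."table_two" ("column1") values(?)',
    'select * from "schema1"."table_one"',
]
EXCLUDE_SIG = 'part="insert into", part="schema1", part="table_one"'

if __name__ == "__main__":
    for row in AUDIT_ROWS:
        print(signature_matches(EXCLUDE_SIG, row), row)
    print("kept:", tune_out(EXCLUDE_SIG, AUDIT_ROWS))
```

Run against the rows above, the three-part signature drops both forms of the `table_one` insert and keeps the insert into `table_two` and the select, which is the behaviour you want to confirm on a sample before the signature goes into a production audit policy. Remember that a model like this only tells you whether the text would match; tips 6 to 10 (dictionary, rule enabled, Apply To, penalty box) still decide whether the policy acts on it.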



  • 10.  RE: Custom Signature Writing

    Posted 10-20-2022 09:52
    Really good tips, Michel! Thanks for sharing!

    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------



  • 11.  RE: Custom Signature Writing

    Posted 10-20-2022 12:08

    Totally agree with @Jaired Anderson!

    @Michel Krahl thanks so much for sharing these great tips!



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------