Hi Community,
I think that the mentioned article is a bit confusing as it does not really tell you about the basic stuff. So here are 10 things I found out the hard way (using On Prem WAF 14.6) writing Signatures for Web Applications:
1. part="whatever" is always needed
2. part="whatever" is not case sensitive, so it matches whatever, whaTever, whateVer, WHATEVER...
3. Combining parts is an AND function. Example: part="whatever", part="whenever" matches
   whateverwhenever or
   whatever--whenever, but not
   whateverwhatever, and also not
   whatever (<- as you are missing the "whenever" here)
4. because of 3. the regex part normally has to match a "part" part
5. test your regex and make sure you are using the correct syntax
Plus:
6. Check if you enabled the correct/necessary Protocol and Search Signature in Parameters in Dictionary
7. Check if you enabled the Policy Rule in your Policy, and the Action is not "none" or, if so, your Followed Action does at least something
8. Check if the policy is applied to the correct/all Sites you need (check the Apply To checkboxes)
9. If you are testing, make sure to release yourself from the penalty box if you are using it in your Followed Action (Monitor -> Blocked Sources)
PlusPlus
10. Check the Display response Page in Alerts box in Advanced Tab to avoid other colleagues searching for the cause of a webpage not working
------------------------------
Michel Krahl
Solution Engineering
Kubus IT
Dresden
------------------------------
Original Message:
Sent: 03-25-2021 11:41
From: Cezmi Cal
Subject: Custom Signature Writing
Hi Alex,
If you don't want to exclude only a specific query, you can use only the following as the signature.
part="insert into", part="schema1", part="table_one"
If you keep your signature like above, it does not consider the left part of the query and excludes the queries containing these 3 strings sequentially when you apply the guideline above correctly. If this helps, you do not need to use rgxp in your signature.
You can find the details about multi part signatures below:
https://docs.imperva.com/bundle/v13.6-database-activity-monitoring-user-guide/page/3113.htm
------------------------------
Cezmi Cal
technical support engineer
Barikat Cyber Security
Ankara
Original Message:
Sent: 03-25-2021 11:13
From: Alex Kasprzak
Subject: Custom Signature Writing
Hey Cezmi,
I did try to apply that guideline, among others found on the Imperva document portal. Also tried several different combinations of signatures which were considered 'valid' in Securesphere, however it did not exclude from my audit policy.
Example of the query:
insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"
Example of a signature I have tried:
part="insert into", part="schema1", part="table_one", rgxp="insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)"
------------------------------
Alex Kasprzak
Cybersecurity Engineer
Brookdale Senior Living
Brentwood IL
Original Message:
Sent: 03-23-2021 04:27
From: Cezmi Cal
Subject: Custom Signature Writing
Hi Alex,
Did you try to apply the following guideline?
https://docs.imperva.com/howto/4a075a15
------------------------------
Cezmi Cal
technical support engineer
Barikat Cyber Security
Ankara
Original Message:
Sent: 03-19-2021 10:46
From: Alex Kasprzak
Subject: Custom Signature Writing
Hey everyone,
Is anyone really good at custom signature writing in Securesphere?
I'm trying to tune out a reoccurring query within an audit policy and I've tried several combinations of regex to match this query with no success. I've read through all the Imperva documentation, but still do not quite understand proper syntax, especially the "part" definitions that are needed.
DM me if you can help, would appreciate it!
#DatabaseActivityMonitoring
------------------------------
Alex Kasprzak
Cybersecurity Engineer
Brookdale Senior Living
Brentwood IL
------------------------------
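An offline check of the signature discussed in this thread, added here as an example and not taken from any of the posts or from Imperva: it models the part rules from the list at the top (case-insensitive, all parts required) plus the "sequentially" ordering from the reply, and reports how far the posted rgxp gets into the posted query. Assumptions: Python's re module stands in for SecureSphere's regex engine, and the function names are hypothetical.

```python
import re

# Query, parts and rgxp as posted in the thread.
QUERY = 'insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"'
PARTS = ["insert into", "schema1", "table_one"]
RGXP = (r'insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",'
        r'\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)')


def parts_match(parts, text):
    """Rules 2 and 3: every part must occur, case-insensitively, one after another."""
    haystack, pos = text.lower(), 0
    for part in parts:
        idx = haystack.find(part.lower(), pos)
        if idx < 0:
            return False  # one missing part fails the whole signature (AND)
        pos = idx + len(part)
    return True


def longest_matching_prefix(pattern, text):
    """Return (prefix, end): the longest prefix of pattern that still matches
    somewhere in text and the offset where that match ends."""
    for cut in range(len(pattern), 0, -1):
        try:
            m = re.search(pattern[:cut], text)
        except re.error:
            continue  # this cut ends in the middle of an escape or group
        if m:
            return pattern[:cut], m.end()
    return "", 0


def signature_match(parts, rgxp, text):
    """Assumed model: the parts and the optional rgxp must all match."""
    return parts_match(parts, text) and (rgxp is None or re.search(rgxp, text) is not None)


if __name__ == "__main__":
    print("parts only   :", signature_match(PARTS, None, QUERY))
    print("parts + rgxp :", signature_match(PARTS, RGXP, QUERY))
    prefix, end = longest_matching_prefix(RGXP, QUERY)
    print("rgxp matches up to:", prefix)
    print("rgxp stops at     :", RGXP[len(prefix):][:12])
    print("query continues   :", QUERY[end:end + 12])
```

Against the text exactly as posted, the three parts match but the rgxp stops at its first \( because the query has "( at that position; the rgxp also expects whitespace after each comma, which the posted query does not have.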