Imperva Cyber Community


Custom Signature Writing

  • 1.  Custom Signature Writing

    Posted 30 days ago

    Hey everyone,

    Is anyone really good at custom signature writing in SecureSphere?

    I'm trying to tune out a reoccurring query within an audit policy and I've tried several combinations of regex to match this query with no success. I've read through all the Imperva documentation, but still do not quite understand proper syntax, especially the "part" definitions that are needed.

    DM me if you can help, would appreciate it!


    #DatabaseActivityMonitoring

    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------


  • 2.  RE: Custom Signature Writing

    CHAMPION
    Posted 27 days ago
    Hi Alex,

    Did you try to apply the following guideline?

    https://docs.imperva.com/howto/4a075a15

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 3.  RE: Custom Signature Writing

    Posted 24 days ago

    Hey Cezmi,

    I did try to apply that guideline, among others found on the Imperva document portal. I also tried several different combinations of signatures which were considered 'valid' in SecureSphere; however, it was not excluded from my audit policy.

    Example of the query:
    insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"

    Example of a signature I have tried:
    part="insert into", part="schema1", part="table_one", rgxp="insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)"




    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------



  • 4.  RE: Custom Signature Writing

    CHAMPION
    Posted 24 days ago
    Hi Alex,

    If you don't want to exclude only the specific query, you can use only the following as the signature.

    part="insert into", part="schema1", part="table_one"

    If you keep your signature like above, it does not consider the left part of the query and excludes the queries containing these 3 strings sequentially when you apply the guideline above correctly. If this helps, you do not need to use rgxp in your signature.

    You can find the details about multi part signatures below:
    https://docs.imperva.com/bundle/v13.6-database-activity-monitoring-user-guide/page/3113.htm

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------
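
An offline pre-check for the signatures in posts 3 and 4, added here as an example; it is not part of any post and not Imperva tooling. It assumes `part` values are substrings that must appear in order (as the reply above describes) and uses Python's `re` in place of SecureSphere's regex engine; the function names are hypothetical. It separates "the pattern cannot match this text" from "the policy has not taken effect".

```python
import re

# Query text and signature pieces exactly as posted in this thread.
QUERY = 'insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"'
PARTS = ["insert into", "schema1", "table_one"]
RGXP = (r'insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",'
        r'\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)')
# Constructed sample (not from the thread): the spacing the rgxp above expects.
SPACED = 'insert into "schema1"."table_one" ("column1", "column2", "column3") values (?, ?, ?)'


def parts_in_order(parts, text):
    """True if every part occurs in text, each one after the end of the previous."""
    pos = 0
    for part in parts:
        idx = text.find(part, pos)  # assumption: exact, case-sensitive substring
        if idx < 0:
            return False
        pos = idx + len(part)
    return True


def rgxp_stall(pattern, text):
    """Return (matched, offset). On a full match, offset is where the match ends.
    Otherwise it is how far into text the longest still-valid prefix of the
    pattern gets, i.e. the character at which the pattern gives up."""
    m = re.search(pattern, text)
    if m:
        return True, m.end()
    for cut in range(len(pattern) - 1, 0, -1):
        try:
            m = re.search(pattern[:cut], text)
        except re.error:  # prefix was cut in the middle of an escape
            continue
        if m:
            return False, m.end()
    return False, 0


if __name__ == "__main__":
    print("parts in order:", parts_in_order(PARTS, QUERY))
    ok, off = rgxp_stall(RGXP, QUERY)
    print("rgxp matched:", ok, "| stalls before:", repr(QUERY[off:off + 12]))
    print("rgxp on spaced form:", rgxp_stall(RGXP, SPACED)[0])
```

Run it against the query text exactly as it appears in the audit record; if both checks pass there and the query is still audited, the problem is more likely in how the policy is applied than in the signature.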



  • 5.  RE: Custom Signature Writing

    Posted 24 days ago

    Thanks Cezmi, I was attempting to exclude the specific query, however I do not think it would be an issue to try what you suggested.

    I made the adjustment and will report back with results after this job runs in our environment.



    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------



  • 6.  RE: Custom Signature Writing

    Posted 18 days ago

    Hey Cezmi,

    Just wanted to let you know that I tried your suggestion on my query, however it did not succeed in excluding it from my audit policy.

    Please let me know if you have any other suggestions, otherwise I'll be taking another hard look at this signature documentation.


    Thanks again for trying to help!




    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------



  • 7.  RE: Custom Signature Writing

    CHAMPION
    Posted 18 days ago
    Hi Alex,

    While applying the procedure (https://docs.imperva.com/howto/4a075a15), instead of enabling the policy for the following step, could you apply the policy to the related Service/Application on the "Apply To" tab while the Enabled box (under the Policy Rules tab) is not checked, and recheck whether it is running as intended or not?

    Regards,

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 8.  RE: Custom Signature Writing

    Posted 17 days ago

    Hey Cezmi,

    So I did not perform those steps since this was a custom audit policy; however, your comment jarred my memory. About 2 years ago, when we implemented Imperva, I had a similar support issue where I was trying to tune out some benign activity. I worked with support and they assisted with writing a custom signature.

    It was not until you mentioned 'check and recheck' that I recalled a really simple step to get that old signature working. We played around with it for a week or so unsuccessfully, until I completely disabled the policy on my site, saved it, then reapplied it.

    Such a simple step, but lo and behold, I tried it yesterday morning and it worked! I feel so much better knowing my syntax was probably correct and it was just this really quirky SecureSphere thing holding it back.

    When in doubt: Disable and reapply the policy


    Cezmi - Thank you for all the help, and I hope this helps out someone else in the future!



    ------------------------------
    Alex Kasprzak
    Cybersecurity Engineer
    Brookdale Senior Living
    Brentwood IL
    ------------------------------