Imperva Cyber Community

 View Only
  • 1.  Regular expression in signatures - negation

    Posted 03-22-2022 03:35
    Hi all,
    I am trying to create a custom signature which defines what is allowed rather than what's not allowed.

    For example, for this URI: /user_login.asp?user=
    For the parameter user I want to allow only [a-z] letters.

    How do I do that in regular expression?

    This is how to block [a-z]:
    Part="user_login.asp", part="user", rgxp="user=\s*[a-z]"

    How do I change the signature to allow only [a-z] ?

    Thanks,
    Noam.

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Noam Rotter
    Security Engineer
    Jerusalem
    ------------------------------


  • 2.  RE: Regular expression in signatures - negation

    Posted 03-22-2022 09:32
    Hi Noam,

    Give the following Regex a try. Please test this in a nonproduction environment first. 

         ^.*(?![A-Za-z]).+$


  • 3.  RE: Regular expression in signatures - negation

    Posted 03-22-2022 14:35
    Hi Jaired,
    Thanks for trying :)

    Unfortunately, it doesn't block.
    Your signature should have blocked the request if I put anything that is not letters (upper or lowercase)
    But, it didn't block non-letters chars.

    On the other hand, when I put letters, it didn't block too - which is good.

    It's interesting since I checked your regex in regex101 and the syntax looks correct
    but from some unknown reason, the SecureSphere WAF didn't block non-letters requests.

    ------------------------------
    Noam Rotter
    Security Engineer
    Jerusalem
    ------------------------------