Is anyone really good at custom signature writing in Securesphere?
I'm trying to tune out a reoccurring query within an audit policy and I've tried several combinations of regex to match this query with no success. I've read through all the Imperva documentation, but still do not quite understand proper syntax, especially the "part" definitions that are needed. DM me if you can help, would appreciate it!
Hey Cezmi, I did try to apply that guideline, among others found on the Imperva document portal. Also tried several different combinations of signatures which were considered 'valid' in Securesphere, however it did not exclude from my audit policy.
Example of the query:
insert into "schema1"."table_one" "("column1","column2","column3") values(?,?,?)"
Example of a signature I have tried:
part="insert into", part="schema1", part="table_one", rgxp="insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",\s\"column3"\)\svalues\s\(\?,\s\?,\s\?\)"
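An offline way to see where a candidate rgxp stops matching a captured query, added here as an example and not part of the original post or of Imperva's tooling. It assumes Python's `re` behaves like the SecureSphere regex engine for these simple tokens, which the page does not confirm; the query and patterns are constructed from the post (stray quotes dropped, the quote after column3 escaped), and `first_divergence`, `SPACED` and `TOLERANT` are hypothetical names.

```python
import re

# Constructed from the post: the query as the audit log would show it.
QUERY = 'insert into "schema1"."table_one" ("column1","column2","column3") values(?,?,?)'
# Constructed variant: same statement with spaces after commas and before "(".
SPACED = 'INSERT INTO "schema1"."table_one" ("column1", "column2", "column3") VALUES (?, ?, ?)'

# The rgxp from the post, with the quote after column3 escaped like the others.
AS_POSTED = (r'insert\sinto\s\"schema1\"\.\"table_one\"\s\(\"column1\",\s\"column2\",'
             r'\s\"column3\"\)\svalues\s\(\?,\s\?,\s\?\)')
# Hypothetical rewrite: whitespace made optional wherever SQL allows it.
TOLERANT = (r'insert\s+into\s+"schema1"\."table_one"\s*\("column1",\s*"column2",'
            r'\s*"column3"\)\s*values\s*\(\?,\s*\?,\s*\?\)')


def first_divergence(pattern, text, flags=re.IGNORECASE):
    """Return None if pattern matches text from its start, otherwise
    (pattern_offset, text_offset) of the longest pattern prefix that matched."""
    if re.match(pattern, text, flags):
        return None
    best = (0, 0)
    for i in range(1, len(pattern) + 1):
        try:
            m = re.match(pattern[:i], text, flags)
        except re.error:
            continue  # prefix cut mid-escape (trailing backslash), skip it
        if m:
            best = (i, m.end())
    return best


def report(name, pattern, text):
    d = first_divergence(pattern, text)
    if d is None:
        return f"{name}: match"
    p, t = d
    return f"{name}: stops at pattern[{p}:]={pattern[p:p+12]!r}, text[{t}:]={text[t:t+12]!r}"


if __name__ == "__main__":
    for name, pat in (("as posted", AS_POSTED), ("tolerant", TOLERANT)):
        for text in (QUERY, SPACED):
            print(report(name, pat, text))
```

Paste the query exactly as the audit record shows it: the check is only as good as the captured text, and any normalisation SecureSphere applies before matching is not modelled here.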
Thanks Cezmi, I was attempting to exclude the specific query, however I do not think it would be an issue to try what you suggested.
I made the adjustment and will report back with results after this job runs in our environment.
Just wanted to let you know that I tried your suggestion on my query, however it did not succeed in excluding it from my audit policy.
Please let me know if you have any other suggestions, otherwise I'll be taking another hard look at this signature documentation.
Thanks again for trying to help!
So I did not perform those steps since this was a custom audit policy, however your comment jarred my memory. About 2 years ago when we implemented Imperva, I had a similar support issue where I was trying to tune out some benign activity. I worked with support and they assisted with writing a custom signature.
It was not until you mentioned 'check and recheck' that I recalled a really simple step to get that old signature working. We played around with it for a week or so unsuccessfully, until I completely disabled the policy on my site, saved it, then reapplied it.
Such a simple step, but lo and behold I tried it yesterday morning and it worked! I feel so much better knowing my syntax was probably correct and it was just this really quirky Securesphere thing holding it back.
When in doubt: Disable and reapply the policy
Cezmi - Thank you for all the help, and I hope this helps out someone else in the future!
Totally agree with @Jaired Anderson !
@Michel Krahl thanks so much for sharing these great tips!
Copyright @ 2019 Imperva. All rights reserved