Forum Discussion
ASM Regex rule
I am attempting to write a series of rules to target SQL injections, due to false positives that are occurring with the inbox rules.
I know that the re2 logic is sound, but I keep getting errors with what I believe is the F5 portion of the logic. What do I precede this statement with to make a valid rule?
re2:[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]
valuecontent:"XXX";nocase;norm;re2:"[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]"
is throwing errors stating there are unescaped characters.
- suttonsc
Employee
Within the re2 content you need to delimit the regex with "/":
re2:"/[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]/";
As the rule is written above there will be a conflict between the Value Content and the general content targeted in the regex.
Either set the rule to target a different content type or set the modifier in the re2 to something other than general.
Example:
Header content
headercontent:"XXX"; nocase; re2:"/[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]/";
Setting the re2 to parameter and value pairs, or XML or JSON data payloads:
valuecontent:"XXX"; nocase; norm; re2:"/[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]/Vi";
There are a couple of useful resources for review:
https://devcentral.f5.com/articles/asm-custom-signatures-oh-my
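Inside a character class such as [a,A] the comma is a literal member, so the pattern in this thread also matches comma-separated text, which matters when the goal is fewer false positives. The following is an added example, not code from the original posts: it runs the posted pattern and an assumed tightened variant over constructed parameter values, using Python's re module as a stand-in for RE2. The tightened pattern, the sample values and the function names are assumptions, and ASM's "/" delimiters, modifiers and norm handling are not modelled.

```python
import re

# Pattern exactly as posted in the thread, without ASM's "/" delimiters.
POSTED = re.compile(r"[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]")

# Assumed tightening (not from the thread): commas removed from the
# character classes, case-insensitivity supplied by a flag instead.
TIGHTENED = re.compile(r"and\W'[a-z]'='[a-z]", re.IGNORECASE)

# Constructed parameter values, for illustration only.
SAMPLES = {
    "tautology_lower": "1' and 'a'='a",
    "tautology_upper": "1' AND 'x'='x",
    "csv_columns": "cols=a,d 'x'='y'",
    "comma_run": "list=,,, ','=','",
    "plain_prose": "salt and pepper",
}


def evaluate(samples=SAMPLES):
    """Return {name: (posted_hit, tightened_hit)} for each sample value."""
    return {
        name: (bool(POSTED.search(value)), bool(TIGHTENED.search(value)))
        for name, value in samples.items()
    }


def only_posted_hits(samples=SAMPLES):
    """Names matched by the posted pattern but not by the tightened one."""
    return sorted(n for n, (p, t) in evaluate(samples).items() if p and not t)


if __name__ == "__main__":
    for name, (posted, tightened) in evaluate().items():
        print(f"{name:16} posted={posted!s:5} tightened={tightened}")
    print("matched only because ',' is in the classes:", only_posted_hits())
```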