Custom Signature in ASM
I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule. I've read through the ASM syntax articles but appear to be missing something.
So basically we are seeing a number of the following type of URLs thrown at us: http://www.website.com/someurlhttp:/
The http in the URI is not something we would normally have so I created a custom signature with the following rule: uricontent:"http"; nocase; objonly;
I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature.
What am I missing?
Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM. Moved from comments for formatting.
when HTTP_REQUEST {
    # Data group name is "MalURI" followed by the virtual server's base name
    set uriclass "MalURI[URI::basename [virtual name]]"
    # Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
    if { [class match $luri contains $uriclass] } {
        HTTP::respond 200 content "Company Name\Naughty Naughty"
        log local0. "URI is $luri"
    }
}
- Ido_Breger_3805 (Historic F5 Account): Hi Mark, It is hard to tell without knowing the URLs, and looking at your configuration, but why don't you simply add these URLs to the "disallowed URL list" (under URLs->Disallowed URLs)?
- Mark_22062 (Nimbostratus): Hi Ido, That isn't really practical as the URLs being requested are fairly random but all contain the http keyword or some other keywords we would never use. I had generated an iRule that seemed to do the trick but was looking at using ASM to implement instead. The iRule I used was in conjunction with a string datagroup.
  when HTTP_REQUEST {
      set uriclass "MalURI[URI::basename [virtual name]]"
      # Check that URI is sanitised
      set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] } {
          HTTP::respond 200 content "Company Name\Naughty Naughty"
          log local0. "URI is $luri"
      }
  }
- Mark_van_D (Cirrostratus):
Got this to work. I tested the signature on a VS that only had explicit allowed URLs. When throwing some nonsense URLs at the VS it came up as signature detected.
So on a hunch I removed the explicit learning wildcard URL from the actual VS and it now detects the signature. ASM automatically re-added the wildcard learning URL to the policy but it is still detecting the nuisance URLs. This signature worked:
uricontent:"http"; nocase; objonly;
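An offline way to preview which request URIs the signature from this thread would flag before taking it out of learn/alarm mode. This is an added example, not code from the thread or from F5. It assumes `objonly` limits the match to the object part of the URI (the path before any `?`) and that `nocase` makes the match case-insensitive; the function names and sample URIs are constructed.

```python
from urllib.parse import urlsplit

KEYWORD = "http"  # the uricontent value used in the thread


def object_part(request_target: str) -> str:
    """Return the path only: no scheme, host, query string or fragment.

    Assumption: this is what 'objonly' restricts the match to.
    """
    return urlsplit(request_target).path


def signature_hits(request_target: str, keyword: str = KEYWORD) -> bool:
    """Emulate uricontent:"<keyword>"; nocase; objonly; on one request target."""
    return keyword.lower() in object_part(request_target).lower()


# Constructed sample request targets, not taken from real traffic.
SAMPLES = [
    "http://www.website.com/someurlhttp:/",     # nuisance pattern from the thread
    "/login?next=http://www.website.com/home",  # "http" only in the query string
    "/docs/HTTP-status.html",                   # legitimate path containing the keyword
    "/index.html",                              # ordinary request
]


def preview(samples=SAMPLES):
    """Map each sample to True (signature would match) or False."""
    return {target: signature_hits(target) for target in samples}


if __name__ == "__main__":
    for target, hit in preview().items():
        print(f"{'HIT ' if hit else 'pass'}  {target}")
```

The third sample shows why the policy should stay in alarm-only mode until real traffic has been reviewed: any legitimate path that contains the keyword will also match.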