Custom Signature in ASM

Question

I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule.  I've read through the ASM syntax articles but appear to be missing something.
So basically we are seeing a number of the following type of URLs thrown at us:
http://www.website.com/someurlhttp:/
The http in the URI is not something we would normally have so I created a custom signature with the following rule:
uricontent:"http"; nocase; objonly;
I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature.
What am I missing?
Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM.  Moved from comments for formatting.
when HTTP_REQUEST {
   set uriclass "MalURI[URI::basename [virtual name]]"
   Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] }
      { HTTP::respond 200 content "Company Name\Naughty Naughty"
      log local0. "URI is $luri"
      }
   }

ido_breger_3805 · Answer

Hi Mark,
It is hard to tell without knowing the URLs, and looking at your configuration , but why don't you simply add these URLs to the "disallowed URL list " (under URLs-&gt;Disallowed URLs)?

mark_22062 · Answer

Hi Ido,
That isn't really practical as the URLs being requested are fairly random but all contain the http keyword or some other keywords we would never use.  I had generated an irule that seemed to do the trick but was looking at using ASM to implement instead.  The irule I used was in conjunction with a string datagroup.

when HTTP_REQUEST {
   set uriclass "MalURI[URI::basename [virtual name]]"
   Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] }
  { HTTP::respond 200 content "Company Name\Naughty Naughty"
  log local0. "URI is $luri"
  }
   }

mark_van_d · Answer

Got this to work.  I tested the signature on a VS that only had explicit allowed URLs.  When throwing some nonsense URLs at the VS it came up as signature detected.
So on a hunch I removed the explicit learning wildcard URL from the actual VS and it now detects the signature.  ASM automatically re-added the wildcard learning URL to the policy but it is still detecting the nuisance URLs.
This signature worked:
uricontent:"http"; nocase; objonly;

Forum Discussion

Custom Signature in ASM

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

ASM Custom Signatures, oh my!

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

F5 AWAF/ASM Bot protection custom signature does not allow the traffic

Customized Bot Signature not working

Live Update- ASM attack signatures

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS