
Mark_22062
Aug 26, 2013

Custom Signature in ASM

I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule. I've read through the ASM syntax articles but appear to be missing something.

So basically we are seeing a number of the following type of URLs thrown at us: http://www.website.com/someurlhttp:/

The http in the URI is not something we would normally have so I created a custom signature with the following rule: uricontent:"http"; nocase; objonly;

I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature.

What am I missing?

Updated: I did have this working using an iRule and a string datagroup but am looking at implementing using ASM. Moved from comments for formatting.

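when HTTP_REQUEST {
    # Name of the string datagroup, built from the virtual server name
    set uriclass "MalURI[URI::basename [virtual name]]"
    # Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
    # The opening brace of the body must sit on the same line as the condition
    if { [class match $luri contains $uriclass] } {
        HTTP::respond 200 content "Company Name\Naughty Naughty"
        log local0. "URI is $luri"
    }
}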
  • Ido_Breger_3805
    Historic F5 Account
    Hi Mark, It is hard to tell without knowing the URLs and looking at your configuration, but why don't you simply add these URLs to the "disallowed URL list" (under URLs->Disallowed URLs)?
  • Hi Ido, That isn't really practical as the URLs being requested are fairly random but all contain the http keyword or some other keywords we would never use. I had generated an iRule that seemed to do the trick but was looking at using ASM to implement instead. The iRule I used was in conjunction with a string datagroup.

    when HTTP_REQUEST {
        set uriclass "MalURI[URI::basename [virtual name]]"
        # Check that URI is sanitised
        set luri [string tolower [HTTP::uri]]
        if { [class match $luri contains $uriclass] } {
            HTTP::respond 200 content "Company Name\Naughty Naughty"
            log local0. "URI is $luri"
        }
    }
  • Got this to work. I tested the signature on a VS that only had explicit allowed URLs. When throwing some nonsense URLs at the VS it came up as signature detected.

    So on a hunch I removed the explicit learning wildcard URL from the actual VS and it now detects the signature. ASM automatically re-added the wildcard learning URL to the policy but it is still detecting the nuisance URLs.

    This signature worked:

    uricontent:"http"; nocase; objonly;