Forum Discussion

Mark_22062's avatar
Mark_22062
Icon for Nimbostratus rankNimbostratus
Aug 26, 2013

Custom Signature in ASM

I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule. I've read through the ASM syntax articles but appear to be missing something.

So basically we are seeing a number of the following type of URLs thrown at us: http://www.website.com/someurlhttp:/

The http in the URI is not something we would normally have so I created a custom signature with the following rule: uricontent:"http"; nocase; objonly;

I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature.

What am I missing?

Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM. Moved from comments for formatting.

when HTTP_REQUEST {
   set uriclass "MalURI[URI::basename [virtual name]]"
   Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] }
      { HTTP::respond 200 content "Company Name\Naughty Naughty"
      log local0. "URI is $luri"
      }
   }
ASM Advanced WAF
security
signature
  • Ido_Breger_3805's avatar
    Ido_Breger_3805
    Historic F5 Account
    Aug 26, 2013
    Hi Mark, It is hard to tell without knowing the URLs, and looking at your configuration , but why don't you simply add these URLs to the "disallowed URL list " (under URLs->Disallowed URLs)?
  • Mark_22062's avatar
    Mark_22062
    Icon for Nimbostratus rankNimbostratus
    Aug 26, 2013
    Hi Ido, That isn't really practical as the URLs being requested are fairly random but all contain the http keyword or some other keywords we would never use. I had generated an irule that seemed to do the trick but was looking at using ASM to implement instead. The irule I used was in conjunction with a string datagroup. when HTTP_REQUEST { set uriclass "MalURI[URI::basename [virtual name]]" Check that URI is sanitised set luri [string tolower [HTTP::uri]] if { [class match $luri contains $uriclass] } { HTTP::respond 200 content "Company Name\Naughty Naughty" log local0. "URI is $luri" } }
  • Mark_van_D's avatar
    Mark_van_D
    Icon for Cirrostratus rankCirrostratus
    Aug 28, 2013

    Got this to work. I tested the signature on a VS that only had explicit allowed URLs. When throwing some nonsense URLs at the VS it came up as signature detected.

    So on a hunch I removed the explicit learning wildcard URL from the actual VS and it now detects the signature. ASM automatically re-added the wildcard learning URL to the policy but it is still detecting the nuisance URLs.

    This signature worked:

    uricontent:"http"; nocase; objonly;