Forum Discussion

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      thanks for the reply

      do you mean that in the second example the netstat.exe is treated as parameter and not as fle type?

      and how should I act on positional parameters to block these kind of request?

      • Samir's avatar
        Samir
        Icon for MVP rankMVP

        do you mean that in the second example the netstat.exe is treated as parameter and not as fle type? Its parameter(Query String) not file type.

        and how should I act on positional parameters to block these kind of request?

        1. Navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings > Illegal parameter data type
        2. Then Security ›› Application Security : Parameters : Parameters List ›› Add Parameter...
        3. Parameter Level: URL, URL Path: GET, Location: Query string,  Parameter Value Type: User-input values,  Data Type: Alpha-Numbric, Regular Expression: ^(.*\.)(exe)$ 

        Hope it will work.

  • In order to block the request, you can follow these steps:

    1)_ Fix and use the REGEX : (([A-Za-z0-9_-]+)\.exe).*$
         Tool: https://regex101.com/

    2)_ Create Attack Signature List.
         Security ›› Options : Application Security : Attack Signatures : Attack Signatures List

    3)_ Create custom "Attack Signature Sets"
         Security ›› Options : Application Security : Attack Signatures : Attack Signature Sets

    4)_ Enforce the Signature in the policy

    5)_ Test