Forum Discussion

Mark_van_D's avatar
Mark_van_D
Icon for Cirrostratus rankCirrostratus
Aug 26, 2013

Custom Signature in ASM

I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule. I've read through the ASM syntax articles but appear to be missing something.

So basically we are seeing a number of the following type of URLs thrown at us: http://www.website.com/someurlhttp:/

The http in the URI is not something we would normally have so I created a custom signature with the following rule: uricontent:"http"; nocase; objonly;

I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature.

What am I missing?

Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM. Moved from comments for formatting.

when HTTP_REQUEST {
   set uriclass "MalURI[URI::basename [virtual name]]"
   Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] }
      { HTTP::respond 200 content "Company Name\Naughty Naughty"
      log local0. "URI is $luri"
      }
   }
No RepliesBe the first to reply