Configuring a Web Attack Signature policy
The FortiGuard Web Attack Signature service provides a database of attack signatures that is updated periodically to protect against new kinds of attacks. Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures. The categories are reported in logs.
In the Web Attack Signature policy configuration, you can enable or disable each class of scanpoint and set the action taken when traffic matches a signature.
There are three classes of scanpoints:
- HTTP Header—Scans traffic against HTTP header signatures. If you enable a policy at all, you are enabling HTTP header scanning.
- HTTP Request Body—Scans traffic against HTTP request body signatures.
- HTTP Response Body—Scans traffic against HTTP response body signatures.
Header scanning is always a good practice, so enabling a policy always enables header scanning. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency becomes an issue.
You can specify separate actions for three levels of event severity:
- High—We recommend you deny traffic for high severity events.
- Medium—We recommend you deny or alert, according to your preference. To be strict, deny; otherwise, alert.
- Low—We recommend you allow the traffic and log an alert for low severity events.
Web Attack Signature predefined policies describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.
Policy | Status | Action |
---|---|---|
High-Level-Security | Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled. | High Severity Action—Deny. Medium Severity Action—Deny. Low Severity Action—Alert. |
Medium-Level-Security | Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled. | High Severity Action—Deny. Medium Severity Action—Alert. Low Severity Action—Alert. |
Alert-Only | Scan HTTP header—Enabled. Scan HTTP Request Body—Disabled. Scan HTTP Response Body—Disabled. | High Severity Action—Alert. Medium Severity Action—Alert. Low Severity Action—Alert. |
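The following Python model is an added illustration, not code from the FortiADC documentation or product: it encodes the three predefined policies above and shows what each one does with a given signature match, which makes the practical difference between them visible (for example, a medium-severity request-body match is denied, alerted, or never even inspected depending on the policy). The scanpoint labels and action strings are assumptions chosen for this example.

```python
from dataclasses import dataclass

# Scanpoint labels and action names are this example's own conventions,
# not identifiers from the product.
SCANPOINTS = ("header", "request_body", "response_body")


@dataclass(frozen=True)
class SignaturePolicy:
    name: str
    scan_request_body: bool
    scan_response_body: bool
    actions: dict  # severity ("high"/"medium"/"low") -> "deny" | "alert"
    # HTTP header scanning is always on once a policy is enabled,
    # so it is not a configurable field here.


# The three predefined policies, transcribed from the table above.
PREDEFINED = {
    "High-Level-Security": SignaturePolicy("High-Level-Security", True, False,
        {"high": "deny", "medium": "deny", "low": "alert"}),
    "Medium-Level-Security": SignaturePolicy("Medium-Level-Security", True, False,
        {"high": "deny", "medium": "alert", "low": "alert"}),
    "Alert-Only": SignaturePolicy("Alert-Only", False, False,
        {"high": "alert", "medium": "alert", "low": "alert"}),
}


def evaluate(policy: SignaturePolicy, scanpoint: str, severity: str) -> str:
    """Outcome for a signature match: the severity action, or 'not-scanned'
    when the policy never inspects that part of the traffic at all."""
    if scanpoint not in SCANPOINTS:
        raise ValueError(f"unknown scanpoint {scanpoint!r}")
    # A disabled scan class means the signature is never matched, so no
    # action (and no log entry) results, regardless of severity.
    if scanpoint == "request_body" and not policy.scan_request_body:
        return "not-scanned"
    if scanpoint == "response_body" and not policy.scan_response_body:
        return "not-scanned"
    return policy.actions[severity]


def compare(scanpoint: str, severity: str) -> dict:
    """Outcome of the same match under every predefined policy."""
    return {name: evaluate(p, scanpoint, severity) for name, p in PREDEFINED.items()}


if __name__ == "__main__":
    for sp in SCANPOINTS:
        for sev in ("high", "medium", "low"):
            print(f"{sp:14s} {sev:6s} {compare(sp, sev)}")
```

Note that no predefined policy scans the HTTP response body, so response-body signatures only take effect in a policy you create yourself.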
Basic Steps
- Configure the connection to FortiGuard so that the system can receive periodic WAF Signature Database updates. See Configuring FortiGuard service settings.
- Optionally, if you do not want to use the predefined policies, configure Web Attack Signature policies. See below.
- When configuring the WAF profile, select a policy that you associate with virtual servers. See Configuring a Web Attack Signature policy.
Before you begin:
- You must have read-write permission for security settings.
To configure a Web Attack Signature policy:
- Go to Web Application Firewall > Known Web Attacks.
- Click the Web Attack Signature tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in Web Attack Signature configuration.
- Save the configuration.
Settings | Guidelines |
---|---|
Category | This dialog provides tools for configuring a Web attack signature policy. |
Name | Specify a unique name for the Web attack signature policy and click Save. Valid characters are Note: Once saved, the policy name cannot be changed. |
Category | This section lists the (main) categories of Web attack signatures within the system. Do the following to include the desired categories of Web attack signature in the policy: |
Sub-category | This section lists the sub-categories of a (main) category of Web attack signature that you have opened (double-clicked) from above. Do the following to enable any of the sub-categories of interest: |
Signature | This dialog provides tools for searching through and filtering Web attack signatures available within the system. |
Search | Use the following options to search for Web attack signatures to display: Note: Web attack signatures that match your search criterion show up in the Signature section below the moment you click the corresponding Search button. |
Filters | Use any or a combination of the following filters to filter the Web attack signatures to be displayed in the Signature section below: |
Signature | This section displays all Web attack signatures that match your search and filter criteria, showing the following information for each Web attack signature: |
Signature Detail | This section shows detailed information about the Web attack signature that you've highlighted (clicked) in the Signature section above. |
Detail | This tab shows the following information about the selected signature: |
Edit Signature | This tab provides tools for editing a selected Web attack signature. It contains the following fields: |
The following table summarizes the categories of threats that are detected by the signatures.
Category (ID) | Subcategory (ID) |
---|---|
Cross Site Scripting (1) | Generic XSS Attack (42) |
SQL Injection (2) | Generic SQL Injection (43) |
Generic Attacks (3) | OS Command Injection (1); Coldfusion Injection (2); LDAP Injection (3); Command Injection (4); Session Fixation (5); File Injection (6); PHP Injection (7); SSI Injection (8); UPDF XSS (9); Email Injection (10); HTTP Response Splitting (11); RFI Injection (12); Xpath Injection (49); XML External Entities (57); Insecure Deserialization (59); HTTP Header Injection (60); Buffer Overflow (62); Denial Of Service (64) |
Trojans (4) | Trojans (44) |
Information Disclosure (5) | Zope Information Leakage (13); CF Information Leakage (14); PHP Information Leakage (15); ISA Server Existence Revealed (16); Microsoft Office Document Properties Leakage (17); CF Source Code Leakage (18); IIS Information Leakage (19); Weblogic Information Leakage (20); Generic Filename and Directory Leakage (21); ASP/JSP Source Code Leakage (22); PHP Source Code Leakage (23); SQL Error Leakage (24); HTTP Header Leakage (25); WordPress Leakage (26); Generic Malicious Leakage (47); Path Travel (58) |
Known Exploits (6) | Oracle 9i (27); Coppermine Photo Gallery (28); Netscape Enterprise Server (29); Cisco IOS HTTP Service (30); Microsoft SQL Server (31); HP OpenView Network Node Manager (32); Best Software SalesLogix (33); IBM Lotus Domino Web Server (34); Microsoft IIS (35); Microsoft Windows Media Services (36); Dave Carrigan Auth_LDAP (37); 427BB (38); RaXnet Cacti Graph (39); CHETCPASSWD (40); SAP (41); Generic Exploit (48); Lighttpd Server (53); Caucho Resin Server (54); JRun Web Server (55); IBM Lotus Domino (56); WordPress (61); Struts 2 (63); Joomla! (65) |
Credit Card Detection (7) | Credit Card Detection (45) |
Bad Robot (8) | Bad Robot (46) |
Cross Site Scripting (Extended) (9) | Cross Site Scripting (Extended) (50) |
SQL Injection (Extended) (10) | SQL Injection (Extended) (51) |
Generic Attacks (Extended) (11) | Generic Attacks (Extended) (52) |