Fortinet black logo

Handbook

Configuring a Web Attack Signature policy

Configuring a Web Attack Signature policy

The FortiGuard Web Attack Signature service provides a database of attack signatures that is updated periodically to protect against new kinds of attacks. Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures. The categories are reported in logs.

In the Web Attack Signature policy configuration, you can enable/disable the class of scanpoints and the action when traffic matches signatures.

There are three classes of scanpoints:

  • HTTP Header—Scans traffic against HTTP header signatures. If you enable a policy at all, you are enabling HTTP header scanning.
  • HTTP Request Body—Scans traffic against HTTP request body signatures.
  • HTTP Response Body—Scans traffic against HTTP response body signatures.

Header scanning is always a good practice, so enabling a policy always enables header scanning. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

You can specify separate actions for three levels of event severity:

  • High—We recommend you deny traffic for high severity events.
  • Medium—We recommend you deny or alert, according to your preference. To be strict, deny; otherwise, alert.
  • Low—We recommend you allow the traffic and log an alert for low severity events.

Web Attack Signature predefined policies describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.

Web Attack Signature predefined policies

Policy Status Action

High-Level-Security

Scan HTTP header—Enabled.

Scan HTTP Request Body—Enabled.

Scan HTTP Response Body—Disabled.

High Severity Action—Deny.

Medium Severity Action—Deny.

Low Severity Action—Alert.

Medium-Level-Security

Scan HTTP header—Enabled.

Scan HTTP Request Body—Enabled.

Scan HTTP Response Body—Disabled.

High Severity Action—Deny.

Medium Severity Action—Alert.

Low Severity Action—Alert.

Alert-Only

Scan HTTP header—Enabled.

Scan HTTP Request Body—Disabled.

Scan HTTP Response Body—Disabled.

High Severity Action—Alert.

Medium Severity Action—Alert.

Low Severity Action—Alert.

Basic Steps
  1. Configure the connection to FortiGuard so that the system can receive periodic WAF Signature Database updates. See Configuring FortiGuard service settings.
  2. Optionally, if you do not want to use the predefined policies, configure Web Attack Signature policies. See below.
  3. When configuring the WAF profile, select a policy that you associate with virtual servers . See Configuring a Web Attack Signature policy.

Before you begin:

  • You must have read-write permission for security settings.
To configure a Web Attack Signature policy:
  1. Go to Web Application Firewall > Known Web Attacks.
  2. Click the Web Attack Signature tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Web Attack Signature configuration.
  5. Save the configuration.

Web Attack Signature configuration

Settings Guidelines
Category This dialog provides tools for configuring a Web attack signature policy.

Name

Specify a unique name for the Web attack signature policy and click Save. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed between characters.

Note: Once saved, the policy name cannot be changed.

Category

This section lists the (main) categories of Web attack signatures within the system. Do the following to include the desired categories of Web attack signature in the policy:

  1. In the Name column, identify the categories of Web attack signatures of interest.
  2. In the Status column, select (check mark) the categories you like to include in the policy.
  3. In the Action column, select the action you want to apply to the categories that you select.
  4. Double-click the name of a category to view its sub-categories. See Sub-category below.

Sub-category

This section lists the sub-categories of a (main) category of Web attack signature that you have opened (double-clicked) from above. Do the following to enable any of the sub-categories of interest:

  1. In the Name column, identify the sub-categories of interest.
  2. In the Status column, select (check mark) the sub-categories you like to include in the policy.
Signature

This dialog provides tools for searching through and filtering Web attack signatures available within the system.

Search

Use the following options to search for Web attack signatures to display:

  • Description—Enter a descriptive text string and click Search.
  • ID—Enter a Web attack signature ID and click Search.
  • CVE Number—Enter a CVE number related to a Web attack signature and click Search.
  • Clear Search—Click this button to empty all search fields.

Note: Web attack signatures that match your search criterion show up in the Signature section below the moment you click the corresponding Search button.

Filters

Use any or a combination of the following filters to filter the Web attack signatures to be displayed in the Signature section below:

  • Category—Click the down arrow and select a (main) category of Web attack signatures from the drop-down menu.
  • Sub-category—Click the down arrow and select a sub-category of the category of Web attack signatures that you have selected.
  • Status —Click the down arrow and select either (Enable or Disable) from the drop-down menu.
  • Severity—Click the down arrow and select High, Medium, or Low from the drop-down menu.
  • Exception—Click the down arrow and select either (Yes or No) from the drop-down menu.
  • Clear All—Click this button to clear the existing filters. Note: You can also remove a specific filter by clicking the corresponding x mark.
Signature

This section displays all Web attack signatures that match your search and filter criteria, showing the following information for each Web attack signature:

  • ID
  • Status
  • Name
  • Severity
  • Target Application
  • Exception Name
Signature Detail

This section shows detailed information about the Web attack signature that you've highlighted (clicked) in the Signature section above.

Detail

This tab shows the following information about the selected signature:

  • Signature ID
  • Category
  • Sub-category
  • Severity
  • Target Application
  • Description
  • CVE Number (if one exsits)
  • Reference (if one exists)
  • Found In
Edit Signature

This tab provides tools for editing a selected Web attack signature. It contains the following fields:

  • Signature ID—(Read only) Shows the ID of the selected signature.
  • Status—Click to enable or disable the signature.
  • Exception Name—Click the down arrow and select an exception from the drop-down menu.

Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures.

Web Attack Signature categories and subcategories

Category (ID) Subcategory (ID)

Cross Site Scripting (1)

Generic XSS Attack (42)

SQL Injection (2)

Generic SQL Injection (43)

Generic Attacks (3)

OS Command Injection (1)

Coldfusion Injection (2)

LDAP Injection (3)

Command Injection (4)

Session Fixation (5)

File Injection (6)

PHP Injection (7)

SSI Injection (8)

UPDF XSS (9)

Email Injection (10)

HTTP Response Splitting (11)

RFI Injection (12)

Xpath Injection (49)

XML External Entities (57)

Insecure Deserialization (59)

HTTP Header Injection (60)

Buffer Overflow (62)

Denial Of Service (64)

Trojans (4)

Trojans (44)

Information Disclosure (5)

Zope Information Leakage (13)

CF Information Leakage (14)

PHP Information Leakage (15)

ISA Server Existence Revealed (16)

Microsoft Office Document Properties Leakage (17)

CF Source Code Leakage (18)

IIS Information Leakage (19)

Weblogic information leakage (20)

Generic Filename and Directory leakage (21)

ASP/JSP Source Code Leakage (22)

PHP Source Code Leakage (23)

SQL Error leakage (24)

HTTP Header Leakage (25)

WordPress Leakage (26)

Generic Malicious Leakage (47)

Path Travel (58)

Known Exploits (6)

Oracle 9i (27)

Coppermine Photo Gallery (28)

Netscape Enterprise Server (29)

Cisco IOS HTTP Service (30)

Microsoft SQL Server (31)

HP OpenView Network Node Manager (32)

Best Sofrware SalesLogix (33)

IBM Lotus Domino Web Server (34)

Microsoft IIS (35)

Microsoft Windows Media Services (36)

Dave Carrigan Auth_LDAP (37)

427BB (38)

RaXnet Cacti Graph (39)

CHETCPASSWD (40)

SAP (41)

Generic Exploit (48)

Lighttpd Server (53)

Caucho Resin Server (54)

JRun Web Server (55)

IBM Lotus Domino (56)

WordPress (61)

Struts 2 (63)

Joomla! (65)

Credit Card Detection (7)

Credit Card Detection (45)

Bad Robot (8)

Bad Robot (46)

Cross Site Scripting (Extended) (9)

Cross Site Scripting (Extended) (50)

SQL Injection (Extended) (10)

SQL Injection (Extended) (51)

Generic Attacks (Extended) (11)

Generic Attacks (Extended) (52)

Configuring a Web Attack Signature policy

The FortiGuard Web Attack Signature service provides a database of attack signatures that is updated periodically to protect against new kinds of attacks. Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures. The categories are reported in logs.

In the Web Attack Signature policy configuration, you can enable/disable the class of scanpoints and the action when traffic matches signatures.

There are three classes of scanpoints:

  • HTTP Header—Scans traffic against HTTP header signatures. If you enable a policy at all, you are enabling HTTP header scanning.
  • HTTP Request Body—Scans traffic against HTTP request body signatures.
  • HTTP Response Body—Scans traffic against HTTP response body signatures.

Header scanning is always a good practice, so enabling a policy always enables header scanning. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

You can specify separate actions for three levels of event severity:

  • High—We recommend you deny traffic for high severity events.
  • Medium—We recommend you deny or alert, according to your preference. To be strict, deny; otherwise, alert.
  • Low—We recommend you allow the traffic and log an alert for low severity events.

Web Attack Signature predefined policies describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.

Web Attack Signature predefined policies

Policy Status Action

High-Level-Security

Scan HTTP header—Enabled.

Scan HTTP Request Body—Enabled.

Scan HTTP Response Body—Disabled.

High Severity Action—Deny.

Medium Severity Action—Deny.

Low Severity Action—Alert.

Medium-Level-Security

Scan HTTP header—Enabled.

Scan HTTP Request Body—Enabled.

Scan HTTP Response Body—Disabled.

High Severity Action—Deny.

Medium Severity Action—Alert.

Low Severity Action—Alert.

Alert-Only

Scan HTTP header—Enabled.

Scan HTTP Request Body—Disabled.

Scan HTTP Response Body—Disabled.

High Severity Action—Alert.

Medium Severity Action—Alert.

Low Severity Action—Alert.

Basic Steps
  1. Configure the connection to FortiGuard so that the system can receive periodic WAF Signature Database updates. See Configuring FortiGuard service settings.
  2. Optionally, if you do not want to use the predefined policies, configure Web Attack Signature policies. See below.
  3. When configuring the WAF profile, select a policy that you associate with virtual servers . See Configuring a Web Attack Signature policy.

Before you begin:

  • You must have read-write permission for security settings.
To configure a Web Attack Signature policy:
  1. Go to Web Application Firewall > Known Web Attacks.
  2. Click the Web Attack Signature tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Web Attack Signature configuration.
  5. Save the configuration.

Web Attack Signature configuration

Settings Guidelines
Category This dialog provides tools for configuring a Web attack signature policy.

Name

Specify a unique name for the Web attack signature policy and click Save. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed between characters.

Note: Once saved, the policy name cannot be changed.

Category

This section lists the (main) categories of Web attack signatures within the system. Do the following to include the desired categories of Web attack signature in the policy:

  1. In the Name column, identify the categories of Web attack signatures of interest.
  2. In the Status column, select (check mark) the categories you like to include in the policy.
  3. In the Action column, select the action you want to apply to the categories that you select.
  4. Double-click the name of a category to view its sub-categories. See Sub-category below.

Sub-category

This section lists the sub-categories of a (main) category of Web attack signature that you have opened (double-clicked) from above. Do the following to enable any of the sub-categories of interest:

  1. In the Name column, identify the sub-categories of interest.
  2. In the Status column, select (check mark) the sub-categories you like to include in the policy.
Signature

This dialog provides tools for searching through and filtering Web attack signatures available within the system.

Search

Use the following options to search for Web attack signatures to display:

  • Description—Enter a descriptive text string and click Search.
  • ID—Enter a Web attack signature ID and click Search.
  • CVE Number—Enter a CVE number related to a Web attack signature and click Search.
  • Clear Search—Click this button to empty all search fields.

Note: Web attack signatures that match your search criterion show up in the Signature section below the moment you click the corresponding Search button.

Filters

Use any or a combination of the following filters to filter the Web attack signatures to be displayed in the Signature section below:

  • Category—Click the down arrow and select a (main) category of Web attack signatures from the drop-down menu.
  • Sub-category—Click the down arrow and select a sub-category of the category of Web attack signatures that you have selected.
  • Status —Click the down arrow and select either (Enable or Disable) from the drop-down menu.
  • Severity—Click the down arrow and select High, Medium, or Low from the drop-down menu.
  • Exception—Click the down arrow and select either (Yes or No) from the drop-down menu.
  • Clear All—Click this button to clear the existing filters. Note: You can also remove a specific filter by clicking the corresponding x mark.
Signature

This section displays all Web attack signatures that match your search and filter criteria, showing the following information for each Web attack signature:

  • ID
  • Status
  • Name
  • Severity
  • Target Application
  • Exception Name
Signature Detail

This section shows detailed information about the Web attack signature that you've highlighted (clicked) in the Signature section above.

Detail

This tab shows the following information about the selected signature:

  • Signature ID
  • Category
  • Sub-category
  • Severity
  • Target Application
  • Description
  • CVE Number (if one exsits)
  • Reference (if one exists)
  • Found In
Edit Signature

This tab provides tools for editing a selected Web attack signature. It contains the following fields:

  • Signature ID—(Read only) Shows the ID of the selected signature.
  • Status—Click to enable or disable the signature.
  • Exception Name—Click the down arrow and select an exception from the drop-down menu.

Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures.

Web Attack Signature categories and subcategories

Category (ID) Subcategory (ID)

Cross Site Scripting (1)

Generic XSS Attack (42)

SQL Injection (2)

Generic SQL Injection (43)

Generic Attacks (3)

OS Command Injection (1)

Coldfusion Injection (2)

LDAP Injection (3)

Command Injection (4)

Session Fixation (5)

File Injection (6)

PHP Injection (7)

SSI Injection (8)

UPDF XSS (9)

Email Injection (10)

HTTP Response Splitting (11)

RFI Injection (12)

Xpath Injection (49)

XML External Entities (57)

Insecure Deserialization (59)

HTTP Header Injection (60)

Buffer Overflow (62)

Denial Of Service (64)

Trojans (4)

Trojans (44)

Information Disclosure (5)

Zope Information Leakage (13)

CF Information Leakage (14)

PHP Information Leakage (15)

ISA Server Existence Revealed (16)

Microsoft Office Document Properties Leakage (17)

CF Source Code Leakage (18)

IIS Information Leakage (19)

Weblogic information leakage (20)

Generic Filename and Directory leakage (21)

ASP/JSP Source Code Leakage (22)

PHP Source Code Leakage (23)

SQL Error leakage (24)

HTTP Header Leakage (25)

WordPress Leakage (26)

Generic Malicious Leakage (47)

Path Travel (58)

Known Exploits (6)

Oracle 9i (27)

Coppermine Photo Gallery (28)

Netscape Enterprise Server (29)

Cisco IOS HTTP Service (30)

Microsoft SQL Server (31)

HP OpenView Network Node Manager (32)

Best Sofrware SalesLogix (33)

IBM Lotus Domino Web Server (34)

Microsoft IIS (35)

Microsoft Windows Media Services (36)

Dave Carrigan Auth_LDAP (37)

427BB (38)

RaXnet Cacti Graph (39)

CHETCPASSWD (40)

SAP (41)

Generic Exploit (48)

Lighttpd Server (53)

Caucho Resin Server (54)

JRun Web Server (55)

IBM Lotus Domino (56)

WordPress (61)

Struts 2 (63)

Joomla! (65)

Credit Card Detection (7)

Credit Card Detection (45)

Bad Robot (8)

Bad Robot (46)

Cross Site Scripting (Extended) (9)

Cross Site Scripting (Extended) (50)

SQL Injection (Extended) (10)

SQL Injection (Extended) (51)

Generic Attacks (Extended) (11)

Generic Attacks (Extended) (52)