waf syntax-based-attack-detection
Using regular expression-based signatures to detect SQL/XSS injection attacks is core to a WAF solution. However, it is a continuous and tedious process to maintain and update the signatures to address new evasion techniques and to tune false positives and negatives for some attacks. To address this, syntax-based SQL/XSS injection detection is introduced.
Syntax
config waf syntax-based-attack-detection
edit "<policy_name>"
set sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set detection-target-sql { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }
set sql-arithmetic-operation-block-period <period_int>
set sql-arithmetic-operation-severity {High | Medium | Low | Info}
set sql-arithmetic-operation-status {enable | disable}
set sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}
set sql-arithmetic-operation-trigger <trigger_policy_name>
set sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set sql-condition-based-block-period <period_int>
set sql-condition-based-severity {High | Medium | Low | Info}
set sql-condition-based-status {enable | disable}
set sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set sql-condition-based-trigger <trigger_policy_name>
set sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set sql-embeded-queries-block-period <period_int>
set sql-embeded-queries-severity {High | Medium | Low | Info}
set sql-embeded-queries-status {enable | disable}
set sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}
set sql-embeded-queries-trigger <trigger_policy_name>
set sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set sql-function-based-block-period <period_int>
set sql-function-based-severity {High | Medium | Low | Info}
set sql-function-based-status {enable | disable}
set sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set sql-function-based-trigger <trigger_policy_name>
set sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set sql-line-comments-block-period <period_int>
set sql-line-comments-severity {High | Medium | Low | Info}
set sql-line-comments-status {enable | disable}
set sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}
set sql-line-comments-trigger <trigger_policy_name>
set sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set sql-stacked-queries-block-period <period_int>
set sql-stacked-queries-severity {High | Medium | Low | Info}
set sql-stacked-queries-status {enable | disable}
set sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}
set sql-stacked-queries-trigger <trigger_policy_name>
set xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set detection-target-xss { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }
set xss-html-attribute-based-block-period <period_int>
set xss-html-attribute-based-severity {High | Medium | Low | Info}
set xss-html-attribute-based-status {enable | disable}
set xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set xss-html-attribute-based-trigger <trigger_policy_name>
set xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set xss-html-css-based-block-period <period_int>
set xss-html-css-based-severity {High | Medium | Low | Info}
set xss-html-css-based-status {enable | disable}
set xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set xss-html-css-based-trigger <trigger_policy_name>
set xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set xss-html-tag-based-block-period <period_int>
set xss-html-tag-based-check-level {strict | moderate}
set xss-html-tag-based-severity {High | Medium | Low | Info}
set xss-html-tag-based-status {enable | disable}
set xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set xss-html-tag-based-trigger <trigger_policy_name>
set xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set xss-javascript-function-based-block-period <period_int>
set xss-javascript-function-based-severity {High | Medium | Low | Info}
set xss-javascript-function-based-status {enable | disable}
set xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set xss-javascript-function-based-trigger <trigger_policy_name>
set xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}
set xss-javascript-variable-based-block-period <period_int>
set xss-javascript-variable-based-severity {High | Medium | Low | Info}
set xss-javascript-variable-based-status {enable | disable}
set xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}
set xss-javascript-variable-based-trigger <trigger_policy_name>
config exception-element-list
edit "<list-id>"
set match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}
set operator {STRING_MATCH| REGEXP_MATCH}
set value-name <name_str>
set value-check {enable | disable}
set value <value_str>
set concatenate-type {AND | OR}
set attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}
next
end
next
end
Variable |
Description |
Default |
---|---|---|
"<policy_name>" |
Enter a name for the syntax based detection policy. |
No default |
sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
detection-target-sql { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS } |
Select the elements in the request that you want FortiWeb to scan:
You can select multiple elements, for example, |
Parameter Name/Parameter Value/Request Cookie |
sql-arithmetic-operation-block-period <period_int> | Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
sql-arithmetic-operation-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
sql-arithmetic-operation-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Arithmetic Operation Based Boolean Injection attack. |
|
sql-arithmetic-operation-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
sql-condition-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
sql-condition-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Arithmetic Operation Based Boolean Injection attack. |
|
sql-condition-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
sql-embeded-queries-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
sql-embeded-queries-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Embedded Queries SQL Injection attack. |
|
sql-embeded-queries-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
sql-function-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
sql-function-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for SQL Function Based Boolean Injection attack. |
|
sql-function-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
sql-line-comments-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
sql-line-comments-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Line Comments attack. |
|
sql-line-comments-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
sql-stacked-queries-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
sql-stacked-queries-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Stacked Queries SQL Injection attack. |
|
sql-stacked-queries-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
detection-target-xss { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS } |
Select the elements in the request that you want FortiWeb to scan:
You can select multiple elements, for example, |
Parameter Name/Parameter Value/Request Cookie |
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
xss-html-attribute-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
xss-html-attribute-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for HTML Attribute Based XSS Injection attack. |
|
xss-html-attribute-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
xss-html-css-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
xss-html-css-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for HTML CSS Based XSS Injection attack. |
|
xss-html-css-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
xss-html-tag-based-check-level {strict | moderate} |
Note: It is not advised to set it as |
strict
|
xss-html-tag-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
xss-html-tag-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for HTML Tag Based XSS Injection attack. |
|
xss-html-tag-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
xss-javascript-function-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
xss-javascript-function-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Javascript Function Based XSS Injection attack. |
|
xss-javascript-function-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response} |
Select the action FortiWeb takes when this injection type attack is identified.
Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail. |
alert_deny
|
Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. |
600
|
|
xss-javascript-variable-based-severity {High | Medium | Low | Info} |
When policy violations are recorded in the attack log, each log message contains a Severity Level (
|
High
|
xss-javascript-variable-based-status {enable | disable} |
Enable or disable the attack type detection for this rule. |
|
xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Javascript Variable Based XSS Injection attack. |
|
xss-javascript-variable-based-trigger <trigger_policy_name> |
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default |
"<list-id>" |
Enter an ID for the exception list. |
No default |
match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE} |
Select the type of request element to exempt from this rule. |
|
operator {STRING_MATCH | REGEXP_MATCH} |
|
|
value-name <name_str> |
Specify the name of the parameter to match. |
|
value-check {enable | disable} |
Enable to specify a parameter value to match in addition to the parameter name. |
|
value <value_str> |
Specify a HOST/URI/FULL-URL/PARAMETER/COOKIE value to match. |
No default |
concatenate-type {AND | OR} |
Later, you can use the exception list options to adjust the matching sequence for entries. |
|
attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection} |
Select the attack type you want to create the exception for. |
No default |