How do I create a custom signature that erases response packet content?
For 6.4.0 and later releases, we don’t recommend to use custom signatures to modify packets because signature is designed to detect malicious patterns instead of changing packet, and the erasing action of signature is actually masking, not deleting.
Please use “URL rewrite” to delete response header or mask response body for any releases after 6.4.0. Please refer to FortiWeb Administration Guide > Application Delivery > Rewriting & Redirecting for details.
For releases before 6.4.0, do the following.
- Create a custom signature rule that includes the following values:
Direction Response Expression Either a simple string or a regular expression that matches the response to erase. Action
Alert & Erase
The erase action replaces the content specified by Expression with
- Add an appropriate target:
The RESPONSE_STATUS is not erased in the raw packet.
If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.
For detailed custom signature creation instructions, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.
What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?
waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the
signature-class option, use one of the following IDs to specify the category of signature to match:
|Cross Site Scripting||01000000|
|Cross Site Scripting (Extended)||02000000|
|SQL Injection (Extended)||04000000|
|Generic Attacks (Extended)||06000000|
For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:
config waf custom-access rule
set action block-period
set severity High
set trigger "notification-servers1"
set status enable
config waf custom-access policy
set rule-name "sql-inject"
For more information on the
waf custom-access rule command, see the FortiWeb CLI Reference:
How do I reduce false positives and false negatives?
If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:
- If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting in FortiWeb Administration Guide), disable it.
- Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
- If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.
For details, see "Blocking known attacks & data leaks" in FortiWeb Administration Guide.
For details, see "Configuring action overrides or exceptions to data leak & attack detection signatures" in FortiWeb Administration Guide.
Fortinet can resolve the issue by modifying the attack signature.
If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:
- Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
- All the appropriate signatures are enabled.
- The enabled signatures do not have exceptions that permit the attack packets.
Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.
For additional information about reducing false positives, see "Reducing false positives" in FortiWeb Administration Guide.
Can signature attack be detected in WebSocket traffic?
When Web Protection > Protocol > WebSocket >Enable Attack signature is enabled, attack signatures in WebSocket message body can be detected.
But if WebSocket traffic has extension header and the extension header is allowed in WebSocket security rule, FortiWeb does not promise to detect attack signatures.
When you select the WebSocket Security policy in Policy > Web Protection Profile > Protocol, do select the signature in Known Attacks > Signatures.
From 7.0.2 and newer builds, signature attacks can be detected when websocket data is masked or compressed.