Custom Signature in ASM

Question

I am trying to create a custom signature that detects a number of Nuisance URLs that are being thrown at our site, but am having a few issues with the syntax of the rule.  I've read through the ASM syntax articles but appear to be missing something.
So basically we are seeing a number of the following type of URLs thrown at us:
http://www.website.com/someurlhttp:/
The http in the URI is not something we would normally have so I created a custom signature with the following rule:
uricontent:"http"; nocase; objonly;
I assigned it to a policy and set it to learn and alarm only but I am not seeing any hits on the signature.
What am I missing?
Updated: I did have this working using an irule and a string datagroup but am looking at implementing using ASM.  Moved from comments for formatting.
when HTTP_REQUEST {
   set uriclass "MalURI[URI::basename [virtual name]]"
   Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] }
      { HTTP::respond 200 content "Company Name\Naughty Naughty"
      log local0. "URI is $luri"
      }
   }

ido_breger_3805 · Answer

Hi Mark,
It is hard to tell without knowing the URLs, and looking at your configuration , but why don't you simply add these URLs to the "disallowed URL list " (under URLs-&gt;Disallowed URLs)?

mark_22062 · Answer

Hi Ido,
That isn't really practical as the URLs being requested are fairly random but all contain the http keyword or some other keywords we would never use.  I had generated an irule that seemed to do the trick but was looking at using ASM to implement instead.  The irule I used was in conjunction with a string datagroup.

when HTTP_REQUEST {
   set uriclass "MalURI[URI::basename [virtual name]]"
   Check that URI is sanitised
    set luri [string tolower [HTTP::uri]]
      if { [class match $luri contains $uriclass] }
  { HTTP::respond 200 content "Company Name\Naughty Naughty"
  log local0. "URI is $luri"
  }
   }

mark_van_d · Answer

Got this to work.  I tested the signature on a VS that only had explicit allowed URLs.  When throwing some nonsense URLs at the VS it came up as signature detected.
So on a hunch I removed the explicit learning wildcard URL from the actual VS and it now detects the signature.  ASM automatically re-added the wildcard learning URL to the policy but it is still detecting the nuisance URLs.
This signature worked:
uricontent:"http"; nocase; objonly;

Forum Discussion

Custom Signature in ASM

3 Replies

Recent Discussions

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

ASM Custom Signatures, oh my!

F5 AWAF/ASM Bot protection custom signature does not allow the traffic

Customized Bot Signature not working

Live Update- ASM attack signatures