Fortinet black logo

Administration Guide

FAQ

FAQ

How do I create a custom signature that erases response packet content?

For 6.4.0 and later releases, we don’t recommend to use custom signatures to modify packets because signature is designed to detect malicious patterns instead of changing packet, and the erasing action of signature is actually masking, not deleting.

Please use “URL rewrite” to delete response header or mask response body for any releases after 6.4.0. Please refer to FortiWeb Administration Guide > Application Delivery > Rewriting & Redirecting for details.

For releases before 6.4.0, do the following.

  1. Create a custom signature rule that includes the following values:
    DirectionResponse
    ExpressionEither a simple string or a regular expression that matches the response to erase.
    Action

    Alert & Erase

    The erase action replaces the content specified by Expression with xxx.

  2. Add an appropriate target:
  • RESPONSE_BODY

  • RESPONSE_HEADER
  • RESPONSE_STATUS

    The RESPONSE_STATUS is not erased in the raw packet.

If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.

  • Add the rule to a custom signature group, and then add the group to a signature policy that you can add to an inline or Offline Protection profile.
  • For detailed custom signature creation instructions, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?

    The waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class option, use one of the following IDs to specify the category of signature to match:

    Cross Site Scripting 01000000
    Cross Site Scripting (Extended) 02000000
    SQL Injection 03000000
    SQL Injection (Extended) 04000000
    Generic Attacks 05000000
    Generic Attacks (Extended) 06000000
    Known Exploits 09000000

    For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:

    config waf custom-access rule

    edit "sql-inject"

    set action block-period

    set severity High

    set trigger "notification-servers1"

    config signature-class

    edit 03000000

    set status enable

    next

    end

    next

    end

    config waf custom-access policy

    edit "sql-inject-policy"

    config rule

    edit 1

    set rule-name "sql-inject"

    next

    end

    next

    end

    For more information on the waf custom-access rule command, see the FortiWeb CLI Reference:

    HTTPs://docs.fortinet.com/product/fortiweb/

    How do I reduce false positives and false negatives?

    If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:

    1. If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting in FortiWeb Administration Guide), disable it.
    2. The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.

      For details, see "Blocking known attacks & data leaks" in FortiWeb Administration Guide.

    3. Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
    4. For details, see "Configuring action overrides or exceptions to data leak & attack detection signatures" in FortiWeb Administration Guide.

    5. If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
    6. Fortinet can resolve the issue by modifying the attack signature.

    If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:

    1. Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
    • All the appropriate signatures are enabled.
    • The enabled signatures do not have exceptions that permit the attack packets.
  • If your signature configuration is correct, capture the packet that FortiWeb did not identify as an attack and contact Fortinet Technical Support for assistance.
  • Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    For additional information about reducing false positives, see "Reducing false positives" in FortiWeb Administration Guide.

    FAQ

    How do I create a custom signature that erases response packet content?

    For 6.4.0 and later releases, we don’t recommend to use custom signatures to modify packets because signature is designed to detect malicious patterns instead of changing packet, and the erasing action of signature is actually masking, not deleting.

    Please use “URL rewrite” to delete response header or mask response body for any releases after 6.4.0. Please refer to FortiWeb Administration Guide > Application Delivery > Rewriting & Redirecting for details.

    For releases before 6.4.0, do the following.

    1. Create a custom signature rule that includes the following values:
      DirectionResponse
      ExpressionEither a simple string or a regular expression that matches the response to erase.
      Action

      Alert & Erase

      The erase action replaces the content specified by Expression with xxx.

    2. Add an appropriate target:
    • RESPONSE_BODY

    • RESPONSE_HEADER
    • RESPONSE_STATUS

      The RESPONSE_STATUS is not erased in the raw packet.

    If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.

  • Add the rule to a custom signature group, and then add the group to a signature policy that you can add to an inline or Offline Protection profile.
  • For detailed custom signature creation instructions, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?

    The waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class option, use one of the following IDs to specify the category of signature to match:

    Cross Site Scripting 01000000
    Cross Site Scripting (Extended) 02000000
    SQL Injection 03000000
    SQL Injection (Extended) 04000000
    Generic Attacks 05000000
    Generic Attacks (Extended) 06000000
    Known Exploits 09000000

    For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:

    config waf custom-access rule

    edit "sql-inject"

    set action block-period

    set severity High

    set trigger "notification-servers1"

    config signature-class

    edit 03000000

    set status enable

    next

    end

    next

    end

    config waf custom-access policy

    edit "sql-inject-policy"

    config rule

    edit 1

    set rule-name "sql-inject"

    next

    end

    next

    end

    For more information on the waf custom-access rule command, see the FortiWeb CLI Reference:

    HTTPs://docs.fortinet.com/product/fortiweb/

    How do I reduce false positives and false negatives?

    If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:

    1. If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting in FortiWeb Administration Guide), disable it.
    2. The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.

      For details, see "Blocking known attacks & data leaks" in FortiWeb Administration Guide.

    3. Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
    4. For details, see "Configuring action overrides or exceptions to data leak & attack detection signatures" in FortiWeb Administration Guide.

    5. If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
    6. Fortinet can resolve the issue by modifying the attack signature.

    If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:

    1. Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
    • All the appropriate signatures are enabled.
    • The enabled signatures do not have exceptions that permit the attack packets.
  • If your signature configuration is correct, capture the packet that FortiWeb did not identify as an attack and contact Fortinet Technical Support for assistance.
  • Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    For additional information about reducing false positives, see "Reducing false positives" in FortiWeb Administration Guide.