    Modifying Custom Attack Objects Due to Changes Introduced in Signature Update #1972

    This topic describes changes to some of the service contexts generated by the HTTP protocol decoder. Beginning with Signature Update #1972, the HTTP protocol decoder no longer generates some contexts. If your IDP security policy includes custom signatures that use the removed contexts, you must modify your attack object definitions as described below to avoid policy compilation errors.

    Reference: Removed Contexts

    To improve performance, the HTTP protocol decoder no longer generates the contexts listed in the first column of Table 1. Review this table for guidelines on replacing the contexts in custom attack objects.

    Table 1: HTTP Service Contexts

    Removed: http-text-html-body
    Replace with: http-text-html
    Guideline: Change signatures that use the context http-text-html-body to http-text-html. You do not need to change the signature pattern or other properties.

    Removed:
    • http-get-url-parsed-param
    • http-post-url-parsed-param
    • http-head-url-parsed-param
    • http-get-url-parsed-param-parsed
    • http-post-url-parsed-param-parsed
    • http-head-url-parsed-param-parsed
    Replace with a combination of the following contexts:
    • http-request-method
    • http-url-parsed
    • http-variable-parsed
    Guideline: Use a compound signature with a Boolean AND to break the signature pattern into multiple pieces. Ensure the Scope field is set to Transaction.

    Using the http-request-method context is optional. It binds detection to HTTP GET, POST, or HEAD transactions. For the GET method, use the pattern \[GET\] (case-insensitive GET). Use http-request-method only if the results you previously logged by matching on Request Method are worth preserving. If not, omit it to improve performance. If you do use http-request-method, order it first in the compound chain.

    Use the http-url-parsed context to match an attack signature identifiable in the URL. Use this context to match a pattern in the part of the URL that appears before the variable parameters, that is, before the question mark (?).

    Use one or more http-variable-parsed contexts to match the URL variable parameters, that is, the part of the URL after the question mark (?), normally separated by ampersands (&).

    Example: Replacing the Context for Patterns Appearing in HTML Text

    Each context generated by the HTTP detector engine has a performance cost. The contexts http-text-html and http-text-html-body serve the same purpose, so reducing the number of contexts improves performance.

    Table 2 shows the properties of a signature before Update #1972 and the signature after. This is a simple change. You change only the context. You do not need to change the pattern or other properties.

    Table 2: HTTP Service Contexts: HTML Text

                Before Update          After Update
    Context     http-text-html-body    http-text-html
    Pattern     .*<span></span>.*      .*<span></span>.*

    Example: Replacing the Contexts for Patterns Appearing in URLs

    This section has two parts: signatures that match request methods, and signatures that match URL strings and URL variables.

    Signatures that Match Request Methods

    When modifying custom attack objects that previously matched the request methods GET, POST, or HEAD, consider whether matching on these request method patterns was actually useful to you. Keep in mind that each context generated has a performance cost. If the request method is not essential to your results, take this opportunity to recast your signature without it.

    Table 3 and Table 4 show the properties of a signature before Update #1972 and the compound signature after. This example preserves an interest in request method.

    Table 3: HTTP Service Contexts: Request Methods Before Update

    Signature Before Update
    Scope
    Context     http-get-url-parsed-param
    Pattern     \[/viper/vegaspalms/\].*

    Table 4: HTTP Service Contexts: Request Methods After Update

    Compound Signature After Update
                m01                    m02
    Scope       Transaction
    Context     http-request-method    http-url-parsed
    Pattern     \[GET\]                \[/viper/vegaspalms/\].*

    Signatures that Match URL Strings and URL Variables

    In general, breaking a single pattern into multiple contexts can affect performance positively or negatively. Test your changes to understand the performance impact before deploying the attack objects in a production network. The example shown in Table 5 and Table 6 breaks URL matching into multiple contexts. Our security team has tested the performance of the recommendations described here.

    Table 5: HTTP Service Contexts: URL Strings and Variables Before Update

    Signature Before Update
    Scope
    Context     http-get-url-param-parsed-param
    Pattern     \[/cvs/index[0-9]?\.php\?option=com_content&do_pdf=1&id=1\]

    Table 6: HTTP Service Contexts: URL Strings and Variables After Update

    Compound Signature After Update
                m01                          m02                       m03                       m04
    Scope       Transaction
    Context     http-url-parsed              http-variable-parsed      http-variable-parsed      http-variable-parsed
    Pattern     \[/cvs/index[0-9]?\.php\]    \[option=com_content\]    \[do_pdf=1\]              \[id=1\]
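    The following is an added example, not part of this topic or of the IDP product: a small Python emulation of how the Table 4 and Table 6 compound signatures evaluate against request lines, so you can see before deployment how the split changes what matches. It assumes that the \[...\] syntax means case-insensitive matching (as stated for \[GET\] above), that patterns are searched within a context rather than anchored, that http-variable-parsed is generated once per URL variable, and it uses the Table 3 context name for the "before" form of the Table 5 signature. The request lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines (not captured traffic) exercising the examples above.
REQUESTS = [
    "GET /cvs/index2.php?option=com_content&do_pdf=1&id=1 HTTP/1.1",
    "GET /cvs/index.php?id=1&do_pdf=1&option=com_content HTTP/1.1",  # same variables, new order
    "GET /cvs/index.php?option=com_content&id=1 HTTP/1.1",           # do_pdf variable missing
    "POST /viper/vegaspalms/login.php HTTP/1.1",
    "get /VIPER/VegasPalms/ HTTP/1.1",
]

# Table 5 "before" signature (context name from Table 3) and the Table 4 / Table 6
# compound signatures; members of a compound signature are ANDed within one transaction.
BEFORE_TABLE5 = [("http-get-url-parsed-param",
                  r"\[/cvs/index[0-9]?\.php\?option=com_content&do_pdf=1&id=1\]")]
AFTER_TABLE6 = [("http-url-parsed", r"\[/cvs/index[0-9]?\.php\]"),
                ("http-variable-parsed", r"\[option=com_content\]"),
                ("http-variable-parsed", r"\[do_pdf=1\]"),
                ("http-variable-parsed", r"\[id=1\]")]
AFTER_TABLE4 = [("http-request-method", r"\[GET\]"),
                ("http-url-parsed", r"\[/viper/vegaspalms/\].*")]

def compile_idp(pattern):
    """Translate the \\[...\\] case-insensitive syntax into a scoped (?i:...) group;
    the rest of the pattern is passed through as an ordinary regular expression."""
    return re.compile(re.sub(r"\\\[(.*?)\\\]", r"(?i:\1)", pattern))

def contexts(request_line):
    """Emulated context generation for one request line (an assumption, not the
    decoder's real behaviour): http-variable-parsed is produced once per URL
    variable, and the removed method-specific context carries the whole target."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    return {
        "http-request-method": [method],
        "http-url-parsed": [parts.path],
        "http-variable-parsed": [f"{k}={v}" for k, v in parse_qsl(parts.query, keep_blank_values=True)],
        f"http-{method.lower()}-url-parsed-param": [target],
    }

def matches(signature, request_line):
    """Scope = Transaction: every member must match, each against some instance of its context."""
    ctx = contexts(request_line)
    return all(any(compile_idp(pat).search(inst) for inst in ctx.get(name, []))
               for name, pat in signature)

if __name__ == "__main__":
    for line in REQUESTS:
        print(f"{line:66} before={matches(BEFORE_TABLE5, line)!s:5} "
              f"table6={matches(AFTER_TABLE6, line)!s:5} table4={matches(AFTER_TABLE4, line)}")
```

    Note that the second request matches the Table 6 compound form but not the single "before" pattern, because the split no longer depends on the order of the URL variables; review whether that broader coverage is what you intend before deploying.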

    Published: 2011-08-11