server-policy pattern suspicious-url-rule
Use this command to add one or more predefined suspicious URL rules to a suspicious URL rule group.
Each entry in a suspicious URL group defines a type of URL that the FortiWeb appliance considers to be possibly malicious when gathering data for an auto-learning profile.
HTTP requests for URLs typically associated with administrative access to your web applications or web server, for example, may be malicious if they originate from the Internet instead of your management LAN. You may want to discover such requests for the purpose of designing blacklist page rules to protect your web server.
If you know that your network’s web servers are not vulnerable to a specific type of suspicious URL, such as if the URL is associated with attacks on Microsoft IIS web servers but all of your web servers are Apache web servers, omit it from the suspicious URL group to improve performance. The FortiWeb appliance will not expend resources scanning traffic for that type of suspicious URL.
To see the regular expressions used in the predefined suspicious URL rules, in the web UI, go to Auto Learn > Predefined Pattern > URL Pattern.
Suspicious URL groups are used by auto-learning profiles. For details, see “config server-policy policy”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the traroutegrp area. For more information, see “Permissions”.
Syntax
config server-policy pattern suspicious-url-rule
  edit <rule-group_name>
    config type-list
      edit <entry_index>
        set server-type { Abyss | Apache | Appweb | BadBlue | Blazix | Cherokee | ColdFusion | IIS | JBoss | Jetty | Jeus_WebContainer | LotusDomino | Tomcat | WebLogic | WebSEAL | WebSiphon | Xerver | ZendServer | aolserver  | ghttpd | lighttpd | lilhttpd | localweb2000 | mywebserver | ngnix | omnihttpd | samba | squid | svn | webshare | xeneo | xitami | zeus | zope}
      next
    end
    set custom-susp-url-rule <rule_name>
  next
end
Variable: <rule-group_name>
Description: Type the name of the suspicious URL rule group. The maximum length is 35 characters. To display the list of existing groups, type:
  edit ?
Default: No default.

Variable: <entry_index>
Description: Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
Default: No default.

Variable: server-type { Abyss | Apache | Appweb | BadBlue | Blazix | Cherokee | ColdFusion | IIS | JBoss | Jetty | Jeus_WebContainer | LotusDomino | Tomcat | WebLogic | WebSEAL | WebSiphon | Xerver | ZendServer | aolserver  | ghttpd | lighttpd | lilhttpd | localweb2000 | mywebserver | ngnix | omnihttpd | samba | squid | svn | webshare | xeneo | xitami | zeus | zope}
Description: For each rule index, select the type of the web server, application, or servlet. FortiWeb will detect attempts to access URLs that are usually sensitive for that software.
Default: No default.

Variable: <rule_name>
Description: Type the name of a custom suspicious URL rule (see “config server-policy pattern custom-susp-url-rule”).
 
Example
This example configures a suspicious URL rule group named suspicious-url-group1. The group detects HTTP requests for administratively sensitive URLs on some common web servers, which could represent attack attempts, and includes a custom suspicious URL rule.
config server-policy pattern suspicious-url-rule
  edit suspicious-url-group1
    config type-list
      edit 1
        set server-type Apache
      next
      edit 2
        set server-type Apache
      next
      edit 3
        set server-type Tomcat
      next
      edit 4
        set server-type WebLogic
      next
    end
    set custom-susp-url-rule "Suspicious URL 1"
  next
end
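The following Python script is an added example, not Fortinet code. It builds a rule group that contains only the server types found in an inventory, in line with the advice above to omit types you do not run, and it rejects values that the Syntax section does not list. The function names build_rule_group and quote and the sample inventory are assumptions made for illustration.

```python
# Added example: build a suspicious-url-rule group from a server inventory.
# Helper names and the sample inventory are hypothetical (constructed).
# server-type tokens exactly as listed in the Syntax section of this page.
SERVER_TYPES = (
    "Abyss Apache Appweb BadBlue Blazix Cherokee ColdFusion IIS JBoss Jetty "
    "Jeus_WebContainer LotusDomino Tomcat WebLogic WebSEAL WebSiphon Xerver "
    "ZendServer aolserver ghttpd lighttpd lilhttpd localweb2000 mywebserver "
    "ngnix omnihttpd samba squid svn webshare xeneo xitami zeus zope"
).split()
MAX_GROUP_NAME = 35  # maximum rule group name length stated on this page


def quote(value):
    """Quote names containing spaces; refuse characters that break the line."""
    if any(ch in value for ch in '"\r\n'):
        raise ValueError(f"unsafe character in name: {value!r}")
    return f'"{value}"' if " " in value else value


def build_rule_group(group_name, inventory, custom_rule=None):
    """Return CLI text for a group covering only the server types in use."""
    if not 0 < len(group_name) <= MAX_GROUP_NAME:
        raise ValueError(f"group name must be 1-{MAX_GROUP_NAME} characters")
    selected, unknown = [], []
    for server_type in inventory:
        if server_type not in SERVER_TYPES:
            unknown.append(server_type)    # this script compares tokens exactly
        elif server_type not in selected:
            selected.append(server_type)   # one type-list entry per type
    if unknown:
        raise ValueError(f"not a listed server-type: {', '.join(unknown)}")
    lines = ["config server-policy pattern suspicious-url-rule",
             f"  edit {quote(group_name)}",
             "    config type-list"]
    for index, server_type in enumerate(selected, start=1):
        lines += [f"      edit {index}",
                  f"        set server-type {server_type}",
                  "      next"]
    lines.append("    end")
    if custom_rule:
        lines.append(f"    set custom-susp-url-rule {quote(custom_rule)}")
    lines += ["  next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inventory: the server software actually deployed.
    print(build_rule_group("suspicious-url-group1",
                           ["Apache", "Tomcat", "WebLogic"], "Suspicious URL 1"))
```

Review the generated text before pasting it into the CLI; the script only validates names against the list on this page and does not contact the appliance.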
Related topics
config waf web-protection-profile autolearning-profile
config server-policy pattern custom-susp-url