Configuring action overrides or exceptions to data leak & attack detection signatures

You can configure FortiWeb to omit attack signature scans in some cases. You can also configure the signature to generate a log or alert only instead of blocking the attack.

Exceptions are useful when you know that some parameters, during normal use, cause false positives by matching an attack signature. Signature exceptions define request parameters that are not subject to signature rules. You can define exceptions using the following request elements: HTTP Method, Client IP, Host, URI, Full URL, Parameter, and Cookie.

For example, the HTTP POST URL /pageupload accepts input that is PHP code, but it is the only URL on the host that does. Create an exception that disables that specific signature ID in the PHP Injection category for the URL /pageupload, within the signature rule that normally blocks all injection attacks.

If you are not sure which exceptions to create, examine your attack log for messages generated by normal traffic on servers that are not actually vulnerable to that attack. Click the Message field content, and then click Add Exception.
Disabling signatures, adding exceptions, or setting the action to Alert Only while viewing the attack log

To configure a signature exception, action override, or disable a signature

1.  Go to Web Protection > Known Attacks > Signatures.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

2.  Select a signature policy and click Edit or View.

A dialog appears.

3.  Click Signature Details.

4.  In the signature tree on the left, click a category folder to open the signature category where you need to disable a specific signature. Select an individual sub-category to display a list of individual signature IDs in the pane to the right. Optionally, in the pane that lists individual signatures, click Search.

5.  Click the row of the signature ID to disable.

The selected signature row is highlighted in yellow.

6.  To disable the signature for this rule, or globally, right-click the signature’s row and select the appropriate option.

7.  On the Signature tab, do the following:

8.  If you want to exempt specific host name/URL combinations, in the Signature ID pane on the right side, select the Exception tab and click Create New.

9.  For Element Type, select the type of element to exempt from this signature, and then configure these settings:

HTTP Method
  Operation
    • Include: FortiWeb does not perform a signature scan for requests that include the specified HTTP methods.
    • Exclude: FortiWeb only performs signature scans for requests that include the specified HTTP methods.
  HTTP Method: Select the methods to include or exclude from the signature exemption.

Client IP
  Operation
    • Equal: FortiWeb does not perform a signature scan for requests with a client IP address that matches the value of Client IP.
    • Not Equal: FortiWeb only performs a signature scan for requests with a client IP address that matches the value of Client IP.
  Client IP: Specify the client IP address that FortiWeb uses to determine whether or not to perform a signature scan for the request.

Host
  Operation
    • String Match: Value is a literal host name.
    • Regular Expression Match: Value is a regular expression that matches all and only the hosts that the exception applies to.
  Value: Specifies the Host: field value to match.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).

URI
  Operation
    • String Match: Value is a literal URL.
    • Regular Expression Match: Value is a regular expression that matches all and only the URIs that the exception applies to.
  Value: Specifies a URL value to match. The value does not include parameters. For example, /testpage.php matches requests for http://www.test.com/testpage.php?a=1&b=2.
    If Operation is String Match, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).
    If Operation is Regular Expression Match, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
    Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).

Full URL
  Operation
    • String Match: Value is a literal URL.
    • Regular Expression Match: Value is a regular expression that matches all and only the URLs that the exception applies to.
  Value: Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2 matches requests for http://www.test.com/testpage.php?a=1&b=2.
    If Operation is String Match, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).
    If Operation is Regular Expression Match, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
    Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).

Parameter
  Operation
    • String Match: Name is the literal name of a parameter.
    • Regular Expression Match: Name is a regular expression that matches all and only the names of the parameters that the exception applies to.
  Name: Specifies the name of the parameter to match.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
  Check Value of Specified Element: Select to specify a parameter value to match in addition to the parameter name.
  Value: Specifies the parameter value to match.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).

Cookie
  Operation
    • String Match: Name is the literal name of a cookie.
    • Regular Expression Match: Name is a regular expression that matches all and only the names of the cookies that the exception applies to.
  Name: Specifies the name of the cookie to match.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
  Check Value of Specified Element: Select to specify a cookie value to match in addition to the cookie name.
  Value: Specifies the cookie value to match.
    To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).

Concatenate
  • And: A matching request matches this entry in addition to other entries in the exemption list.
  • Or: A matching request matches this entry instead of other entries in the exemption list.

Later, you can use the exception list options to adjust the matching sequence for entries. See Example: Concatenating exceptions.

10.  Click Apply.

11.  Repeat the previous steps for each entry that you want to add to the signature exception.

FortiWeb generates a dynamic description of the match sequence you created and displays it at the top of the exception list. You can adjust the sequence using the move options (up and down arrows).

Example: Concatenating exceptions

The illustration displays the following signature exception configuration:

The final logic of the example is (1 And 2) OR (3), which means FortiWeb skips the signature when both the URI and HTTP Method exception rules match the request, or the Client IP rule matches.
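The following Python is an added illustration, not FortiWeb code, of how the element-type operations described in the settings table and the Concatenate setting combine into the (1 And 2) OR (3) decision above. It assumes that an entry's Concatenate setting joins it to the next entry in the list and that And binds tighter than Or (neither is stated on the page); the URLs and the 192.0.2.10 / 203.0.113.5 addresses are constructed sample values.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    client_ip: str
    host: str
    url: str  # path plus query string, e.g. "/testpage.php?a=1&b=2"

def _text_match(op, pattern, candidate):
    # "String Match" is a literal comparison; "Regular Expression Match" is a regex search.
    if op == "String Match":
        return candidate == pattern
    return re.search(pattern, candidate) is not None

def entry_matches(entry, req):
    # True when a single exception entry matches the request (i.e. the scan would be skipped).
    kind, op = entry["type"], entry["op"]
    if kind == "HTTP Method":  # Include: skip the scan for these methods; Exclude: skip for all others
        hit = req.method in entry["methods"]
        return hit if op == "Include" else not hit
    if kind == "Client IP":  # Equal: skip the scan for this IP; Not Equal: skip for every other IP
        hit = req.client_ip == entry["value"]
        return hit if op == "Equal" else not hit
    if kind == "Host":
        return _text_match(op, entry["value"], req.host)
    if kind == "URI":  # URI is compared without the query string; Full URL keeps it
        return _text_match(op, entry["value"], req.url.split("?", 1)[0])
    if kind == "Full URL":
        return _text_match(op, entry["value"], req.url)
    raise ValueError(f"unsupported element type: {kind}")

def exception_applies(entries, req):
    # Assumed model: an entry's Concatenate joins it to the next entry, and And binds tighter than Or.
    groups, current = [], []
    for entry in entries:
        current.append(entry_matches(entry, req))
        if entry.get("concat", "Or") == "Or":
            groups.append(all(current))
            current = []
    return any(groups) or (bool(current) and all(current))

# Constructed exception list mirroring the documented (1 And 2) Or (3) example (192.0.2.10 is a documentation address).
EXAMPLE_EXCEPTIONS = [
    {"type": "URI", "op": "String Match", "value": "/pageupload", "concat": "And"},
    {"type": "HTTP Method", "op": "Include", "methods": {"POST"}, "concat": "Or"},
    {"type": "Client IP", "op": "Equal", "value": "192.0.2.10"},
]
```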

Filtering signatures

You can filter signatures using a keyword.

You can filter your view of the signatures in a signature policy to quickly find the following items:

To easily locate these kinds of signatures for review or editing, click Filters in the navigation tree, select the type of filter you want to apply, and then click Apply.
