-
Cisco ACE Web Application Firewall User Guide (Software Version 6.0)
-
Preface
-
Introducing the Cisco ACE Web Application Firewall
-
Securing Web Applications
-
First Steps
-
Working with Virtual Web Applications
-
Working with Profiles
-
Developing Rules and Signatures
-
XML Threat Defense
-
Working with Ports and Hostnames
-
Configuring Destination Server Settings
-
Securing Traffic with SSL/TLS
-
Managing Resource Files
-
Deploying the Policy
-
Managing the Policy
-
Monitoring System Status
-
Managing Web Console Users
-
Managing Firewall Clusters
-
Configuring the Manager Web Console
-
Table Of Contents
Developing Rules and Signatures
General Signature Development Guidelines
General Rule Development Guidelines
Message Inspection Rule Format
Developing Rules and Signatures
This chapter describes how to develop custom web application security rules and signatures. It covers these topics:
Overview
The Cisco ACE Web Application Firewall includes an extensive library of rules and signatures you can use to secure web applications out-of-the-box. Built-in rules exist for stopping many types of server attacks, such as cross-site scripting attacks, SQL and LDAP injection attacks, and command injection attacks.
Nevertheless, applications often have unique security and content privacy concerns. The built-in resources may not address all requirements specific to your application or environment. For such cases, the Cisco ACE Web Application Firewall enables you to create your own custom rules and signatures. This extensibility enables you to tightly mold the capabilities of the Cisco ACE Web Application Firewall to your specific requirements.
You create custom rules and signatures using the Reactor rules language, as described here. After you have uploaded your rules and signatures into the Manager, they can be applied in web application profiles in the same manner as built-in rules.
In most cases, rule development will be motivated by a requirement to apply new signatures based on new or emerging attack patterns. Therefore, rule development projects will typically involve development of new signatures along with new rules.
The general steps for developing signatures and rules are:
1.
Create the signatures needed to match the traffic you want to be processed or secured by the rules.
Both signatures and rules are created and loaded into the system as text files. However, since the Manager treats rules and signatures as separate resources, you should create them in separate text files.
2.
3.
4.
Once uploaded, the custom rules are available to be applied in profiles. Also, note that the rules can be modified later directly from the Manager interface.
While these steps describe development that includes signatures along with rules, there are cases in which developing new rules will not depend on new signatures. For example, you may need to apply one of the built-in unused rules, or you may want to apply a built-in signature differently from how it is applied by the built-in rules. Most commonly, you may need to write a rule that does not use signatures. For example, to implement a rule that checks for data overflow, you would have a rule statement such as:
REQUEST_PARAMS.count() gt 100
As another example, checking a specific parameter against a regular expression could be achieved with an expression such as:
REQUEST_PARAM['username'] nre '[A-Za-z0-9]+'
The following sections provide more information on the rule development steps and requirements.
Message Normalization
To simplify rule development, the ACE Web Application Firewall automatically normalizes the message before evaluating rules against it. This alleviates you from having to deal with various types of message variations in the rules and signatures you create. For example, you do not need to create one version of a signature or rule for ISO-8859-1-based attacks and another for the same attack in UTF-8. It can also sanitize message content.
Message normalization does not affect the message that is actually passed through the ACE Web Application Firewall to the destination (except for NULL-byte screening and header unfolding); it is performed only on a copy of the message, or, more precisely, on the values from the message used to populate the variables that are used for rule evaluation, such as REQUEST_PARAMS or REQUEST_URL (see Rule Variables).
While normalization does not itself modify the output message (except for header whitespace unfolding), it can affect the output if you use variables in other contexts of the policy, such as in custom error messages or HTTP header processing. For instance, you can normalize a part of a request and use it to populate an outgoing header value.
Messages are subject to two types of message normalization. The first is called passive normalization. It happens to every message automatically. The second type of normalization is invoked directly from rules using the normalize() function.
Passive Normalization
Passive normalization affects messages as follows:
•
•
–
For ASCII characters, to match an argument that contains a percent-encoded character such as %27 (the URL-encoded single tick character), your custom signature can simply look for "'".
You can use Unicode characters in rules and signatures (such as certain cyrillic characters), which will be successfully matched, although the uploaded signature or rules file must be in UTF-8 format.
To look for a non-character decoded value in a signature, you can do so by putting a hex expression in the signature or regular expression, such as \x09, to look for a byte that just represents 9.
–
•
•
–
Note
–
normalize() Function
The purpose of the normalization process described in "Passive Normalization" section is to alleviate signatures and rules from having to be written to contend with many low-level encoding issues in evaluated message content. However, except for path normalization (which helps to assign a request to a handler), this level of normalization is not intended to prevent higher-level obfuscations, such as excessive whitespace, encoded entities (such as using <script instead of <script), and breaking up attack strings with comments.
The second level of normalization, direct normalization, is intended to deal with just this type of obfuscation. To use direct normalization, you invoke the normalize() function on a part of a message, as follows:
VARIABLE['fieldName'].normalize() op testvalue
Such as:
REQUEST_HEADER['My-Header'].normalize(charset|uunicode) re 'attack!'
In this case, the value of the HTTP header, My-Header, is normalized prior to being tested against the regular expression, "attack!".
In the case of GET and POST parameters and POST bodies, many of the normalization processes described here are applied automatically, and do not need to be applied again with this function. However HTTP headers, multipart content disposition, and so on, are not extensively normalized by passive normalization and are subject to manual normalization through the normalize function.
The normalize() function can apply all processing that is applied to GET or POST arguments automatically (that is, URL-decoding and %u-decoding). In addition, it can:
1.
2.
3.
4.
5.
While the primary intent of normalize() is to deter obfuscation attempts, it also eases signature and rule authoring. For instance, instead of writing a regular expression to look for an arbitrary amount of whitespace between an attribute name and its value, you can assume there will be zero or one space.
Executing normalize() on a value when running an expression against it (such as in the example, REQUEST_HEADER['My-Header'].normalize(charset|uunicode) re 'attack!') does not alter the value of the parameter Name. The normalized value will be produced and used only for this particular regular expression evaluation.
In general, you should apply normalize() to any value before running a content-based signature (such as command injection) against it. However, there may be cases where running normalize() renders an attack unrecognizable, and in which the attack can only be caught in its raw form.
You can also use normalize() in any place in the virtual web application configuration in which you an output content, such as in custom error response messages or in headers. For example, you can replace a raw header with a sanitized version in the HTTP header processing configuration, that is, by replacing the value of header Custom-header with REQUEST_HEADER['Custom-header'].normalize(). Thus, while a normalized version of the message is not propagated to the outgoing request, you can use the HTTP header processing feature to normalize the headers propagated to the outgoing message.
Note
To use the normalize() function, you must identify the aspect of normalization you want to apply to the message as a parameter. The supported parameters follow. You can pass multiple parameters using the pipe operator ("|"):
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Developing Signatures
A signature contains at least one content pattern designed to match messages of interest to rules. Messages matched by the signature are subject to the rule action. The system includes numerous built-in signatures. In addition you can create and apply your own, as described here.
You first create signatures in a text file that you then upload to the Manager. The text file may contain one or more signatures, each of which must belong to a signature group. A rule applies a signature through a reference to its signature group, as illustrated in .
Figure 6-1 Ruleset and signature set file
While the system does not impose requirements on how you organize signatures by groups, organizing signatures sensibly can help optimize performance. Since the ACE Web Application Firewall compiles each signature group into a single executable unit, multiple signatures in a single group can be applied to traffic more rapidly than the same number of signatures in multiple groups. As a general rule, signatures that target a particular class of attack should be grouped together into a single signature group. Keep in mind that if a particular signature within a group is not applicable for a given web application, policy developers can use a modifier to exempt the non-applicable signature for the application.
A signature statement consists of an identifier for the signature, its group, and several other properties. One of the properties is the regex attribute, which contains a regular expression to be applied to message content. The regular expression implementation employed by web application security features of the Cisco ACE Web Application Firewall is PCRE (Perl-Compatible Regular Expressions). The regular expression can include PRCE regular expression special characters, such as a dollar ($) to match the end of a string or a caret (^) to match the start of a string. A backslash escapes special characters, causing them to be evaluated as simple characters. Not all PCRE features are supported. Specifically, referencing captured groups is not supported.
Note
Viewing Existing Signatures
When creating your own signatures or rules, it is usually helpful to start from an example provided by one of the built-in resources. There are two views to the source code of the signatures loaded in the policy, the formatted view and the raw view:
•
•
The raw view is helpful when you are first creating the signature source file. The formatted view is useful to quickly find regular expression patterns used in the system for various attack signatures.
Basic Example
As shown in the signature source code view, a basic signature declaration appears as follows:
SQLInjection_m.drop:DROP regex: ;\s*\bDROP\b nocase: true name: DROPThe sample has one signature, drop, which belongs to the signature group SQLInjection_m. Along with the signature name and group declaration, the signature has these properties:
•
•
•
•
A rule applies a signature to traffic by referencing the name of the signature group, as follows:
RULEGROUPNAME.RuleName:REQUEST_ALL sig SQLInjection_mThe identifier following the sig keyword, SQLInjection_m, identifies the signature group.
The following sections provide more information on the parts of a signature.
About the Quick Pattern
A signature can apply a regular expression to message content in two phases: the first is the quick pattern expression. If a message matches the quick pattern and the regex attribute also appears in the signature, the full regular expression in the regex attribute is applied to the message content.
The quick pattern is an optimization feature that allows the ACE Web Application Firewall to quickly disqualify messages from signature applicability. It uses a limited regular-expression-like syntax to do a very fast initial check of the message. If the quick pattern matches a message, the ACE Web Application Firewall applies the full regular expression (if present). Both expressions need to produce a positive match for the rule to be triggered. A signature can have just one of a quick pattern or regex property, in which case only that expression needs to be satisfied by the message content for the rule action to be triggered.
Note
In practice, the quick pattern commonly checks for the minimum character sequence that indicates potential content of interest, while the regular expression provides a more thorough test of the content, as illustrated by the built-in SQL injection signature for the DROP command:
Quick pattern: DROP
Regex pattern: ;\s*\bDROP\b
The quick pattern expression syntax comprises a subset of the PCRE syntax. Besides literal character matching, it includes support for:
•
•
–
–
–
–
–
–
•
•
Built-In Signature Notes
The following notes apply to the built-in signatures included in the base configuration and available for your rule development.
Unused signatures
While most built-in signatures are applied by one of the built-in rules, several are not. They are included in the base configuration and are available for use in your custom rules.
•
•
•
•
These signatures match characters that are often present in legitimate messages. For instance, the single quote character may appear in surnames entered as form data, such as O'Neil. You should use them, therefore, only if you are certain that they are appropriate for your application traffic or if applying the signatures in monitor mode only.
CreditCard Signature group
The built-in signature groups include several credit card signature groups that all look for credit card numbers of various lengths. Notice that the signatures will match any appropriately delimited (with spaces or hyphens) set of numbers of the specified length. They do not apply any checksum formula (such as the Luhn algorithm) to verify that the numeric sequence of a suspected credit card number is actually a valid credit card number.
Uploading Custom Signatures
When finished developing signatures, you upload them to the Manager to make them available in the policy. To upload custom signatures:
Step 1
Step 2
Step 3
Step 4
Step 5
After the signatures are successfully loaded into the policy, they can be used to identify content of interest in messages handled by the ACE Web Application Firewall.
You can update the resource at any time by clicking the edit link next to the resource in the signature list and uploading an updated file in the edit resource page.
General Signature Development Guidelines
Each uploaded signature file comprises a single named resource in the policy. As such, it is subject to version-control and policy archiving features of the Manager.
The following lists general guidelines for signature file composition:
•
# Cisco Signature File v. <majorversion>.<minorversion>
The version numbers should match the system parser version against which you have created the signatures, 1.0 in the current release.
•
•
•
•
Signature Syntax
The format for a signature definition follows:
X-<sig_group_id>.<sig_id>: <quick_pattern> <attribute-name>: <attribute-value><attribute-name>: <attribute-value>...Where:
•
•
•
•
•
–
–
–
–
Each attribute should be on its own line, and should be preceded by one or more whitespaces. While the attributes are optional, it is recommended that all signatures have a name attribute for usability in the web console.
•
•
Sample Signature File
An example signature list file follows:
Example 6-1 Signature list file
# Cisco Signature File v. 1.8 # Copyright Cisco Systems, Inc. All Rights Reserved X-NextThreat_b.exec:exec regex: ;\s*\bexec\b nocase: true name: exec nextthreat command attack X-NextThreat_b.kick: kick nocase: true name: kick nextthreat command attack X-NextThreat_m.start:start nocase: true name: start nextthreat command attack X-NextThreat_m.cmd: cmdshell nocase: true name: cmdshell nextthreat command attack X-PastThreat_m.cmd: dial nocase: true name: dial command attack X-Privacy.USSocialSec:\d\d\d-\d\d-\d\d\d\d name: Social Security number screeningThe example creates four signature groups, X-NextThreat_b, X-NextThreat_m, X-PastThreat_m, and X-Privacy. Following the convention of the built-in signatures, the signature groups are named with the first letter of their severity level appended to the group name, "b" for basic and "m" for moderate.
While the examples set the nocase attribute to true (which means that signatures are applied in a case-insensitive fashion), setting this attribute to true is not strictly necessary since this is the default comparison mode.
You can try loading the sample by copying the text of Example 6-1 into a text file, and loading it into the Manager as described in "Uploading Custom Signatures" section. After loading the signatures, you can apply them in custom rules.
Developing Rules
A rule specifies the signatures to be applied to message content. Custom message inspection rules and message rewriting rules are supported. Message inspection rules are only applicable to requests, whereas message rewrite rules are only applicable to response messages.
A rule includes an expression that defines a condition for the rule action. In most cases, the expression is made up of the identifier for the part of the message to be checked and a reference to the signature to use for the check. It can also include functions, operators, or other advanced features.
As with signatures, custom rules are developed in a text file which, once uploaded to the Manager, comprises a named resource in the Manager. Since a rules file is treated as a single resource in the Manager, if you need to create a large number of rule groups for many applications, it may make sense to organize rule groups across multiple source files.
The following example shows the format of the rule set file:
Example 6-2 Rule set file format
# Cisco Rule File v. <major_version>.<minor_version>GROUP X-<rulegroup_id>:<rulegroup_name>X-<rulegroup_id>.<rule_name>:<message_inspection_scope> sig <siggroup_name>name: <rule_descriptive_name>sev: <severity_level>Rule set files must begin with the Cisco Rule file declaration as its first line. The version numbers should reflect the version of the rule set parser against which the rules are written, 1.0 for the current version of the rule parser. The GROUP keyword declares a rule group, which can contain one or more rules.
User-created signature groups and rule groups must begin with the "X-" characters to ensure uniqueness with built-in rule groups. The rule definition starts by declaring the group to which it belongs. It then specifies the part of the message to be inspected and the signature used for the inspection.
Example 6-3 Rule set file example
# Cisco Rule File v. 1.0 # Group declarations GROUP X-InspectRules: My Inspection Rule group GROUP X-RewriteRules: My Message Rewrite Rule group # rule declarations X-InspectRules.NextThreat1:REQUEST_PARAM_ALL sig X-NextThreat_b name: Parameter inspection for Next Threat sev: 0 X-InspectRules.NextThreat2:REQUEST_HEADER sig X-NextThreat_b name: Header inspection for Next Threat sev: 0 X-InspectRules.NextThreat3:REQUEST_ALL sig X-NextThreat_m | X-PastThreat_m name: Closer Inspection for Next Threat sev: 1 # rewrite rules X-RewriteRules.SsnMask: rewrite X-Privacy name: Prevents SSN leak rewriteChar: X desc: Finds and rewrites SSNThe example defines three message inspection rules and a message rewrite rule. Note that the message inspection rules include a sev, or severity, property. The rule's sev value allows profiles to apply rules in a rule group selectively based on their severity, with values: 0 (basic), 1 (moderate), or 2 (strict). The message rewrite rule includes a rewriteChar value, which is used to replace each character of the matched content in the message.
The first two message inspection rules are distinguished by the part of the message to be inspected for the signature.
You can try loading the sample rules by copying the text of Example 6-3 into a text file, and loading it into the Manager as described in "Uploading Custom Rules" section. Before attempting to load the rules, you will need to upload the signatures listed in Example 6-1. After loading the rules, you can apply them in profiles.
Viewing Existing Rules
As with signatures, when creating your own rules, it is often helpful to start from an example provided by a built-in rule definition. To view the rule definitions, in the Rules & Signature page, click the Details link next to the rule, and then the View Source button at the bottom of the details page. The raw source code of the rule set appears.
Uploading Custom Rules
After you have finished developing rules, as described in the following sections, you will need to upload them to the Manager to make them available in the policy.
To upload custom rule files:
Step 1
Step 2
Step 3
Step 4
The rule source code appears in the Rule Definitions field. Note that while you can type or paste the rule source code directly into this field, in most cases, it will be loaded from an external text file.
Step 5
Step 6
The Manager validates the rules. Any validation errors are indicated at the top of the page. If rules reference signatures that have not been loaded, for instance, a rule validation error results.
The custom rules now appear in the web console page, as shown in . They are also listed in profiles, where they can be enabled to be made applicable to network traffic.
Figure 6-2 Custom rules in the web console
In the Rules & Signatures page, you can view the source code of the resource by clicking the Details link next to the name of the custom rule. After loaded to the policy, the rule source code is modifiable by clicking the Edit Rule File button at the bottom of the details page. You can edit the rule file to add new rules, modify, or remove rules from the rule set resource. Removing a rule group removes its availability from all profiles, including those in which the rule group is enabled.
General Rule Development Guidelines
Each uploaded rule file comprises a single named resource in the policy. As such, it is subject to version-control and policy archiving features of the Manager. The following lists general guidelines for rule file composition:
•
# Cisco Rule File v. <majorversion>.<minorversion>
The version should match the parser version of the system for which the rule are created, 1.0 in the current release.
•
•
•
•
•
Rule Syntax
As previously mentioned, you can create two types of rules for web application security:
•
•
The syntax between the two types varies slightly. However, both start by identifying the rule group to which it belongs, followed by a period, and then the rule's own identifier, as follows:
SQLINJECTION.SqlInjection1:REQUEST_ALL sig SQLInjection
...In the example, a new rule named SqlInjection1 is declared in the rule group SQLINJECTION. After the name is a colon (:) followed by the rule statement, which includes the part of the message to be inspected along with signatures to be applied.
The example is a message inspection rule. A message rewrite rule starts with a similar arrangement of identifiers. However, the keyword rewrite follows the colon.
The following sections provide details on the message syntax.
Rule Group Declaration
A group declaration defines properties for a rule group. The only property applicable to group declaration is desc, a description property.
Note that if there is no GROUP declaration for a rule group ID reference in a rule declaration, the rule group is created automatically. Its name will be set to the same value as its ID, and it will have an empty description.
Rule groups are declared in the following format:
GROUP X-<rule_group_id>: <group name> <wsp>desc: <description><newline>The declaration is made up of the following components:
•
•
–
–
–
–
•
•
•
Message Inspection Rule Format
Message inspection rules use the following format.
<rule_group_id>.<rule_id>: <rule_statement> <attribute-name>: <attribute-value><attribute-name>: <attribute-value>...The rule is made up of the following:
•
•
–
–
–
•
•
Message inspection rules can have the following attributes:
–
–
–
Message Rewrite Rule Format
Rather than acting upon the entire message, message rewrite rules modify the portion of the message content matched by the signature. The signature may be matched multiple times in a single message. These rules are most commonly used to identify and overwrite sensitive content in a message.
Rewrite rules can only use quick pattern expressions to match content. For more information, see "About the Quick Pattern" section.
Message rewrite rules have the following format.
<rule_group_id>.<rule_id>: rewrite <sig_group_id> <attribute-name>: <attribute-value><attribute-name>: <attribute-value>...The rule is made up of the following:
•
•
–
–
–
•
•
Rewrite rules can only apply signatures that use DFA expressions; it cannot apply PCRE expressions. Therefore, the regular expression "\d{4,6}" could not be used, and would have to be replaced with three different signatures, each one for a different pattern length.
•
Rewrite rules can have the following attributes:
–
–
–
Rule Statement Format
The rule statement is generally a conditional expression which, if resolving to true, triggers the rule action. The rule statement appears after the colon following the rule ID:
<rule_group_id>.<rule_id>: <rule_statement>
The rule statement format is:
<variable-expr> <operator> <test-value>
For example:REQUEST_PARAM_ALL sig X-NextThreat_b
In this case, sig is the operator. It applies the test value specified by the signature or signature group name (X-NextThreat_b) to the tested value (all parameters). Rule statements can comprise tests based on other factors than a rule match. For instance, the following statement checks the number of request parameters:
REQUEST_PARAMS.count() gt 128
The sample tests whether the number of parameters in the requests exceeds 128. If true, the rule action is triggered. It is made up of:
•
•
•
These rule expression features provide significant flexibility in defining custom rule behavior, as listed in these sections:
Rule Operators
The following operators apply a binary test to a given test and tested value. If the test resolves to false, the tested content is excluded from rule applicability. The rule operators are listed inthe following table.
Table 6-1 Rule operators
Rule Variables
Rule variables provide access to runtime information. Variables exist, for example, for request parameters, headers, and client information, such as the client IP. Variables allow you to create rule conditions based on these runtime values.
In addition to rule composition, variables can be used in other areas of the policy as well. For example, you can include them in custom error response messages by referencing the variable in this form in the HTML response: $(varname). Also, they are available in header processing fields, so that variable values can be added as HTTP headers to outgoing messages.
Note
Certain variables can provide access to the values of named parameters associated with a request in the following form:
VARIABLE_NAME['param']
Where param is the name of the web form variable.
For example:
REQUEST_HEADER['Referer'] sig CrossScript_m
In this case, the HTTP request header Referer is specifically checked for a content match against the signatures in CrossScript_m. Request parameter values can be retrieved in a similar fashion by passing the name of the parameter as identified in the POST form.
The variables available for rule development are listed in the following table. Where example return values are indicated, the return is based on a request URL of:
http://example.com:8080/details.do?v1=value1&v2=value2&v3=value3
Table 6-2 Rule variables
Rule Functions
Rule functions apply special processing operations to rule values before the rule is evaluated.
The following functions are available for rule composition. Note that they are also available in other contexts of the policy, such as in custom error response text or header processing fields. To apply a function to a variable value in a error response, enter them in the form $(varname.function), such as $(REQUEST_PARAMS.count()).
Table 6-3 Rule functions
count()
Returns the number of items identified by variable, such as REQUEST_PARAMS.count().
size()
Returns the total size of items referenced by variable.
maxsize()
Returns the size of the largest value of items referenced by variable.
urlencode()
Converts all values referenced by variable to their URL-encoded equivalent.
normalize(expr)
Normalizes items specified by the expr parameter. By normalizing a value, the function transforms it into canonical form, removing arbitrary variations or possible harmful content. For more information, see "normalize() Function" section.
