is it possible to handle Linux/Windows commands in threat protection policy

Hi Team,

Can anyone please let me know how to handle Linux/Windows patterns using the threat protection policy?

Sample patterns are mentioned below.

Useful Commands: Linux
whoami
ifconfig
uname -a

Useful Commands: Windows
ipconfig
dir
ver

@dino @anilsagar @odinos 


You can specify a regular expression that captures those strings, and others like them. You can use the Variable element in the RegularExpressionProtection policy, specifying request.content as the variable. That implies "the entire body of the request". And then specify a number of different regexi to capture those things.

<RegularExpressionProtection name="REP-1">
  <Source>request</Source> <!-- not sure if necessary when looking at variables only -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- request.content holds the entire body, regardless of content-type -->
  <Variable name="request.content">
    <Pattern>whoami</Pattern>
    <Pattern>ipconfig</Pattern>
    <Pattern>uname</Pattern>
    <!-- ... -->
  </Variable>
</RegularExpressionProtection>

You probably also want to check request.uri - that variable holds the URI - the proxy basepath, followed by all path segments after that, and any query parameters. That's another common attack vector. So also check that for the same kinds of strings or threats. SQL injection and so on.

For commands like ver and dir, those strings might possibly be embedded in benign words, which would mean that using something like this :

<!-- captures "version" and "vertical" as well as "ver" -->
<Pattern>ver</Pattern>

...would result in "false positives" - the RegularExpressionProtection policy would throw a fault even when there is no fault. To address that you might want to sharpen your regex so that it finds those words only when there is a "word boundary" surrounding them. This uses the \b operator in regex. Like so:

<Pattern>\bver\b</Pattern>

And of course you can use "logical or" within the regex to collapse all those patterns:

<!-- captures any of the words -->
<Pattern>\b(ver|dir|whoami|ipconfig)\b</Pattern>

Finally, a note on testing. It's important to test your policy configuration and your regexes. I find regexr to be really handy for interactive testing, exploring and learning regex. Here is a source code repo that allows you to test regex expressions against a large variety of input data. You can use that to test YOUR SPECIFIC regex against a number of US street addresses, to see if your regex will trigger false positives.
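The false-positive problem described in this reply (a bare "ver" matching "version", a bare "dir" matching "redirect") is easy to measure offline before a pattern goes into the policy. The script below is an added example, not code from the reply's author or from Apigee: it runs the un-bounded alternation and the \b-bounded alternation over a handful of constructed request bodies and URIs, labelled benign or suspicious, and reports which benign samples each pattern flags and which suspicious samples it misses. It assumes that Python's re module agrees with the policy's regex engine on \b and alternation, which holds for these constructs; the sample strings are made up for the test and are not captured traffic.

```python
import re

# Constructed candidate patterns, mirroring the two forms discussed in the reply.
# NAIVE_PATTERN has no word boundaries, BOUNDED_PATTERN wraps the alternation in \b.
COMMAND_WORDS = ["ver", "dir", "whoami", "ipconfig", "ifconfig", "uname"]
NAIVE_PATTERN = r"(" + "|".join(COMMAND_WORDS) + r")"
BOUNDED_PATTERN = r"\b(" + "|".join(COMMAND_WORDS) + r")\b"

# Constructed samples standing in for request.content and request.uri values.
# Benign ones contain the command words only as fragments of ordinary words.
BENIGN_SAMPLES = [
    '{"version": "2.1", "directory": "/home/app"}',   # a JSON body
    "/v1/orders?sort=vertical&page=2",                 # a URI with query string
    "Please redirect me to the dashboard",             # a plain-text body
]
# Suspicious ones carry a command word as a standalone token.
SUSPICIOUS_SAMPLES = [
    '{"cmd": "whoami"}',
    "/v1/orders?q=uname -a",
    "name=; ver",
]


def matches(pattern: str, text: str) -> bool:
    """True if the pattern is found anywhere in the text (search, not full match)."""
    return re.search(pattern, text) is not None


def evaluate(pattern: str, benign: list, suspicious: list):
    """Return (false_positives, missed) for one pattern over labelled samples.

    false_positives: benign samples the pattern would block.
    missed:          suspicious samples the pattern would let through.
    """
    false_positives = [s for s in benign if matches(pattern, s)]
    missed = [s for s in suspicious if not matches(pattern, s)]
    return false_positives, missed


def compare_patterns(benign: list = BENIGN_SAMPLES, suspicious: list = SUSPICIOUS_SAMPLES) -> dict:
    """Evaluate both candidate patterns and return a small report keyed by name."""
    report = {}
    for name, pattern in (("naive", NAIVE_PATTERN), ("bounded", BOUNDED_PATTERN)):
        fps, missed = evaluate(pattern, benign, suspicious)
        report[name] = {"pattern": pattern, "false_positives": fps, "missed": missed}
    return report


if __name__ == "__main__":
    for name, result in compare_patterns().items():
        print(f"{name}: {result['pattern']}")
        print(f"  false positives ({len(result['false_positives'])}):")
        for s in result["false_positives"]:
            print(f"    {s!r}")
        print(f"  missed ({len(result['missed'])}):")
        for s in result["missed"]:
            print(f"    {s!r}")
```

Running it shows the naive alternation blocking all three benign samples while the bounded one blocks none, with both catching every suspicious sample. Extending BENIGN_SAMPLES with bodies and URIs recorded from your own API is the quickest way to find which of your candidate words need a boundary or a tighter context before the policy is deployed.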