topic Re: Quantum Spark IPS question in Spark Firewall (SMB)

Quantum Spark IPS question

Skywatcher — Mon, 17 Jan 2022 16:48:49 GMT

Hi,

I received a question from customer running a 1590 box and R80.20.20 version

Can IPS detect this pattern ( \$\{\s*(j|\$?\{.+?\}) } )

If the test is done:

1. By the request POST

2. In the HTTP header

3. In the HTTP data stream

Or is WAF required for this?

Thank you

Re: Quantum Spark IPS question

G_W_Albrecht — Mon, 17 Jan 2022 18:40:07 GMT

Looks like RegEx - why should IPS match that ?

Re: Quantum Spark IPS question

the_rock — Tue, 18 Jan 2022 01:46:50 GMT

I agree with @G_W_Albrecht . I dont think IPS can match that at all. Not sure if WAF can...maybe.

Re: Quantum Spark IPS question

Skywatcher — Tue, 18 Jan 2022 07:38:09 GMT

Let me see if I can have more info from the customer and see from there

Re: Quantum Spark IPS question

G_W_Albrecht — Tue, 18 Jan 2022 08:29:02 GMT

In the SMB Users & Objects > Applications & URLs page you can define custom applications by Regular Expressions that match URLs - but your example will not match URLs...

Re: Quantum Spark IPS question

Ruan_Kotze — Tue, 18 Jan 2022 08:57:34 GMT

Long shot but perhaps worth investigating is if you can write a Snort signature containing your regex.

Once you have the Snort signature you can import it into your manager, assuming your gateway is centrally managed.

Re: Quantum Spark IPS question

Skywatcher — Tue, 18 Jan 2022 09:16:40 GMT

Thank you, I know that, but I don't think they had that in mind.

I have some assumptions that are on the path of what @Ruan_Kotze wrote, but didn't want to get ahead of myself.

Like I said let me see if I can get more info from the customer which may shed some light