Skywatcher
Explorer

Quantum Spark IPS question

Hi,

I received a question from a customer running a 1590 box on version R80.20.20.

Can IPS detect this pattern ( \$\{\s*(j|\$?\{.+?\}) } ) 

If the test is done:

1. By the request POST

2. In the HTTP header

3. In the HTTP data stream

Or is WAF required for this?

 

Thank you

 

6 Replies
G_W_Albrecht
Legend

Looks like RegEx - why should IPS match that?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Skywatcher
Explorer

Let me see if I can get more info from the customer and see from there.

G_W_Albrecht
Legend

In the SMB Users & Objects > Applications & URLs page you can define custom applications by Regular Expressions that match URLs - but your example will not match URLs...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Skywatcher
Explorer

Thank you, I know that, but I don't think they had that in mind.

I have some assumptions that are on the path of what @Ruan_Kotze wrote, but didn't want to get ahead of myself.

Like I said, let me see if I can get more info from the customer, which may shed some light.

the_rock
Legend

I agree with @G_W_Albrecht. I don't think IPS can match that at all. Not sure if WAF can... maybe.

Ruan_Kotze
Advisor

Long shot but perhaps worth investigating is if you can write a Snort signature containing your regex.

Once you have the Snort signature you can import it into your manager, assuming your gateway is centrally managed.
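
Added example, not part of any post in this thread: a Python check of what the regex quoted in the question matches in each of the three places asked about (request line, HTTP headers, body). The sample requests are constructed, `${jplaceholder}` is a harmless stand-in string, and dropping the outer parentheses and trailing brace from the quoted pattern is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the question; the outer "( ... } )" wrapper is left out (assumption).
PATTERN = re.compile(r"\$\{\s*(j|\$?\{.+?\})")

def split_request(raw):
    """Split a raw HTTP/1.x request into request line, header block and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    return {"request_line": request_line, "headers": headers, "body": body}

def locate(raw, decode=False):
    """Names of the request parts where PATTERN matches.

    decode=True percent-decodes the request line and body first
    (an assumed normalisation step; a raw byte match skips it).
    """
    hits = []
    for name, data in split_request(raw).items():
        if decode and name != "headers":
            data = unquote_plus(data)
        if PATTERN.search(data):
            hits.append(name)
    return hits

# Constructed sample requests; "${jplaceholder}" is a stand-in, not real traffic.
SAMPLES = {
    "post_body": "POST /form HTTP/1.1\r\nHost: example.test\r\n"
                 "Content-Type: text/plain\r\n\r\nname=${jplaceholder}",
    "header": "GET / HTTP/1.1\r\nHost: example.test\r\n"
              "User-Agent: ${ ${nested}x}\r\n\r\n",
    "encoded_uri": "GET /search?q=%24%7Bjplaceholder%7D HTTP/1.1\r\n"
                   "Host: example.test\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    # Columns: sample name, raw match locations, locations after decoding.
    for label, raw in SAMPLES.items():
        print(label, locate(raw), locate(raw, decode=True))
```

The `encoded_uri` sample only matches after percent-decoding, so a signature carrying this regex depends on the engine normalising HTTP before it applies the pattern. The script says nothing about what the IPS blade on the gateway actually inspects.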
