Quantum Spark IPS question
Hi,
I received a question from a customer running a 1590 box and R80.20.20 version.
Can IPS detect this pattern ( \$\{\s*(j|\$?\{.+?\}) } )
If the test is done:
1. By the request POST
2. In the HTTP header
3. In the HTTP data stream
Or is WAF required for this?
Thank you
Looks like RegEx - why should IPS match that?
Let me see if I can have more info from the customer and see from there.
In the SMB Users & Objects > Applications & URLs page you can define custom applications by Regular Expressions that match URLs - but your example will not match URLs...
Thank you, I know that, but I don't think they had that in mind.
I have some assumptions that are on the path of what @Ruan_Kotze wrote, but didn't want to get ahead of myself.
Like I said, let me see if I can get more info from the customer, which may shed some light.
I agree with @G_W_Albrecht. I don't think IPS can match that at all. Not sure if WAF can...maybe.
Long shot but perhaps worth investigating is if you can write a Snort signature containing your regex.
Once you have the Snort signature you can import it into your manager, assuming your gateway is centrally managed.
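
Added example, not part of the thread and not Check Point IPS or Snort behaviour: a Python check that applies the regex from the question to the three places it asks about (taken here to mean the request line of a POST, the header block and the body). Assumptions: the trailing " }" shown in the post is not part of the expression, the request is constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Pattern from the question, without the trailing " }" (assumption).
PATTERN = re.compile(r"\$\{\s*(j|\$?\{.+?\})")

# Constructed sample request; host and values are placeholders.
SAMPLE_REQUEST = (
    "POST /login?next=%24%7Bjexample%7D HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"
    "User-Agent: ${${inner}outer}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&note=${ jexample }"
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into request line, header block and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    return {"request_line": request_line, "headers": header_block, "body": body}


def scan(raw):
    """Return {location: [(view, matched_text), ...]} for each request part."""
    findings = {}
    for location, text in split_request(raw).items():
        views = [("raw", text)]
        decoded = unquote(text)
        # A percent-encoded "${" never matches the raw bytes, so also test
        # the URL-decoded form when decoding changes anything.
        if decoded != text:
            views.append(("url-decoded", decoded))
        hits = []
        for view, candidate in views:
            match = PATTERN.search(candidate)
            if match:
                hits.append((view, match.group(0)))
        findings[location] = hits
    return findings


if __name__ == "__main__":
    for location, hits in scan(SAMPLE_REQUEST).items():
        print(location, hits)
```

The request-line value only matches after URL decoding, so any signature built from this regex depends on whether the inspecting engine normalises the stream before matching.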