This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Skywatcher
Explorer
‎2022-01-17 08:48 AM

Quantum Spark IPS question

Hi,

I received a question from customer running a 1590 box and R80.20.20 version

Can IPS detect this pattern ( \$\{\s*(j|\$?\{.+?\}) } ) 

If the test is done:

1. By the request POST

2. In the HTTP header

3. In the HTTP data stream

Or is WAF required for this?

 

Thank you

 

0 Kudos
6 Replies
G_W_Albrecht
Legend
Legend
‎2022-01-17 10:40 AM

Looks like RegEx - why should IPS match that ?

CCSE CCTE SMB Specialist
Skywatcher
Explorer
‎2022-01-17 11:38 PM
In response to G_W_Albrecht

Let me see if I can have more info from the customer and see from there

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-01-18 12:29 AM
In response to Skywatcher

In the SMB Users & Objects > Applications & URLs page you can define custom applications by Regular Expressions that match URLs - but your example will not match URLs...

CCSE CCTE SMB Specialist
0 Kudos
Skywatcher
Explorer
‎2022-01-18 01:16 AM
In response to G_W_Albrecht

Thank you, I know that, but I don't think they had that in mind.

I have some assumptions that are on the path of what @Ruan_Kotze wrote, but didn't want to get ahead of myself. 

Like I said let me see if I can get more info from the customer which may shed some light

0 Kudos
the_rock
Champion
Champion
‎2022-01-17 05:46 PM

I agree with @G_W_Albrecht . I dont think IPS can match that at all. Not sure if WAF can...maybe.

0 Kudos
Ruan_Kotze
Advisor
‎2022-01-18 12:57 AM

Long shot but perhaps worth investigating is if you can write a Snort signature containing your regex.

Once you have the Snort signature you can import it into your manager, assuming your gateway is centrally managed.

0 Kudos