ASM Regex rule

Question

I am attempting to write a series of rules to target SQL injections, due to false positives that are occurring with the inbox rules.&nbsp;
I know that the re2 logic is sound, but I keep getting errors with what I believe is the F5 portion of the logic. What do I precede this statement with to make a valid rule?&nbsp;
re2:[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]&nbsp;
valuecontent:"XXX";nocase;norm;re2:"[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]"&nbsp;
is throwing errors stating there are unescaped characters.&nbsp;

suttonsc · Answer

Within the re2 content you need to delimit the regex with "/":&nbsp;
re2:"/[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]/";&nbsp;
As the rule is written above there will be a conflict between the Value Content and the general content targeted in the regex.&nbsp;
Either set the rule to target a different content type or set the modifier in the re2 to other than general.&nbsp;
Example:&nbsp;
Header content&nbsp;
headercontent:"XXX"; nocase; re2:"/[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]/";&nbsp;
Setting the re2 to parameter and value pairs, or XML or JSON data payloads:&nbsp;
valuecontent:"XXX"; nocase; norm; re2:"/[a,A][n,N][d,D]\W\'[a-z,A-Z]\'=\'[a-z,A-Z]/Vi";&nbsp;
There are a couple of useful resources for review:&nbsp;
https://devcentral.f5.com/articles/asm-custom-signatures-oh-my&nbsp;
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_apx_attack_sig_syntax.html998646&nbsp;

Forum Discussion

ASM Regex rule

1 Reply

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Regex issue

Regex for dynamic URI

ASM logs

Logging all AFM Rules

AFM Protocol Inspection rules for CVE-2022-3602 (aka SpookySSL)