FortiWeb
ddsouza_FTNT
Staff
Article Id 200337

Description
This article describes how to add an exception for a signature.
Scope
Solution

Explanation.

There are multiple ways to add an exception for a signature.

Let's take a look at a sample attack log generated on FortiWeb and then see how to add an exception in the signature for the HTTP request that triggered it.

The attack log says FortiWeb blocked the HTTP request containing the matching pattern .jsp%00 in the URI.

Let's check what this signature does by selecting 'Message: RAWURI triggered signature ID 050160001 of signature policy Signature_Policy' and then selecting the 'View Signature' option.

The description of the signature says: 'This signature prevents information disclosure. This injection can be achieved in HTTP URL.'

To explain in detail: an attacker can make the remote web server disclose the source code of its JSP pages by appending a NULL character to the name of the requested JSP file (e.g., 'foo.jsp%00', 'test.jsp%00'). With this signature enabled, an HTTP request whose URI has a NULL character (%00) appended to the name of the requested JSP file triggers the signature, and FortiWeb performs the action configured for it.

If this type of request is legitimate in the environment, then it is possible to add an exception by using one of the methods mentioned below.
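
To check which URLs and clients actually send this pattern before deciding how broad an exception should be, the following added example (not part of the original article and not Fortinet code) scans web server access log lines for a raw URI containing .jsp%00 and groups the hits by path and client. The log layout, the sample lines and the function name are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern reported in the attack log: a JSP file name followed by an encoded
# NUL byte. It is matched on the raw (undecoded) request target.
JSP_NUL = re.compile(r"\.jsp%00", re.IGNORECASE)

# Assumed layout (common access log): client - - [time] "METHOD target PROTO" status
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, using documentation IP ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /app/report.jsp%00 HTTP/1.1" 403 512
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /app/report.jsp HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2024:10:01:12 +0000] "GET /app/report.jsp%00?id=7 HTTP/1.1" 403 512
203.0.113.5 - - [01/Jan/2024:10:02:40 +0000] "GET /legacy/export.jsp%00 HTTP/1.1" 403 512
this line is not a valid access log entry
"""


def find_jsp_nul_requests(log_text):
    """Return {path: sorted list of clients} for requests whose raw target
    contains '.jsp%00'. Lines that do not parse are skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if JSP_NUL.search(target):
            # Group by path only, so one URL is counted once whatever its query.
            path = target.split("?", 1)[0]
            hits[path].add(m.group("client"))
    return {path: sorted(clients) for path, clients in hits.items()}


if __name__ == "__main__":
    for path, clients in sorted(find_jsp_nul_requests(SAMPLE_LOG).items()):
        print(f"{path}: {len(clients)} client(s): {', '.join(clients)}")
```

A short, stable list of paths from known clients supports an exception limited to those URLs; hits spread across many paths or unknown clients are a reason to leave the signature as it is.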


Method 1:
Select 'Message: RAWURI triggered signature ID 050160001 of signature policy Signature_Policy' and then click the 'Add Exception' button.

It is possible to select the desired Element type based on how strict the exception should be.

Method 2:
Make a note of the SubType (Generic Attacks), Signature Subclass type (SRC Disclosure), and Signature ID (050160001) seen in the attack log.

Navigate to Web Protection -> Known attacks -> Signatures -> Generic Attacks (SubType) -> SRC Disclosure (Signature Subclass type) and find Signature ID 050160001 in the list.

Select the Exception button and add an exception.

Method 3:
The third way to add an exception is to use the search option. Enter the Signature ID seen in the attack logs in the search text box and select the 'Search' button.

In this case, the triggered Signature ID is 050160001.

Once the exception is added, HTTP requests matching the exception rule will no longer be blocked.