Understandint WAF implementation Jscript_Defs

rwilliams

Hi All,

I am just looking the WAF capabilities of our new 3030S devices. I have implemented a basic policy in Learning mode and our QA testers have raised that some of the web page forms are failing now. looking at the logs I see the following entry

"Javascript pattern detected! test+programme+description matches #91 in s1"

I look at the jscript_defs file in the WAF section and I see on line 91 the following entry:

"s1,script"

but where are the patterns stored? I take it S1 points to another definition file or something where there is some pattern matching going on. But how do I edit this pattern if I wanted to?

Help greatly appreciated

Ryan

dshin

Hi Ryan,

Yes, the xss-check flag on a WAF template indicates that you want to test
header and argument names and values against the patterns in a WAF policy.

By default, the WAF policy is a jscript_defs, which is shipped with the
Thunder. It is a little simplistic so can have false positives. If you
want to modify the definitions then you should do the following:

Copy the file to something of your own like:

ax2(config)#waf copy jscript_defs my_jscript_defs

Then you can edit the file to make it match whatever you want:

ax2(config)#waf edit my_jscript_defs

You will then need to modify your WAF template to use the new policy file
instead of the default:

ax2(config)#slb templ waf waftest
ax2(config-waf)#xss-check reject my_jscript_defs

Hope this helps.

Genard