I am just looking the WAF capabilities of our new 3030S devices. I have implemented a basic policy in Learning mode and our QA testers have raised that some of the web page forms are failing now. looking at the logs I see the following entry
“Javascript pattern detected! test+programme+description matches #91 in s1”
I look at the jscript_defs file in the WAF section and I see on line 91 the following entry:
“s1,script”
but where are the patterns stored? I take it S1 points to another definition file or something where there is some pattern matching going on. But how do I edit this pattern if I wanted to?
Yes, the xss-check flag on a WAF template indicates that you want to test
header and argument names and values against the patterns in a WAF policy.
By default, the WAF policy is a jscript_defs, which is shipped with the
Thunder. It is a little simplistic so can have false positives. If you
want to modify the definitions then you should do the following:
Copy the file to something of your own like:
ax2(config)waf copy jscript_defs my_jscript_defs
Then you can edit the file to make it match whatever you want:
ax2(config)waf edit my_jscript_defs
You will then need to modify your WAF template to use the new policy file
instead of the default: