Product Documentation

The Signatures Editor

Aug 29, 2017

You can use the signatures editor, which is available in the configuration utility, to add a new user-defined (local) signature rule to an existing signatures object, or to modify a previously configured local signature rule. Except that it is defined by the user (you), a local signature rule has the same attributes as a default signature rule from Citrix, and it functions in the same way. You enable or disable it, and configure the signature actions for it, just as you do for a default signature.

Add a local rule if you need to protect your web sites and services from a known attack that the existing signatures do not match. For example, you might discover a new type of attack and determine its characteristics by examining the logs on your web server, or you might obtain third-party information about a new type of attack.

At the heart of a signature rule are the rule patterns, which collectively describe the characteristics of the attack that the rule is designed to match. Each pattern can consist of a simple string, a PCRE-format regular expression, or the built-in SQL injection or cross-site scripting patterns.

You might want to modify a signature rule by adding a new pattern or modifying an existing pattern to match an attack. For example, you might find out about changes to an attack, or you might determine a better pattern by examining the logs on your web server, or from third-party information.

To add or modify a local signature rule by using the Signatures Editor

  1. Navigate to Security > Application Firewall > Signatures.

  2. In the details pane, select the signatures object that you want to edit, and then click Open.

  3. In the Modify Signatures Object dialog box, in the middle of the screen beneath the Filtered Results window, do one of the following:.

    • To add a new local signature rule, click Add.
    • To modify an existing local signature rule, select that rule, and then click Open.
  4. In the Add Local Signature Rule or the Modify Local Signature Rule dialog box, configure the actions for a signature by selecting the appropriate check boxes.

    • Enabled. Enables the new signature rule. If you do not select this, this new signature rule is added to your configuration, but is inactive.
    • Block. Blocks connections that violate this signature rule.
    • Log. Logs violations of this signature rule to the NetScaler log.
    • Stat. Includes violations of this signature rule in the statistics.
    • Remove. Strips information that matches the signature rule from the response. (Applies only to response rules.)
    • X-Out. Masks information that matches the signature rule with the letter X. (Applies only to response rules.)
    • Allow Duplicates. Allows duplicates of this signature rule in this signatures object.
  5. Choose a category for the new signature rule from the Category drop-down list.

    You can also create a new category by clicking the icon to the right of the list and using the Add Signature Rule Category dialog box to add a new category to the list, The rule you are modifying is automatically added to the new category. For instructions, see “To add a signature rule category.”

  6. In the LogString text box, type a brief description of the signature rule to be used in the logs.

  7. In the Comment text box, type a comment. (Optional)

  8. Click More…, and modify the advanced options.

    1. To strip HTML comments before applying this signature rule, in the Strip Comments drop-down list choose All or Exclude Script Tag.
    2. To set CSRF Referer Header checking, in the CSRF Referer Header checking radio button array, select either the If Present or Always radio button.
    3. To manually modify the Rule ID assigned to this local signature rule, modify the number in the Rule ID text box. The ID must be a positive integer between 1000000 and 1999999 that has not already been assigned to a local signature rule.
    4. To assign a version number to the new signature rule, modify the number in the Version Number text box.
    5. To assign a Source ID, modify the string in the Source ID text box.
    6. To specify the source, choose Local or Snort from the Source drop-down list, or click the Add icon to the right of the list and add a new source.
    7. To assign a harm score to violations of this local signature rule, type a number between 1 and 10 in the Harm Score text box.
    8. To assign a severity rating to this local signature rule, in the Severity drop-down list choose High, Medium, or Low, or click the Add icon to the right of the list and add a new severity rating.
    9. To assign a violation type to this local signature rule, in the Type drop-down list choose Vulnerable or Warning, or click the Add icon to the right of the list and add a new violation type.
  9. In the Patterns list, add or edit a pattern.

    • To add a pattern, click Add. In the Create New Signature Rule Pattern dialog box, add one or more patterns for your signature rule, and then click OK.
    • To edit a pattern, select the pattern, and then click Open. In the Edit Signature Rule Pattern dialog box, modify the pattern, and then click OK.

    For more information about adding or editing patterns, see “Signature Rule Patterns.”

  10. Click OK.