The following table lists the possible sections of the class Isapi.
Note 1
An incoming http request can be represented as: http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the "url" part of the http request and {query} as the "query" part of the http request. Using this naming convention, we can say that the section "url" will be matched against {url} and the section "query" will be matched against {query}.
For example, the following rule would be triggered if the http request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean were received:
user_name { Include "*" } directives -c -d isapi:request
}
This rule is triggered because {url} = /search/abc.exe, which matches the value of the section "url" (i.e. abc).
Note 2
Before matching is done, the sections "url" and "query" are decoded and normalized, so that a rule cannot be evaded by padding the request with encoding or escape sequences.
Section       Values                                                       Notes
Class         Isapi
Id            4000 - 7999
level         0, 1, 2, 3, 4
time          *
user_name     user or system account
application   path + application name
url           -                                                            This section is optional. It is matched against the url part of an incoming request; see notes 1, 2, 3, 4.
query         -                                                            This section is optional. It is matched against the query part of an incoming request; see notes 1, 2, 3, 4.
method        "GET", "POST", "INDEX" and all other allowed http methods    This section is optional. See note 4.
directives    -c -d isapi:request
Note 3
A maximum length restriction can be defined for the sections "url" and "query". By adding ";number-of-chars" to the value of these sections, the rule can only match if the {url} or {query} have more characters than "number-of-chars". For example, the following rule will match if the url part of the request contains "abc" and the url part of the request has over 500 characters:
Rule {
user_name { Include "*" } directives -c -d isapi:request
}
Note 4
A rule needs to contain at least one of the optional sections url, query, method.
The following rule would prevent a request to the web server that has "subject" in the query part of the http request:
Rule { Class Isapi Id 4001 level 4
query { Include "*subject*" } method { Include "GET" } time { Include "*" } application { Include "*" }
user_name { Include "*" } directives -c -d isapi:request
}
For example, the GET request http://www.myserver.com/test/abc.exe?subject=wildlife&environment=ocean would be prevented by this rule.
The various sections of this rule have the following meaning:
Class Isapi: indicates that this rule relates to the Isapi operations class.
Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
level 4: Assigns the Security Level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.
query { Include "*subject*" }: Indicates that the rule matches any (GET) request that contains the string "subject" in the query part of the http request. If the rule were to cover multiple query patterns, you would add them in this section on separate lines.
method { Include "GET" }: Indicates that the rule can only match GET requests.
time { Include "*" }: This section is currently not used, but must be included in this way in the rule.
application { Include "*" }: Indicates that this rule is valid for all processes. If you want to limit your rule to specific processes, you would spell them out here, complete with their path name.
user_name { Include "*" }: Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you want to limit your rule to specific user contexts, you would spell them out here in the form Local/user or Domain/user. See paragraph "Mandatory Common Sections" for details.
directives -c -d isapi:request: Indicates that this rule covers an http request. The switches -c and -d must always be used in the directives section.
Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class Isapi. The values of these parameters can help you understand why a signature is triggered.
GUI name          Explanation
url               Decoded and normalized location part of an incoming HTTP request (the part before the '?').
query             Decoded and normalized query part of an incoming HTTP request (the part after the first '?').
web server type   Type and version of the Web server application used.
method            Method of the incoming HTTP request (such as Get, Put, Post, Query, etc.).
local file        Physical name of the file that is retrieved or attempted to be retrieved by the request. Decoded and normalized under IIS.
raw url           "Raw" (undecoded and not normalized) Request Line of the incoming HTTP request. The Request Line is "<method> <location[?query]> <http version> CRLF".
user              User name of the client making the request; only available if the request is authenticated.
source            Client name or IP address of the computer where the HTTP request originated.
server            Information about the Web server where the event is created (that is, the machine where the client is installed), in the form <host name>:<IP address>:<port>. The host name is the Host variable from the HTTP header; it is left blank if not available.
content len       Number of bytes in the body of the message part of the query.
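The following Python model is an added illustration of how the Isapi rule syntax, Notes 1 to 4 and the Id 4001 rule above fit together; it is not product code. It parses rule text in the page's layout, splits a request into the {url} and {query} parts, applies the ";number-of-chars" length restriction, and rejects a rule that has none of url, query, method. What the product does for "decoded and normalized" is not spelled out on the page; the percent-decoding, backslash-to-slash and "." / ".." collapsing below, the case-insensitive comparison, and the URL_RULE, LENGTH_RULE and NO_OPTIONAL_RULE variants are assumptions constructed for the example.

```python
import re
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# A section of the form:  name { Include "pattern" }   (several per section are allowed)
SECTION_RE = re.compile(r'(\w+)\s*\{\s*Include\s*"([^"]*)"\s*\}')
OPTIONAL_SECTIONS = ("url", "query", "method")  # Note 4: at least one is required

# The rule from the page, written with straight quotes as in a signature file.
PAGE_RULE = '''Rule {
Class Isapi Id 4001 level 4
query { Include "*subject*" } method { Include "GET" } time { Include "*" } application { Include "*" }
user_name { Include "*" } directives -c -d isapi:request
}'''
# Constructed variant in the spirit of Note 1: match when the url part contains "abc".
URL_RULE = PAGE_RULE.replace('query { Include "*subject*" } method { Include "GET" }',
                             'url { Include "*abc*" }')
# Constructed variant from Note 3: url part contains "abc" AND has more than 500 characters.
LENGTH_RULE = URL_RULE.replace('"*abc*"', '"*abc*;500"')
# Constructed invalid rule: none of url, query, method is present (violates Note 4).
NO_OPTIONAL_RULE = PAGE_RULE.replace('query { Include "*subject*" } method { Include "GET" } ', '')


def parse_rule(text):
    """Parse rule text in the page's syntax into a dict: section -> value or list of patterns."""
    rule = {}
    for name, value in re.findall(r'\b(Class|Id|level)\s+(\S+)', text):
        rule[name] = value
    for name, pattern in SECTION_RE.findall(text):
        rule.setdefault(name, []).append(pattern)
    found = re.search(r'\bdirectives\s+([^\n}]+)', text)
    rule["directives"] = found.group(1).split() if found else []
    if rule.get("Class") != "Isapi" or not 4000 <= int(rule.get("Id", "0")) <= 7999:
        raise ValueError("Class must be Isapi with an Id in the range 4000-7999")
    if not any(section in rule for section in OPTIONAL_SECTIONS):
        raise ValueError("Note 4: the rule needs at least one of url, query, method")
    if not {"-c", "-d"} <= set(rule["directives"]):
        raise ValueError("directives must always carry the -c and -d switches")
    return rule


def split_request(request_url):
    """Return the decoded and normalised {url} and {query} parts (Notes 1 and 2).

    Assumed meaning of 'decoded and normalized': percent-decoding, backslashes
    turned into slashes, and '.' / '..' segments collapsed, so an encoded or
    traversal-padded request is compared in the same form as a plain one.
    """
    parts = urlsplit(request_url)
    url = unquote(parts.path).replace("\\", "/")
    url = normpath(url) if url else "/"
    return url, unquote(parts.query)


def _section_matches(patterns, value):
    """Wildcard-match value against any pattern; a ';N' suffix (Note 3) additionally
    requires the value to have more than N characters. The comparison is
    case-insensitive (assumption, since IIS paths are case-insensitive)."""
    for pattern in patterns:
        glob, _, min_len = pattern.partition(";")
        if min_len and len(value) <= int(min_len):
            continue
        if fnmatchcase(value.lower(), glob.lower()):
            return True
    return False


def rule_matches(rule, method, request_url):
    """True when every optional section present in the rule matches the request."""
    url, query = split_request(request_url)
    candidates = {"url": url, "query": query, "method": method}
    return all(_section_matches(rule[s], candidates[s])
               for s in OPTIONAL_SECTIONS if s in rule)


if __name__ == "__main__":
    rule = parse_rule(PAGE_RULE)
    for method, req in [("GET", "http://www.myserver.com/test/abc.exe?subject=wildlife&environment=ocean"),
                        ("GET", "http://www.myserver.com/test/abc.exe?%73ubject=wildlife"),
                        ("POST", "http://www.myserver.com/test/abc.exe?subject=wildlife")]:
        print(method, req, "->", "prevented" if rule_matches(rule, method, req) else "allowed")
```

The percent-encoded query in the second request decodes to the same "subject=wildlife" as the first, which is the point of Note 2: the rule is evaluated on the decoded form, so the GET is prevented either way, while the POST is allowed because the method section does not match.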