Security Pattern
[TEMPLATE] > [SECURITY PATTERN]
Manages the security patterns used in security policies. Default patterns provided by the system are displayed under SYSTEM, while patterns added by the administrator are shown under USER. User-defined security patterns can be added, modified, or deleted, but system patterns cannot be altered. To add a security pattern, the administrator should use the [ADD PATTERN GROUP] or [ADD PATTERN] function in the USER tab.

The list of policies where security pattern rules are applied is as follows:

| Template | Security Policy Tab | Detailed Policy |
|---|---|---|
| Security Pattern | Domain Security Policy | Header Field Name Policy |
| | | Header Field Value Policy |
| | | Cookie Policy |
| | URL Security Policy | Security Pattern Policy |
| | | Data Leakage Prevention Policy |
| | | File Pattern Policy |
Default Security Pattern Types
DeepFinder provides the following system patterns by default. Since these are provided by DeepFinder, they cannot be modified or deleted by users.
| ID | Name | Type | Description |
|---|---|---|---|
| 1 | Session Fixation | REQUEST | Detects attacks that attempt to fixate user sessions using cookies, etc. Detects manipulations of session identifiers like jsessionid. |
| 2 | Blind SQL injection | REQUEST | Detects advanced SQL injection techniques that infer database structure based on server responses (e.g., timing, boolean logic) even when error messages are suppressed. |
| 3 | SQL injection | REQUEST | Detects common SQL injection attacks. These occur when attackers manipulate user input to alter backend SQL statements, potentially compromising database integrity, exfiltrating data, or executing commands. |
| 4 | Cross-Site Scripting (XSS) | REQUEST | Detects Cross-Site Scripting attacks. XSS allows attackers to inject malicious scripts (JavaScript, VBScript, etc.) into web pages viewed by other users, enabling theft of session cookies, user information, or page defacement. |
| 5 | Command Injection | REQUEST | Detects attacks attempting to inject and execute operating system commands on the web server. |
| 6 | Code Injection | REQUEST | Detects attacks that inject executable code (e.g., PHP, LDAP, Java) into application inputs to achieve malicious execution on the server. |
| 7 | Insecure Direct Object Reference | REQUEST | Detects attempts to access unauthorized resources (files, directories, database records) by manipulating references like IDs or filenames exposed in URLs or parameters. |
| 8 | Hex Encoding | REQUEST | Detects the use of hexadecimal encoding in requests, often used to obfuscate malicious payloads. |
| 9 | Source Code Leakage | REQUEST | Detects responses that appear to leak application source code. |
| 10 | Directory Information Leakage | RESPONSE | Detects attempts to list directory contents or responses indicating directory traversal/listing vulnerabilities. |
| 11 | DBMS Error Information Leakage | RESPONSE | Detects detailed database error messages (MSSQL, MySQL, Oracle, etc.) in responses, which can reveal internal information. |
| 12 | Application Error Information Leakage | RESPONSE | Detects leakage of application-specific error messages or stack traces that can reveal internal configurations or software versions. |
| 13 | Suspicious Code Injection | RESPONSE | Detects various suspicious code injection patterns, potentially including Remote File Inclusion (RFI) attempts. |
| 14 | User Information Leakage | RESPONSE | Detects responses containing potentially sensitive user information like usernames, passwords, or email addresses. |
| 15 | Required header check | HEADVALUE | Checks for the presence of essential HTTP headers (e.g., Host) in requests. |
| 17 | Spring4Shell | REQUEST | Detects exploits related to the Spring Framework RCE vulnerability (CVE-2022-22965). |
| 18 | SSRF (Server-Side Request Forgery) | REQUEST | Detects attempts to make the server initiate requests to arbitrary internal or external resources. |
| 19 | Log4j | REQUEST | Detects exploits related to the Log4j RCE vulnerability (Log4Shell, CVE-2021-44228). |
| 20 | PHP CMS Vulnerability | REQUEST | Detects attacks targeting known vulnerabilities in popular PHP-based Content Management Systems (CMS). |
| 21 | WebShell - Common | REQUEST | Detects common patterns and signatures found in various types of web shells. |
| 22 | WebShell - ASP | REQUEST | Detects patterns and signatures specific to web shells written in ASP/ASP.NET. |
| 23 | WebShell - PHP | REQUEST | Detects patterns and signatures specific to web shells written in PHP. |
| 24 | WebShell - JAVA | REQUEST | Detects patterns and signatures specific to web shells written in JSP/Java. |
| 25 | Unknown Attack | REQUEST | Detects requests with unusual or malformed syntax that don't match known protocols or patterns. |
| 26 | Apache Struts 2 | REQUEST | Detects attacks targeting known vulnerabilities in the Apache Struts 2 framework, including RCE via Content-Type manipulation. |
| 29 | XML injection | REQUEST | Detects attacks injecting malicious XML content or structures, targeting XML parsers or applications processing XML data (e.g., XXE). |
| 30 | Resident Registration Number Leakage | Social Number | Detects patterns resembling personal identification numbers (like SSN or national ID numbers) in responses, indicating potential data leakage. |
| 31 | Credit Card Number Leakage | Credit Card Number | Detects patterns resembling credit card numbers in responses, indicating potential data leakage. |
| 32 | Upload Allowed Files | REQUEST | Defines patterns for allowed file extensions during uploads (used for allowlisting). |
| 33 | Upload Blocked Files | REQUEST | Defines patterns for blocked file extensions during uploads (used for blocklisting). |
| 40 | Defined Header Field Name | HEADNAME | Detects standard HTTP header field names as defined in RFC specifications (primarily used for validation or anomaly detection). |
| 41 | Web Vulnerability Scanner | HEADNAME | Detects signatures and behaviors associated with various web vulnerability scanning tools. |
| 42 | Header Field Hex Encoding | HEADNAME | Detects the use of hexadecimal encoding within HTTP header values. |
| 43 | Remote Control | HEADNAME | Detects patterns associated with remote control tools or attempts to execute remote commands. |
| 51 | Search Engine Crawler | HEADVALUE | Identifies requests originating from known search engine crawlers/bots based on User-Agent strings. |
| 55 | Email Collector | HEADVALUE | Identifies requests from bots known to scrape email addresses from web pages based on User-Agent strings. |
| 56 | Bot Inspection | HEADVALUE | Identifies requests from various known bots (often malicious or undesirable) based on User-Agent strings or other characteristics. |
| 57 | Browser Detection | HEADVALUE | Detects specific browser signatures in the User-Agent header. |
| 58 | WebServer for DoS | HEADVALUE | Identifies User-Agents or request patterns associated with specific web servers often targeted in Denial-of-Service attacks. |
| 59 | Shell Shock | HEADVALUE | Detects exploits related to the Shellshock bash vulnerability (CVE-2014-6271, CVE-2014-7169). |
| 60 | All Headvalue | HEADVALUE | A pattern that potentially matches all header values, likely used for specific logging, analysis, or as a base for exceptions. |
| 61 | Positive Headvalue | HEADVALUE | General patterns used for allowlisting specific known-good HTTP header values. |
| 62 | Log4j | HEADVALUE | Detects exploits related to the Log4j RCE vulnerability (Log4Shell, CVE-2021-44228) in header values. |
| 63 | Spring4Shell | HEADVALUE | Detects exploits related to the Spring Framework RCE vulnerability (CVE-2022-22965) in header values. |
| 64 | Upload Allowed Files | HEADVALUE | Defines patterns for allowed file extensions during uploads (applied to header values). |
| 65 | Upload Blocked Files | HEADVALUE | Defines patterns for blocked file extensions during uploads (applied to header values). |
| 999 | Positive Pattern | WILDCARD | General patterns used for allowlisting specific known-good data formats or values (wildcard type). |
Managing User Security Pattern Groups
ADD PATTERN GROUP
[TEMPLATE] > [SECURITY PATTERN] > USER > Click [ADD PATTERN GROUP] icon in the upper right
Adds a security pattern group to be used in policy settings. Clicking [ADD PATTERN GROUP] opens a pop-up window where you can add both a pattern group and its initial pattern simultaneously. Enter the group and pattern information, then click [SAVE]. Audit logs are created for the added pattern group and pattern.

| Section | Item | Description |
|---|---|---|
| GROUP INFO | NAME | Enter the security pattern group name (Max 255 characters). |
| GROUP INFO | TYPE | Select the item to inspect. REQUEST: client-to-web-server request data. RESPONSE: web-server-to-client response data. HEADNAME: inspect header names. HEADVALUE: inspect header values. |
| GROUP INFO | Select Company | Set the company to apply this security pattern group to. |
| ADD PATTERN | NAME | Enter the security pattern name (Max 255 characters). |
| ADD PATTERN | RISK | Select the risk level of the security pattern (High, Medium, Low). |
| ADD PATTERN | PATTERN | Enter the actual regular expression for the security pattern. To verify the regex, click [CHECK PATTERN]. |
EDIT PATTERN GROUP
[TEMPLATE] > [SECURITY PATTERN] > USER > (Select Pattern Group) > Click [EDIT] icon in the upper right
Modifies a security pattern group used in policy settings. Enter the updated pattern group information and click [SAVE]. An audit log is created for the modified pattern group.

Danger
When you click to edit a pattern group, a list appears showing policies in domain groups, default policies containing the security group, or snapshots using it. After modification, this group may no longer be usable in those specific default policies or domain snapshots. Be cautious.

REMOVE PATTERN GROUP
[TEMPLATE] > [SECURITY PATTERN] > USER > (Select Pattern Group) > Click [REMOVE] icon in the upper right
Deletes a security pattern group. If any pattern within the group is currently used in a security policy, the group cannot be deleted. You must first remove the pattern from the security policy before deleting the group. An audit log is created for the deleted pattern group.

Danger
Patterns currently in use and patterns included in default policies cannot be deleted, as shown below. To delete, remove the default policy and change the pattern to 'None' in the domain group. After deletion, related snapshots will become disabled.

Managing User Security Patterns
ADD PATTERN
[TEMPLATE] > [SECURITY PATTERN] > USER > (Select Pattern Group) > Click [ADD PATTERN] icon in the upper right
Select the pattern group where the pattern will be added, then click [ADD PATTERN]. Enter the security pattern information in the pop-up window and click [SAVE]. An audit log is created for the added security pattern.

| Item | Description |
|---|---|
| NAME | Enter the name of the security pattern (Max 255 characters). |
| RISK | Select the risk level of the security pattern (High, Medium, Low). |
| PATTERN | Enter the actual regular expression for the security pattern (Max 3000 characters). To check if the regex is correct, click [CHECK PATTERN] to test it. |
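To make the group TYPE, the pattern RISK/PATTERN fields and the [CHECK PATTERN] step from the two dialogs above concrete, here is an added Python example (not DeepFinder code): it validates a user pattern against the documented limits the way [CHECK PATTERN] is assumed to, then runs pattern groups of different TYPEs over a constructed request/response pair. The mapping from TYPE to the inspected data, the sample traffic and the regexes are assumptions made for illustration.

```python
import re
RISKS = ("High", "Medium", "Low")
MAX_NAME, MAX_PATTERN = 255, 3000  # limits documented for NAME and PATTERN

def check_pattern(name, risk, regex):
    """Assumed equivalent of [CHECK PATTERN]: enforce the documented limits and
    confirm the regex compiles. Returns a list of problems; empty means OK."""
    problems = []
    if not 0 < len(name) <= MAX_NAME:
        problems.append(f"NAME must be 1-{MAX_NAME} characters")
    if risk not in RISKS:
        problems.append("RISK must be High, Medium or Low")
    if not 0 < len(regex) <= MAX_PATTERN:
        problems.append(f"PATTERN must be 1-{MAX_PATTERN} characters")
    else:
        try:
            re.compile(regex)
        except re.error as exc:
            problems.append(f"PATTERN does not compile: {exc}")
    return problems

def request_headers(raw_request):
    """Header name -> value for a raw HTTP request (CRLF framing assumed)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])
    return {k.strip(): v.strip() for k, _, v in pairs}

def targets(group_type, request, response):
    """Data a group of the given TYPE inspects (assumed mapping, not DeepFinder's)."""
    hdrs = request_headers(request)
    return {"REQUEST": [request], "RESPONSE": [response],
            "HEADNAME": list(hdrs), "HEADVALUE": list(hdrs.values())}[group_type]

def evaluate(group, request, response):
    """group = {"type": ..., "patterns": [(name, risk, regex), ...]}; returns
    (pattern name, risk, matched text) for every pattern that hits."""
    hits = []
    for name, risk, regex in group["patterns"]:
        rx = re.compile(regex)
        for data in targets(group["type"], request, response):
            if (m := rx.search(data)):
                hits.append((name, risk, m.group(0)))
    return hits

# Constructed sample traffic: a crawler-style request and a 500 response whose
# body leaks an Oracle error message (the DBMS Error Information Leakage case).
REQUEST = "GET /search?q=a HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Googlebot/2.1\r\n\r\n"
RESPONSE = "HTTP/1.1 500 Internal Server Error\r\n\r\n<pre>ORA-01756: quoted string not properly terminated</pre>"
DBMS_LEAK = {"type": "RESPONSE", "patterns": [("Oracle error text", "High", r"ORA-\d{5}")]}
CRAWLER = {"type": "HEADVALUE", "patterns": [("Search engine crawler", "Low", r"(?i)\bGooglebot\b")]}
```

A RESPONSE group only ever sees the response, so a pattern that would catch the same text in a request body must be created in a separate REQUEST group, which is why the system list above carries Log4j and Spring4Shell twice under different TYPEs.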
APPLY PATTERN
[TEMPLATE] > [SECURITY PATTERN] > USER > (Select Pattern Group) > (Select Pattern) > [Apply]
Allows applying a registered pattern to multiple domain security groups simultaneously.

Select the domain security groups to apply to, choose the desired response method, and click the APPLY button. The pattern will be applied to the URL Security Policy – Security Pattern Policy of the selected domain groups.

EDIT PATTERN
[TEMPLATE] > [SECURITY PATTERN] > USER > (Select Pattern Group) > (Select Pattern) > Click [EDIT] icon in the upper right
Modifies a pattern used in policy settings. Select the pattern to modify, click [EDIT], make changes in the pop-up window, and click [SAVE]. An audit log is created for the modified pattern.

Danger
When you click to edit a pattern, a list appears showing policies in domain groups, default policies containing the security group, or snapshots using it. After modification, this pattern may no longer be usable in those specific default policies or domain snapshots.

REMOVE PATTERN
[TEMPLATE] > [SECURITY PATTERN] > USER > (Select Pattern Group) > (Select Pattern) > Click [REMOVE] icon in the upper right
Deletes a security pattern. Select the pattern to delete and click [REMOVE]. If the pattern is currently used in a domain group policy, it cannot be deleted. You must first remove it from the domain group policy before deleting the pattern. An audit log is created for the deleted pattern.

Danger
Patterns currently in use and patterns included in default policies cannot be deleted, as shown below. To delete, remove the default policy and change the pattern to 'None' in the domain group. After deletion, related snapshots will become disabled.

UPLOAD / DOWNLOAD PATTERN
[TEMPLATE] > [SECURITY PATTERN] > USER > Click [UPLOAD] > (Select .df file to upload) > [UPLOAD]
[TEMPLATE] > [SECURITY PATTERN] > USER > Click [DOWNLOAD] > (Select patterns to download) > [DOWNLOAD]
This feature allows backing up user security patterns or sharing them with other Managers.

Select the security patterns to download, then click the [DOWNLOAD] button to download a .df file containing the patterns.

You can upload user security patterns downloaded from another Manager server. Uploaded patterns are marked with [IMPORTED] before their name.
