
v14.7 Database Activity Monitoring User Guide


Contents

Writing Signatures and Regular Expressions  3
  Writing Signatures  4
    Single Part Signatures  5
    Multi Part Signatures  6
    Absolute Modifiers  7
    Relative Modifiers  8
  Regular Expressions  9
    Regular Expressions in SecureSphere  10
    Regular Expression Syntax in Brief  11
      Brackets  12
      Parentheses  13
      Character classes  14
      Alternatives  15
      Escaping  16
      Anchors  17
    Using Regular Expressions in Signatures  18


Writing Signatures and Regular Expressions


This appendix describes the SecureSphere signature language. SecureSphere includes a signature detection and
prevention layer.

SecureSphere comes with a preconfigured database of signatures, which is updated automatically from the Imperva
Web sites on a regular basis. In addition to these preconfigured and automatically downloaded signatures, users can
write their own signatures to detect and block communication containing specific information. This appendix
explains the language in which such signatures are written. The language resembles the Snort™ signature
language, though there are some differences.

This appendix reviews the following:

• Writing Signatures
• Regular Expressions


Writing Signatures
The following sections describe how to write signatures, including:

• Single Part Signatures
• Multi Part Signatures
• Absolute Modifiers
• Relative Modifiers


Single Part Signatures

The basic signature unit is the part, which contains the text the signature searches for.

Example: The following signature searches for the text "hello world".

part="hello world"

Use \x<hex value> to include binary characters in the signature.

Example: In the following signature the white space is replaced with \x20.

part="hello\x20world"

To look for the backslash character, enter a double backslash.

Example: The following signature looks for the text "hello\world".

part="hello\\world"

Note: The length of the text searched for by part must be at least three characters.
SecureSphere does not save signatures containing part lengths less than three characters.


Multi Part Signatures

You can include as many parts as required in a signature to search for a sequence of text strings. The relationship
between these parts is AND: every part must be found, in the order given, for the signature to match.

Example: The following signature:

part="Imperva", part="Secure", part="Sphere"

matches any of the following strings (as the last two show, matching is not case sensitive):

• abcdImpervaSecureSphere
• abcdImpervaabcdSecureSphere
• abcdImpervaabcdSecure---Sphere
• abcdImpeRvaSecUreSPhEre
• abcdimpervasecuresphere

Different parts should be separated by a comma. White spaces are allowed before and after the comma.


Absolute Modifiers

Absolute modifiers restrict the match of a part to a specific region of the stream, counted from the start of the stream.

The absolute modifiers that are supported are:

• amin: The absolute position in the stream to start matching this part.
• amax: The absolute position in the stream to stop matching this part.

Example: The following signature searches for the string cmd.exe only from position 10 to position 20 in the stream.

part="cmd.exe", amin="10", amax="20"

You can include absolute modifiers after any part by using commas. You can either add a single modifier or both
modifiers for each part.


Relative Modifiers

Relative modifiers restrict the match of a part to a specific region measured from the end of the previous part.

The supported relative modifiers are:

• rmin: The position, relative to the end of the previous part, at which to start searching for this part.
• rmax: The position, relative to the end of the previous part, at which to stop searching for this part.

Example: The following signature includes two parts. The second part is searched for in a range of 5 characters from
the first part.

part="cmd", part=".exe", rmax="5"

The strings cmd123.exe and cmd12345.exe match this signature. However, the string cmd123456.exe does not
match the signature because the ".exe" part starts 6 characters after the end of the "cmd" part.

You can include relative modifiers after any part by using commas. You can either add a single modifier or both
modifiers for each part. You can also include both relative and absolute modifiers for the same part.

Relative modifiers are ignored for the first part, as the part must be relative to the previous part, which in this case
does not exist.
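The following matcher is an added example covering the Single Part, Multi Part, Absolute Modifiers and Relative Modifiers sections together. It is a hypothetical model of the rules stated on this page, written for this guide and not Imperva's implementation. It assumes that matching is case insensitive (as the SecureSphere multi-part example shows), that a modifier window bounds where a part may start, and that the search backtracks so that an early occurrence of one part which leaves the next part out of range does not hide a later occurrence that would match.

```python
import re

# Added example: a model of the SecureSphere stream-signature syntax described
# on this page (parts, \xHH and \\ escapes, amin/amax, rmin/rmax). Hypothetical,
# not Imperva's code. Assumed: case-insensitive matching, windows bound where a
# part may START, and backtracking over candidate positions.

_PAIR = re.compile(r'\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(?:,|$)')
MIN_PART_LENGTH = 3   # the page: parts shorter than three characters are not saved

def decode_part(text):
    """Turn quoted part text into the bytes it matches: \\xHH becomes one byte,
    a doubled backslash becomes a single backslash, anything else is literal."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            if text[i + 1] == "x" and i + 3 < len(text):
                out.append(int(text[i + 2:i + 4], 16))
                i += 4
                continue
            if text[i + 1] == "\\":
                out.append(ord("\\"))
                i += 2
                continue
        out.extend(text[i].encode("latin-1"))
        i += 1
    return bytes(out)

def parse_signature(sig):
    """Parse 'part="...", amin="10", ...' into one dict per part."""
    parts, pos = [], 0
    while pos < len(sig):
        m = _PAIR.match(sig, pos)
        if not m:
            raise ValueError(f"bad syntax near {sig[pos:pos + 20]!r}")
        key, value = m.group(1), m.group(2)
        if key == "part":
            pattern = decode_part(value)
            if len(pattern) < MIN_PART_LENGTH:
                raise ValueError("part must be at least three characters")
            parts.append({"part": pattern.lower()})
        elif key in ("amin", "amax", "rmin", "rmax"):
            if not parts:
                raise ValueError(f"{key} must follow a part")
            parts[-1][key] = int(value)
        else:
            raise ValueError(f"unknown keyword {key!r}")
        pos = m.end()
    if not parts:
        raise ValueError("signature has no parts")
    return parts

def _starts(stream, pattern, lo, hi):
    """Yield every offset in [lo, hi] at which pattern occurs in stream."""
    start = stream.find(pattern, max(lo, 0))
    while start != -1 and start <= hi:
        yield start
        start = stream.find(pattern, start + 1)

def _match_from(parts, stream, index, prev_end):
    """Place parts[index:] after prev_end, backtracking over candidate offsets."""
    if index == len(parts):
        return True
    p = parts[index]
    lo, hi = 0, len(stream)
    if index > 0:
        lo = prev_end                  # parts must appear in sequence
        # rmin/rmax count from the end of the previous part; the page says they
        # are ignored for the first part, which has no predecessor
        if "rmin" in p:
            lo = max(lo, prev_end + p["rmin"])
        if "rmax" in p:
            hi = min(hi, prev_end + p["rmax"])
    if "amin" in p:
        lo = max(lo, p["amin"])
    if "amax" in p:
        hi = min(hi, p["amax"])
    for start in _starts(stream, p["part"], lo, hi):
        if _match_from(parts, stream, index + 1, start + len(p["part"])):
            return True
    return False

def signature_matches(sig, stream):
    """True if every part is found in the stream, in order, inside its window."""
    if isinstance(stream, str):
        stream = stream.encode("latin-1")
    return _match_from(parse_signature(sig), stream.lower(), 0, 0)

def is_valid_signature(sig):
    try:
        parse_signature(sig)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for sig, sample in [('part="cmd.exe", amin="10", amax="20"', "0123456789cmd.exe"),
                        ('part="cmd", part=".exe", rmax="5"', "cmd123456.exe")]:
        print(f"{sig:42} {sample:20} -> {signature_matches(sig, sample)}")
```

Without the backtracking in _match_from, the stream abc.......abcxyz would be reported as not matching part="abc", part="xyz", rmax="2", because the first "abc" leaves "xyz" outside the 2-character window even though the second "abc" satisfies it; that kind of false miss is worth checking for in any home-grown signature evaluator.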


Regular Expressions
The following sections describe regular expressions, including:

• Regular Expressions in SecureSphere
• Using Regular Expressions in Signatures


Regular Expressions in SecureSphere

Regular expressions are used in SecureSphere for the following purposes (the section to see for each is given in
parentheses):

• Signatures (see Using Regular Expressions in Signatures)
• Sensitive data to match, such as credit card or Social Security Numbers (see Configuring Sensitive Data Protection)
• U2P plugin (see hpl_u2p and hpl_u2pp - URL to Parameters)
• Parameter type (see Editing a URL Parameter Value Type)
• Host names and URL prefixes (see Reverse Proxies)


Regular Expression Syntax in Brief

SecureSphere supports a simplified form of standard regular expressions.

A regular expression is a text string defining the criteria for matching other text strings.

• Characters other than . $ ^ { [ ( | ) ] } * + ? \ match themselves.
• A dot (.) matches almost any character, so gr.y matches grey or gray or gr#y or gr5y
• ? indicates that the preceding character is optional, so </?script> matches <script> or </script>
• + is a multiplier for 1 or more of what is before, so [0-9]+ matches 1 or 123 or 353435
• * is a multiplier for 0 or more of what is before, so [0-9]*abc matches 123abc and abc

Note:

• When it is necessary to specify the minimum and maximum number of repeats explicitly, the bounds operator
"{}" may be used.
• When using a regular expression, it is essential to remember that special characters must be escaped. For
example, the characters ".", "*", "|" and others should be written as "\.", "\*", "\|" etc. These are the standard
rules for writing regular expressions and are not specific to plugins or to SecureSphere.


Brackets [ ]

• [ ] defines a list or a range of characters, for example:
  • [abc] matches a or b or c
  • [a-c] matches a or b or c (the - indicates a range)
  • [0-9] matches any single digit, 0 or 1 or 2 ... or 9
  • [a-zA-Z] matches any single letter, a or b ... or z or A or B ... or Z
  • [a-zA-Z0-9] matches any alphanumerical character
  • [a-cx-z] matches a or b or c or x or y or z but not d
  • [Ss]ecure[Ss]phere matches all of the following:
    • Securesphere
    • SecureSphere
    • secureSphere
    • securesphere


Parentheses ( )

Parentheses serve two purposes:

• To group items together into a sub-expression, for example, (ab)* matches ababab
• To group blocks of characters or words you want to retain for later use, typically for text replacement, for
example, for reordering a list, as follows:

If the regular expression describing the original text is:

first second (fourth) (third)

Each group of ( ) is assigned a sequential number, as follows:

• (fourth) is the first group, denoted by $1
• (third) is the second group, denoted by $2

The replacement string might be:

first second $2 $1

This reverses the sequence of the third and fourth sub-strings in the text, which are denoted by $1 and $2 respectively.


Character classes

• "\s" matches white space (tabs, spaces, etc).
• "\d" matches decimal digits (0-9)
• "." matches any character
• "\w" matches alphanumeric characters and the underscore symbol ("_").
• "\W" matches non-alphanumeric characters.


Alternatives

Alternatives occur when the expression can match either one subexpression or another. The alternatives are
separated by "|", or "\|".

The scope of an alternative is the largest possible previous sub-expression.

Note: This behavior is exactly the opposite of that of repeat operators, whose scope is the
smallest previous sub-expression.


Escaping

To specify a special character literally, prefix it with the escape character (\).

Binary characters (\x<hex value>) are also supported, as they are in the basic signature part.


Anchors

An anchor matches the null string at the start or end of a line.

"^" matches the null string at the start of a line

"$" matches the null string at the end of a line
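The behaviours described in the Parentheses, Alternatives, Escaping and Anchors sections, as added examples in standard Python re syntax. These are not SecureSphere code (this page calls its dialect simplified, so check each construct against the product before relying on it), and Python writes the replacement references that the page gives as $1 and $2 as \1 and \2. The reordering example is generalised from the page's literal words to any two words after "first second".

```python
import re

# Added examples of regular-expression scope and escaping rules; standard
# Python re, not SecureSphere's engine.

def reorder_last_two(text):
    """Parentheses: swap the two captured words after 'first second'.
    The page writes the replacement as 'first second $2 $1'; Python uses \\2 \\1."""
    return re.sub(r"first second (\w+) (\w+)", r"first second \2 \1", text)

def alternation_is_widest(text):
    """Alternatives: the bar takes the largest expression on each side, anchors
    included, so '^cmd|exe$' means (^cmd) OR (exe$). Grouping restores the
    intended 'exactly cmd or exactly exe'."""
    return {
        "ungrouped": re.search(r"^cmd|exe$", text) is not None,
        "grouped": re.search(r"^(cmd|exe)$", text) is not None,
    }

def repeat_is_narrowest(text):
    """Repeat operators take the smallest preceding sub-expression: 'ab*'
    repeats only the b, '(ab)*' repeats the pair."""
    return {
        "ab*": re.fullmatch(r"ab*", text) is not None,
        "(ab)*": re.fullmatch(r"(ab)*", text) is not None,
    }

def literal_dot_matters(text):
    """Escaping: an unescaped dot matches almost any character, so 'cmd.exe'
    also matches 'cmdXexe'; 'cmd\\.exe' matches only the literal file name."""
    return {
        "unescaped": re.search(r"cmd.exe", text) is not None,
        "escaped": re.search(r"cmd\.exe", text) is not None,
    }

if __name__ == "__main__":
    print(reorder_last_two("first second fourth third"))
    for sample in ("cmdline", "exe", "notepad.exe"):
        print(sample, alternation_is_widest(sample))
    print("cmdXexe", literal_dot_matters("cmdXexe"))
```

The alternation case is the one that produces surprising signatures: a pattern meant to match a whole value ends up anchored on only one of its alternatives, so it matches far more than intended on one side and far less on the other.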


Using Regular Expressions in Signatures

The use of a regular expression part is optional and only applies to non-stream signatures (that is, URL, parameters,
parameter types, and headers). You can only include one regular expression part in a signature. The regular
expression part must be the last part in the signature. One or more non-regular expression parts can precede the
regular expression part. SecureSphere searches for the regular expression only if all the preceding parts are found.

Note: The regular expression is searched for on the entire object (for example URL) and
not on the text following the last part.

For example, if you want to check that the "filename" parameter ends with ".txt", your signature should be:

part=".txt", rgxp="filename=[^&]*\.txt(&|$)"
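An added example of how a signature with a trailing rgxp part is evaluated against a non-stream object such as a URL query string. It is a hypothetical model of the rules in this section, not Imperva's code, and it assumes that literal parts are case-insensitive substring checks, that the regular expression is applied as written with Python's re.search, and that \x escapes are not decoded here. Besides the verdict, it reports whether the regular expression was consulted at all, and what the verdict would have been had the regular expression been applied only to the text after the last literal part, which is the misreading the note above warns against.

```python
import re

# Added example: evaluating a non-stream signature that ends in an rgxp part.
# Hypothetical model of this page's rules, not Imperva's implementation.

_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_object_signature(sig):
    """Split a signature into its literal parts and optional rgxp part, enforcing
    the page's two rules: at most one rgxp part, and it must come last."""
    pairs = _PAIR.findall(sig)
    if not pairs:
        raise ValueError("signature contains no parts")
    literals = [value for key, value in pairs if key == "part"]
    regexes = [value for key, value in pairs if key == "rgxp"]
    if len(regexes) > 1:
        raise ValueError("only one regular expression part is allowed")
    if regexes and pairs[-1][0] != "rgxp":
        raise ValueError("the regular expression part must be the last part")
    return literals, (regexes[0] if regexes else None)

def is_valid_object_signature(sig):
    try:
        parse_object_signature(sig)
        return True
    except ValueError:
        return False

def evaluate(sig, obj):
    """Return a dict describing how the signature fares against one object:
    matched          - the verdict under the page's rules
    regex_evaluated  - whether the rgxp part was consulted (only when every
                       literal part was found)
    remainder_only   - the verdict IF the regex were applied only to the text
                       after the last literal part, which the page says is not
                       how SecureSphere works; shown for contrast"""
    literals, rgxp = parse_object_signature(sig)
    low = obj.lower()
    result = {"matched": False, "regex_evaluated": False, "remainder_only": False}
    positions = [low.find(lit.lower()) for lit in literals]   # first occurrence each
    if any(pos == -1 for pos in positions):
        return result                         # a missing literal part ends the search
    if rgxp is None:
        result["matched"] = True
        return result
    result["regex_evaluated"] = True
    result["matched"] = re.search(rgxp, obj) is not None      # whole object, as the page states
    if literals:
        tail = obj[positions[-1] + len(literals[-1]):]
        result["remainder_only"] = re.search(rgxp, tail) is not None
    else:
        result["remainder_only"] = result["matched"]
    return result

SIGNATURE = r'part=".txt", rgxp="filename=[^&]*\.txt(&|$)"'   # the page's example

if __name__ == "__main__":
    for query in ("filename=report.txt", "filename=report.txt&mode=read",
                  "filename=report.txt.exe", "filename=a.txt&x=.txt", "filename=x.doc"):
        print(f"{query:32} {evaluate(SIGNATURE, query)}")
```

The query filename=report.txt.exe shows why the regular expression is needed at all: the literal part ".txt" is present, but the regular expression refuses it because ".txt" is not followed by "&" or the end of the value. The query filename=a.txt&x=.txt shows the note in practice: the regular expression matches the whole object but would not match the text after the last literal part.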
