D1. Signatures – Exploit Detection Based on Patterns and Payloads

| ID | Name | Description / Sub-elements |
|---|---|---|
| S1 | RCE | AV Remote Command Execution detection via signature matching. |
| S2 | SQLi | SQL Injection detection. |
| S3 | XSS | Cross-Site Scripting detection. |
| S4 | LFI | Local File Inclusion payload detection. |
| S5 | RFI | Remote File Inclusion detection. |
| S6 | Specific exploit signature | Exact match for known CVEs and public exploit payloads. |
| S7 | Generic exploit signature | Detection of generalized patterns for injection/fuzzing attempts. |
| S8 | Informational signature | Indicators like /admin, known tools, or outdated software hints. |
| S9 | Global signature (request level) | Signatures applied to the full request context. |
| S10 | Param-level signature | Signatures targeting individual parameters. |
| S11 | URL param-level signature | Applied only to query string parameters within URLs. |
| S12 | Signature normalization | Normalization techniques used to detect obfuscated payloads: lowercase conversion; encoding transformations; base64 decoding (if the app supports it); other evasions (e.g., null byte, whitespace, mixed case); meta characters (;, %, --, M'C, etc.). |
| S13 | Signature content-type checks | Validation against different body types and parsers: TXT, HTML, JSON, XML. |
| S14 | CVE-based signatures | Targeted rules for known vulnerabilities; 1-day delay before blocking. |
| S15 | Informational/default signatures | Low-risk alerts on suspicious but non-blocking patterns. |
| S16 | CI-triggered signature overload | Detection of excessive signature triggers from a single IP/source. |
| S17 | Vulnerability hunting & scanner detection | One-strike, fuzzing, or scan-based trigger identification. |
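The normalization steps in S12 and the param-level (S10) versus request-level (S9) scopes are easiest to see in code. The following is an added example, not part of the original page or any vendor's ruleset: the three signatures, the parameter values, and the `decode_base64` switch (standing in for "if the app supports it") are all constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed example signatures (not a real WAF ruleset): name -> regex
# evaluated against the *normalized* form of a value.
SIGNATURES = {
    "sqli_union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "xss_script_tag": re.compile(r"<script\b"),
    "lfi_traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
}


def normalize(value: str, decode_base64: bool = False) -> str:
    """Apply the S12 normalization steps so an obfuscated payload matches the
    same signature as its plain form. Order matters: decoding happens before
    lowercasing, because base64 is case-sensitive."""
    text = unquote(unquote(value))  # undo single and double URL encoding
    if decode_base64:  # only when the protected app itself accepts base64 input
        try:
            decoded = base64.b64decode(text.strip(), validate=True)
            text = f"{text} {decoded.decode('utf-8', 'replace')}"  # keep both forms
        except (binascii.Error, ValueError):
            pass  # not valid base64: nothing to add
    text = text.replace("\x00", "")  # null-byte evasion
    text = re.sub(r"/\*.*?\*/", " ", text)  # inline comments used to split keywords
    text = re.sub(r"\s+", " ", text)  # tabs, newlines, repeated spaces -> one space
    return text.lower()  # mixed-case evasion (UnIoN SeLeCt)


def match_param(value: str, decode_base64: bool = False) -> list[str]:
    """Param-level signature check (S10): names of the signatures that fire."""
    text = normalize(value, decode_base64)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def match_request(params: dict[str, str], decode_base64: bool = False) -> list[str]:
    """Request-level check (S9): the same rules run over every parameter."""
    hits: set[str] = set()
    for value in params.values():
        hits.update(match_param(value, decode_base64))
    return sorted(hits)
```

Without `normalize`, none of the encoded, commented or mixed-case inputs in the assertions below would match, which is exactly the gap S12 exists to close.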