Start of Content Area

Background documentation Patterns

You can use patterns to restrict the character sets that users can enter. Patterns consist of regular expressions.

In general, you can restrict the character input in the following ways:

      Black Lists

A list of this type contains all impermissible characters for which the system is to search. The disadvantage of this approach is that the list must be constantly updated as soon as new attack variants emerge.

      White Lists

A list of this type contains all permissible characters. That is, all characters not listed are filtered out.

By default, the pattern used by the ICM filter is a black list with the following structure:

<\\s*script[^>]*>(.*)<\\s*/script\\s*>

You can change or override this filter to extend or restrict input options (for example, for Internet forums). To do this, create the file sappattern.dat in the directory that contains the ICM. Enter the impermissible regular expressions (which must correspond to the POSIX 1003.2 standard) or specify impermissible words line by line. You do not need to restart the ICM to activate the entries, but rather send the ICM signal SIGHUP. This reinitializes the filter in accordance with the rules of the file sappattern.dat (if this file exists) or the standard pattern.

Caution

If you create the sappattern.dat file, without filling it, or enter incorrect entries (for example, not regular expressions), you deactivate the standard filter, meaning that no input check takes place. You receive only a corresponding message in the ICM trace.

Example Initialization of the Content Filter

Successful initialization in the ICM (dev_icm):

---------------------------------------------------------------

CsiInit(): Initializing the content scan interface

           Intel x86 with Linux (mt,unicode,SAP_CHAR/size_t/void* = 2/4/4)

CsiInit(): CSA_LIB = "/tmp/icman/build/libsapcsa.so"

---------------------------------------------------------------

Failed initialization:

---------------------------------------------------------------

CsiInit(): Initializing the content scan interface

           Intel x86 with Linux (mt,unicode,SAP_CHAR/size_t/void* = 2/4/4)

CsiInit(): CSA_LIB = "/tmp/icman/build/libsapcsa.so"

*** ERROR => HttpAuthHandlerInit: url: / -> failed -> content filter deactivated [http_auth_mt 292]

---------------------------------------------------------------

 

End of Content Area