Regex to filter PurePaths that contain SQL statements

alex2
Guide

Hi folks,

We detected a PurePath with SQL statements in it; we suppose it was a SQL injection attack.
Now we need to create an alert if this occurs in the future. I need a regex to filter URIs that contain select, update, insert, from, union, etc. How can I create this?

I browsed the forum but I can't find a solution...

Thanks!


Alex.


JamesKitson
Dynatrace Leader

Oh, interesting - nice catch. Since you'll probably want to be able to drill into the PurePaths that have these calls, you'll want to create a business transaction as opposed to just creating a measure, which would only let you see counts of occurrences. I'm not sure what regex you're planning on using, but if you're searching for absolutely any occurrence of those words using something like .*select.*, that can be very heavy on the server, so it would be best if you can narrow down the patterns in some way.

First you'll create a measure you can use as the filter to specify you're only capturing PurePaths that contain web requests with those patterns. You can use the web requests count measure template with the regex specified as below and the upper severe threshold as 1 (this tells the BT to include any PurePaths that meet this criteria).

Then you will create a new business transaction and add that measure into the filter measures section so that only PurePaths that contain a web request that matches your regex pattern will be included.

This should be all you need to do for the business transaction - to test that it matches the PurePaths you already have you can export those into a stored session and when you re-analyze it you should see data in the business transaction results.

After the BT is configured, to create the alert you'll add the PurePath Response Time measure associated with that BT as the incident measure, but with the 'count' aggregation (which will count the # of PurePaths that have matched your filter and been included - disregard the ms unit; it will be the count as long as you are using that aggregation) and set the threshold as desired. In the incident you'll then set the timeframe and can configure any actions, such as email alerts, that you want.

James

Excellent, James! Good approach. I have a lot of work to create the different cases :),

How do I make these regexes? I mean, for example, if I want to filter this PurePath -->
3378/-8330%20UNION%20ALL%20SELECT%2078,78,78,78,78,78,78,78,78,78#
In this case I may need to create a regex to filter a web request that contains the words:

1- "Select" and "Union", or

2- "Select" and ","

How do I make regex 1 and regex 2?


Thanks!
Alex

There are a ton of possibilities with regex, but I'm no expert - I usually just try to get something working with some best practices. In cases like this it would probably be hard to get an efficient regex that doesn't have to look through every entire web request to find certain strings, so perhaps someone with more experience can add to this.

For something like the case you mention, I found the following regex works for finding those two strings in any order:

^(?=.*\bSELECT\b)(?=.*\bUNION\b).*$

You can play with it here: https://regex101.com/r/FHlzmn/1

Hopefully that helps as a start.
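Added example (not from this thread or from Dynatrace): a small Python check of James's pattern and of Alex's second rule ("Select" and ",") against the sample request path above plus a few constructed paths. It also shows a caveat a practitioner will want to know: `\b` does not fire next to a `%20`-encoded space, because the `0` in `%20` is a word character, so the raw encoded path only matches after it is URL-decoded.

```python
import re
from urllib.parse import unquote

# Regex 1: SELECT and UNION in any order (James's pattern, made case-insensitive).
REGEX_1 = re.compile(r"^(?=.*\bSELECT\b)(?=.*\bUNION\b).*$", re.IGNORECASE)
# Regex 2: SELECT together with a comma, e.g. a column list (Alex's second rule).
REGEX_2 = re.compile(r"^(?=.*\bSELECT\b)(?=.*,).*$", re.IGNORECASE)


def matches(pattern: re.Pattern, path: str, decode: bool = True) -> bool:
    """Return True if the request path matches; %xx escapes are decoded first unless disabled."""
    if decode:
        path = unquote(path)
    return pattern.search(path) is not None


def classify(path: str) -> list[str]:
    """Names of the rules a request path trips, after URL-decoding."""
    hits = []
    if matches(REGEX_1, path):
        hits.append("select+union")
    if matches(REGEX_2, path):
        hits.append("select+comma")
    return hits


# Sample paths and the rules each should trip. The first is the path from the
# thread; the others are constructed for this example.
SAMPLES = {
    "/3378/-8330%20UNION%20ALL%20SELECT%2078,78,78,78,78,78,78,78,78,78#": ["select+union", "select+comma"],
    "/products?id=42": [],
    "/search?q=select%20a,b%20from%20t": ["select+comma"],
    "/docs/union-station": [],
}

if __name__ == "__main__":
    raw = "/3378/-8330%20UNION%20ALL%20SELECT%2078,78#"
    # Same path, with and without decoding: only the decoded form matches regex 1.
    print("raw   :", matches(REGEX_1, raw, decode=False))
    print("decoded:", matches(REGEX_1, raw))
    for p in SAMPLES:
        print(p, classify(p))
```

Whether the measure sees the raw or the decoded URI decides which of the two results applies to your data, which is one more reason to re-analyze a stored session as James suggests before relying on the alert.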

Excellent!!!! Thanks!!