Field format relaxation rule

[Amin Eideh]

Greetings,

 

Been struggling with the field format check, as we already deployed a relaxation rule with the "ANY" field type , length is also at the max.

 

any suggestions on why it may be  still blocking the request.

 

Much Regards

[Rhonda Rowland1709152125]

Share the event that you are seeing will help.

 

Here's the deal with Field Format protection.

If no "default field format" is specified, then ONLY fields listed in the relaxation are protected.  This is the preferrred implementation (so you only use it when neeeded and if there is no other way to protect the field input.)

If a "default field format" is specificed, then every field must meet default requirements unless exempted.

 

Since its easy to misconfigure field formats, usually you leave the "default" off and only use it to provide field content protections if you can't mitigate the attack through any other feature like signatures, start/deny urls, sql injection/cmd injection.  

 

Second depending on how it is implemented (with or without default field requirement) will affect how effective your field pattern will be.

Most common issues when protecting a field is misconfigured regex, not marking field name/contents as regex based, or improper use of anchors and possibly field match length.

 

If you can share the exact log event and the rule settings you've tried to implement you might get a more specific answer. Also share firmware version in case there is a bug.

Be sure it is a field format violation and not a form field consistency.

 

 

 

 

 

 

[Amin Eideh]

The exact message is 

 

"Field Format check failed for field content%3D"%26lt;p style%3D"text-align; center;"%26gt;526lt;span style%3D"font-size."

 

Thank you for the useful information, really appreciate it.