haaris
Level 10

Unusual behaviour of webgateway Main release 7.5.2.2.0

Hi,

I have configured the access log to have the rule/ruleset name, but what I find is that instead of giving the proper rule/ruleset name it's giving the Gateway's anti-malware rule in the log. Also, when I go for rule tracing, there also it's not hitting the desired rule/ruleset.

11 Replies
McAfee Employee

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Hi Haaris,

That's not unusual behavior and is probably not specific to 7.5.2.2 as the title alludes.

The "Current.RuleName" or "Current.RulesetName" will always be populated with the last rule/ruleset which MWG "evaluated".

"Evaluated" is the keyword there. This does not mean that the rule matched, it simply means it was evaluated.

You can use the property "Rules.FiredRules" if you want to see all of the rules which fired for the transaction. This is a comma-separated list of rule names rather than the last rule name which matched/fired.

Best Regards,

Jon

0 Kudos
haaris
Level 10

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Thanks a lot Jon, as I was not aware of that and I thought this was unusual behaviour.

Let me confirm that you mean to say that Rules.CurrentRule.name will not display the rule from which the traffic/URL is passing, but it will show the last ruleset which MWG evaluated.

When I'm trying to edit Rules.CurrentRule.Name in the event under the log handler, I'm not getting the option Rules.FiredRules in the parameter property.

0 Kudos
haaris
Level 10

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Please help me with this!!

0 Kudos
McAfee Employee

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Rules.CurrentRule.Name is a string

Rules.FiredRules is a list of strings

Logging only can take a string, therefore anything that is not a string must be cast to a string type (like a number, or mediatype, or category, or list of string, etc...).

You must convert Rules.FiredRules to a string by using ListOfString.ToString much like other properties do.

Best Regards,
Jon

haaris
Level 10

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Thanks a lot for that Jon...

I checked that and it works, but as you said it's giving all the rules fired for the transaction.

But what I want is the exact rule through which the particular URL is accessed, i.e. only one particular rule/ruleset. Is it possible???

0 Kudos
McAfee Employee

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Hi Haaris,

If you're trying to log the last rule which caused a block, then you can use Rules.CurrentRule.Name or Ruleset.Name and it will give you the name of the rule which caused the transaction to be blocked.

If you're trying to log the last rule which caused the URL to be allowed (stop cycle) this gets a lot more complicated because you must take into account the different cycles (Request, Response, Embedded). I don't have an answer for this one, except that it needs to be understood that because a transaction was allowed, simply means that it wasn't blocked.

Based on what you're asking for I don't quite follow, I would guess you're asking for the latter. However there seems to be a misunderstanding on transactions flowing through the rule engine.


But what I want is the exact rule through which the particular URL is accessed, i.e. only one particular rule/ruleset. Is it possible???


Best Regards,

Jon

0 Kudos
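A simplified model of the behaviour described in the replies above, added here as an illustration (it is not part of the original thread and not McAfee's code): the "current rule" value is overwritten every time a rule is evaluated, while the fired list only grows when a rule matches. The rule names, URLs, log layout and the `evaluate`/`log_line` helpers are constructed for this sketch, and Stop Cycle and the separate cycles are not modelled.

```python
# Toy model of ordered rule evaluation (added illustration, not MWG code).
# Stop Cycle and the Request/Response/Embedded cycles are not modelled.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Rule:
    name: str                        # constructed rule names, for illustration
    matches: Callable[[str], bool]   # the rule's criteria
    action: str = "Continue"         # "Continue" or "Block"

def evaluate(rules: List[Rule], url: str) -> Tuple[str, str, List[str]]:
    """Return (verdict, last evaluated rule name, names of rules that fired)."""
    current_rule = ""
    fired: List[str] = []
    for rule in rules:
        current_rule = rule.name     # updated on evaluation, match or not
        if rule.matches(url):
            fired.append(rule.name)
            if rule.action == "Block":
                return "blocked", current_rule, fired   # processing ends here
    return "allowed", current_rule, fired

def log_line(url: str, verdict: str, current_rule: str, fired: List[str]) -> str:
    # A log field takes a string, so the list is joined into one
    # (the role ListOfString.ToString plays in the thread).
    fired_as_string = ", ".join(fired)
    return f'{url} {verdict} current="{current_rule}" fired="{fired_as_string}"'

# Constructed policy: the anti-malware rule sits last, as in the original report.
POLICY = [
    Rule("Tag Intranet Hosts", lambda u: "intranet.example" in u),
    Rule("Block Gambling", lambda u: "casino" in u, "Block"),
    Rule("Gateway Anti-Malware", lambda u: "eicar" in u, "Block"),
]

if __name__ == "__main__":
    for url in ("http://intranet.example/wiki", "http://casino.example/"):
        print(log_line(url, *evaluate(POLICY, url)))
```

For the allowed request the model logs the last rule in the policy as the current rule even though it did not match; for the blocked request the current rule is the blocking rule.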
haaris
Level 10

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Thanks a lot Jon, actually I wanted to log the last rule which caused the URL to be allowed. Thanks a lot for your views.

0 Kudos
McAfee Employee

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Add a ruleset to the end of the ruleset called "-", and create a single rule called "-".

Then tell me if Ruleset.Name and Rule.Name are working as expected.

0 Kudos
haaris
Level 10

Re: Unusual behaviour of webgateway Main release 7.5.2.2.0

Hi Jon,

Can y

0 Kudos