Generic Dictionary Groups
- Last Updated: Mar 14, 2025
Generic Dictionary groups in SecureSphere are groups of data patterns that can be matched against items such as URLs, headers or other strings. They enable you to identify and control suspicious behavior that may pose a threat to your data or network: you can block the matching traffic, generate alerts and violations, and mask sensitive data in violations. Generic Dictionaries are similar to signatures in SecureSphere, only more flexible.
Generic dictionaries provide two primary benefits:
- Reducing processing overhead: Generic dictionaries search for suspicious strings only under specific conditions and in specific locations (such as an HTML page), whereas signatures search all traffic. Generic dictionaries are evaluated only after all other mechanisms (for example, signatures) have already run. This makes operation effective and accurate, saves time, and conserves system resources.
- Enabling the use of AND operations: Most criteria in SecureSphere policies can appear only once in a policy, so they can only be combined with OR operations. Generic dictionaries can appear multiple times in a single policy. This lets you apply AND operations to two or more criteria defined in a custom policy, providing more advanced detection options.
Note: Using generic dictionaries on all responses could significantly impact SecureSphere performance. It is therefore recommended that you configure a generic dictionary to match only under certain conditions and define a new custom policy rule with additional conditions. For example, use a custom rule to run the sensitive data generic dictionary only when the profile violation "Parameter Value Length Violation" or "Parameter Type Violation" occurs.
The following table lists the main tasks that can be conducted to configure generic dictionary groups.
Configuring Generic Dictionaries Task Overview

| | Action | Description | For more information, see... |
|---|---|---|---|
| 1 | Define a new generic dictionary group (optional). | Define a new Generic Dictionary group that includes the malicious patterns you want to search for. Alternatively, you can use an existing dictionary group. | |
| 2 | Add data patterns to the dictionary group. | Add data patterns to the Generic Dictionary group used to identify patterns. | Adding Data Pattern Definitions and Validation Method to Dictionary Groups |
| 3 | Attach the dictionary group to a security policy. | Attach the Generic Dictionary group to a security policy and configure the match criteria that determine when the policy is invoked. | |

Note: You can view or change only the dictionaries for which you have Edit permissions.
EXAMPLE: Validating Input Using Multiple Criteria and the AND Function
In this example you have a form on a web site that has a FROM address, a TO address, and a comment. The form is being abused to send spam. The form contains browser-based JavaScript that counts down from 1000 to 0 (the number of characters entered into the comment), but someone has been submitting data by bypassing the form and its client-side validation via a script or other means. This was detected when forms were received with comments that were not empty, yet their counter still read 1000.
To prevent this from happening, you want to write a policy that checks two separate fields and only alerts when both fields match the policy. This cannot be accomplished using signatures, which are limited to the OR function, but it can be accomplished by creating two separate generic dictionaries and using them in a custom policy.
To configure a generic dictionary group to validate multiple criteria:
1. Create a new generic dictionary global object named Text, with the following parameters.
   - Display Name: Text.
   - Type: Advanced.
   - Pattern:
     Part="Text", rgxp="Text=[^\n&]"
2. Create a second generic dictionary global object named characterCount, with the following parameters.
   - Display Name: characterCount.
   - Type: Advanced.
   - Pattern:
     Part="characterCount=1000"
3. Create a new Web Application Custom Policy named commentValidation.
4. Add the criteria Generic Dictionary Search and configure it with the dictionary Text created in step 1 above.
5. Add a second instance of the criteria Generic Dictionary Search and configure it with the dictionary characterCount created in step 2 above.
   Note: While most criteria in SecureSphere can only be used once in a policy, both Generic and Sensitive Data dictionaries can be used in a policy multiple times.
6. Add the criteria URL Prefix and type the URL of the specific page that receives this input. For example, /actionpages/sendForm.asp.
7. Click Save. The policy has been configured. It will alert whenever a form is submitted whose comment is not empty but whose counter still reads 1000. This test is only conducted on URLs starting with /actionpages/sendForm.asp.
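The following Python script is an added illustration of the AND logic described in the "Enabling the use of AND operations" benefit and in the commentValidation example above; it is not SecureSphere code and does not reproduce the appliance's matching engine. It assumes that the `rgxp` value is an ordinary regular expression searched against the form body, that the second dictionary's `Part` value is matched as a literal substring, and that the URL Prefix criterion is a plain prefix test on the request path. The request bodies are constructed samples. For contrast, it also evaluates the same two patterns with OR semantics, which is what a signature-only rule could express, to show why that fires on ordinary submissions.

```python
import re
from dataclasses import dataclass

# Patterns copied from the two Advanced dictionaries on the page.
TEXT_PATTERN = re.compile(r"Text=[^\n&]")       # comment field is non-empty
COUNTER_LITERAL = "characterCount=1000"         # countdown never decremented
URL_PREFIX = "/actionpages/sendForm.asp"        # URL Prefix criterion from the page


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: only what the policy inspects (assumption)."""
    url: str
    body: str  # application/x-www-form-urlencoded body


def text_dictionary_matches(body: str) -> bool:
    """Generic dictionary 'Text': regex search over the body (assumed semantics)."""
    return TEXT_PATTERN.search(body) is not None


def counter_dictionary_matches(body: str) -> bool:
    """Generic dictionary 'characterCount': literal substring match (assumed semantics)."""
    return COUNTER_LITERAL in body


def comment_validation_policy(req: Request) -> bool:
    """True when the commentValidation custom policy would raise an alert.
    All three criteria must hold, i.e. they are ANDed together."""
    if not req.url.startswith(URL_PREFIX):
        return False
    return text_dictionary_matches(req.body) and counter_dictionary_matches(req.body)


def signature_style_policy(req: Request) -> bool:
    """What a signature-only rule can express: the two patterns ORed together.
    It also fires on legitimate submissions, which is the problem the page solves."""
    return text_dictionary_matches(req.body) or counter_dictionary_matches(req.body)


# Constructed sample submissions (not captured traffic).
SAMPLE_REQUESTS = [
    # 1. Normal use: comment typed in the browser, counter decremented by the JavaScript.
    Request(URL_PREFIX, "FROM=a%40example.test&TO=b%40example.test&Text=hello&characterCount=995"),
    # 2. Form bypassed by a script: comment present but counter still at its initial value.
    Request(URL_PREFIX, "FROM=a%40example.test&TO=b%40example.test&Text=buy+now&characterCount=1000"),
    # 3. Empty comment with an untouched counter: consistent, no alert.
    Request(URL_PREFIX, "FROM=a%40example.test&TO=b%40example.test&Text=&characterCount=1000"),
    # 4. Same bypass pattern on a different page: outside the URL Prefix, so no alert.
    Request("/other/page.asp", "Text=buy+now&characterCount=1000"),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return (AND policy result, OR policy result) for each sample request."""
    return [(comment_validation_policy(r), signature_style_policy(r)) for r in requests]


if __name__ == "__main__":
    for req, (and_hit, or_hit) in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(f"{req.url:28} dictionaries(AND)={and_hit!s:5} signatures(OR)={or_hit}")
```

Only the second sample, the scripted bypass on the protected URL, satisfies the AND policy; the OR evaluation fires on all four, including the legitimate submission, which is why the page uses two dictionary instances in one custom policy rather than signatures.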