Rules for Data Masking
The Wallarm node sends the following data to the Wallarm Cloud:
- Serialized requests with attacks
- Wallarm system counters
- System statistics: CPU load, RAM usage, etc.
- Wallarm system statistics: number of processed NGINX requests, Tarantool statistics, etc.
- Information on the nature of the traffic that Wallarm needs to correctly detect application structure
Some data should not be transferred outside of the server on which it is processed. Typically, this category includes authorization (cookies, tokens, passwords), personal data and payment credentials.
Wallarm Node supports data masking in requests. This rule cuts the original value of the specified request point before sending the request to the postanalytics module and Wallarm Cloud. This method ensures that sensitive data cannot leak outside the trusted environment.
Masking can affect the display of attacks, active attack (threat) verification, and the detection of brute force attacks, because the masked value is no longer available to those features.
Creating and applying the rule
You can create and apply the rule in both the Events and Rules sections of Wallarm Console.
In the Events section, rules are created with a pre-filled description of endpoints to apply the rule to. The endpoint description corresponds to the request you clicked the Rule button for.
To complete the rule setup, just select the rule action type and make sure all rule components are configured correctly.
In the Rules section, all rule components must be filled in manually.
Example: Masking of a Cookie Value
If the following conditions take place:
- the application is accessible at the domain example.com
- the application uses a PHPSESSID cookie for user authentication
- security policies deny access to this information for employees using Wallarm
Then, to create a data masking rule for this cookie, the following actions should be performed:
- Go to the Rules tab
- Find the branch for example.com/**/*.* and click Add rule
- Choose Mask sensitive data
- In the "in this part of request" block, select the Header parameter and enter its value COOKIE; then select the cookie parameter and enter its value PHPSESSID
The options selected in "in this part of request" (if several) should be listed in the order of the parsers Wallarm applies to read the required request element: here the header parser first (COOKIE), then the cookie parser (PHPSESSID).
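The following is an added illustration, not Wallarm's own code, of what this rule does to a serialized request before it leaves the node: the parser sequence Header -> COOKIE -> cookie -> PHPSESSID is applied and only that cookie's value is cut, while the rest of the request (including any attack payload) is preserved. The `[masked]` placeholder, the header-dictionary layout and the sample request are assumptions made for the example.

```python
# Added illustration (not Wallarm's code) of what a "Mask sensitive data"
# rule does to a request before it leaves the node. The request point path
# mirrors the rule on this page: Header -> COOKIE -> cookie -> PHPSESSID.
from typing import Dict, List

MASK = "[masked]"  # constructed placeholder; the node itself just cuts the value

def parse_cookie_header(value: str) -> List[List[str]]:
    """Split 'a=1; b=2' into [['a', '1'], ['b', '2']], preserving order."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            pairs.append([name.strip(), val.strip()])
    return pairs

def mask_cookie(headers: Dict[str, str], cookie_name: str) -> Dict[str, str]:
    """Copy of the headers with the named cookie's value masked: the header
    parser selects COOKIE (case-insensitive), then the cookie parser picks the
    named cookie. Other cookies/headers stay intact; no such cookie -> no-op."""
    out = dict(headers)
    for hname, hval in headers.items():
        if hname.lower() != "cookie":
            continue
        pairs = parse_cookie_header(hval)
        for pair in pairs:
            if pair[0] == cookie_name:
                pair[1] = MASK
        out[hname] = "; ".join(f"{n}={v}" for n, v in pairs)
    return out

def mask_request(request: dict, cookie_name: str) -> dict:
    """Apply the rule to a serialized request before postanalytics / Cloud."""
    masked = dict(request)
    masked["headers"] = mask_cookie(request["headers"], cookie_name)
    return masked

# Constructed sample request to example.com carrying a PHPSESSID cookie.
SAMPLE_REQUEST = {
    "method": "GET", "host": "example.com", "path": "/account",
    "headers": {"Host": "example.com",
                "Cookie": "PHPSESSID=s3cr3tsession; theme=dark",
                "User-Agent": "constructed-client/1.0"},
}

if __name__ == "__main__":
    print(mask_request(SAMPLE_REQUEST, "PHPSESSID")["headers"])
```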