User-defined detection rules

In some cases it may be useful to add an attack-detection signature manually or to create a so-called virtual patch. Wallarm does not itself use regular expressions to detect attacks, but it allows users to add additional signatures based on regular expressions.

Adding a new detection rule

To do this, create a rule "Define as an attack on the basis of a regular expression" and fill in the fields:

Regex ID — the numeric identifier of this regular expression. Each regular expression must use a unique ID value; otherwise the filtering rules cannot be compiled and applied. This identifier is also used to partially disable the rule (see below).

Regex — the regular expression (signature). If the value of the parameter selected in Point matches the expression, the request is detected as an attack. Note that the system supports only a limited subset of regular expression syntax.

Attack — the type of attack that will be detected when the parameter value in the request matches the regular expression.

Experimental — this flag lets you safely check whether a regular expression triggers without blocking requests. Matching requests are not blocked even when the filter node is in blocking mode; they are recorded as attacks detected by the experimental method and can be found with the search query experimental attacks.

Point — determines in which parameter of the request the system should detect the corresponding attacks.

Example: blocking all requests with an incorrect X-Authentication header

If

  • the application is accessible at the domain example.com
  • the application uses the X-Authentication header for user authentication
  • the header value consists of 32 hexadecimal characters

Then, to create a rule that rejects tokens in an incorrect format:

  1. Go to Settings -> Rules
  2. Find the branch for example.com/**/*.* and click Add rule
  3. Select Define as an attack on the basis of a regular expression
  4. Set Regex ID value as 42
  5. Set Regex value as [^0-9a-f]|^.{33,}$|^.{0,31}$
  6. Choose VPATCH as the type of Attack
  7. Set the point Header X-AUTHENTICATION
  8. Click Create

Partial disablement of a new detection rule

If the created rule should be partially disabled for a particular branch, this can easily be done by creating the rule Ignore regular expression with the following fields:

  • Regex ID — identifiers of the previously created regular expressions which must be ignored.
  • Point — indicates the parameter which requires setting up an exception.

Example: permit an incorrect X-Authentication header for a designated URL.

Let's say you have a script at example.com/test.php, and you want to change the format of the tokens for it.

To create the relevant rule:

  1. Go to Settings -> Rules
  2. Find or create the branch for example.com/test.php and click Add rule
  3. Choose Ignore regular expressions
  4. Set Regex ID value as 42
  5. Set the point Header X-AUTHENTICATION
  6. Click Create
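To see how the two rules above interact, here is an added Python model (not Wallarm's engine or code) that applies rule 42 with the page's regex to the X-Authentication header and honours the Ignore rule for example.com/test.php. Branch matching, the rule/ignore data structures and the sample requests are constructed assumptions; only the Header point is modelled.

```python
import re
from dataclasses import dataclass

# The page's regex for rule 42: any non-hex character, or a length other than 32.
HEX32_VPATCH = re.compile(r"[^0-9a-f]|^.{33,}$|^.{0,31}$")

@dataclass
class RegexRule:
    regex_id: int
    regex: re.Pattern
    attack: str
    point: str            # header name; only the Header point is modelled here
    branch: str           # branch the rule was created in
    experimental: bool = False

# Constructed rule set mirroring the two examples on this page.
# Ignore rules are (regex_id, point, branch) tuples.
RULES = [RegexRule(42, HEX32_VPATCH, "vpatch", "X-AUTHENTICATION", "example.com/**/*.*")]
IGNORES = [(42, "X-AUTHENTICATION", "example.com/test.php")]

def branch_matches(branch: str, host: str, path: str) -> bool:
    # Simplified branch matching (an assumption, not Wallarm's algorithm): the
    # wildcard branch covers every path on the host; other branches match exactly.
    if branch.endswith("/**/*.*"):
        return branch[: -len("/**/*.*")] == host
    return branch == host + path

def evaluate(host, path, headers, rules=RULES, ignores=IGNORES, blocking_mode=True):
    """Return (verdict, hit_ids): 'block', 'detect' (hit not blocked: monitoring/experimental) or 'pass'."""
    hdrs = {k.upper(): v for k, v in headers.items()}  # header names are case-insensitive
    hits, blocked = [], False
    for rule in rules:
        value = hdrs.get(rule.point.upper())
        if value is None or not branch_matches(rule.branch, host, path):
            continue
        if not rule.regex.search(value):
            continue
        # Partial disablement: an Ignore rule with the same ID and point, in a
        # branch that covers this request, suppresses the trigger.
        if any(rid == rule.regex_id and pt == rule.point and branch_matches(br, host, path)
               for rid, pt, br in ignores):
            continue
        hits.append(rule.regex_id)
        if blocking_mode and not rule.experimental:
            blocked = True
    if blocked:
        return "block", hits
    return ("detect" if hits else "pass"), hits

if __name__ == "__main__":
    for path, token in [("/index.php", "0" * 32), ("/index.php", "0" * 31), ("/test.php", "0" * 31)]:
        print(path, len(token), evaluate("example.com", path, {"X-Authentication": token}))
```

Because the page's regex is case-sensitive, a token written in uppercase hex is also rejected by rule 42; widen the class to [^0-9a-fA-F] if that is not intended.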
