
 

CREATE PROTECTION PROFILE

 

To create a protection profile, follow the steps below:

GENERATE ACTION (OPTIONAL)

 

If a protection action is not desired, proceed with the steps on the Add Protection Profile page.

  1. Navigate to Protection Engine > Action Catalog in the left navigation pane


  2. Select the appropriate Action type:

    1. Host – For Library and Process Monitoring

    2. Application – For other vulnerabilities

  3. Click CREATE NEW ACTION


  4. Provide the below information:

    1. Name – Name of the profile

    2. A sample action for Vulnerability Type Host is depicted below

      [Picture 2062: sample action for Vulnerability Type Host]

    3. A sample action for Vulnerability Type Application is depicted below

      [Picture 288: sample action for Vulnerability Type Application]

    4. A sample action for Vulnerability Type Web is depicted below

      [Picture 102: sample action for Vulnerability Type Web]

    5. Operating System Platform – Select Windows or Linux

    6. Vulnerability Type – Host or Application, based on the tab selected on the Action Catalog page (Read-only)

    7. Vulnerability – Select the appropriate vulnerability from the dropdown

    8. Log File Path – Complete directory path, including the file name, where the script's log file must be created. Previously provided paths are available in the dropdown

    9. Script Path – Complete directory path, including the file name, where the protection action script is located. Previously provided paths are available in the dropdown

    10. Action Parameters – Parameters for the script. Select all the parameters from the list by clicking each one in the order the script expects. The table below provides the list of available parameters:

       

      | Vulnerability Type | Vulnerability | Available Parameters |
      |---|---|---|
      | HOST | Process Injection, Process Modification, Library Injection, Library Modification, Library Hijack | Event Type, Mod Start, Mod End, Library Path, Library Name, Process Path, Process Name, Parameters, Process Pid, Parent Pid, Parent Process Name, Process Checksum, Library Checksum |
      | HOST | Parent Process Violation, Child Process Violation, Process Disallowed, Command-Line Violation, Script Monitoring, Access Control Violation | Event Type, Mod Start, Mod End, Path, Name, Process Path, Process Name, Parameters, Process Pid, Parent Pid, Parent Process Name, Process Checksum, Script Checksum |
      | HOST | Memory Integrity | Event Type, Checksum, Mod Start, Mod End, Process Path, Process Name, Parameters, Process Pid, Process Checksum |
      | APPLICATION | SQL Injection, CRLF Injection, Command Injection, Path Traversal, CSRF, Stored Cross-Site Scripting, Reflected Cross-Site Scripting, DOM XSS, XML Injection, Custom Injection | HTTP Request, Session token id, Process Id, Thread Id, attackerIP, attackerPort |
      | APPLICATION | Buffer Error | Process Id, Thread Id, Source Memory Address, Source Module Start Address, Destination Memory Address |
      | APPLICATION | New File, File Renamed, File Removed, File Modified | filename, filepath, virsechash, ipaddress, filetype, alerytype, symboliclink, linkpath |
      | APPLICATION | Software Exception Logging, Class Load Logging | NA |
      | APPLICATION | Local File Inclusion, Remote File Inclusion | HTTP Request, Session token id, Process Id, Thread Id, attackerIP, attackerPort, filepath, Remote HTTP Request |
      | APPLICATION | Protocol Enforcement | HTTP Request, Unique Transaction ID, attackerIP, attackerPort, Matched Rule File, Threat Description, Severity, Threat Score, Tags |
      | WEB | SQL Injection, CRLF Injection, Command Injection, Stored Cross-Site Scripting, Reflected Cross-Site Scripting, Custom Injection | HTTP Request, Process Id, Thread Id, attackerIP, attackerPort |
      | WEB | Buffer Error | Process Id, Thread Id, Source Memory Address, Source Module Start Address, Destination Memory Address |
      | WEB | Local File Inclusion, Remote File Inclusion, Protocol Enforcement, XML Injection | HTTP Request, Unique Transaction ID, attackerIP, attackerPort, Matched Rule File, Threat Description, Severity, Threat Score, Tags |

      Table – Protection Action Parameters

       

  5. Click SAVE

  6. The created action will be listed on the Actions page
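
Several of the Action Parameters (HTTP Request, Session token id, attackerIP, attackerPort) carry attacker-influenced data, so the action script should validate them before use. The following is an added example, not part of the product documentation: a Linux action script for an Application vulnerability such as Command Injection. It assumes the six parameters are selected in the order listed in the table and reach the script as positional arguments; the function names and the default `LOG_FILE` path are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical script). Assumed parameter order, as positional arguments:
#   $1 HTTP Request  $2 Session token id  $3 Process Id  $4 Thread Id
#   $5 attackerIP    $6 attackerPort
LOG_FILE="${LOG_FILE:-/tmp/protection_action_example.log}"  # constructed path

# Neutralise control bytes and quotes so request data cannot forge log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '\040-\176' '?' | tr '"' "'" | cut -c1-512
}

is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# IPv4 only in this sketch; extend if the deployment reports IPv6 sources.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

handle_event() {
    [ $# -eq 6 ] || { echo "expected 6 parameters, got $#" >&2; return 2; }
    request=$(sanitize "$1"); session=$(sanitize "$2")
    pid=$3; tid=$4; ip=$5; port=$6
    is_uint "$pid" && is_uint "$tid" || { echo "bad process/thread id" >&2; return 3; }
    is_ipv4 "$ip" || { echo "bad attackerIP" >&2; return 4; }
    { is_uint "$port" && [ "$port" -le 65535 ]; } || { echo "bad attackerPort" >&2; return 5; }
    # Values are only ever passed as quoted printf arguments, never evaluated.
    printf '%s pid=%s tid=%s src=%s:%s session="%s" request="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$pid" "$tid" "$ip" "$port" \
        "$session" "$request" >> "$LOG_FILE"
}

if [ $# -gt 0 ]; then handle_event "$@"; fi
```

A parameter count mismatch (non-zero exit code 2) is the usual symptom of the Action Parameters being selected in a different order or number than the script expects.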

 
