CREATE PROTECTION PROFILE
To create a protection profile, follow the steps below:
GENERATE ACTION (OPTIONAL)
If no protection action is required, skip this section and proceed with the steps on the Add Protection Profile page.
- Navigate to Protection Engine > Action Catalog in the left navigation pane
- Select the appropriate Action type:
  - Host – For Library and Process Monitoring
  - Application – For other vulnerabilities
- Click CREATE NEW ACTION
- Provide the following information:
  - Name – Name of the profile
  (Figure: A sample action for Vulnerability Type Host)
  (Figure: A sample action for Vulnerability Type Application)
  (Figure: A sample action for Vulnerability Type Web)
  - Operating System Platform – Select Windows or Linux
  - Vulnerability Type – Host or Application, depending on the tab selected on the Action Catalog page (read-only)
  - Vulnerability – Select the appropriate vulnerability from the dropdown
  - Log File Path – Full directory path, including the file name, where the script's log file must be created. Previously entered paths are offered in the dropdown
  - Script Path – Full directory path, including the file name, where the protection action script is located. Previously entered paths are offered in the dropdown
  - Action Parameters – Parameters passed to the script. Select each parameter from the list by clicking it, in the order in which the script expects to receive them. The table below lists the available parameters:
Vulnerability Type | Vulnerability | Available Parameters
--- | --- | ---
HOST | Process Injection, Process Modification, Library Injection, Library Modification, Library Hijack | Event Type, Mod Start, Mod End, Library Path, Library Name, Process Path, Process Name, Parameters, Process Pid, Parent Pid, Parent Process Name, Process Checksum, Library Checksum
HOST | Parent Process Violation, Child Process Violation, Process Disallowed, Command-Line Violation, Script Monitoring, Access Control Violation | Event Type, Mod Start, Mod End, Path, Name, Process Path, Process Name, Parameters, Process Pid, Parent Pid, Parent Process Name, Process Checksum, Script Checksum
HOST | Memory Integrity | Event Type, Checksum, Mod Start, Mod End, Process Path, Process Name, Parameters, Process Pid, Process Checksum
APPLICATION | SQL Injection, CRLF Injection, Command Injection, Path Traversal, CSRF, Stored Cross-Site Scripting, Reflected Cross-Site Scripting, DOM XSS, XML Injection, Custom Injection | HTTP Request, Session token id, Process Id, Thread Id, attackerIP, attackerPort
APPLICATION | Buffer Error | Process Id, Thread Id, Source Memory Address, Source Module Start Address, Destination Memory Address
APPLICATION | New File, File Renamed, File Removed, File Modified | filename, filepath, virsechash, ipaddress, filetype, alerytype, symboliclink, linkpath
APPLICATION | Software Exception Logging, Class Load Logging | NA
APPLICATION | Local File Inclusion, Remote File Inclusion | HTTP Request, Session token id, Process Id, Thread Id, attackerIP, attackerPort, filepath, Remote HTTP Request
APPLICATION | Protocol Enforcement | HTTP Request, Unique Transaction ID, attackerIP, attackerPort, Matched Rule File, Threat Description, Severity, Threat Score, Tags
WEB | SQL Injection, CRLF Injection, Command Injection, Stored Cross-Site Scripting, Reflected Cross-Site Scripting, Custom Injection | HTTP Request, Process Id, Thread Id, attackerIP, attackerPort
WEB | Buffer Error | Process Id, Thread Id, Source Memory Address, Source Module Start Address, Destination Memory Address
WEB | Local File Inclusion, Remote File Inclusion, Protocol Enforcement, XML Injection | HTTP Request, Unique Transaction ID, attackerIP, attackerPort, Matched Rule File, Threat Description, Severity, Threat Score, Tags
Table – Protection Action Parameters
- Click SAVE
- The created action will be listed on the Actions page
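As an added example (not the product's own script), the Linux protection action script below shows how Script Path, Log File Path and Action Parameters fit together for a Host action of vulnerability Memory Integrity. It assumes the platform runs the script with the selected parameters as positional arguments in the order they were clicked, which here is assumed to be Event Type, Checksum, Mod Start, Mod End, Process Path, Process Name, Parameters, Process Pid, Process Checksum. The log path is a placeholder, and the ACTION_LOG variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not product code: a Memory Integrity protection action for Linux.
# The platform is assumed to invoke it as
#   script.sh <Event Type> <Checksum> <Mod Start> <Mod End> <Process Path> \
#             <Process Name> <Parameters> <Process Pid> <Process Checksum>
# i.e. the Action Parameters in the order they were selected (assumed order).

# Parameter names in the selected order, one record key per positional argument.
FIELDS="event_type checksum mod_start mod_end process_path process_name parameters process_pid process_checksum"
NFIELDS=9

# The value entered as "Log File Path" in the UI. Placeholder path; ACTION_LOG
# may be set in the environment so the script can be exercised elsewhere.
ACTION_LOG="${ACTION_LOG:-/var/log/protection-actions/memory_integrity.log}"

# Event fields such as the process path or command line are attacker-influenced.
# Replace non-printable characters so a newline or tab cannot split or forge a
# record, and replace double quotes so the key="value" layout stays parseable.
sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | tr '"' "'"
}

# Build one timestamped key="value" record from the positional arguments.
# A wrong argument count (the usual symptom of parameters clicked in the wrong
# order, or one left out) is rejected so nothing misleading is logged.
format_record() {
    if [ "$#" -ne "$NFIELDS" ]; then
        echo "expected $NFIELDS parameters, got $#" >&2
        return 1
    fi
    rec="ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    for name in $FIELDS; do
        rec="$rec $name=\"$(sanitize "$1")\""
        shift
    done
    printf '%s\n' "$rec"
}

# Append the record to the configured log file. The log path comes from trusted
# configuration, but refusing a symlinked path costs nothing and prevents the
# action from being redirected into another file.
log_event() {
    rec=$(format_record "$@") || return 1
    if [ -L "$ACTION_LOG" ]; then
        echo "refusing to write to symlinked log path: $ACTION_LOG" >&2
        return 1
    fi
    printf '%s\n' "$rec" >> "$ACTION_LOG"
}

# Entry point when the platform invokes the script with the event parameters.
if [ "$#" -gt 0 ]; then
    log_event "$@"
fi
```

The record format is deliberately one line per event so the log can be shipped to a SIEM as-is; if a different parameter order is chosen in the Action Catalog, only FIELDS and NFIELDS need to change.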