Protection Engine
  • 08 Sep 2023
About this Article
This article describes the Protection Engine, including how to create, view, modify and delete Protection Profiles and Protection Actions.


The ability to detect attacks and malicious activities that target the infrastructure of organizations is the primary responsibility of any security solution. Responding proactively as soon as attacks and threats are detected is the goal of all security solutions. The VSP Protection Engine can be configured to provide appropriate responses to meet the security needs of a business.


Pre-requisites

The pre-requisites for protection engine are:

  1. Installation and configuration of VSP Probe on the App Instance
  2. Probe MUST be registered with CMS and be online


Generate Action

Follow the steps below to generate specific Protection actions. This step is optional; if no Protection action is desired, proceed with the steps in Create Protection Profile.

  1. Navigate to Manage > Protection Engine > Action Catalog in the left navigation pane
  2. Select the appropriate Action type and click CREATE NEW ACTION
    1. Host – For Library and Process Monitoring
    2. Application – For other vulnerabilities
    3. Web – For VSP-Web (on Web Server) vulnerabilities
  3. Provide the information below:
    Name: Name of the Profile
    Operating System Platform: Select Windows or Linux
    Vulnerability Type: Select Host, Web or Application, based on the tab selected on the Action Catalog page
    Vulnerability: Select from the dropdown the vulnerability against which the protection action should be triggered
    Log File Path: Complete directory path (along with the file name) where the log file of the script must be created. Previously provided paths are listed in the dropdown
    Script Path: Complete directory path where the protection action script is located, along with the file name. Previously provided paths are listed in the dropdown
    Action Parameters: Parameters for the script. Select all the parameters from the list by clicking each one in the order expected by the script.


    The table below lists the available parameters, grouped by vulnerability type (each entry gives the vulnerabilities, followed by the parameters available to the action):

    HOST
      Process Injection, Process Modification, Library Injection, Library Modification, Library Hijack:
        Event Type, Mod Start, Mod End, Library Path, Library Name, Process Path, Process Name, Parameters, Process Pid, Parent Pid, Parent Process Name, Process Checksum, Library Checksum
      Parent Process Violation, Child Process Violation, Process Disallowed, Command-Line Violation, Script Monitoring, Access Control Violation:
        Event Type, Mod Start, Mod End, Path, Name, Process Path, Process Name, Parameters, Process Pid, Parent Pid, Parent Process Name, Process Checksum, Script Checksum
      Memory Integrity:
        Event Type, Checksum, Mod Start, Mod End, Process Path, Process Name, Parameters, Process Pid, Process Checksum

    APPLICATION
      SQL Injection, CRLF Injection, Command Injection, Path Traversal, CSRF, Stored Cross-Site Scripting, Reflected Cross-Site Scripting, DOM XSS, XML Injection, Custom Injection:
        HTTP Request, Session token id, Process Id, Thread Id, attackerIP, attackerPort
      Buffer Error:
        Process Id, Thread Id, Source Memory Address, Source Module Start Address, Destination Memory Address
      New File, File Renamed, File Removed, File Modified:
        filename, filepath, virsechash, ipaddress, filetype, alerytype, symboliclink, linkpath
      Software Exception Logging, Class Load Logging:
        NA
      Local File Inclusion, Remote File Inclusion:
        HTTP Request, Session token id, Process Id, Thread Id, attackerIP, attackerPort, filepath, Remote HTTP Request
      Protocol Enforcement:
        HTTP Request, Unique Transaction ID, attackerIP, attackerPort, Matched Rule File, Threat Description, Severity, Threat Score, Tags

    WEB
      SQL Injection, CRLF Injection, Command Injection, Stored Cross-Site Scripting, Reflected Cross-Site Scripting, Custom Injection:
        HTTP Request, Process Id, Thread Id, attackerIP, attackerPort
      Buffer Error:
        Process Id, Thread Id, Source Memory Address, Source Module Start Address, Destination Memory Address
      Local File Inclusion, Remote File Inclusion, Protocol Enforcement, XML Injection:
        HTTP Request, Unique Transaction ID, attackerIP, attackerPort, Matched Rule File, Threat Description, Severity, Threat Score, Tags
  4. Click SAVE
  5. The created action is listed on the Actions page
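As an added example (not code from this article or from Virsec), the following Linux protection action script consumes the Host / Library Injection parameters in the order they were selected in the Action Catalog, checks that the count matches, and appends one single-line record to the configured log file. It assumes the probe passes the selected parameters to the script as positional arguments, and it reads the log path from an assumed VSP_ACTION_LOG variable with a placeholder default.

```shell
#!/bin/sh
# Hypothetical Linux protection action script for a Host / Library Injection
# action. Assumed (not stated in the article): the probe invokes the script
# with the selected Action Parameters as positional arguments, in this order:
#   1 Event Type  2 Mod Start  3 Mod End  4 Library Path  5 Library Name
#   6 Process Path  7 Process Name  8 Parameters  9 Process Pid  10 Parent Pid
#   11 Parent Process Name  12 Process Checksum  13 Library Checksum
# VSP_ACTION_LOG is an assumed variable; the default is a placeholder path.
EXPECTED_ARGS=13
LOG_FILE="${VSP_ACTION_LOG:-/var/log/vsp/library_injection_action.log}"

# Keep each value on one line and free of double quotes so the record stays
# parseable even when a library or process path contains odd characters.
sanitize() {
    printf '%s' "$1" | tr -d '\n\r' | tr '"' "'"
}

# Turn the positional parameters into one key=value record on stdout.
# A parameter count that differs from the configured order means the action
# is misconfigured: write an error record and return 1 instead of guessing.
format_record() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$#" -ne "$EXPECTED_ARGS" ]; then
        printf 'ts=%s level=error msg="expected %s parameters, got %s"\n' \
            "$ts" "$EXPECTED_ARGS" "$#"
        return 1
    fi
    printf 'ts=%s level=alert event="%s" mod_start="%s" mod_end="%s"' \
        "$ts" "$(sanitize "$1")" "$(sanitize "$2")" "$(sanitize "$3")"
    printf ' lib_path="%s" lib_name="%s" proc_path="%s" proc_name="%s"' \
        "$(sanitize "$4")" "$(sanitize "$5")" "$(sanitize "$6")" "$(sanitize "$7")"
    printf ' params="%s" pid=%s ppid=%s parent="%s" proc_sha="%s" lib_sha="%s"\n' \
        "$(sanitize "$8")" "$(sanitize "$9")" "$(sanitize "${10}")" \
        "$(sanitize "${11}")" "$(sanitize "${12}")" "$(sanitize "${13}")"
}

# Append the record to the configured log file and propagate the status of
# format_record so a misconfigured action is visible to whoever runs it.
log_event() {
    status=0
    record=$(format_record "$@") || status=$?
    printf '%s\n' "$record" >> "$LOG_FILE"
    return "$status"
}

# Only act when invoked with parameters (i.e. by the probe).
if [ "$#" -gt 0 ]; then
    log_event "$@"
fi
```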


Create Protection Profile

To create a Protection Profile, follow the steps below:

  1. Navigate to Manage > Protection Engine > Profiles in the left navigation pane. Click ADD PROTECTION PROFILE
  2. Provide the Profile Name and select the applicable Operating System Platform(s). Ensure that the Profile Name does not contain any special characters
  3. Based on the Profile scope, select the tab (Host, Application, Web) and select the required actions for the Vulnerabilities from the dropdown. Click SAVE


Protection Profile List on CMS

The list of Protection Profiles can be viewed on CMS:

  1. Navigate to Manage > Protection Engine > Profiles in the left navigation pane. The list of all created protection profiles is displayed
  2. The first column indicates the OS type – Windows, Linux or both
    1. The Application Action Mapping count and Host Action Mapping count are also displayed
  3. Click a listed profile to view the types of Vulnerabilities configured. Expand a listed type to view more information


Import/Export Protection Profiles

Export and import of Protection Profiles can be used when VSP protection is extended to a different environment (Example: from a Pre-production to a Production environment).

  1. Protection Profiles are imported and exported as files with the .virsec extension
  2. Ensure that import/export operations are carried out on the same VSP version. The import/export feature is compatible across patches within the same major release (Example: VSP 2.8.x)


Clone Action

  1. Click Clone Protection Action to clone an existing Protection Action
  2. Modify the Action Name and any other required information. Click SAVE


Clone Protection Profile

  1. Click Clone Protection Profile to clone an existing Protection Profile
  2. Modify the Profile Name and any other required information. Click SAVE
  3. The newly cloned profile is listed on the Profiles page


Modify Action

  1. To modify a user-defined action, click Edit on the Action Catalog page
  2. Modify as required. Click SAVE


Delete Action

  1. To delete a user-defined action, click Delete on the Action Catalog page
  2. Click YES on the pop-up window to confirm deletion


Modify Protection Profile

  1. On the Profiles page, click Edit on the profile that requires modification
  2. Modify as needed. Click SAVE
  3. A new Operating System Platform can be added, but an existing OS platform cannot be removed


Delete Protection Profile

  1. On the Profiles page, click Delete. Click YES on the pop-up window to confirm deletion
  2. Alternatively, an individual vulnerability type can be deleted from a profile. Click the profile and delete the required vulnerability type. Click YES on the pop-up window to confirm deletion