Web Profiles
  • 23 Jan 2025

About this Article

This article provides information about the Web Profile including workflow, creation, modification and deletion of Web Profiles.


Why are Web Profiles Created?

Web Profiles are created to define the HTTP Profile, Custom Rules and exceptions (for a specific vulnerability type) during VSP Monitoring. The HTTP profile and custom rules provide the capability to customize VSP-Web (on Web Server) as required.

Each profile can be associated with one or more exceptions/custom rules. The created profile is associated with the process collective of an Application.

Once a Web Profile is created and associated with a process collective, requests matching the exceptions are not flagged as threats or attacks in CMS. This feature is provided to enable the user to flag a specific request type as “Not a threat/attack” or an “Exception”.

Web Profile Workflow is depicted below:


Create Web Profile

Create a Web Profile on CMS as described below

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane. Click ADD PROFILE

  2. Provide a suitable Web Profile Name and Click NEXT

  3. HTTP Profile

    NOTE:

    Ensure that the vulnerability “Protocol Enforcement” is selected in the Application during Process creation. If it is not selected, the configured parameters are not enforced by VSP-Web (on Web Server) on the requests.

    1. Navigate to the tab HTTP Profile

    2. Define constraints on the HTTP protocol elements as described in the table below:

      | Parameters | Description | Allowed Values |
      |---|---|---|
      | Allowed HTTP Versions | All the allowed HTTP version numbers. Example: HTTP/0.9, HTTP/1 | NA |
      | Allowed HTTP Methods | All the allowed HTTP Methods. Example: POST, GET, PUT | NA |
      | Allowed Content Types | All the allowed Content Type values. Example: application/json | NA |
      | Forbidden File Extension | Forbidden file extensions during File Upload. Example: .tmp, .exe | NA |
      | Max Parameters | Maximum number of parameters allowed in both URL and request body | Maximum: 2048; Minimum: 0; Default: 256 |
      | Max Parameter Name Length | Maximum length for any parameter name in URL and request body (in bytes) | Maximum: 4096; Minimum: 0; Default: 256 |
      | Max Parameter Value Length | Maximum length for any parameter value in URL and request body (in bytes) | Maximum: 102400; Minimum: 0; Default: 512 |
      | Max Upload Files | Maximum number of file uploads allowed per HTTP request | Maximum: 1024; Minimum: 0; Default: 20 |
      | Max Upload File Size | Maximum size of file uploads allowed per HTTP request (in bytes) | Maximum: 1024; Minimum: 0; Default: 100 |

    3. The Profile can be enabled or disabled

    4. The RESET button on the page resets all the fields to the last saved values

    5. Click SAVE

  4. Custom Rules

    1. Navigate to the tab Custom Rules. Click ADD RULE

    2. Select the Rule Type. There are three types of Rules that can be specified

      1. Rate Limit Rule: When the number of requests matching the specified conditions reaches the configured threshold within the specified time, an incident is generated and the request is dropped/blocked

      2. Allow Rule: Requests matching the specified criteria are allowed and no other rule-checks are applied. This rule takes precedence over the Block Rule.

      3. Deny Rule: Requests matching the specified criteria are blocked and incidents are generated

    3. If the Rule Type selected is Deny, specify the Vulnerability from the drop-down. If the vulnerability is not known, the value Custom Injection can be selected. If the selected Vulnerability is Stored Cross-Site Scripting, the value of Applies To is HTTP Response. For all other Rule types and Vulnerabilities, Applies To is HTTP Request

    4. Provide the Rule Name and Description. The Rule can be enabled or disabled using the toggle button

    5. Conditions can be specified using any one of the below editors:

      1. UI Editor

      2. JSON - Text/Form format

    6. The condition Parameters are described in the below table:

      | Parameters | Description |
      |---|---|
      | Field | Select the required field(s) from the drop-down. Example: Parameter, Request Body |
      | Operation | Select “is” OR “is NOT” from the drop-down |
      | Value Type | Select the Value Type from the drop-down - RegEx, String, Number, IP Address OR Request Method |
      | Operator | Select the required Operator from the drop-down – Match, Contains, Begins With, Ends With |
      | Value | Specify the required value |

      NOTE:

      For RegEx, the complete PCRE regex syntax is not supported. Only the regex syntax supported by the Intel Hyperscan library is allowed.

      Four operators can be configured in Custom Rule:

      1. "contains" - matches anywhere

      2. "begins with" - matches at the beginning

      3. "ends with" - matches at the end

      4. "match" - exact match

    7. For Rate Limit, provide the Threshold Criteria – Request Threshold (number of requests), Timespan (in secs), Count By (All sources/ per IP Address) and Source IP Header. Also provide the block duration in minutes

    8. Click Add New Condition to add more conditions

    9. The specified conditions are applied with the “AND” operator. If the operator “OR” is desired, add a new Deny Rule with the required condition

    10. Click SAVE

  5. Exceptions

    1. Exceptions can be added from an incident or manually

    2. Add Exception Manually

      1. Navigate to the tab Exceptions. Click ADD EXCEPTIONS

      2. Provide the Exception Name and Description. The exception can be enabled or disabled using the Is Enabled toggle button

      3. Select the Vulnerability Type to be exempted from the Create Vulnerability dropdown

      4. The fields under When Incident Parameter Matches specify the matching criteria for the requests. Conditions can be specified using the UI or JSON editor

      5. The condition parameters are described in the table below:

        | Parameters | Description |
        |---|---|
        | Field | Select the HTTP component to be inspected from the drop-down. The various HTTP components include: Source IP Address; Host (to match a specific hostname or host value defined in the HTTP Host Header field); URI (to match the URI value in the HTTP request) |
        | Value Type | Select the Value Type from the drop-down - RegEx, String, Number, IP Address OR Request Method. The field type "Parameter" accepts only strings, not RegEx |
        | Operator | Select the required Operator from the drop-down. The options in the dropdown are determined by the Value Type. Four operators can be configured: "contains" (matches anywhere), "begins with" (matches at the beginning), "ends with" (matches at the end), "match" (exact match) |
        | Value | Specify the required value |

      6. Click Add New Condition to add more conditions with the AND operator

      7. Click Save

      1. Navigate to the tab Exceptions. Click ADD EXCEPTIONS

      2. Provide information as mentioned in the table below and click SAVE

        | Parameter | Description |
        |---|---|
        | Exception Name | Preferred name for the exception |
        | Description | Suitable description |
        | Is Enabled | Toggle to enable or disable the exception |
        | Vulnerability | Select the Vulnerability type to be exempted from the drop-down |
        | Pattern | Define the pattern to be exempted in the provided Field. Only string values are accepted and Regex patterns are not accepted |
        | Field | The HTTP request element to be exempted for the selected vulnerability. Note: Multiple Pattern and Field pairs can be added in a single exception |
        | Source IP Address | Specific IP Addresses OR subnets can be specified. If the exception is generic, include all IP Addresses using “*” |
        | Host | Specific hostname or host value defined in the HTTP Host Header field |
        | URI | Specific URI to match in the HTTP request |

    3. Add Exception from Incident

      1. If undesired incidents are received, create exceptions for them to prevent receiving such incidents in the future

      2. Click Add Exception on the required incident

      3. A pop-up with pre-populated values from the incident information is displayed. Modify conditions as required. Provide Exception Name and Description. Click Save

      4. The exception is now added to the Web Profile associated with the affected process collective as reported in the incident

    4. Exceptions can be enabled or disabled individually. If an exception is in disabled state, attacks/threats matching this exception criteria are still reported as incidents in CMS
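
The HTTP Profile constraints from step 3, expressed as a request check. This is an added example, not VSP code: the dictionary keys, the sample list values and the function name are assumptions, the numeric limits are the defaults from the HTTP Profile table, and only URL and form-encoded body parameters are counted.

```python
from urllib.parse import parse_qsl

# Constructed profile. Numeric limits are the defaults from the table above;
# the list values and the dictionary keys are illustrative, not the CMS schema.
PROFILE = {
    "versions": {"HTTP/1.1"},
    "methods": {"GET", "POST"},
    "content_types": {"application/json", "application/x-www-form-urlencoded"},
    "forbidden_ext": (".tmp", ".exe"),
    "max_params": 256, "max_name_len": 256, "max_value_len": 512,
    "max_upload_files": 20, "max_upload_size": 100,
}

def check_request(method, version, content_type, query, body, uploads, p=PROFILE):
    """Return the violated constraints; uploads is a list of (filename, size)."""
    bad = []
    if version not in p["versions"]:
        bad.append("Allowed HTTP Versions")
    if method.upper() not in p["methods"]:
        bad.append("Allowed HTTP Methods")
    # Compare the media type only, ignoring parameters such as charset.
    media = content_type.split(";")[0].strip().lower()
    if media and media not in p["content_types"]:
        bad.append("Allowed Content Types")
    # Parameters are counted across both the URL and the request body.
    params = parse_qsl(query, keep_blank_values=True)
    if media == "application/x-www-form-urlencoded":
        params += parse_qsl(body, keep_blank_values=True)
    if len(params) > p["max_params"]:
        bad.append("Max Parameters")
    # The limits are in bytes, so measure the UTF-8 encoding, not characters.
    if any(len(n.encode()) > p["max_name_len"] for n, _ in params):
        bad.append("Max Parameter Name Length")
    if any(len(v.encode()) > p["max_value_len"] for _, v in params):
        bad.append("Max Parameter Value Length")
    if len(uploads) > p["max_upload_files"]:
        bad.append("Max Upload Files")
    if any(size > p["max_upload_size"] for _, size in uploads):
        bad.append("Max Upload File Size")
    if any(name.lower().endswith(p["forbidden_ext"]) for name, _ in uploads):
        bad.append("Forbidden File Extension")
    return bad
```

A value of 300 two-byte characters passes a character count of 512 but fails the byte limit, which is why the lengths are measured after encoding.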

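The Allow/Deny semantics from step 4 (conditions inside a rule joined with AND, OR expressed as a second Deny rule, Allow taking precedence), as an added example that is not VSP code. The rule layout, field names and sample rules are constructed for illustration, and only String values are handled.

```python
# Operators listed on the page, applied here to String values only.
OPERATORS = {
    "contains": lambda actual, value: value in actual,
    "begins with": lambda actual, value: actual.startswith(value),
    "ends with": lambda actual, value: actual.endswith(value),
    "match": lambda actual, value: actual == value,
}

def condition_holds(cond, request):
    field, operation, operator, value = cond
    hit = OPERATORS[operator](request.get(field, ""), value)
    return hit if operation == "is" else not hit

def rule_matches(rule, request):
    # Conditions inside one rule are combined with AND; disabled rules never match.
    return rule["enabled"] and all(condition_holds(c, request) for c in rule["conditions"])

def evaluate(rules, request):
    """Return (action, rule name) for one request."""
    # An Allow match wins over any Deny rule and stops further rule checks.
    for kind in ("allow", "deny"):
        for rule in rules:
            if rule["type"] == kind and rule_matches(rule, request):
                return kind, rule["name"]
    return "no match", None

# Constructed rule set. Field names and the tuple layout are hypothetical.
RULES = [
    {"name": "allow-monitor", "type": "allow", "enabled": True,
     "conditions": [("Source IP Address", "is", "match", "10.0.0.5")]},
    # Two conditions in one Deny rule: both must hold (AND).
    {"name": "deny-admin-writes", "type": "deny", "enabled": True,
     "conditions": [("URI", "is", "begins with", "/admin"),
                    ("Request Method", "is NOT", "match", "GET")]},
    # A second Deny rule gives OR semantics with the rule above.
    {"name": "deny-backup-files", "type": "deny", "enabled": True,
     "conditions": [("URI", "is", "ends with", ".bak")]},
]
```

Because an Allow match skips every other rule check, a broad Allow condition silently disables the Deny rules for that traffic, so Allow rules are best kept as narrow as the sample one.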

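How the Rate Limit threshold criteria from step 4 interact (Request Threshold, Timespan, Count By and block duration), as an added example that is not VSP code. It assumes a sliding window and a source IP that has already been resolved from the configured Source IP Header; the class and function names are hypothetical.

```python
from collections import defaultdict, deque

class RateLimitRule:
    """Sliding-window counter for requests that already matched the rule's conditions."""

    def __init__(self, threshold, timespan_s, block_minutes, per_ip=True):
        self.threshold = threshold          # Request Threshold
        self.timespan_s = timespan_s        # Timespan (seconds)
        self.block_s = block_minutes * 60   # block duration is configured in minutes
        self.per_ip = per_ip                # Count By: per IP Address or all sources
        self.hits = defaultdict(deque)      # key -> timestamps inside the window
        self.blocked_until = {}             # key -> time at which the block ends

    def check(self, source_ip, now):
        """Return 'blocked' or 'pass' for one matching request at time now."""
        key = source_ip if self.per_ip else "*"
        if now < self.blocked_until.get(key, 0):
            return "blocked"
        window = self.hits[key]
        window.append(now)
        # Drop timestamps that have aged out of the timespan.
        while window and window[0] <= now - self.timespan_s:
            window.popleft()
        if len(window) >= self.threshold:
            # Threshold reached: drop this request and start the block period.
            self.blocked_until[key] = now + self.block_s
            window.clear()
            return "blocked"
        return "pass"

def replay(rule, events):
    """events: constructed (timestamp_seconds, source_ip) pairs in time order."""
    return [rule.check(ip, t) for t, ip in events]
```

With Count By set to all sources, three different clients can trip the same threshold that each of them would stay under when counted per IP address.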
Modify Web Profile

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane on CMS

  2. To modify an existing Web Profile, click Edit

  3. Web Profile name can be modified using the Edit option provided immediately after the Profile name

  4. For Modifying HTTP Profile details, navigate to HTTP Profile tab. Modify as required and click SAVE

  5. Existing Custom Rule can be modified, deleted or disabled using the below options

  6. Existing Exception can be modified, deleted or disabled using the below options


Delete Web Profile

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane on CMS

  2. To delete an existing Web profile, click Delete

  3. Click YES on the confirmation screen


