Web Profiles
  • 19 Mar 2024

About this Article
This article describes Web Profiles: their workflow and how to create, modify and delete them.


Why are Web Profiles Created?

Web Profiles are created to define the HTTP Profile, Custom Rules and exceptions (for a specific vulnerability type) during VSP Monitoring. The HTTP profile and custom rules provide the capability to customize VSP-Web (on Web Server) as required.

Each profile can be associated with one or more exceptions/custom rules. The created profile is associated with the process collective of an Application.

Once a Web Profile is created and associated with a process collective, requests matching the exceptions are not flagged as threats or attacks in CMS. This feature is provided to enable the user to flag a specific request type as “Not a threat/attack” or an “Exception”.

Web Profile Workflow is depicted below:


Create Web Profile

Create a Web Profile on CMS as described below

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane. Click ADD PROFILE
  2. Provide a suitable Web Profile Name and Click NEXT
  3. HTTP Profile
    NOTE:
    Ensure that the vulnerability “Protocol Enforcement” is selected in the Application during Process creation. If it is not selected, the configured parameters are not enforced by VSP-Web (on Web Server) on the requests.
    1. Navigate to the tab HTTP Profile
    2. Define constraints on the HTTP protocol elements as described in the table below:
      | Parameters | Description | Allowed Values |
      | --- | --- | --- |
      | Allowed HTTP Versions | All the allowed HTTP version numbers. Example: HTTP/0.9, HTTP/1 | NA |
      | Allowed HTTP Methods | All the allowed HTTP Methods. Example: POST, GET, PUT | NA |
      | Allowed Content Types | All the allowed Content Type values. Example: application/json | NA |
      | Forbidden File Extension | Forbidden file extensions during File Upload. Example: .tmp, .exe | NA |
      | Max Parameters | Maximum number of parameters allowed in both URL and request body | Maximum: 2048, Minimum: 0, Default: 256 |
      | Max Parameter Name Length | Maximum length for any parameter name in URL and request body (in bytes) | Maximum: 4096, Minimum: 0, Default: 256 |
      | Max Parameter Value Length | Maximum length for any parameter value in URL and request body (in bytes) | Maximum: 102400, Minimum: 0, Default: 512 |
      | Max Upload Files | Maximum number of file uploads allowed per HTTP request | Maximum: 1024, Minimum: 0, Default: 20 |
      | Max Upload File Size | Maximum size of file uploads allowed per HTTP request (in bytes) | Maximum: 1024, Minimum: 0, Default: 100 |
    3. The Profile can be enabled or disabled
    4. The RESET button on the page resets all the fields to the last saved values
    5. Click SAVE
  4. Custom Rules
    1. Navigate to the tab Custom Rules. Click ADD RULE
    2. Select the Rule Type. Three types of Rules can be specified:
      1. Rate Limit Rule: When the number of requests matching the specified conditions reaches the configured threshold within the specified time, an incident is generated and the request is dropped/blocked
      2. Allow Rule: Requests matching the specified criteria are allowed and no other rule-checks are applied. This rule takes precedence over the Block Rule.
      3. Deny Rule: Requests matching the specified criteria are blocked and incidents are generated
    3. If the Rule Type selected is Deny, specify the Vulnerability from the drop-down. If the vulnerability is not known, the value Custom Injection can be selected. If the selected Vulnerability is Stored Cross-Site Scripting, the value Applies To is HTTP Response. For all other Rule types and Vulnerabilities, the Applies To is HTTP Request
    4. Provide the Rule Name and Description. The Rule can be enabled or disabled using the toggle button
    5. Conditions can be specified using any one of the below editors:
      1. UI Editor
      2. JSON - Text/Form format
    6. The condition Parameters are described in the below table:
      | Parameters | Description |
      | --- | --- |
      | Field | Select the required field(s) from the drop-down. Example: Parameter, Request Body |
      | Operation | Select “is” OR “is NOT” from the drop-down |
      | Value Type | Select the Value Type from the drop-down: RegEx, String, Number, IP Address OR Request Method |
      | Operator | Select the required Operator from the drop-down: Match, Contains, Begins With, Ends With |
      | Value | Specify the required value |
      NOTE:
      For RegEx, the complete PCRE regex syntax is not supported; only the regex syntax of the Intel Hyperscan library is allowed

      Four operators can be configured in Custom Rule:

      1. "contains" - matches anywhere
      2. "begins with" - matches in beginning
      3. "ends with" - matches at the end
      4. "match" - exact match
    7. For Rate Limit, provide the Threshold Criteria: Request Threshold (number of requests), Timespan (in secs), Count By (All sources/ per IP Address) and Source IP Header. Also provide the block duration in minutes
    8. Click Add New Condition to add more conditions
    9. The specified conditions are applied with the “AND” operator. If the operator “OR” is desired, add a new Deny Rule with the required condition
    10. Click SAVE
  5. Exceptions
    1. Exceptions can be added from an incident or manually
    2. Add Exception Manually 
       

      Version 3.0.0 and Above

      1. Navigate to the tab Exceptions. Click ADD EXCEPTIONS
      2. Provide the Exception Name and Description. The Exceptions can be enabled or disabled using the Is Enabled toggle button
      3. Select the Vulnerability Type to be exempted from the Create Vulnerability dropdown
      4. The fields under When Incident Parameter Matches allow you to specify matching criteria for the requests. Conditions can be specified using the UI or JSON editor
      5. The condition parameters are described in the below table:
        | Parameters | Description |
        | --- | --- |
        | Field | Select the HTTP component to be inspected from the drop-down. The various HTTP components include: Source IP Address; Host (to match a specific hostname or host value defined in the HTTP Host Header field); URI (to match the URI value in the HTTP request) |
        | Value Type | Select the Value Type from the drop-down: RegEx, String, Number, IP Address OR Request Method. The field type "Parameter" will accept only strings, not RegEx |
        | Operator | Select the required Operator from the drop-down. The options in the dropdown are determined by the Value Type. Four operators can be configured: "contains" (matches anywhere); "begins with" (matches in beginning); "ends with" (matches at the end); "match" (exact match) |
        | Value | Specify the required value |
      6. Click Add New Condition to add more conditions with the AND operator
      7. Click Save

      Version 2.11 and Below

      1. Navigate to the tab Exceptions. Click ADD EXCEPTIONS
      2. Provide information as mentioned in the table below and click SAVE
        | Parameter | Description |
        | --- | --- |
        | Exception Name | Preferred name for the exception |
        | Description | Suitable description |
        | Is Enabled | Toggle to enable or disable the exception |
        | Vulnerability | Select the Vulnerability type to be exempted from the drop-down |
        | Pattern | Define the pattern to be exempted in the provided Field. Only string values are accepted and Regex patterns are not accepted |
        | Field | The HTTP request element to be exempted for the selected vulnerability. Note: Multiple Pattern and Field pairs can be added in a single exception |
        | Source IP Address | Specific IP Addresses OR subnets can be specified. If the exception is generic, include all IP Addresses using “*” |
        | Host | Specific hostname or host value defined in the HTTP Host Header field |
        | URI | Specific URI to match in the HTTP request |
    3. Add Exception from Incident
      1. If undesired incidents are received, create exceptions for them to prevent receiving such incidents in the future
      2. Click Add Exception on the required incident
      3. A pop-up with pre-populated values from the incident information is displayed. Modify conditions as required. Provide Exception Name and Description. Click Save
      4. The exception is now added to the Web Profile associated with the affected process collective as reported in the incident
    4. Exceptions can be enabled or disabled individually. If an exception is in disabled state, attacks/threats matching this exception criteria are still reported as incidents in CMS
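
The Custom Rules semantics from step 4 above (the four operators, "is" / "is NOT", AND within one rule, a further Deny rule for OR, Allow checked ahead of Deny), as an added Python model. It is not VSP code and not the CMS JSON format; the field keys, rule names and sample rules are constructed, and only the String value type is modelled.

```python
from dataclasses import dataclass

# The four operators named on the page, modelled for the String value type only.
OPERATORS = {
    "contains": lambda actual, value: value in actual,
    "begins with": lambda actual, value: actual.startswith(value),
    "ends with": lambda actual, value: actual.endswith(value),
    "match": lambda actual, value: actual == value,
}

@dataclass
class Condition:
    field: str            # hypothetical field key, e.g. "uri" or "method"
    operator: str         # one of the OPERATORS keys
    value: str
    negate: bool = False  # False models "is", True models "is NOT"

    def holds(self, request):
        hit = OPERATORS[self.operator](request.get(self.field, ""), self.value)
        return hit != self.negate

@dataclass
class Rule:
    name: str
    rule_type: str        # "allow" or "deny" (Rate Limit is not modelled here)
    conditions: list
    enabled: bool = True

    def matches(self, request):
        # Conditions in one rule are ANDed; a rule with no conditions never matches.
        return self.enabled and bool(self.conditions) and all(
            c.holds(request) for c in self.conditions)

def evaluate(rules, request):
    """Return (verdict, rule name); Allow rules are checked before Deny rules."""
    for wanted in ("allow", "deny"):
        for rule in rules:
            if rule.rule_type == wanted and rule.matches(request):
                return wanted, rule.name
    return "no-match", None

# Constructed sample rules: two Deny rules express "admin write OR .bak suffix".
RULES = [
    Rule("allow-health", "allow", [Condition("uri", "match", "/admin/health")]),
    Rule("deny-admin-writes", "deny", [
        Condition("uri", "begins with", "/admin"),
        Condition("method", "match", "GET", negate=True)]),
    Rule("deny-backup-files", "deny", [Condition("uri", "ends with", ".bak")]),
]
```

Because a matching Allow rule ends evaluation, a broad Allow condition silently switches off every Deny rule behind it; replaying a set of known-bad sample requests through `evaluate` after each rule change shows which ones would now pass.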


Modify Web Profile

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane on CMS
  2. To modify an existing Web Profile, click Edit
  3. Web Profile name can be modified using the Edit option provided immediately after the Profile name
  4. For Modifying HTTP Profile details, navigate to HTTP Profile tab. Modify as required and click SAVE
  5. Existing Custom Rule can be modified, deleted or disabled using the below options
  6. Existing Exception can be modified, deleted or disabled using the below options


Delete Web Profile

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane on CMS
  2. To delete an existing Web profile, click Delete
  3. Click YES on the confirmation screen


