Web Profiles
  • 26 Dec 2024
  • 5 Minutes to read
  • Dark
    Light
  • PDF

Web Profiles

  • Dark
    Light
  • PDF

Article summary

About this Article
This article provides information about the Web Profile including workflow, creation, modification and deletion of Web Profiles.


Why are Web Profiles Created?

Web Profiles are created to define the HTTP Profile, Custom Rules and exceptions (for a specific vulnerability type) during VSP Monitoring. The HTTP profile and custom rules provide the capability to customize VSP-Web (on Web Server) as required.

Each profile can be associated with one or more exceptions/custom rules. The created profile is associated with the process collective of an Application.

Once a Web Profile is created and associated with a process collective, requests matching the exceptions are not flagged as threats or attacks in CMS. This feature is provided to enable the user to flag a specific request type as “Not a threat/attack” or an “Exception”.

Web Profile Workflow is depicted below:


Create Web Profile

Create a Web Profile on CMS as described below

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane. Click ADD PROFILE
  2. Provide a suitable Web Profile Name and Click NEXT
  3. HTTP Profile
    NOTE:
    Ensure that the vulnerability “Protocol Enforcement” is in the Application during Process creation. If it is not selected, the configured parameters are not enforced by VSP-Web (on Web Server) on the requests.
    1. Navigate to the tab HTTP Profile
    2. Define constraints on the HTTP protocol elements as described in the table below:
      ParametersDescriptionAllowed Values
      Allowed HTTP VersionsAll the allowed HTTP version numbers. Example: HTTP/0.9, HTTP/1NA
      Allowed HTTP MethodsAll the allowed HTTP Methods. Example: POST, GET, PUTNA
      Allowed Content TypesAll the allowed Content Type values. Example: application/jsonNA
      Forbidden File ExtensionForbidden file extensions during File Upload. Example: .tmp, .exeNA
      Max ParametersMaximum number of parameters allowed in both URL and request bodyMaximum: 2048
      Minimum: 0
      Default: 256
      Max Parameter Name LengthMaximum length for any parameter name in URL and request body (in bytes)Maximum:4096
      Minimum: 0
      Default: 256
      Max Parameter Value LengthMaximum length for any parameter value in URL and request body (in bytes)Maximum:102400
      Minimum: 0
      Default:512
      Max Upload FilesMaximum number of file uploads allowed per HTTP requestMaximum:1024
      Minimum: 0
      Default: 20
      Max Upload File SizeMaximum size of file uploads allowed per HTTP request (in bytes)Maximum:1024
      Minimum: 0
      Default:100
    3. The Profile can be enabled or disabled
    4. The RESET button on the page resets all the fields to the last saved values
    5. Click SAVE
  4. Custom Rules
    1. Navigate to the tab Custom Rules. Click ADD RULE
    2. Select the Rule Type. There are three types of Rules that can be specified
      1. Rate Limit Rule : When the number of requests matching the specified conditions reaches the configured threshold within the specified time, an incident is generated and the request is dropped/blocked
      2. Allow Rule : Requests matching the specified criteria are allowed and no other rule-checks are applied. This rule takes precedence over the Block Rule.
      3. Deny Rule : Requests matching the specified criteria are blocked and incidents are generated
    3. If Rule Type selected is Deny, specify the Vulnerability from the drop-down. In case the vulnerability is not known, the value Custom Injection can be selected.  If the selected Vulnerability is Stored Cross-Site Scripting, the value Applies To is HTTP Response. For all other Rule types and Vulnerabilities, the Applies To is HTTP Request
    4. Provide the Rule Name and Description. The Rule can be enabled or disabled using the toggle button
    5. Conditions can be specified using any one of the below editors:
      1. UI Editor
      2. Json - Text/Form format
    6. The condition Parameters are described in the below table:
      ParametersDescription
      FieldSelect the required field(s) from the drop-down. Example: Parameter, Request Body
      OperationSelect “is” OR “is NOT” from the drop-down
      Value TypeSelect the Value Type from the drop-down - RegEx, String, Number, IP Address OR Request Method
      OperatorSelect the required Operator from the drop-down – Match, Contains, Begins With, Ends With
      ValueSpecify the required value
      NOTE:
      For RegEx, the complete PCRE regex syntax is not supported (Intel Hyperscan library is the only regex syntax allowed)

      Four operators can be configured in Custom Rule:

      1. "contains" - matches anywhere
      2. "begins with" - matches in beginning
      3. "ends with" - matches at the end
      4. "match" - exact match
    7.  For Rate Limit, provide the Threshold Criteria – Request Threshold (number of requests), Timespan (in secs), Count By (All sources/ per IP Address) and Source IP Header. Also provide the block duration in minutes
    8. Click Add New Condition to add more conditions
    9. The specified conditions are applied with the “AND” operator. If the operator “OR” is desired, add a new Deny Rule with the required condition
    10. Click SAVE
  5. Exceptions
    1. Exceptions can be added from an incident or manually
    2. Add Exception Manually 
       

      Version 3.0.0 and Above

      1. Navigate to the tab Exceptions. Click ADD EXCEPTIONS
      2. Provide the Exception Name and Description. The Exceptions can be enabled or disabled using the Is Enabled toggle button
      3. Select the Vulnerability Type to be exempted from the Create Vulnerability dropdown
      4. The fields under When Incident Parameter Matches allows to specify matching criteria for the requests. Conditions can be specified using UI or JSON editor
      5. The condition parameters are described in the below table:
        ParametersDescription
        FieldSelect the HTTP component to be inspected from the drop-down. The Various HTTP Components include:
        • Source IP Address 
        • Host - To match specific hostname or host value defined in the HTTP Host Header field
        • URI - To match URI value in the HTTP request.
        Value TypeSelect the Value Type from the drop-down - RegEx, String, Number, IP Address OR Request Method. The field type "Parameter" will accept only strings not  RegEx
        OperatorSelect the required Operator from the drop-down. The options in the dropdown are determined by the Value Type. Four operators can be configured:
        • "contains" - matches anywhere
        • "begins with" - matches in beginning
        • "ends with" - matches at the end
        • "match" - exact match
        ValueSpecify the required value
      6. Click Add New Condition to add more conditions with the AND operator
      7. Click SaveAdd%20Exception%20Web%20Profile

      Version 2.11 and Below

      1. Navigate to the tab Exceptions. Click ADD EXCEPTIONS
      2. Provide information as mentioned in the table below and click SAVE
        ParameterDescription
        Exception NamePreferred name for the exception
        DescriptionSuitable description
        Is EnabledToggle to enable or disable the exception
        VulnerabilitySelect the Vulnerability type to be exempted from the drop-down
        PatternDefine the pattern to be exempted in the provided Field. Only string values are accepted and Regex patterns are not accepted
        FieldThe HTTP request element to be exempted for the selected vulnerability.
        Note: Multiple Pattern and Field pairs can be added in a single exception
        Source IP AddressSpecific IP Addresses OR subnets can be specified. If the exception is generic, include all IP Addresses using “*”
        HostSpecific hostname or host value defined in the HTTP Host Header field
        URISpecific URI to match in the HTTP request
    3. Add Exception from Incident
      1. If undesired incidents are received, create exceptions for them to prevent receiving such incidents in the future
      2. Click Add Exception on the required incidentAdd%20Exception%20from%20Incident
      3. A pop-up with pre-populated values from the incident information is displayed. Modify conditions as required. Provide Exception Name and Description. Click Save
      4. The exception is now added to the Web Profile associated with the affected process collective as reported in the incident
    4. Exceptions can be enabled or disabled individually. If an exception is in disabled state, attacks/threats matching this exception criteria are still reported as incidents in CMS


Modify Web Profile

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane on CMS
  2. To modify an existing Web Profile, click Edit
  3. Web Profile name can be modified using the Edit option provided immediately after the Profile name
  4. For Modifying HTTP Profile details, navigate to HTTP Profile tab. Modify as required and click SAVE
  5. Existing Custom Rule can be modified, deleted or disabled using the below options
  6. Existing Exception can be modified, deleted or disabled using the below options


Delete Web Profile

  1. Navigate to Manage > Web > Web Profiles in the left navigation pane on CMS
  2. To delete an existing Web profile, click Delete
  3. Click YES on the confirmation screen



Was this article helpful?