Action policy is a collection of settings that decide what action to be taken when a violation occurs. It consists of a set of attack groups and associated attack actions with it. The attack action specifies the action to be taken for a particular type of web attack.
To Retrieve Attack Groups
URL: /v1/security_policies/{policy_id}/attack_groups /v1/security_policies/{policy_id}/attack_groups/{attack_group_id} | |||
| Method: GET | |||
| Description: Lists all attack groups if “Attack_Group_ID” is not specified. | |||
| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| Input Parameters: | |||
| parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2. |
Example 1:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET
Response:
{"object":"ActionPolicy","fields":null,"policy_id":"new_policy","data":[{"name":"domain-not-found-in-profile","response_page":"default","numeric_id":"130","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"domain-not-found-in-profile"},{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjEzODAxNTczOTAiLCJwYXNzd29yZCI6Ijk5ZGNjMDRiZmQ5YTUwMTkxYTVlMTZkMWFi\nMjI2MjZjIiwidXNlciI6ImFkbWluIn0=\n","offset":null}
Example 2:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,deny_response
Response:
{"object":"ActionPolicy","fields":["follow_up_action","deny_response"],"policy_id":"new_policy","data":[{"attack_group":"application-profile-violations","follow_up_action":"none","deny_response":"send_response","id":"domain-not-found-in-profile"},{"attack_group":"application-profile-violations","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjE1MDQ0MDk4NTUiLCJwYXNzd29yZCI6IjNkZjhkYzE5MDhlYWQxOGIxN2UzYWY2OWMx\nNGEwOGIxIiwidXNlciI6ImFkbWluIn0=\n","offset":null}
To Retrieve Attack Actions
URL: /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id} | |||
| Method: GET | |||
| Description: Lists all attack actions for the given attack group if “action_id” is not specified. | |||
| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| Input Parameters: | |||
| parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2. |
Example 1:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET
Response:
{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc0NjYiLCJwYXNzd29yZCI6Ijk5ODViNjk0ZjIxYjU4MGEyMmY2OWRmMzUz\nNjA2MzA0IiwidXNlciI6ImFkbWluIn0=\n"}
Example 2:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,redirect_url,deny_response,action
Response:
{"attack_group":"application-profile-violations","action":"protect_and_log","redirect_url":"/abc.html","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match","token":"eyJldCI6IjE1MDQzMTYyOTQiLCJwYXNzd29yZCI6IjkwNDNjODQ1MjJjZDlhMzY0MDBhNjJhY2E0\nOWU2MDU2IiwidXNlciI6ImFkbWluIn0=\n"}
To Update an Action Policy
| URL: /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id} | |||
| Method: PUT | |||
| Description: Updates the values of given parameters in the given action policy. | |||
| Parameter Name | Data Type | Mandatory | Description |
|---|---|---|---|
| Input Parameters: | |||
| action | Enumeration | Optional | The action to be taken for an invalid request. The enumerated values include:
|
| deny_response | Enumeration | Optional | The response to be sent to the client if the request is denied. The enumerated values include:
|
| redirect_url | Alphanumeric | Optional | The URL to be used to redirect the request. Note: Required ONLY when deny_response is set to temporary_redirect or permanent_redirect. |
| response_page | Enumeration | Optional | The response page to be sent to the client. The enumerated values include predefined response pages and custom response pages (if any):
Note: Required ONLY when deny_response is set to send_response. |
| follow_up_action | Enumeration | Optional | The follow up action to be taken if the request is denied. The enumerated values include:
|
| follow_up_action_time | Numeric | Optional | The time in seconds to block the client IP. Note: Required ONLY when follow_up_action is set to block_client_ip. |
Example:
Request:
curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"action":"allow_and_log"}'
Response:
{"msg":"Configuration Updated","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc1NTAiLCJwYXNzd29yZCI6IjZkM2IxNGU0ZjhhNGY2MWI1MGNlYjBmNmYz\nM2Q5OWQ1IiwidXNlciI6ImFkbWluIn0=\n"}
The table below lists the attack ID names to be used in the REST API commands:
| Attack name displayed in the web interface | Attack ID to be used in REST API |
|---|---|
| protocol-violations | |
| Directory Traversal Beyond Root | directory-traversal-beyond-root |
| GET Request with Content Length | get-request-with-content-length-header |
| Invalid Header | invalid-header |
| Invalid Method | invalid-method |
| Invalid or Malformed HTTP Request | invalid-or-malformed-http-request |
| Malformed Content Length | malformed-content-length |
| Malformed Cookie | malformed-cookie |
| Malformed Header | malformed-header |
| Malformed Parameter | malformed-parameter |
| Malformed Request Line | malformed-end-of-request-line |
| Malformed Version | malformed-version |
| Missing Host Header | http-1.1-request-without-host |
| Multiple Content Length | multiple-content-length-headers |
| POST without Content Length | post-request-without-content-length |
| Parameter Too Large | large-parameter-in-post-data |
| Pre-1.0 Request | pre-1.0-request |
| request-policy-violations | |
| Cookie Count Exceeded | cookie-count-exceeded |
| Cookie Expired | cookie-expired |
| Cookie Length Exceeded | cookie-length-exceeded |
| Cookie Name Length Exceeded | cookie-name-length-exceeded |
| Cookie Tampered | cookie-tampered |
| Header Count Exceeded | header-count-exceeded |
| Header Name Length Exceeded | header-name-length-exceeded |
| Header Value Length Exceeded | header-value-length-exceeded |
| Invalid URL Encoding | invalid-url-encoding |
| Mismatched Header Cookie Replay Attack | mismatched-header-cookie-replay-attack |
| Mismatched IP Cookie Replay Attack | mismatched-ip-cookie-replay-attack |
| Query Length Exceeded | url-query-length-exceeded |
| Request Length Exceeded | total-request-length-exceeded |
| Session timed out | keepalive-timeout-exceeded |
| Slash-dot in URL Path | slash-dot-in-url-path |
| Tilde in URL Path | tilde-in-url-path |
| Too Many Sessions for IP | too-many-sessions-for-ip |
| Total Request Line Length Exceeded | total-request-line-length-exceeded |
| URL Length Exceeded | url-length-exceeded |
| Unrecognized Cookie | unrecognized-cookie |
| header-violations | |
| Apache Struts Attack in Header | apache-struts-attacks-medium-in-header |
| Cross-Site Scripting in Header | cross-site-scripting-in-header |
| Custom Attack Pattern in Header | custom-attack-pattern-in-header |
| Directory Traversal in Header | directory-traversal-in-header |
| HTTP Specific Attack in Header | http-specific-attacks-medium-in-header |
| LDAP Injection in Header | ldap-injection-medium-in-header |
| Metacharacter Matched in Header | metacharacter-matched-in-header |
| OS Command Injection in Header | os-command-injection-in-header |
| Python PHP Attack in Header | python-php-attacks-medium-in-header |
| Remote File Inclusion in Header | remote-file-inclusion-pattern-in-header |
| SQL Injection in Header | sql-injection-in-header |
| application-profile-violations | |
| No Domain Match in Profile | domain-not-found-in-profile |
| No URL Profile Match | no-url-profile-match |
| url-profile-violations | |
| Apache Struts Attack in URL | apache-struts-attacks-medium-in-url |
| Content Length Exceeded | content-length-exceeded |
| Cross-Site Scripting in URL | cross-site-scripting-pattern-in-url |
| Custom Attack Pattern in URL | custom-attack-pattern-in-url |
| HTTP Specific Attack in URL | http-specific-attacks-medium-in-url |
| LDAP Injection in URL | ldap-injection-medium-in-url |
| Method Not Allowed | forbidden-method |
| No Param Profile Match | no-param-profile-match |
| OS Command Injection in URL | os-command-injection-pattern-in-url |
| Parameter Name Length Exceeded | parameter-name-length-exceeded |
| Python PHP Attack in URL | python-php-attacks-medium-in-url |
| Query String not Allowed | query-string-not-allowed |
| Remote File Inclusion in URL | remote-file-inclusion-pattern-in-url |
| SQL Injection in URL | sql-injection-pattern-in-url |
| Session not Found | session-not-found |
| Too Many Parameters | too-many-parameters |
| Too Many Uploaded Files | too-many-uploaded-files |
| Unknown Content Type | unknown-content-type-in-post-body |
| param-profile-violations | |
| Apache Struts Attack in Parameter | apache-struts-attacks-medium-in-param |
| Cross-Site Request Forgery | cross-site-request-forgery-attack-detected |
| Cross-Site Scripting in Parameter | cross-site-scripting-pattern-in-parameter |
| Custom Attack Pattern in Parameter | custom-attack-pattern-in-parameter |
| Directory Traversal in Parameter | directory-traversal-pattern-in-parameter |
| File Upload Size Exceeded | file-upload-size-exceeded |
| Forbidden File Extension | forbidden-file-extension |
| Forbidden File Mime Type | forbidden-file-mime-type |
| HTTP Specific Attack in Parameter | http-specific-attacks-medium-in-param |
| LDAP Injection in Parameter | ldap-injection-medium-in-param |
| Mandatory Parameter Missing | mandatory-parameter-missing |
| Maximum Instances of Parameter Exceeded | max-instances-of-parameter-exceeded |
| Metacharacter in Parameter | metacharacter-in-parameter |
| OS Command Injection in Parameter | os-command-injection-pattern-in-parameter |
| Parameter Input Validation Failed | parameter-input-validation-failed |
| Parameter Length Exceeded | parameter-length-exceeded |
| Parameter Value not Allowed | parameter-value-not-allowed |
| Python PHP Attack in Parameter | python-php-attacks-medium-in-param |
| Read-Only or Hidden Parameter Tampered | read-only-or-hidden-parameter-tampered |
| Remote File Inclusion | remote-file-inclusion-pattern-in-parameter |
| SQL Injection in Parameter | sql-injection-pattern-in-parameter |
| Session Choice Parameter Tampered | session-choice-parameter-tampered |
| Session Context not Found | session-context-not-found |
| Session Invariant Parameter Tampered | session-invariant-parameter-tampered |
| response-violations | |
| CAPTCHA Validation Required | captcha-response-page |
| Custom Error Response Page | custom-error-response-page |
| Error Response Suppressed | error-response-suppressed |
| Identity Theft Pattern Matched | identity-theft-pattern-matched-in-response |
| Response Header Suppressed | response-header-suppressed |
| advanced-policy-violations | |
| Brute force from All Sources | brute-force-from-all-sources |
| Brute force from IP | brute-force-from-ip |
| CAPTCHA Attempt Limit Exceeded | captcha-tries-exceeded |
| CAPTCHA Session Limit Exceeded | captcha-max-sessions-exceeded |
| Invalid URL Character Set | invalid-url-character-set |
| Rate Control Intrusion | rate-control-intrusion |
| Secure Browsing | secure-browsing |
| Slow Read Attack | slow-read-attack |
| Slowloris Attack | slow-client-attack |
| URL Encryption | url-encryption |
| Unanswered CAPTCHA Limit Exceeded | captcha-max-unanswered-exceeded |
| Virus Found | virus-found-in-post-request |
| xmlfw-dos-violations | |
| DTD Found | dtd-found |
| External URI Reference Found | external-uri-ref-found |
| Malformed XML | malformed-xml |
| Max Attribute Name Length Exceeded | max-attribute-name-length-exceeded |
| Max Attribute Value Length Exceeded | max-attribute-value-length-exceeded |
| Max Document Size Exceeded | max-document-size-exceeded |
| Max Element Attributes Exceeded | max-element-attributes-exceeded |
| Max Element Children Exceeded | max-element-children-exceeded |
| Max Element Name Length Exceeded | max-element-name-length-exceeded |
| Max Elements in Tree Exceeded | max-elements-in-tree-exceeded |
| Max Text Size Exceeded | max-text-size-exceeded |
| Max Tree Depth Exceeded | max-tree-depth-exceeded |
| Min Document Size Limit | min-document-size-limit |
| Processing Instructions Found | processing-instructions-found |
| xmlfw-wsi-assertion-failures | |
| Attribute "MustUnderstand" is Neither 1 nor 0 | mustunderstand-is-nither-1-nor-0 |
| Attributes in SOAP Envelope Header Body | atts-in-soap-env-hdr-body |
| Children Elements in SOAP:Body Have "SOAP:EncodingStyle" Attribute | soap-encodingStyle-in-body-children |
| Children Elements in SOAP:Body are Not Namespace Qualified | soap-body-children-are-not-ns-qualified |
| DOCTYPE Element | DOCTYPE-element |
| EncodingStyle Attribute Found in Grandchild of SOAP Body | encodingStyle-in-rpc-literal-grand-children |
| EncodingStyle in Envelope Namespace Elements | encodingStyle-in-envelope-ns-elements |
| Envelope Does Not Conform to SOAP Schema | envelope-does-not-confirm-to-schema |
| Envelope Namespace is 1998 | env-ns-is-1998 |
| Good Response is Not Using HTTP 200 OK | good-resp-is-not-200ok |
| Message Contains Undefined "SOAPBind:Fault" Element(s) | fault-resp-is-not-defined-in-wsdl-binding |
| Message Contains a WS-I Conformance Claim Which is Not a Child of the SOAP:Header Element | WSI-confirmance-not-in-soap-hdr |
| Message Contains a WS-I Conformance Claim with a "SOAP:MustUnderstand" Attribute | WSI-confirmance-claims-are-not-mustunderstand |
| Message Does Not Include All Headers | msg-does-not-include-allhdrs |
| Message Part Accessors Have No Namespace | msg-part-accessors-have-no-ns |
| Message is Not Sent Using HTTP1.0 or HTTP1.1 | message-is-not-HTTP1.0-or-HTTP1.1 |
| Message is Not Sent Using HTTP1.1 | message-is-not-HTTP1.1 |
| Message is Not UTF8 or UTF16 | message-is-not-UTF8-or-UTF16 |
| Non POST Request Does Not Contain 405 HTTP Status Code | non-POST-req-does-not-get-405 |
| Non XML Request Does Not Contain 415 HTTP Status Code | non-XML-req-does-not-get-415 |
| One-Way Response Contains a SOAP:Envelope | oneway-resp-non-empty-body |
| Part Accessors Have "xsi: nil" Attribute | part-accessors-has-xsi-nil |
| Processed Response Status is Neither 200 nor 202 | processed-resp-status-is-nither-200-nor-202 |
| Request Does Not Match the WSDL:Definition | req-matches-wsdl |
| Request Message is Not an HTTP POST Message | request-is-not-HTTP-POST |
| Response Does Not Match the WSDL:Definition | resp-matches-wsdl |
Response Wrapper Does Not Match the Name Attribute on WSDL:Operation | resp-has-no-wrapper-named-op |
| SOAP 1.1 Dot Notation is Used By the SOAP:Fault Element | faults-use-dot-notation |
| SOAP Message Contains XML Processing Instructions | xml-processing-instructions-in-body |
| SOAP:Body Contains the "SOAPEnc:ArrayType" Attribute | soapenc-arraytype-attr |
| SOAP:Envelope Does Not Have v1.1 Namespace | msg-body-is-not-soap-env-with-ns |
| SOAP:Envelope Has a Direct Child After the "SOAP:Body" Element | envelope-have-children-after-body |
| SOAP:Envelope or SOAP:Body Does Not Conform to XML 1.0 | envelope-and-body-are-not-xml1.0 |
| SOAP:Fault Children Elements are Not Namespace Qualified | soap-fault-does-not-have-allowed-children |
| SOAP:Fault Children are Qualified | soap-fault-children-are-qualified |
| SOAP:Fault Has Non-Foreign Namespace | soap-fault-has-envelope-ns |
| SOAP:Fault Message Not Found in the HTTP 500 Response | soap-fault-is-not-in-HTTP500-resp |
| SOAP:Fault Not Generated for Bad Envelope Namespace | no-fault-for-bad-env-ns |
| SOAP:Faultcode is Not Standard or Namespace Qualified | soap-faultcode-is-not-std |
| SOAPAction Header Does Not Contain Quoted String | soapaction-hdr-is-not-quoted |
| SOAPAction Header Does Not Contain the Correct String Value | soapaction-hdr-does-not-match-op-soapaction |
| WS-I Conformance Claim Does Not Adhere to the WS-I Conformance Claim Schema | WSI-confirmance-is-not-well-formed |
| xmlfw-soap-violations | |
| Additional SOAP Headers Received | additional-soap-headers-rcvd |
| Invalid SOAP Body | invalid-soap-body |
| Invalid SOAP Envelope | invalid-soap-envelope |
| Invalid SOAP Header | invalid-soap-header |
| json-limit-violations | |
| Malformed JSON | malformed-json |
| Max Array Values Exceeded | max-values-in-array-exceeded |
| Max Key Length Exceeded | max-key-length-exceeded |
| Max Number Value Exceeded | max-number-limit-exceeded |
| Max Object Child Exceeded | max-object-children-exceeded |
| Max Object Keys Exceeded | max-keys-in-object-exceeded |
| Max Value Length Exceeded | max-value-length-exceeded |
| Object Depth Exceeded | max-object-depth-exceeded |
| json-violations | |
| Apache Struts Attacks in JSON Data | apache-struts-attack-in-json |
| Cross-Site Scripting in JSON Data | cross-site-scripting-pattern-in-json |
| Custom Attack Pattern in JSON Data | custom-attack-pattern-in-json |
| Directory Traversal Attack in JSON Data | directory-traversal-pattern-in-json |
| HTTP Specific Attacks in JSON Data | http-specific-attack-in-json |
| LDAP Injection in JSON Data | ldap-injection-in-json |
| OS Command Injection in JSON Data | os-command-injection-pattern-in-json |
| Python PHP Attack in JSON Data | python-php-attack-in-json |
| Remote File Inclusion in JSON Data | remote-file-inclusion-pattern-in-json |
| SQL Injection in JSON Data | sql-injection-pattern-in-json |