It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

Action Policy

  • Last updated on

Action policy is a collection of settings that decide what action to be taken when a violation occurs. It consists of a set of attack groups and associated attack actions with it. The attack action specifies the action to be taken for a particular type of web attack.

To Retrieve Attack Groups

URL:  /v1/security_policies/{policy_id}/attack_groups

          /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}
Method: GET
Description: Lists all attack groups if “Attack_Group_ID” is not specified.
Parameter NameData TypeMandatoryDescription
Input Parameters:   
parametersAlphanumericOptionalAny specific parameter name that needs to be retrieved. See Example 2.
Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"object":"ActionPolicy","fields":null,"policy_id":"new_policy","data":[{"name":"domain-not-found-in-profile","response_page":"default","numeric_id":"130","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"domain-not-found-in-profile"},{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjEzODAxNTczOTAiLCJwYXNzd29yZCI6Ijk5ZGNjMDRiZmQ5YTUwMTkxYTVlMTZkMWFi\nMjI2MjZjIiwidXNlciI6ImFkbWluIn0=\n","offset":null}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations  -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,deny_response

 

Response:

{"object":"ActionPolicy","fields":["follow_up_action","deny_response"],"policy_id":"new_policy","data":[{"attack_group":"application-profile-violations","follow_up_action":"none","deny_response":"send_response","id":"domain-not-found-in-profile"},{"attack_group":"application-profile-violations","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjE1MDQ0MDk4NTUiLCJwYXNzd29yZCI6IjNkZjhkYzE5MDhlYWQxOGIxN2UzYWY2OWMx\nNGEwOGIxIiwidXNlciI6ImFkbWluIn0=\n","offset":null}

To Retrieve Attack Actions

URL:  /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions

          /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id}
Method: GET
Description: Lists all attack actions for the given attack group if “action_id” is not specified.
Parameter NameData TypeMandatoryDescription
Input Parameters:   
parametersAlphanumericOptionalAny specific parameter name that needs to be retrieved. See Example 2.
Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc0NjYiLCJwYXNzd29yZCI6Ijk5ODViNjk0ZjIxYjU4MGEyMmY2OWRmMzUz\nNjA2MzA0IiwidXNlciI6ImFkbWluIn0=\n"}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match  -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,redirect_url,deny_response,action

 

Response:

{"attack_group":"application-profile-violations","action":"protect_and_log","redirect_url":"/abc.html","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match","token":"eyJldCI6IjE1MDQzMTYyOTQiLCJwYXNzd29yZCI6IjkwNDNjODQ1MjJjZDlhMzY0MDBhNjJhY2E0\nOWU2MDU2IiwidXNlciI6ImFkbWluIn0=\n"}

To Update an Action Policy

URL:  /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id}
Method: PUT
Description:  Updates the values of given parameters in the given action policy.
Parameter NameData TypeMandatoryDescription
Input Parameters:   
actionEnumerationOptional

The action to be taken for an invalid request. The enumerated values include:

  • none
  • protect_and_log
  • allow_and_log
  • protect_with_no_log
deny_responseEnumerationOptional

The response to be sent to the client if the request is denied. The enumerated values include:

  • close_connection
  • send_response
  • temporary_redirect
  • permanent_redirect
redirect_urlAlphanumericOptional

The URL to be used to redirect the request.

 

Note: Required ONLY when deny_response is set to temporary_redirect or permanent_redirect.
response_pageEnumerationOptional

The response page to be sent to the client. The enumerated values include predefined response pages and custom response pages (if any):

  • default
  • default-virus
  • default-error-resp
  • default-captcha-tries-error-page
  • default-captcha-sessions-error-page
  • default-suspected-activity-error-page
  • default-captcha-response-page

 

Note: Required ONLY when deny_response is set to send_response.  
follow_up_actionEnumerationOptional

The follow up action to be taken if the request is denied. The enumerated values include:

  • none
  • block_client_ip
  • challenge_with_captcha
follow_up_action_timeNumericOptional

The time in seconds to block the client IP.

 

Note: Required ONLY when follow_up_action is set to block_client_ip.
Example:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"action":"allow_and_log"}'

 

Response:

{"msg":"Configuration Updated","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc1NTAiLCJwYXNzd29yZCI6IjZkM2IxNGU0ZjhhNGY2MWI1MGNlYjBmNmYz\nM2Q5OWQ1IiwidXNlciI6ImFkbWluIn0=\n"}

The table below lists the attack ID names to be used in the REST API commands:

Attack name displayed in the web interfaceAttack ID to be used in REST API
protocol-violations
Directory Traversal Beyond Rootdirectory-traversal-beyond-root
GET Request with Content Lengthget-request-with-content-length-header
Invalid Headerinvalid-header
Invalid Methodinvalid-method
Invalid or Malformed HTTP Requestinvalid-or-malformed-http-request
Malformed Content Lengthmalformed-content-length
Malformed Cookiemalformed-cookie
Malformed Headermalformed-header
Malformed Parametermalformed-parameter
Malformed Request Linemalformed-end-of-request-line
Malformed Versionmalformed-version
Missing Host Headerhttp-1.1-request-without-host
Multiple Content Lengthmultiple-content-length-headers
POST without Content Lengthpost-request-without-content-length
Parameter Too Largelarge-parameter-in-post-data
Pre-1.0 Requestpre-1.0-request
request-policy-violations
Cookie Count Exceededcookie-count-exceeded
Cookie Expiredcookie-expired
Cookie Length Exceededcookie-length-exceeded
Cookie Name Length Exceededcookie-name-length-exceeded
Cookie Tamperedcookie-tampered
Header Count Exceededheader-count-exceeded
Header Name Length Exceededheader-name-length-exceeded
Header Value Length Exceededheader-value-length-exceeded
Invalid URL Encodinginvalid-url-encoding
Mismatched Header Cookie Replay Attackmismatched-header-cookie-replay-attack
Mismatched IP Cookie Replay Attackmismatched-ip-cookie-replay-attack
Query Length Exceededurl-query-length-exceeded
Request Length Exceededtotal-request-length-exceeded
Session timed outkeepalive-timeout-exceeded
Slash-dot in URL Pathslash-dot-in-url-path
Tilde in URL Pathtilde-in-url-path
Too Many Sessions for IPtoo-many-sessions-for-ip
Total Request Line Length Exceededtotal-request-line-length-exceeded
URL Length Exceededurl-length-exceeded
Unrecognized Cookieunrecognized-cookie
header-violations
Apache Struts Attack in Headerapache-struts-attacks-medium-in-header
Cross-Site Scripting in Headercross-site-scripting-in-header
Custom Attack Pattern in Headercustom-attack-pattern-in-header
Directory Traversal in Headerdirectory-traversal-in-header
HTTP Specific Attack in Headerhttp-specific-attacks-medium-in-header
LDAP Injection in Headerldap-injection-medium-in-header
Metacharacter Matched in Headermetacharacter-matched-in-header
OS Command Injection in Headeros-command-injection-in-header
Python PHP Attack in Headerpython-php-attacks-medium-in-header
Remote File Inclusion in Headerremote-file-inclusion-pattern-in-header
SQL Injection in Headersql-injection-in-header
application-profile-violations
No Domain Match in Profiledomain-not-found-in-profile
No URL Profile Matchno-url-profile-match
url-profile-violations
Apache Struts Attack in URLapache-struts-attacks-medium-in-url
Content Length Exceededcontent-length-exceeded
Cross-Site Scripting in URLcross-site-scripting-pattern-in-url
Custom Attack Pattern in URLcustom-attack-pattern-in-url
HTTP Specific Attack in URLhttp-specific-attacks-medium-in-url
LDAP Injection in URLldap-injection-medium-in-url
Method Not Allowedforbidden-method
No Param Profile Matchno-param-profile-match
OS Command Injection in URLos-command-injection-pattern-in-url
Parameter Name Length Exceededparameter-name-length-exceeded
Python PHP Attack in URLpython-php-attacks-medium-in-url
Query String not Allowedquery-string-not-allowed
Remote File Inclusion in URLremote-file-inclusion-pattern-in-url
SQL Injection in URLsql-injection-pattern-in-url
Session not Foundsession-not-found
Too Many Parameterstoo-many-parameters
Too Many Uploaded Filestoo-many-uploaded-files
Unknown Content Typeunknown-content-type-in-post-body
param-profile-violations
Apache Struts Attack in Parameterapache-struts-attacks-medium-in-param
Cross-Site Request Forgerycross-site-request-forgery-attack-detected
Cross-Site Scripting in Parametercross-site-scripting-pattern-in-parameter
Custom Attack Pattern in Parametercustom-attack-pattern-in-parameter
Directory Traversal in Parameterdirectory-traversal-pattern-in-parameter
File Upload Size Exceededfile-upload-size-exceeded
Forbidden File Extensionforbidden-file-extension
Forbidden File Mime Typeforbidden-file-mime-type
HTTP Specific Attack in Parameterhttp-specific-attacks-medium-in-param
LDAP Injection in Parameterldap-injection-medium-in-param
Mandatory Parameter Missingmandatory-parameter-missing
Maximum Instances of Parameter Exceededmax-instances-of-parameter-exceeded
Metacharacter in Parametermetacharacter-in-parameter
OS Command Injection in Parameteros-command-injection-pattern-in-parameter
Parameter Input Validation Failedparameter-input-validation-failed
Parameter Length Exceededparameter-length-exceeded
Parameter Value not Allowedparameter-value-not-allowed
Python PHP Attack in Parameterpython-php-attacks-medium-in-param
Read-Only or Hidden Parameter Tamperedread-only-or-hidden-parameter-tampered
Remote File Inclusionremote-file-inclusion-pattern-in-parameter
SQL Injection in Parametersql-injection-pattern-in-parameter
Session Choice Parameter Tamperedsession-choice-parameter-tampered
Session Context not Foundsession-context-not-found
Session Invariant Parameter Tamperedsession-invariant-parameter-tampered
response-violations
CAPTCHA Validation Requiredcaptcha-response-page
Custom Error Response Pagecustom-error-response-page
Error Response Suppressederror-response-suppressed
Identity Theft Pattern Matchedidentity-theft-pattern-matched-in-response
Response Header Suppressedresponse-header-suppressed
advanced-policy-violations
Brute force from All Sourcesbrute-force-from-all-sources
Brute force from IPbrute-force-from-ip
CAPTCHA Attempt Limit Exceededcaptcha-tries-exceeded
CAPTCHA Session Limit Exceededcaptcha-max-sessions-exceeded
Invalid URL Character Setinvalid-url-character-set
Rate Control Intrusionrate-control-intrusion
Secure Browsingsecure-browsing
Slow Read Attackslow-read-attack
Slowloris Attackslow-client-attack
URL Encryptionurl-encryption
Unanswered CAPTCHA Limit Exceededcaptcha-max-unanswered-exceeded
Virus Foundvirus-found-in-post-request
xmlfw-dos-violations
DTD Founddtd-found
External URI Reference Foundexternal-uri-ref-found
Malformed XMLmalformed-xml
Max Attribute Name Length Exceededmax-attribute-name-length-exceeded
Max Attribute Value Length Exceededmax-attribute-value-length-exceeded
Max Document Size Exceededmax-document-size-exceeded
Max Element Attributes Exceededmax-element-attributes-exceeded
Max Element Children Exceededmax-element-children-exceeded
Max Element Name Length Exceededmax-element-name-length-exceeded
Max Elements in Tree Exceededmax-elements-in-tree-exceeded
Max Text Size Exceededmax-text-size-exceeded
Max Tree Depth Exceededmax-tree-depth-exceeded
Min Document Size Limitmin-document-size-limit
Processing Instructions Foundprocessing-instructions-found
xmlfw-wsi-assertion-failures
Attribute "MustUnderstand" is Neither 1 nor 0mustunderstand-is-nither-1-nor-0
Attributes in SOAP Envelope Header Bodyatts-in-soap-env-hdr-body
Children Elements in SOAP:Body Have "SOAP:EncodingStyle" Attributesoap-encodingStyle-in-body-children
Children Elements in SOAP:Body are Not Namespace Qualifiedsoap-body-children-are-not-ns-qualified
DOCTYPE ElementDOCTYPE-element
EncodingStyle Attribute Found in Grandchild of SOAP BodyencodingStyle-in-rpc-literal-grand-children
EncodingStyle in Envelope Namespace ElementsencodingStyle-in-envelope-ns-elements
Envelope Does Not Conform to SOAP Schemaenvelope-does-not-confirm-to-schema
Envelope Namespace is 1998env-ns-is-1998
Good Response is Not Using HTTP 200 OKgood-resp-is-not-200ok
Message Contains Undefined "SOAPBind:Fault" Element(s)fault-resp-is-not-defined-in-wsdl-binding
Message Contains a WS-I Conformance Claim Which is Not a Child of the SOAP:Header ElementWSI-confirmance-not-in-soap-hdr
Message Contains a WS-I Conformance Claim with a "SOAP:MustUnderstand" AttributeWSI-confirmance-claims-are-not-mustunderstand
Message Does Not Include All Headersmsg-does-not-include-allhdrs
Message Part Accessors Have No Namespacemsg-part-accessors-have-no-ns
Message is Not Sent Using HTTP1.0 or HTTP1.1message-is-not-HTTP1.0-or-HTTP1.1
Message is Not Sent Using HTTP1.1message-is-not-HTTP1.1
Message is Not UTF8 or UTF16message-is-not-UTF8-or-UTF16
Non POST Request Does Not Contain 405 HTTP Status Codenon-POST-req-does-not-get-405
Non XML Request Does Not Contain 415 HTTP Status Codenon-XML-req-does-not-get-415
One-Way Response Contains a SOAP:Envelopeoneway-resp-non-empty-body
Part Accessors Have "xsi: nil" Attributepart-accessors-has-xsi-nil
Processed Response Status is Neither 200 nor 202processed-resp-status-is-nither-200-nor-202
Request Does Not Match the WSDL:Definitionreq-matches-wsdl
Request Message is Not an HTTP POST Messagerequest-is-not-HTTP-POST
Response Does Not Match the WSDL:Definitionresp-matches-wsdl
Response Wrapper Does Not Match the Name Attribute on WSDL:Operation
resp-has-no-wrapper-named-op
SOAP 1.1 Dot Notation is Used By the SOAP:Fault Elementfaults-use-dot-notation
SOAP Message Contains XML Processing Instructionsxml-processing-instructions-in-body
SOAP:Body Contains the "SOAPEnc:ArrayType" Attributesoapenc-arraytype-attr
SOAP:Envelope Does Not Have v1.1 Namespacemsg-body-is-not-soap-env-with-ns
SOAP:Envelope Has a Direct Child After the "SOAP:Body" Elementenvelope-have-children-after-body
SOAP:Envelope or SOAP:Body Does Not Conform to XML 1.0envelope-and-body-are-not-xml1.0
SOAP:Fault Children Elements are Not Namespace Qualifiedsoap-fault-does-not-have-allowed-children
SOAP:Fault Children are Qualifiedsoap-fault-children-are-qualified
SOAP:Fault Has Non-Foreign Namespacesoap-fault-has-envelope-ns
SOAP:Fault Message Not Found in the HTTP 500 Responsesoap-fault-is-not-in-HTTP500-resp
SOAP:Fault Not Generated for Bad Envelope Namespaceno-fault-for-bad-env-ns
SOAP:Faultcode is Not Standard or Namespace Qualifiedsoap-faultcode-is-not-std
SOAPAction Header Does Not Contain Quoted Stringsoapaction-hdr-is-not-quoted
SOAPAction Header Does Not Contain the Correct String Valuesoapaction-hdr-does-not-match-op-soapaction
WS-I Conformance Claim Does Not Adhere to the WS-I Conformance Claim SchemaWSI-confirmance-is-not-well-formed
xmlfw-soap-violations
Additional SOAP Headers Receivedadditional-soap-headers-rcvd
Invalid SOAP Bodyinvalid-soap-body
Invalid SOAP Envelopeinvalid-soap-envelope
Invalid SOAP Headerinvalid-soap-header
json-limit-violations
Malformed JSONmalformed-json
Max Array Values Exceededmax-values-in-array-exceeded
Max Key Length Exceededmax-key-length-exceeded
Max Number Value Exceededmax-number-limit-exceeded
Max Object Child Exceededmax-object-children-exceeded
Max Object Keys Exceededmax-keys-in-object-exceeded
Max Value Length Exceededmax-value-length-exceeded
Object Depth Exceededmax-object-depth-exceeded
json-violations
Apache Struts Attacks in JSON Dataapache-struts-attack-in-json
Cross-Site Scripting in JSON Datacross-site-scripting-pattern-in-json
Custom Attack Pattern in JSON Datacustom-attack-pattern-in-json
Directory Traversal Attack in JSON Datadirectory-traversal-pattern-in-json
HTTP Specific Attacks in JSON Datahttp-specific-attack-in-json
LDAP Injection in JSON Dataldap-injection-in-json
OS Command Injection in JSON Dataos-command-injection-pattern-in-json
Python PHP Attack in JSON Datapython-php-attack-in-json
Remote File Inclusion in JSON Dataremote-file-inclusion-pattern-in-json
SQL Injection in JSON Datasql-injection-pattern-in-json
Last updated on