Barracuda Web Application Firewall

Action Policy


An action policy is a collection of settings that determine what action is taken when a violation occurs. It consists of a set of attack groups, each with its associated attack actions. An attack action specifies the action to be taken for a particular type of web attack.

To Retrieve Attack Groups

URL:  /v1/security_policies/{policy_id}/attack_groups

          /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}
Method: GET
Description: Lists all attack groups if “attack_group_id” is not specified.
Input Parameters:
Parameter Name | Data Type | Mandatory | Description
parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2.
Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"object":"ActionPolicy","fields":null,"policy_id":"new_policy","data":[{"name":"domain-not-found-in-profile","response_page":"default","numeric_id":"130","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"domain-not-found-in-profile"},{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjEzODAxNTczOTAiLCJwYXNzd29yZCI6Ijk5ZGNjMDRiZmQ5YTUwMTkxYTVlMTZkMWFi\nMjI2MjZjIiwidXNlciI6ImFkbWluIn0=\n","offset":null}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations  -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,deny_response

 

Response:

{"object":"ActionPolicy","fields":["follow_up_action","deny_response"],"policy_id":"new_policy","data":[{"attack_group":"application-profile-violations","follow_up_action":"none","deny_response":"send_response","id":"domain-not-found-in-profile"},{"attack_group":"application-profile-violations","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjE1MDQ0MDk4NTUiLCJwYXNzd29yZCI6IjNkZjhkYzE5MDhlYWQxOGIxN2UzYWY2OWMx\nNGEwOGIxIiwidXNlciI6ImFkbWluIn0=\n","offset":null}
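The following added example (not part of the Barracuda documentation) shows one way to audit a response of this shape for attacks that are not being blocked. The sample JSON is constructed from Example 1 with one action changed, and treating only the protect_* values as blocking is an assumption based on the value names.

```python
import json

# Constructed sample in the shape of the Example 1 response (token omitted,
# second action changed to allow_and_log so the audit has something to report).
SAMPLE_RESPONSE = json.dumps({
    "object": "ActionPolicy", "policy_id": "new_policy",
    "data": [
        {"id": "domain-not-found-in-profile", "action": "protect_and_log",
         "attack_group": "application-profile-violations"},
        {"id": "no-url-profile-match", "action": "allow_and_log",
         "attack_group": "application-profile-violations"},
    ],
})

# Assumption of this example: only the protect_* values deny the request.
BLOCKING = {"protect_and_log", "protect_with_no_log"}
KNOWN_ACTIONS = BLOCKING | {"none", "allow_and_log"}


def audit_attack_group(response_text):
    """Return (attack_id, finding) pairs for actions that weaken the policy."""
    doc = json.loads(response_text)
    # An attack-group listing carries a "data" list; a single-action
    # response has the fields at the top level. Normalise both shapes.
    entries = doc["data"] if "data" in doc else [doc]
    findings = []
    for entry in entries:
        attack_id = entry.get("id", "<missing id>")
        action = entry.get("action")
        if action is None:
            # Happens when a "parameters" filter left the field out.
            findings.append((attack_id, "action not returned; request it via parameters"))
        elif action not in KNOWN_ACTIONS:
            findings.append((attack_id, "unknown action value %r" % action))
        elif action not in BLOCKING:
            findings.append((attack_id, "not blocked (action=%s)" % action))
        elif action == "protect_with_no_log":
            findings.append((attack_id, "blocked but not logged"))
    return findings


if __name__ == "__main__":
    for attack_id, finding in audit_attack_group(SAMPLE_RESPONSE):
        print(attack_id, "-", finding)
```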

To Retrieve Attack Actions

URL:  /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions

          /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id}
Method: GET
Description: Lists all attack actions for the given attack group if “action_id” is not specified.
Input Parameters:
Parameter Name | Data Type | Mandatory | Description
parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2.
Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc0NjYiLCJwYXNzd29yZCI6Ijk5ODViNjk0ZjIxYjU4MGEyMmY2OWRmMzUz\nNjA2MzA0IiwidXNlciI6ImFkbWluIn0=\n"}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match  -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,redirect_url,deny_response,action

 

Response:

{"attack_group":"application-profile-violations","action":"protect_and_log","redirect_url":"/abc.html","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match","token":"eyJldCI6IjE1MDQzMTYyOTQiLCJwYXNzd29yZCI6IjkwNDNjODQ1MjJjZDlhMzY0MDBhNjJhY2E0\nOWU2MDU2IiwidXNlciI6ImFkbWluIn0=\n"}

To Update an Action Policy

URL:  /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id}
Method: PUT
Description:  Updates the values of given parameters in the given action policy.
Input Parameters:
Parameter Name | Data Type | Mandatory | Description

action | Enumeration | Optional | The action to be taken for an invalid request. The enumerated values include:

  • none
  • protect_and_log
  • allow_and_log
  • protect_with_no_log

deny_response | Enumeration | Optional | The response to be sent to the client if the request is denied. The enumerated values include:

  • close_connection
  • send_response
  • temporary_redirect
  • permanent_redirect

redirect_url | Alphanumeric | Optional | The URL to be used to redirect the request.

Note: Required ONLY when deny_response is set to temporary_redirect or permanent_redirect.

response_page | Enumeration | Optional | The response page to be sent to the client. The enumerated values include predefined response pages and custom response pages (if any):

  • default
  • default-virus
  • default-error-resp
  • default-captcha-tries-error-page
  • default-captcha-sessions-error-page
  • default-suspected-activity-error-page
  • default-captcha-response-page

Note: Required ONLY when deny_response is set to send_response.

follow_up_action | Enumeration | Optional | The follow up action to be taken if the request is denied. The enumerated values include:

  • none
  • block_client_ip
  • challenge_with_captcha

follow_up_action_time | Numeric | Optional | The time in seconds to block the client IP.

Note: Required ONLY when follow_up_action is set to block_client_ip.

Example:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"action":"allow_and_log"}'

 

Response:

{"msg":"Configuration Updated","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc1NTAiLCJwYXNzd29yZCI6IjZkM2IxNGU0ZjhhNGY2MWI1MGNlYjBmNmYz\nM2Q5OWQ1IiwidXNlciI6ImFkbWluIn0=\n"}
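The following added example (not part of the Barracuda documentation) validates an update body against the enumerations and the "Required ONLY when" notes in the parameter table before it is sent with PUT. The function name is hypothetical, and it checks only the fields present in the request, not values already stored on the appliance.

```python
import json

# Enumerations copied from the parameter table above. response_page is not
# listed because custom response pages are also accepted.
ENUMS = {
    "action": {"none", "protect_and_log", "allow_and_log", "protect_with_no_log"},
    "deny_response": {"close_connection", "send_response",
                      "temporary_redirect", "permanent_redirect"},
    "follow_up_action": {"none", "block_client_ip", "challenge_with_captcha"},
}
KNOWN_FIELDS = set(ENUMS) | {"redirect_url", "response_page", "follow_up_action_time"}


def build_action_update(**fields):
    """Validate an action-policy update and return the JSON body for the PUT."""
    unknown = set(fields) - KNOWN_FIELDS
    if unknown:
        raise ValueError("unknown parameter(s): " + ", ".join(sorted(unknown)))
    for name, allowed in ENUMS.items():
        if name in fields and fields[name] not in allowed:
            raise ValueError("%s must be one of %s" % (name, sorted(allowed)))

    # Conditional requirements taken from the "Note:" lines in the table.
    deny = fields.get("deny_response")
    if deny in ("temporary_redirect", "permanent_redirect") and not fields.get("redirect_url"):
        raise ValueError("redirect_url is required when deny_response=%s" % deny)
    if deny == "send_response" and not fields.get("response_page"):
        raise ValueError("response_page is required when deny_response=send_response")
    if fields.get("follow_up_action") == "block_client_ip":
        # Numeric per the table; accept an int or a digit string such as "60".
        if not str(fields.get("follow_up_action_time")).isdigit():
            raise ValueError("follow_up_action_time (seconds) is required "
                             "when follow_up_action=block_client_ip")
    return json.dumps(fields, sort_keys=True)


if __name__ == "__main__":
    # Same body as the documented PUT example.
    print(build_action_update(action="allow_and_log"))
    # A redirect without a target is rejected before any request is made.
    try:
        build_action_update(deny_response="temporary_redirect")
    except ValueError as err:
        print("rejected:", err)
```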

The table below lists the attack ID names to be used in the REST API commands:

Attack name displayed in the web interface | Attack ID to be used in REST API

protocol-violations
Directory Traversal Beyond Root | directory-traversal-beyond-root
GET Request with Content Length | get-request-with-content-length-header
Invalid Header | invalid-header
Invalid Method | invalid-method
Invalid or Malformed HTTP Request | invalid-or-malformed-http-request
Malformed Content Length | malformed-content-length
Malformed Cookie | malformed-cookie
Malformed Header | malformed-header
Malformed Parameter | malformed-parameter
Malformed Request Line | malformed-end-of-request-line
Malformed Version | malformed-version
Missing Host Header | http-1.1-request-without-host
Multiple Content Length | multiple-content-length-headers
POST without Content Length | post-request-without-content-length
Parameter Too Large | large-parameter-in-post-data
Pre-1.0 Request | pre-1.0-request

request-policy-violations
Cookie Count Exceeded | cookie-count-exceeded
Cookie Expired | cookie-expired
Cookie Length Exceeded | cookie-length-exceeded
Cookie Name Length Exceeded | cookie-name-length-exceeded
Cookie Tampered | cookie-tampered
Header Count Exceeded | header-count-exceeded
Header Name Length Exceeded | header-name-length-exceeded
Header Value Length Exceeded | header-value-length-exceeded
Invalid URL Encoding | invalid-url-encoding
Mismatched Header Cookie Replay Attack | mismatched-header-cookie-replay-attack
Mismatched IP Cookie Replay Attack | mismatched-ip-cookie-replay-attack
Query Length Exceeded | url-query-length-exceeded
Request Length Exceeded | total-request-length-exceeded
Session timed out | keepalive-timeout-exceeded
Slash-dot in URL Path | slash-dot-in-url-path
Tilde in URL Path | tilde-in-url-path
Too Many Sessions for IP | too-many-sessions-for-ip
Total Request Line Length Exceeded | total-request-line-length-exceeded
URL Length Exceeded | url-length-exceeded
Unrecognized Cookie | unrecognized-cookie

header-violations
Apache Struts Attack in Header | apache-struts-attacks-medium-in-header
Cross-Site Scripting in Header | cross-site-scripting-in-header
Custom Attack Pattern in Header | custom-attack-pattern-in-header
Directory Traversal in Header | directory-traversal-in-header
HTTP Specific Attack in Header | http-specific-attacks-medium-in-header
LDAP Injection in Header | ldap-injection-medium-in-header
Metacharacter Matched in Header | metacharacter-matched-in-header
OS Command Injection in Header | os-command-injection-in-header
Python PHP Attack in Header | python-php-attacks-medium-in-header
Remote File Inclusion in Header | remote-file-inclusion-pattern-in-header
SQL Injection in Header | sql-injection-in-header

application-profile-violations
No Domain Match in Profile | domain-not-found-in-profile
No URL Profile Match | no-url-profile-match

url-profile-violations
Apache Struts Attack in URL | apache-struts-attacks-medium-in-url
Content Length Exceeded | content-length-exceeded
Cross-Site Scripting in URL | cross-site-scripting-pattern-in-url
Custom Attack Pattern in URL | custom-attack-pattern-in-url
HTTP Specific Attack in URL | http-specific-attacks-medium-in-url
LDAP Injection in URL | ldap-injection-medium-in-url
Method Not Allowed | forbidden-method
No Param Profile Match | no-param-profile-match
OS Command Injection in URL | os-command-injection-pattern-in-url
Parameter Name Length Exceeded | parameter-name-length-exceeded
Python PHP Attack in URL | python-php-attacks-medium-in-url
Query String not Allowed | query-string-not-allowed
Remote File Inclusion in URL | remote-file-inclusion-pattern-in-url
SQL Injection in URL | sql-injection-pattern-in-url
Session not Found | session-not-found
Too Many Parameters | too-many-parameters
Too Many Uploaded Files | too-many-uploaded-files
Unknown Content Type | unknown-content-type-in-post-body

param-profile-violations
Apache Struts Attack in Parameter | apache-struts-attacks-medium-in-param
Cross-Site Request Forgery | cross-site-request-forgery-attack-detected
Cross-Site Scripting in Parameter | cross-site-scripting-pattern-in-parameter
Custom Attack Pattern in Parameter | custom-attack-pattern-in-parameter
Directory Traversal in Parameter | directory-traversal-pattern-in-parameter
File Upload Size Exceeded | file-upload-size-exceeded
Forbidden File Extension | forbidden-file-extension
Forbidden File Mime Type | forbidden-file-mime-type
HTTP Specific Attack in Parameter | http-specific-attacks-medium-in-param
LDAP Injection in Parameter | ldap-injection-medium-in-param
Mandatory Parameter Missing | mandatory-parameter-missing
Maximum Instances of Parameter Exceeded | max-instances-of-parameter-exceeded
Metacharacter in Parameter | metacharacter-in-parameter
OS Command Injection in Parameter | os-command-injection-pattern-in-parameter
Parameter Input Validation Failed | parameter-input-validation-failed
Parameter Length Exceeded | parameter-length-exceeded
Parameter Value not Allowed | parameter-value-not-allowed
Python PHP Attack in Parameter | python-php-attacks-medium-in-param
Read-Only or Hidden Parameter Tampered | read-only-or-hidden-parameter-tampered
Remote File Inclusion | remote-file-inclusion-pattern-in-parameter
SQL Injection in Parameter | sql-injection-pattern-in-parameter
Session Choice Parameter Tampered | session-choice-parameter-tampered
Session Context not Found | session-context-not-found
Session Invariant Parameter Tampered | session-invariant-parameter-tampered

response-violations
CAPTCHA Validation Required | captcha-response-page
Custom Error Response Page | custom-error-response-page
Error Response Suppressed | error-response-suppressed
Identity Theft Pattern Matched | identity-theft-pattern-matched-in-response
Response Header Suppressed | response-header-suppressed

advanced-policy-violations
Brute force from All Sources | brute-force-from-all-sources
Brute force from IP | brute-force-from-ip
CAPTCHA Attempt Limit Exceeded | captcha-tries-exceeded
CAPTCHA Session Limit Exceeded | captcha-max-sessions-exceeded
Invalid URL Character Set | invalid-url-character-set
Rate Control Intrusion | rate-control-intrusion
Secure Browsing | secure-browsing
Slow Read Attack | slow-read-attack
Slowloris Attack | slow-client-attack
URL Encryption | url-encryption
Unanswered CAPTCHA Limit Exceeded | captcha-max-unanswered-exceeded
Virus Found | virus-found-in-post-request

xmlfw-dos-violations
DTD Found | dtd-found
External URI Reference Found | external-uri-ref-found
Malformed XML | malformed-xml
Max Attribute Name Length Exceeded | max-attribute-name-length-exceeded
Max Attribute Value Length Exceeded | max-attribute-value-length-exceeded
Max Document Size Exceeded | max-document-size-exceeded
Max Element Attributes Exceeded | max-element-attributes-exceeded
Max Element Children Exceeded | max-element-children-exceeded
Max Element Name Length Exceeded | max-element-name-length-exceeded
Max Elements in Tree Exceeded | max-elements-in-tree-exceeded
Max Text Size Exceeded | max-text-size-exceeded
Max Tree Depth Exceeded | max-tree-depth-exceeded
Min Document Size Limit | min-document-size-limit
Processing Instructions Found | processing-instructions-found

xmlfw-wsi-assertion-failures
Attribute "MustUnderstand" is Neither 1 nor 0 | mustunderstand-is-nither-1-nor-0
Attributes in SOAP Envelope Header Body | atts-in-soap-env-hdr-body
Children Elements in SOAP:Body Have "SOAP:EncodingStyle" Attribute | soap-encodingStyle-in-body-children
Children Elements in SOAP:Body are Not Namespace Qualified | soap-body-children-are-not-ns-qualified
DOCTYPE Element | DOCTYPE-element
EncodingStyle Attribute Found in Grandchild of SOAP Body | encodingStyle-in-rpc-literal-grand-children
EncodingStyle in Envelope Namespace Elements | encodingStyle-in-envelope-ns-elements
Envelope Does Not Conform to SOAP Schema | envelope-does-not-confirm-to-schema
Envelope Namespace is 1998 | env-ns-is-1998
Good Response is Not Using HTTP 200 OK | good-resp-is-not-200ok
Message Contains Undefined "SOAPBind:Fault" Element(s) | fault-resp-is-not-defined-in-wsdl-binding
Message Contains a WS-I Conformance Claim Which is Not a Child of the SOAP:Header Element | WSI-confirmance-not-in-soap-hdr
Message Contains a WS-I Conformance Claim with a "SOAP:MustUnderstand" Attribute | WSI-confirmance-claims-are-not-mustunderstand
Message Does Not Include All Headers | msg-does-not-include-allhdrs
Message Part Accessors Have No Namespace | msg-part-accessors-have-no-ns
Message is Not Sent Using HTTP1.0 or HTTP1.1 | message-is-not-HTTP1.0-or-HTTP1.1
Message is Not Sent Using HTTP1.1 | message-is-not-HTTP1.1
Message is Not UTF8 or UTF16 | message-is-not-UTF8-or-UTF16
Non POST Request Does Not Contain 405 HTTP Status Code | non-POST-req-does-not-get-405
Non XML Request Does Not Contain 415 HTTP Status Code | non-XML-req-does-not-get-415
One-Way Response Contains a SOAP:Envelope | oneway-resp-non-empty-body
Part Accessors Have "xsi: nil" Attribute | part-accessors-has-xsi-nil
Processed Response Status is Neither 200 nor 202 | processed-resp-status-is-nither-200-nor-202
Request Does Not Match the WSDL:Definition | req-matches-wsdl
Request Message is Not an HTTP POST Message | request-is-not-HTTP-POST
Response Does Not Match the WSDL:Definition | resp-matches-wsdl
Response Wrapper Does Not Match the Name Attribute on WSDL:Operation | resp-has-no-wrapper-named-op
SOAP 1.1 Dot Notation is Used By the SOAP:Fault Element | faults-use-dot-notation
SOAP Message Contains XML Processing Instructions | xml-processing-instructions-in-body
SOAP:Body Contains the "SOAPEnc:ArrayType" Attribute | soapenc-arraytype-attr
SOAP:Envelope Does Not Have v1.1 Namespace | msg-body-is-not-soap-env-with-ns
SOAP:Envelope Has a Direct Child After the "SOAP:Body" Element | envelope-have-children-after-body
SOAP:Envelope or SOAP:Body Does Not Conform to XML 1.0 | envelope-and-body-are-not-xml1.0
SOAP:Fault Children Elements are Not Namespace Qualified | soap-fault-does-not-have-allowed-children
SOAP:Fault Children are Qualified | soap-fault-children-are-qualified
SOAP:Fault Has Non-Foreign Namespace | soap-fault-has-envelope-ns
SOAP:Fault Message Not Found in the HTTP 500 Response | soap-fault-is-not-in-HTTP500-resp
SOAP:Fault Not Generated for Bad Envelope Namespace | no-fault-for-bad-env-ns
SOAP:Faultcode is Not Standard or Namespace Qualified | soap-faultcode-is-not-std
SOAPAction Header Does Not Contain Quoted String | soapaction-hdr-is-not-quoted
SOAPAction Header Does Not Contain the Correct String Value | soapaction-hdr-does-not-match-op-soapaction
WS-I Conformance Claim Does Not Adhere to the WS-I Conformance Claim Schema | WSI-confirmance-is-not-well-formed

xmlfw-soap-violations
Additional SOAP Headers Received | additional-soap-headers-rcvd
Invalid SOAP Body | invalid-soap-body
Invalid SOAP Envelope | invalid-soap-envelope
Invalid SOAP Header | invalid-soap-header

json-limit-violations
Malformed JSON | malformed-json
Max Array Values Exceeded | max-values-in-array-exceeded
Max Key Length Exceeded | max-key-length-exceeded
Max Number Value Exceeded | max-number-limit-exceeded
Max Object Child Exceeded | max-object-children-exceeded
Max Object Keys Exceeded | max-keys-in-object-exceeded
Max Value Length Exceeded | max-value-length-exceeded
Object Depth Exceeded | max-object-depth-exceeded

json-violations
Apache Struts Attacks in JSON Data | apache-struts-attack-in-json
Cross-Site Scripting in JSON Data | cross-site-scripting-pattern-in-json
Custom Attack Pattern in JSON Data | custom-attack-pattern-in-json
Directory Traversal Attack in JSON Data | directory-traversal-pattern-in-json
HTTP Specific Attacks in JSON Data | http-specific-attack-in-json
LDAP Injection in JSON Data | ldap-injection-in-json
OS Command Injection in JSON Data | os-command-injection-pattern-in-json
Python PHP Attack in JSON Data | python-php-attack-in-json
Remote File Inclusion in JSON Data | remote-file-inclusion-pattern-in-json
SQL Injection in JSON Data | sql-injection-pattern-in-json