Web Service Custom Policies
- Last Updated Apr 16, 2025
Web Service Custom policies provide a flexible engine that correlates events across server groups and service protection levels. The engine is based on CAV technology; see Correlated Attack Validation (CAV) Used in Correlation Policies. You build such policies from different combinations of match criteria. Correlation policies can be configured manually, and predefined rules are available that cover certain well-known scenarios.
For example, using custom correlation policies you can limit access to specific URLs and directories based on the source IP address, or restrict the permitted HTTP headers, user agents (browsers), and so on. You can define as many custom correlation policies as you want. It is recommended to perform as many operations as possible using the predefined profile and protocol violation policies, and to use custom correlation policies only for operations that cannot be performed otherwise.
Note: SecureSphere does not support UTF-8 matching of wide (multi-byte) characters used in Asian languages in web responses. Response content in Asian languages can be matched by SecureSphere only if the application itself uses UTF-8. For responses that are not UTF-8 encoded, use HEX format (\x00).
The table Web Custom Policies Match Criteria presents the match criteria used in web custom policies.
EXAMPLE: Automated Vulnerability Scanning
The Automated Vulnerability Scanning policy is one of the predefined web custom policies; it detects and prevents scanning attempts. Understanding how this policy is built from web custom match criteria helps you understand how to define your own web custom policies.
If SecureSphere identifies, within the predefined period of time, more violations than the predefined number, it treats this as a scanning attempt.
To detect and prevent scanning attempts:
- In the Main workspace, select Policies > Security.
- In the Policies pane, click the create icon and select Web Service. The Create New Policy dialog box appears.
- Type the name of the new policy, from the Type drop-down box select Web Service Custom, and click Create.
- In the Match Criteria tab, click the green arrow next to Violations.
- Expand the Violations match criteria and select the violations on which you want to be alerted.
- To define a match over time, click the green arrow next to Occurrence.
- Expand the Occurrence match criteria and define the parameters listed in the Occurrence Parameters table below.
- Define the reaction settings, see Modifying Policies in the Security Window.
- Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For more information, see Activating Settings.
Occurrence Parameters
| Option | Description |
|---|---|
| Occurred more than | The number of violations allowed within the period; the policy matches once this number is exceeded. |
| Within | The period of time, in seconds, over which the violations are counted. |
| In a context of a single | The occurrences counted within the defined period must belong to the same session. Select Originating Session. |
EXAMPLE: Blocking Traffic from a Specific Geographic Location
Malicious attacks can come from anywhere, but concerted attacks, whether for profit or otherwise, are often launched from specific geographic locations. You can use the SecureSphere Source GeoLocation criterion to configure a custom security policy that blocks undesired traffic originating from a specific geographic location, based on country name. Geolocation is derived from the source IP address, so traffic arriving through a proxy, VPN or CDN is attributed to the location of that intermediary rather than of the end user.
Note: You must have an active ThreatRadar Reputation Services license to use the GeoLocation feature and configure the settings below.
To configure a policy based on geographic location:
- In the Main workspace, select Policies > Security.
- In the Policies pane, click the create icon and select Web Service. The Create New Policy dialog box appears.
- In the Name field, type the name of the new policy.
- Select From Scratch and from the Type drop-down select Web Service Custom.
- Click Create. The policy is created and appears under the Web Service Custom section in the Policies pane.
- To block all traffic from a specific geographic location (e.g. Syria):
  - From the Action drop-down, select Block.
  - From the Available Match Criteria list, click the green arrow next to Source GeoLocation.
  - Expand the Source GeoLocation match criteria and from the Operation drop-down select At least one.
  - In the Country pane, select the country you want to block traffic from (e.g. Syria) and move it to the Selected pane.
  - Repeat the previous step for every country you want to block traffic from.
  - Click Save. Any traffic that originates from the selected countries is blocked.
- To allow all traffic from a specific geographic location (e.g. USA) and from your private network, and block everything else:
  - From the Action drop-down, select Block.
  - From the Available Match Criteria list, click the green arrow next to Source GeoLocation and next to Source IP Addresses.
  - Expand the Source GeoLocation match criteria and from the Operation drop-down select Exclude all.
  - In the Country pane, select the country you want to allow traffic from (e.g. USA) and move it to the Selected pane.
  - Repeat the previous step for every country you want to allow traffic from.
  - Expand the Source IP Addresses match criteria and from the Operation drop-down select Exclude all.
  - In the IP Groups pane, select Internal IP Addresses and move it to the Selected pane.
  - Click Save. Because every match criterion must hold for the policy to fire, the Block action applies only to traffic that comes neither from the selected countries nor from your private network; traffic from the selected countries and from the private network is allowed. Private addresses cannot be geolocated, which is why the Source IP Addresses exclusion is needed in addition to the country list.
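The two geolocation policies above, evaluated in code. This is an added example and not Imperva code; it does not use the SecureSphere API. The GEOIP_TABLE and the contents of the Internal IP Addresses group are constructed stand-ins for the ThreatRadar geolocation database and your site's IP group, and the example assumes the semantics described above: every match criterion in a policy must hold for its action to apply, At least one matches when the looked-up value is in the Selected pane, and Exclude all matches when it is not.

```python
"""Added example, not Imperva code: evaluates the two Source GeoLocation
policies described above against constructed source addresses."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the ThreatRadar GeoIP database (prefix -> country).
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "United States",
    ip_network("198.51.100.0/24"): "Syria",
    ip_network("192.0.2.0/24"): "Germany",
}

# Assumed contents of the predefined "Internal IP Addresses" IP group.
IP_GROUPS = {
    "Internal IP Addresses": [
        ip_network("10.0.0.0/8"),
        ip_network("172.16.0.0/12"),
        ip_network("192.168.0.0/16"),
    ],
}


def country_of(ip: str) -> str:
    """Country name for an address, or 'Unknown' when it cannot be geolocated
    (private ranges never appear in a GeoIP database)."""
    addr = ip_address(ip)
    return next((c for net, c in GEOIP_TABLE.items() if addr in net), "Unknown")


def in_ip_groups(ip: str, groups) -> bool:
    """True when the address falls inside any of the named IP groups."""
    addr = ip_address(ip)
    return any(addr in net for g in groups for net in IP_GROUPS[g])


@dataclass
class Criterion:
    kind: str        # "Source GeoLocation" or "Source IP Addresses"
    operation: str   # "At least one" or "Exclude all"
    selected: list   # country names or IP group names in the Selected pane

    def matches(self, ip: str) -> bool:
        if self.kind == "Source GeoLocation":
            hit = country_of(ip) in self.selected
        else:
            hit = in_ip_groups(ip, self.selected)
        # At least one: the value is in the Selected pane; Exclude all: it is not.
        return hit if self.operation == "At least one" else not hit


@dataclass
class Policy:
    name: str
    action: str      # e.g. "Block"
    criteria: list

    def evaluate(self, ip: str) -> str:
        # Every match criterion must hold for the policy's action to apply.
        return self.action if all(c.matches(ip) for c in self.criteria) else "Allow"


# Policy 1: block all traffic from Syria.
block_syria = Policy("Block Syria", "Block", [
    Criterion("Source GeoLocation", "At least one", ["Syria"]),
])

# Policy 2: allow only the USA and the private network; block everything else.
allow_usa_and_internal = Policy("Allow USA and internal", "Block", [
    Criterion("Source GeoLocation", "Exclude all", ["United States"]),
    Criterion("Source IP Addresses", "Exclude all", ["Internal IP Addresses"]),
])

if __name__ == "__main__":
    for ip in ["198.51.100.7", "203.0.113.5", "192.0.2.9", "10.1.2.3", "8.8.8.8"]:
        print(f"{ip:14} {country_of(ip):14} "
              f"policy1={block_syria.evaluate(ip):5} "
              f"policy2={allow_usa_and_internal.evaluate(ip)}")
```

Note what the second policy does with an address the geolocation database cannot place (8.8.8.8 in this constructed table): it is neither in the selected country nor in the private group, so it is blocked. An allowlist built with Exclude all is fail-closed for unknown locations, which is the intended behaviour but is worth checking against your own traffic before deploying it with a Block action.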
EXAMPLE: Tuning the HTTP Protocol Validation policy
The custom policy mechanism can be used not only to define new policies but also to tune existing ones. For example, suppose you do not want to block traffic or raise an alert every time the Abnormally Long Request violation, which is part of the HTTP Protocol Validation policy, is detected. You still want alerts when the violation recurs within a single session, but only during working hours, and never for traffic arriving from the development team.
To define the custom policy:
- In the Main workspace, select Policies > Security. In the Policies pane, click the create icon and select Web Service. The Create New Policy dialog box appears.
- Type the name of the new policy, from the Type drop-down box select Web Service Custom, and click Create.
- In the Match Criteria tab, click the green arrow next to Violations.
- Expand the Violations match criteria and select Abnormally Long Request.
- To define a match over time, click the green arrow next to Occurrence.
- Expand the Occurrence match criteria and define the parameters in the Occurrence Parameters table below.
- Select Time of Day, expand it, and highlight the days and hours during which you want to receive alerts.
- Define the reaction settings, see Modifying Policies in the Security Window.
- To avoid applying this policy to the development team, select Source IP Addresses and set the parameters in the Source IP Address Parameters table below.
- Click Save. Settings are saved. If you are in delayed activation mode, you need to activate these settings. For more information, see Activating Settings.
Occurrence Parameters
| Option | Description |
|---|---|
| Occurred more than | The number of violations allowed within the predefined period; the policy matches once this number is exceeded. |
| Within | The period of time, in seconds, over which the violations are counted. |
| In a context of a single | The occurrences counted within the defined period must belong to the same session. Select Originating Session. |
Source IP Address Parameters
| Option | Description |
|---|---|
| Operation | Select Exclude all. |
| IP Groups | Select the predefined IP group that contains the IP addresses of the development team, see Configuring IP Groups. |
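The following is an added example, not Imperva code, that replays constructed SecureSphere-style violation records through the tuned policy defined above. It also serves the Automated Vulnerability Scanning example earlier on this page, since both rest on the same Occurrence logic: count matching violations per originating session inside a sliding window and fire once "Occurred more than" is exceeded "Within" the period. The threshold (5), window (60 s), working hours (Monday to Friday, 09:00 to 17:59), the development team's IP group (10.10.0.0/16) and the pipe-delimited record format are all assumptions of this example, as is the choice that only events satisfying every other criterion count toward the occurrence window.

```python
"""Added example, not Imperva code: replays constructed violation events
through the tuned policy described above (Violations + Occurrence in one
session + Time of Day + Source IP Addresses exclusion)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Policy parameters as configured in the example (threshold/window are assumed values).
TRACKED_VIOLATION = "Abnormally Long Request"
OCCURRED_MORE_THAN = 5          # "Occurred more than"
WITHIN_SECONDS = 60             # "Within"
WORK_DAYS = {0, 1, 2, 3, 4}     # Time of Day: Monday to Friday
WORK_HOURS = range(9, 18)       # 09:00 to 17:59
# Hypothetical IP group for the development team (Source IP Addresses: Exclude all).
DEV_TEAM_GROUP = [ip_network("10.10.0.0/16")]


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp|session|source_ip|violation' record."""
    ts, session, src, violation = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "session": session,
            "src": ip_address(src), "violation": violation}


def excluded_source(addr) -> bool:
    """Source IP Addresses, Operation = Exclude all: drop the dev team's addresses."""
    return any(addr in net for net in DEV_TEAM_GROUP)


def in_time_of_day(ts: datetime) -> bool:
    """Time of Day criterion: highlighted working days and hours only."""
    return ts.weekday() in WORK_DAYS and ts.hour in WORK_HOURS


class OccurrenceTracker:
    """Sliding window per originating session: fires once more than
    `threshold` matching events fall inside the last `window_seconds`."""

    def __init__(self, threshold: int, window_seconds: int):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.seen = defaultdict(deque)

    def record(self, session: str, ts: datetime) -> bool:
        q = self.seen[session]
        q.append(ts)
        while q and ts - q[0] > self.window:   # evict events older than the window
            q.popleft()
        return len(q) > self.threshold


def evaluate(lines) -> list:
    """Return (timestamp, session) for every event on which the policy fires."""
    tracker = OccurrenceTracker(OCCURRED_MORE_THAN, WITHIN_SECONDS)
    alerts = []
    for ev in map(parse_event, lines):
        # Match criteria are ANDed; only events passing every other criterion
        # count toward the occurrence window (assumption of this example).
        if ev["violation"] != TRACKED_VIOLATION:
            continue
        if excluded_source(ev["src"]):
            continue
        if not in_time_of_day(ev["ts"]):
            continue
        if tracker.record(ev["session"], ev["ts"]):
            alerts.append((ev["ts"].isoformat(), ev["session"]))
    return alerts


def burst(session, src, start, step_seconds, count, violation=TRACKED_VIOLATION):
    """Build `count` constructed log records for one session, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step_seconds)).isoformat()}"
            f"|{session}|{src}|{violation}" for i in range(count)]


# Constructed sample log (2025-04-14 is a Monday, 2025-04-13 a Sunday).
SAMPLE_LOG = (
    burst("S1", "203.0.113.5", "2025-04-14T10:00:00", 5, 7)     # 7 hits in 30 s: fires
    + burst("S2", "10.10.3.4", "2025-04-14T10:00:00", 5, 7)     # dev team: excluded
    + burst("S3", "198.51.100.9", "2025-04-13T10:00:00", 5, 7)  # Sunday: outside Time of Day
    + burst("S4", "192.0.2.7", "2025-04-14T11:00:00", 20, 7)    # spread over 120 s: never > 5 in 60 s
    + burst("S5", "192.0.2.8", "2025-04-14T11:00:00", 5, 7, "Illegal Method")  # other violation
)

if __name__ == "__main__":
    for ts, session in evaluate(SAMPLE_LOG):
        print(f"ALERT {ts} session={session}: more than {OCCURRED_MORE_THAN} "
              f"{TRACKED_VIOLATION} violations within {WITHIN_SECONDS} s")
```

Only session S1 produces alerts, on its sixth and seventh violation. S4 shows why the Within value matters: the same seven violations spread over two minutes never put more than four inside any 60-second window, so a slow scanner evades a threshold tuned for bursts unless the window is widened.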
The following table presents the predefined policies that can help you protect your web services against specific attacks and threats.
Predefined Web Service Custom Policies