Deception Rules
Deception provides an alternative approach for security that can deliver a useful additional layer of protection.
Deception strategies are implemented as deception rules. A deception rule generates deception data and injects it into HTTP traffic automatically.
The goal of deception is to mislead attackers into taking actions that cause the requests coming from them to be blocked.
The attacker should believe that the fake parameters are genuine and belong to the real application, and should try to modify them in a malicious way.
The rule does the following:
Intercept HTTP responses of the original application and inject fake parameters before delivering the response to the client. The fake parameters are given attractive names and values.
For GET requests, the parameters will be added to existing <a href> link values.
For POST requests, the parameters will be added as hidden input type parameters of existing forms.
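The injection and the later tamper check described above can be sketched as follows. This is an added illustration, not the product's own code; the decoy field `is_admin`, its value and all function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical decoy field (name, value); not taken from the product.
DECOY = ("is_admin", "false")

def add_decoy_to_link(href):
    """GET case: append the decoy to the query string of a same-site link."""
    parts = urlsplit(html.unescape(href))
    # Leave external, mailto:/javascript: and pure "#fragment" links untouched.
    if parts.scheme or parts.netloc or not (parts.path or parts.query):
        return href
    sep = "&" if parts.query else ""
    query = parts.query + sep + urlencode([DECOY])
    return html.escape(urlunsplit(parts._replace(query=query)), quote=True)

def inject_decoys(body):
    """Rewrite an HTML response body before it is delivered to the client."""
    # Only double-quoted href attributes are handled in this sketch.
    body = re.sub(r'(<a\b[^>]*?\bhref=")([^"]*)(")',
                  lambda m: m.group(1) + add_decoy_to_link(m.group(2)) + m.group(3),
                  body, flags=re.I)
    hidden = '<input type="hidden" name="%s" value="%s">' % DECOY
    # POST case: every existing form gets the decoy as a hidden input.
    return re.sub(r'(</form\s*>)', lambda m: hidden + m.group(1), body, flags=re.I)

def decoy_tampered(encoded_params):
    """True when a query string or form body carries the decoy with a changed value."""
    values = parse_qs(encoded_params, keep_blank_values=True).get(DECOY[0], [])
    return any(v != DECOY[1] for v in values)

# Constructed sample response body.
SAMPLE = ('<a href="/orders?id=7&amp;page=2">Orders</a>'
          '<a href="https://example.org/">Ext</a>'
          '<form method="post" action="/profile"><input name="email"></form>')

if __name__ == "__main__":
    print(inject_decoys(SAMPLE))
    print(decoy_tampered("id=7&is_admin=true"))
```

A legitimate client sends the decoy back unchanged, so only a request with an altered value triggers the rule action.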
Go to WAF > Listener > Security Profiles > Rules > Deception Rules.
Click on Add Rule and set the relevant parameters described in the table below.
Click on Save Changes.
| PARAMETERS | ACCEPTED VALUES | Default Value |
| --- | --- | --- |
| Rule Name | String | Name, e.g. Example Rule |
| Rule Message | String | Brief Description, e.g. This Rule is used for Allowing Example API |
| Rule Priority | Integer | Priority value |
| Match URI | URI | Blank |
| Method | Drop-down | HTTP method |
| Rule Action | Drop-down | RECORD |
| Decoy URI | URI | Blank |
| Decoy Method | Drop-down | GET |
| Fields | String | Blank |
Users can specify a rule name to identify the rule being created. The rule name accepts alphanumeric input.
Users can specify a rule message containing a detailed description to identify the rule being created.
Users can specify the URI that the rule matches in order to invoke the action.
The action to perform when the rule condition is satisfied. The valid values for action are:
DROP AND RECORD REQUEST: If the rule matches, drop and record the request.
RECORD REQUEST: If the rule matches, put the request in record mode.
TEMPORARY BLACKLIST SRC IP: If the rule matches, temporarily blacklist the user IP. This only works if a temporary blacklist duration has already been set; otherwise it is not considered.
TARPIT SRC IP: If the rule matches, the source IP is tarpitted for the specified time.
Decoy URI
Users can specify the smoke URI for the rule. The smoke URI is the one that attackers could use to attack.
Users can specify the HTTP methods for the rule to be created.
Users can specify the fields for which the rule will be applicable.