Action Policy

An action policy is the collection of settings that decides what action is taken when a violation occurs. It consists of a set of attack groups, each with its associated attack actions. An attack action specifies the action to be taken for a particular type of web attack.

To Retrieve Attack Groups

URL:  /v1/security_policies/{policy_id}/attack_groups
      /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}

Method: GET

Description: Lists all attack groups if attack_group_id is not specified.

Input Parameters:

Parameter Name | Data Type | Mandatory | Description
parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2.

Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"object":"ActionPolicy","fields":null,"policy_id":"new_policy","data":[{"name":"domain-not-found-in-profile","response_page":"default","numeric_id":"130","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"domain-not-found-in-profile"},{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjEzODAxNTczOTAiLCJwYXNzd29yZCI6Ijk5ZGNjMDRiZmQ5YTUwMTkxYTVlMTZkMWFi\nMjI2MjZjIiwidXNlciI6ImFkbWluIn0=\n","offset":null}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations  -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,deny_response

 

Response:

{"object":"ActionPolicy","fields":["follow_up_action","deny_response"],"policy_id":"new_policy","data":[{"attack_group":"application-profile-violations","follow_up_action":"none","deny_response":"send_response","id":"domain-not-found-in-profile"},{"attack_group":"application-profile-violations","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match"}],"limit":null,"token":"eyJldCI6IjE1MDQ0MDk4NTUiLCJwYXNzd29yZCI6IjNkZjhkYzE5MDhlYWQxOGIxN2UzYWY2OWMx\nNGEwOGIxIiwidXNlciI6ImFkbWluIn0=\n","offset":null}

To Retrieve Attack Actions

URL:  /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions
      /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id}

Method: GET

Description: Lists all attack actions for the given attack group if action_id is not specified.

Input Parameters:

Parameter Name | Data Type | Mandatory | Description
parameters | Alphanumeric | Optional | Any specific parameter name that needs to be retrieved. See Example 2.

Example 1:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X GET

 

Response:

{"name":"no-url-profile-match","response_page":"default","numeric_id":"131","attack_action_deny_response":"send_response","follow_up_action_time":"60","attack_group":"application-profile-violations","follow_up_action":null,"redirect_url":"","action":"protect_and_log","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc0NjYiLCJwYXNzd29yZCI6Ijk5ODViNjk0ZjIxYjU4MGEyMmY2OWRmMzUz\nNjA2MzA0IiwidXNlciI6ImFkbWluIn0=\n"}

Example 2:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match  -u 'eyJldCI6IjE1MDE5MDUxMzkiLCJwYXNzd29yZCI6IjUwN2I1ZDRhMTc3Mzc4Zjc5NGY2ZmM3NTNh\nYTczM2IxIiwidXNlciI6ImFkbWluIn0=\n:' -X GET -G -d parameters=follow_up_action,redirect_url,deny_response,action

 

Response:

{"attack_group":"application-profile-violations","action":"protect_and_log","redirect_url":"/abc.html","follow_up_action":"block_client_ip","deny_response":"temporary_redirect","id":"no-url-profile-match","token":"eyJldCI6IjE1MDQzMTYyOTQiLCJwYXNzd29yZCI6IjkwNDNjODQ1MjJjZDlhMzY0MDBhNjJhY2E0\nOWU2MDU2IiwidXNlciI6ImFkbWluIn0=\n"}

To Update an Action Policy

URL:  /v1/security_policies/{policy_id}/attack_groups/{attack_group_id}/actions/{action_id}

Method: PUT

Description: Updates the values of the given parameters in the given action policy.

Input Parameters:

Parameter Name | Data Type | Mandatory | Description

action | Enumeration | Optional | The action to be taken for an invalid request. The enumerated values include:
  • none
  • protect_and_log
  • allow_and_log
  • protect_with_no_log

deny_response | Enumeration | Optional | The response to be sent to the client if the request is denied. The enumerated values include:
  • close_connection
  • send_response
  • temporary_redirect
  • permanent_redirect

redirect_url | Alphanumeric | Optional | The URL to be used to redirect the request.
  Note: Required ONLY when deny_response is set to temporary_redirect or permanent_redirect.

response_page | Enumeration | Optional | The response page to be sent to the client. The enumerated values include the predefined response pages and any custom response pages that have been defined:
  • default
  • default-virus
  • default-error-resp
  • default-captcha-tries-error-page
  • default-captcha-sessions-error-page
  • default-suspected-activity-error-page
  • default-captcha-response-page
  Note: Required ONLY when deny_response is set to send_response.

follow_up_action | Enumeration | Optional | The follow-up action to be taken if the request is denied. The enumerated values include:
  • none
  • block_client_ip
  • challenge_with_captcha

follow_up_action_time | Numeric | Optional | The time in seconds to block the client IP.
  Note: Required ONLY when follow_up_action is set to block_client_ip.

Example:

Request:

curl http://192.168.0.1:8000/restapi/v1/security_policies/new_policy/attack_groups/application-profile-violations/actions/no-url-profile-match -u 'eyJldCI6IjEzODAxNTYzNzQiLCJwYXNzd29yZCI6IjU1ZTkxMDA5NDAzMGVlOTY1N2QzMTI4NDQw\nNWZmMDkyIiwidXNlciI6ImFkbWluIn0=\n:' -X PUT -H Content-Type:application/json -d '{"action":"allow_and_log"}'

 

Response:

{"msg":"Configuration Updated","id":"no-url-profile-match","token":"eyJldCI6IjEzODAxNTc1NTAiLCJwYXNzd29yZCI6IjZkM2IxNGU0ZjhhNGY2MWI1MGNlYjBmNmYz\nM2Q5OWQ1IiwidXNlciI6ImFkbWluIn0=\n"}
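The notes in the parameter table make redirect_url, response_page and follow_up_action_time conditionally required, and the appliance only reports "Configuration Updated" after the fact. The following added example (not code from this API's documentation or its vendor) checks a PUT body against those rules and the enumerations above before sending it; the appliance base URL, the token and the way the request is sent are assumptions, and the auth header reproduces what curl -u 'TOKEN:' sends.

```python
import base64
import json
import urllib.request

# Enumerations exactly as listed in the parameter table on this page.
ACTIONS = {"none", "protect_and_log", "allow_and_log", "protect_with_no_log"}
DENY_RESPONSES = {"close_connection", "send_response", "temporary_redirect", "permanent_redirect"}
FOLLOW_UP_ACTIONS = {"none", "block_client_ip", "challenge_with_captcha"}


def validate_update(body):
    """Return a list of problems with a PUT body; an empty list means it is consistent."""
    errors = []
    for key, allowed in (("action", ACTIONS), ("deny_response", DENY_RESPONSES),
                         ("follow_up_action", FOLLOW_UP_ACTIONS)):
        if key in body and body[key] not in allowed:
            errors.append(f"{key}: {body[key]!r} is not one of {sorted(allowed)}")
    deny = body.get("deny_response")
    # redirect_url is required only when deny_response is a redirect
    if deny in ("temporary_redirect", "permanent_redirect") and not body.get("redirect_url"):
        errors.append("redirect_url is required when deny_response is a redirect")
    # response_page is required only when deny_response is send_response
    if deny == "send_response" and not body.get("response_page"):
        errors.append("response_page is required when deny_response is send_response")
    # follow_up_action_time (seconds) is required only when the client IP is blocked
    if body.get("follow_up_action") == "block_client_ip":
        secs = str(body.get("follow_up_action_time", ""))
        if not (secs.isdigit() and int(secs) > 0):
            errors.append("follow_up_action_time must be a positive number of seconds when blocking the client IP")
    return errors


def action_url(base, policy_id, attack_group_id, action_id):
    """Build the attack-action URL documented above; base is the appliance address (assumed)."""
    return (f"{base}/restapi/v1/security_policies/{policy_id}"
            f"/attack_groups/{attack_group_id}/actions/{action_id}")


def update_action(base, token, policy_id, attack_group_id, action_id, body):
    """Validate the body, then PUT it with the HTTP Basic auth curl -u 'TOKEN:' sends (token as user name, empty password)."""
    problems = validate_update(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(action_url(base, policy_id, attack_group_id, action_id),
                                 data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # e.g. {"msg": "Configuration Updated", "id": ..., "token": ...}
```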

The table below lists the attack ID names to be used in the REST API commands, grouped by attack group:

Attack group: protocol-violations

Attack name displayed in the web interface | Attack ID to be used in REST API
Directory Traversal Beyond Root | directory-traversal-beyond-root
GET Request with Content Length | get-request-with-content-length-header
Invalid Header | invalid-header
Invalid Method | invalid-method
Invalid or Malformed HTTP Request | invalid-or-malformed-http-request
Malformed Content Length | malformed-content-length
Malformed Cookie | malformed-cookie
Malformed Header | malformed-header
Malformed Parameter | malformed-parameter
Malformed Request Line | malformed-end-of-request-line
Malformed Version | malformed-version
Missing Host Header | http-1.1-request-without-host
Multiple Content Length | multiple-content-length-headers
POST without Content Length | post-request-without-content-length
Parameter Too Large | large-parameter-in-post-data
Pre-1.0 Request | pre-1.0-request

Attack group: request-policy-violations

Attack name displayed in the web interface | Attack ID to be used in REST API
Cookie Count Exceeded | cookie-count-exceeded
Cookie Expired | cookie-expired
Cookie Length Exceeded | cookie-length-exceeded
Cookie Name Length Exceeded | cookie-name-length-exceeded
Cookie Tampered | cookie-tampered
Header Count Exceeded | header-count-exceeded
Header Name Length Exceeded | header-name-length-exceeded
Header Value Length Exceeded | header-value-length-exceeded
Invalid URL Encoding | invalid-url-encoding
Mismatched Header Cookie Replay Attack | mismatched-header-cookie-replay-attack
Mismatched IP Cookie Replay Attack | mismatched-ip-cookie-replay-attack
Query Length Exceeded | url-query-length-exceeded
Request Length Exceeded | total-request-length-exceeded
Session timed out | keepalive-timeout-exceeded
Slash-dot in URL Path | slash-dot-in-url-path
Tilde in URL Path | tilde-in-url-path
Too Many Sessions for IP | too-many-sessions-for-ip
Total Request Line Length Exceeded | total-request-line-length-exceeded
URL Length Exceeded | url-length-exceeded
Unrecognized Cookie | unrecognized-cookie

Attack group: header-violations

Attack name displayed in the web interface | Attack ID to be used in REST API
Apache Struts Attack in Header | apache-struts-attacks-medium-in-header
Cross-Site Scripting in Header | cross-site-scripting-in-header
Custom Attack Pattern in Header | custom-attack-pattern-in-header
Directory Traversal in Header | directory-traversal-in-header
HTTP Specific Attack in Header | http-specific-attacks-medium-in-header
LDAP Injection in Header | ldap-injection-medium-in-header
Metacharacter Matched in Header | metacharacter-matched-in-header
OS Command Injection in Header | os-command-injection-in-header
Python PHP Attack in Header | python-php-attacks-medium-in-header
Remote File Inclusion in Header | remote-file-inclusion-pattern-in-header
SQL Injection in Header | sql-injection-in-header

Attack group: application-profile-violations

Attack name displayed in the web interface | Attack ID to be used in REST API
No Domain Match in Profile | domain-not-found-in-profile
No URL Profile Match | no-url-profile-match

Attack group: url-profile-violations

Attack name displayed in the web interface | Attack ID to be used in REST API
Apache Struts Attack in URL | apache-struts-attacks-medium-in-url
Content Length Exceeded | content-length-exceeded
Cross-Site Scripting in URL | cross-site-scripting-pattern-in-url
Custom Attack Pattern in URL | custom-attack-pattern-in-url
HTTP Specific Attack in URL | http-specific-attacks-medium-in-url
LDAP Injection in URL | ldap-injection-medium-in-url
Method Not Allowed | forbidden-method
No Param Profile Match | no-param-profile-match
OS Command Injection in URL | os-command-injection-pattern-in-url
Parameter Name Length Exceeded | parameter-name-length-exceeded
Python PHP Attack in URL | python-php-attacks-medium-in-url
Query String not Allowed | query-string-not-allowed
Remote File Inclusion in URL | remote-file-inclusion-pattern-in-url
SQL Injection in URL | sql-injection-pattern-in-url
Session not Found | session-not-found
Too Many Parameters | too-many-parameters
Too Many Uploaded Files | too-many-uploaded-files
Unknown Content Type | unknown-content-type-in-post-body

Attack group: param-profile-violations

Attack name displayed in the web interface | Attack ID to be used in REST API
Apache Struts Attack in Parameter | apache-struts-attacks-medium-in-param
Cross-Site Request Forgery | cross-site-request-forgery-attack-detected
Cross-Site Scripting in Parameter | cross-site-scripting-pattern-in-parameter
Custom Attack Pattern in Parameter | custom-attack-pattern-in-parameter
Directory Traversal in Parameter | directory-traversal-pattern-in-parameter
File Upload Size Exceeded | file-upload-size-exceeded
Forbidden File Extension | forbidden-file-extension
Forbidden File Mime Type | forbidden-file-mime-type
HTTP Specific Attack in Parameter | http-specific-attacks-medium-in-param
LDAP Injection in Parameter | ldap-injection-medium-in-param
Mandatory Parameter Missing | mandatory-parameter-missing
Maximum Instances of Parameter Exceeded | max-instances-of-parameter-exceeded
Metacharacter in Parameter | metacharacter-in-parameter
OS Command Injection in Parameter | os-command-injection-pattern-in-parameter
Parameter Input Validation Failed | parameter-input-validation-failed