
Creating custom rules for detection

Published a year ago

# SafeLine WAF



ernesto

Updated a year ago

0

Hi, is it possible to create custom rules for detection and alerting? Currently I only see Allow/Deny Rules.

Thanks,
Brr Brr Patapim
immagine_2.png


Carrie

Updated a year ago

0

In Rate Limiting, you can set up block or challenge rules when it triggers the limit you customize.

In BOT PROTECT & Auth for each app, you can also set specific rules to trigger anti-bot challenge or Authentication.

Are there any other detection rules you want to configure?

Notification/Alerting rules can be configured here (like the image below)
image.png


ernesto

Updated a year ago

0

Good morning, thank you for your comprehensive answer.
I wanted to know how to create custom detection rules that do not break the connection but trigger an alert, so that the WAF operates in “passthrough” mode.

Thanks.


Carrie

Updated a year ago

First, if you want to log but allow all attack requests for a specific application, you can switch the detection mode from “Defense” to “Audited”.

Audited mode means the attack will be logged but not blocked. And an alert will be pushed to you as long as you have enabled attack notification.
image.png
image.png


Carrie

Updated a year ago

0

Second, if you want to allow but still log attack requests when certain conditions are met, there is an option in the allow rule settings:
“Continue to detect and log attack requests even when whitelisting.”

If you check this option, the system will still log and alert on attacks, even though the requests are allowed through.

If I misunderstood your use case, please give a specific example to clarify.
image.png


ernesto

Updated a year ago

0

Thank you for the timely responses.
I am currently testing SafeLine and wanted to ask if there were specific rules for brute-force attack detection and if it was possible to put a filter on events by response code type.

I hope I was clear, in case I remain available for further information.
Thank you.


Carrie

Updated a year ago

The status code for blocked events in SafeLine is always 403.

For brute-force attacks, you can set up some rules, e.g. rate limiting based on response status codes; a deny rule when the user-agent matches "curl/" or "python-requests/" and path = /login; an anti-bot challenge, etc.

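As an added illustration of the alert-only ("Audited") brute-force detection discussed in this thread, the following script is not SafeLine code or configuration; it applies a sliding-window rule (failed POSTs to /login, counted per client IP, with scripted User-Agents flagged) to constructed sample log lines, and the log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real SafeLine output); fields are
# timestamp, client IP, method, path, status code and User-Agent.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 POST /login 401 "python-requests/2.31"
2024-05-01T10:00:01 203.0.113.7 POST /login 401 "python-requests/2.31"
2024-05-01T10:00:02 203.0.113.7 POST /login 401 "python-requests/2.31"
2024-05-01T10:00:03 203.0.113.7 POST /login 401 "python-requests/2.31"
2024-05-01T10:00:04 203.0.113.7 POST /login 401 "python-requests/2.31"
2024-05-01T10:00:05 203.0.113.7 POST /login 401 "python-requests/2.31"
2024-05-01T10:00:10 198.51.100.4 POST /login 401 "Mozilla/5.0"
2024-05-01T10:03:00 198.51.100.4 POST /login 200 "Mozilla/5.0"
2024-05-01T10:05:00 192.0.2.9 GET /index.html 200 "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
SUSPECT_AGENTS = ("curl/", "python-requests/")  # scripted clients named in the thread

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status, ua = m.groups()
            yield datetime.fromisoformat(ts), ip, method, path, int(status), ua

def audit_login_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts (not blocks) for IPs reaching `threshold` failed
    (401/403) POSTs to /login inside `window`; the alert notes whether the
    User-Agent looks like a scripted client. No request is ever dropped."""
    failures = defaultdict(list)
    alerts = []
    for ts, ip, method, path, status, ua in parse(log_text):
        if method != "POST" or path != "/login" or status not in (401, 403):
            continue
        # Sliding window: keep only failures within `window` of this one.
        failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(failures[ip]) == threshold:  # fire once when the threshold is hit
            scripted = any(ua.startswith(p) for p in SUSPECT_AGENTS)
            alerts.append({"ip": ip, "count": threshold, "at": ts.isoformat(),
                           "scripted_client": scripted})
    return alerts

if __name__ == "__main__":
    for a in audit_login_bruteforce(SAMPLE_LOG):
        print("ALERT (audit only, request allowed):", a)
```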