Snapt provides a default ruleset which can be used as is and does not need any modification to function correctly. We advise against changing any setting unless you are an advanced user, because changes can compromise your system's security and allow exploits. That said, we have tried to make it as simple as possible to get you started with the web application firewall module.
By following the steps set out below, you can improve your system's security and prevent common attacks against your applications.
Here are some terms you need to understand.
- Ruleset – Global rules used across all your Accelerator front-ends;
- Rules – Rules in the rule set;
- Triggers – Triggers are counters which accumulate a score when a rule has been triggered by a user – these determine how long before a user gets blocked;
- Exceptions – Exceptions are used to define specific criteria when a rule should not be triggered (usually when there is a key word being used that should not be triggered);
- Weights – Weights are the scores set to each trigger.
Creating a Ruleset
Rulesets should only be created if there are rules you want to modify, add or remove. To make this safe, you can clone the default ruleset so that the current level of protection is preserved. Once you have created the ruleset, you can then edit it to make changes.
Rulesets are global configurations so only one can be enabled at a time. Simply click on “Enable” to set the ruleset you want to activate. Edit will allow you to modify the rules within that ruleset.
From here you can edit or delete a core rule. If you delete a default rule, you can add it back from the list at the bottom of the page. This was added to help reset default rules to their original state, or to add back rules that were removed by accident.
Here you can define the matching criteria, what message should be displayed, in which areas the check should be done, and what this rule will contribute to the total block score.
New rules can be created by navigating to WAF -> WAF Management -> Rule Definitions, from the menu option.
Using Trigger sets on your Front-end Servers
Triggers define when a user should be blocked by setting the maximum score a user may reach before being blocked. Each rule hit adds its weight to the total score for a specific trigger, and when that trigger reaches its maximum score, it will block the user's request.
You can create different types of triggers to be used for different front-ends. This is especially useful if you have a front-end being blocked because of a certain behaviour being seen as malicious. Simply disable the trigger and link it to your front-end.
If you have a specific keyword being used that is being blocked by a rule, you can create an exception to ignore it. This is referred to as whitelisting.
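As an added illustration of the scoring model described above (this is not Snapt's own code; the rule names, weights, block score and the whitelisted keyword are constructed), the following simulates rules with weights, a trigger with a maximum score, and an exception that stops a rule from firing:

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    pattern: str        # regex matched against each checked request area
    weight: int         # score added to the trigger when the rule fires
    areas: tuple        # request areas to inspect, e.g. ("uri", "body")
    exceptions: tuple = ()  # whitelisted keywords that stop the rule firing

class TriggerScorer:
    """Accumulates per-client rule weights and blocks at max_score."""
    def __init__(self, rules, max_score):
        self.rules = rules
        self.max_score = max_score
        self.scores = {}  # client id -> accumulated score

    def evaluate(self, client, request):
        """request maps area name -> content. Returns (blocked, rule names hit)."""
        hits = []
        for rule in self.rules:
            for area in rule.areas:
                value = request.get(area, "")
                # Exception: a whitelisted keyword means this rule is skipped
                if any(kw in value for kw in rule.exceptions):
                    continue
                if re.search(rule.pattern, value, re.IGNORECASE):
                    hits.append(rule.name)
                    self.scores[client] = self.scores.get(client, 0) + rule.weight
                    break  # a rule counts once per request
        return self.scores.get(client, 0) >= self.max_score, hits

# Constructed sample ruleset (hypothetical rules, not Snapt's defaults)
RULES = [
    Rule("sqli-union", r"union\s+select", 5, ("uri", "body"), ("credit union",)),
    Rule("path-traversal", r"\.\./", 3, ("uri",)),
]

def run_demo(max_score=8):
    waf = TriggerScorer(RULES, max_score)
    results = []
    # Client A: two suspicious requests whose weights together reach the block score
    results.append(waf.evaluate("10.0.0.1", {"uri": "/search?q=1 union select 1"}))
    results.append(waf.evaluate("10.0.0.1", {"uri": "/static/../../etc/passwd"}))
    # Client B: a legitimate phrase covered by the exception, so nothing is scored
    results.append(waf.evaluate("10.0.0.2", {"body": "credit union select branch"}))
    return results, waf.scores
```

The first request from client A scores 5 (below the block score of 8), the second adds 3 and triggers the block, while client B's request is whitelisted and accumulates no score.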
Linking a trigger to a front-end
From your front-end settings you will now see your trigger available for selection. Selecting it applies the rules of the enabled ruleset to your front-end, using the trigger to determine when a user should be blocked.