# Security exception

# Concept

Security Exceptions are used in Workflows to manage the exception rules that handle false positives generated by the security engines.

A Security Exception is composed of rules. Each rule contains filters based on the attributes of security event logs; together they describe the conditions under which an event must not be considered an attack and has to be excepted.

```yaml
---
apiVersion: core/v1beta
kind: SecurityException
metadata:
  name: my-exceptions
spec:
  rules:
  - name: "Exception for ICX Engine: command injection in Var_GET 'a'"
    filters:
      - uri == "/webmail/message"
      - token.matchingParts.Contains(token.part == "Var_GET" && token.partKey == "a" && token.attackFamily == "Command Injection")
```

# Rules

Rules have a name and a list of filters. A filter describes a condition evaluated on a part of the request or on a token of the security event.

# Operators & functions

Basic operators: ==, !=, <, <=, >, >=, &&, ||, (, )

Match: to configure regexp-based filters, use the Match() function. The example below anchors the expression with ^ and $ so that it applies only to URIs that start with /math/.

```
uri.Match("^/math/.*$")
```

Contains: the matchingParts token is an array. To configure filters on the sub-tokens of matchingParts, use the Contains() function; the condition passed to it is evaluated against the elements of the array.

```
token.matchingParts.Contains(token.part == "Var_GET" && token.partKey == "content" && token.partValuePatternName == "Html Injection")
```
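To make the semantics of a rule concrete, here is an added example, not code from the original documentation or from the product: a small Python model that evaluates rules such as the my-exceptions rule from the Concept section and the Match()/Contains() filters of this section against constructed security events, plus the regression check a practitioner would run before deploying an exception. It assumes that the filters of a rule are ANDed, that a rule without filters never matches, that Match() is a regular-expression search on the value, and that Contains() is true when at least one element of token.matchingParts satisfies its condition. The event layout, the helper names (rule_matches, excepted_by, check_rule, make_event) and every sample event are assumptions made for this example.

```python
"""Added example, not code from the documentation or the product: a Python
model of SecurityException rule evaluation plus a regression check.

Assumptions not stated on the page: filters of a rule are ANDed; a rule with
no filters never matches; Match() is a regexp search; Contains() is true when
any element of token.matchingParts satisfies the predicate; each element
exposes part, partKey, attackFamily and partValuePatternName. Events below
are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

MatchingPart = Dict[str, str]      # one element of token.matchingParts
Event = Dict[str, object]          # request attributes + engine token
Filter = Callable[[Event], bool]   # one filter line of a rule


@dataclass
class Rule:
    name: str
    filters: List[Filter] = field(default_factory=list)


def match(value: str, pattern: str) -> bool:
    """uri.Match("^/math/.*$"): regexp search, so anchor patterns yourself."""
    return re.search(pattern, value) is not None


def contains(parts: List[MatchingPart], pred: Callable[[MatchingPart], bool]) -> bool:
    """token.matchingParts.Contains(...): true if any element satisfies pred."""
    return any(pred(p) for p in parts)


def rule_matches(rule: Rule, event: Event) -> bool:
    # Assumption: every filter of the rule must hold (logical AND).
    return bool(rule.filters) and all(f(event) for f in rule.filters)


def excepted_by(rules: List[Rule], event: Event) -> List[str]:
    """Names of the rules that except this event (treat it as a false positive)."""
    return [r.name for r in rules if rule_matches(r, event)]


def make_event(uri: str, part: str, key: str, family: str, pattern_name: str = "") -> Event:
    """Constructed sample event; real events carry many more tokens."""
    return {"uri": uri,
            "token": {"attackFamily": family,
                      "matchingParts": [{"part": part, "partKey": key,
                                         "attackFamily": family,
                                         "partValuePatternName": pattern_name}]}}


def check_rule(rule: Rule, must_match: List[Event], must_not_match: List[Event]) -> List[str]:
    """Regression check before deploying an exception: returns the list of
    problems found (empty means the rule excepts exactly what it should)."""
    problems = []
    for e in must_match:
        if not rule_matches(rule, e):
            problems.append(f"{rule.name!r} misses expected false positive {e['uri']}")
    for e in must_not_match:
        if rule_matches(rule, e):
            problems.append(f"{rule.name!r} is too broad: also excepts {e['uri']}")
    return problems


# The page's example rule, translated filter by filter
WEBMAIL_RULE = Rule(
    name="Exception for ICX Engine: command injection in Var_GET 'a'",
    filters=[
        lambda e: e["uri"] == "/webmail/message",
        lambda e: contains(e["token"]["matchingParts"],
                           lambda p: p["part"] == "Var_GET" and p["partKey"] == "a"
                           and p["attackFamily"] == "Command Injection"),
    ],
)

# A regexp-based rule with the anchored pattern from the page ...
MATH_RULE = Rule(
    name="Html Injection in Var_GET 'content' under /math/",
    filters=[
        lambda e: match(e["uri"], r"^/math/.*$"),
        lambda e: contains(e["token"]["matchingParts"],
                           lambda p: p["part"] == "Var_GET" and p["partKey"] == "content"
                           and p["partValuePatternName"] == "Html Injection"),
    ],
)
# ... and the same rule with an unanchored pattern, a common way to over-except
MATH_RULE_BROAD = Rule(
    name='same, but uri.Match("/math/") without anchors',
    filters=[lambda e: match(e["uri"], r"/math/"), MATH_RULE.filters[1]],
)

HTML_CONTENT = ("Var_GET", "content", "Html Injection", "Html Injection")
MATH_OK = [make_event("/math/plot", *HTML_CONTENT)]                     # the false positive
MATH_BAD = [make_event("/admin/math/", *HTML_CONTENT),                  # other path
            make_event("/math/plot", "Var_GET", "title", "Html Injection", "Html Injection")]  # other key

if __name__ == "__main__":
    print(excepted_by([WEBMAIL_RULE, MATH_RULE],
                      make_event("/webmail/message", "Var_GET", "a", "Command Injection")))
    print(check_rule(MATH_RULE, MATH_OK, MATH_BAD))
    print(check_rule(MATH_RULE_BROAD, MATH_OK, MATH_BAD))
```

The point of check_rule is the second MATH rule: an unanchored uri.Match("/math/") also excepts events on /admin/math/, so an exception should always be tested against events it must not cover, not only against the false positive that motivated it. Under the ANDed-filters assumption, changing partKey from 'a' to 'b' or adding a path segment to the exact uri comparison is enough for the webmail rule to stop applying, which is the intended narrowness of an exception.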

# Workflow Context

  • SrcIP: The source IP of the request
  • DstIP: The destination IP of the request
  • DstPort: The destination port of the request
  • Method: The HTTP method of the request
  • Protocol: The protocol of the request
  • Hostname: The hostname requested
  • Path: The path/URI of the request
  • Query: The query string of the request
  • Header: A header of the request
  • Cookie: A cookie of the request
  • Var_GET: A GET variable (extracted from the query string of the request)
  • Var_POST: A POST variable (extracted from the body of the request)
  • Var_XML: An XML variable (extracted from the body of the request)
  • Var_TOKEN: A token from a security event (filtered by security exceptions)
  • URI: Part built and used by the Blacklist and Scoringlist engines

# Tokens

Tokens represent information about a security event. They are used to describe the precise threat detected by security engines.

Here is a list of the most important ones:

  • engineUid: Uid of the engine
  • engineName: Name of the engine
  • attackFamily: Attack family of the event
  • part: The request part where the event has been detected
  • partKey: The key of the part where the event has been detected (cookie or header name, variable name, etc.)
  • partValue: The value of the part where the event has been detected (cookie or header value, variable value, etc.)
  • reason: Reason why the event has been triggered
  • matchingParts: List of the parts matched by a rule, with their matching conditions
  • partKeyMatch: The string matched in the key of the part
  • partKeyOperator: The operator used to match the key of the part
  • partKeyPattern: The pattern used to match the key of the part
  • partKeyPatternName: The name of the pattern used to match the key of the part
  • partValueMatch: The string matched in the value of the part
  • partValueOperator: The operator used to match the value of the part
  • partValuePattern: The pattern used to match the value of the part
  • partValuePatternName: The name of the pattern used to match the value of the part

Last Updated: 12/23/2021, 4:39:01 PM