Links

Intrusion Prevention System (IPS)

In addition to the Contextual Machine-Learning based engine, open-appsec provides traditional signature-based protections for over 2800 web-based CVEs (Common Vulnerabilities and Exposures). One specific benefit of these signatures is the ability to see logs that indicate a specific CVE number.

How to change Intrusion Prevention settings

When defining a new Web Application or a new Web API asset to protect, IPS was already defined to enforce its security as part of step 3 of the wizard. However - a security administrator may choose to fine tune the default behavior of the IPS engine.

Step 1: Browse to Assets and edit the Web API or Web Application asset

Once the asset edit window opens, select the Threat Prevention tab and scroll to the Intrusion Prevention sub-practice.

Step 2: Edit the settings of the Intrusion Prevention sub-practice

The settings allow:
  • Changing which protections will be active according to their:
    • Performance Impact
    • Severity
    • Year of the CVE they protect against
  • Changing the exact behavior upon detection of signature according to its confidence level (Prevent/Detect/Inactive)
When making the first change to the default Web Application/API Best Practice's configuration such as making changes to the default configuration of the IPS engine settings, you will be prompted to change the name of the Practice to your own custom practice name

Step 4: Make sure the Mode of the Intrusion Prevention sub-practice is as desired

Setting the Mode to As Top Level means inheriting the primary mode of the practice.
Otherwise you can override it only for this specific sub-practice to Detect/Prevent/Disable.

Step 5: Enforce Policy

Click Enforce above the top banner of the open-appsec portal.