Setup Custom Rules and Exceptions
The most common use case for configuring an exception is a security log in which, as a security administrator, you decide that traffic matching one of the logged fields (for example, the URI field) should no longer be detected or blocked by the open-appsec engine.
A common adjustment is to generalize the exception to all sources by deleting the "Source Identifier" condition, or to change the action from "Skip" (relevant only for the "Matched Parameter" field) to "Accept". Note that every condition you remove widens the exception, so check that the remaining conditions still describe only the traffic you intend to exempt.
An exception configured this way applies to the combination of the specific open-appsec security practice that caught the original event and the Asset relevant for the same traffic.
For further information on how to configure exceptions from asset view and the full options an exception can provide, please read further.
- Accept - Traffic matching the exception's conditions will be accepted.
- Drop - Traffic matching the exception's conditions will be blocked.
- Skip - Relevant only for specific keys such as "Parameter Name", "Parameter Value" and "Indicator". Excludes the value of the matching parameter from inspection by the AppSec engines. The rest of the request is still inspected for malicious behavior.
- Suppress Log - Traffic matching the exception's condition will not activate their Log Trigger object/s upon event.
Several keys can be set in exception rules; each key may be relevant to a different security practice or sub-practice.
The following applies only to keys whose value, according to the table, is a regular expression.
When an exception key expects a regular expression (regex) value, write it in PCRE 2.0 syntax. The value is evaluated as a partial (substring) search unless you anchor it with the '^' and/or '$' operators, so an unanchored value such as /api/health also matches /api/health-check; anchor values whenever the exception should cover an exact path or parameter name.
Complex logical expressions can be built by combining conditions with "AND" and "OR".
In addition, the following operators are available for each individual condition:
- Not Equals
- Key Exists
Clicking the three dotted lines shows the logical operators available for combining multiple conditions:
Clicking the ':' between a key and its value shows the additional value-based operators for a single condition:
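To make the regex and operator behavior described above concrete, here is an added Python model of how exception conditions are evaluated. It is example code written for this page, not open-appsec's engine or its policy format: the condition operator names ("equals", "not_equals", "key_exists"), the AND/OR grouping structure, the first-match evaluation order and the treatment of a missing key (a missing key satisfies neither "equals" nor "not_equals") are assumptions, and Python's `re.search` stands in for PCRE partial search. The sample events are constructed, not real logs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


@dataclass
class Condition:
    """One key/value condition of an exception (operators are an assumption)."""
    key: str             # e.g. "URI", "Source Identifier", "Parameter Name"
    value: str = ""      # regex; Python re stands in for PCRE here
    op: str = "equals"   # "equals", "not_equals" or "key_exists"

    def matches(self, fields: Dict[str, str]) -> bool:
        present = self.key in fields
        if self.op == "key_exists":
            return present
        if not present:          # assumption: absent key never satisfies a value test
            return False
        # re.search is a partial search: the value must be anchored with ^ / $
        # to require a full match, exactly the caveat the page describes.
        hit = re.search(self.value, fields[self.key]) is not None
        return hit if self.op == "equals" else not hit


@dataclass
class Group:
    """Conditions combined with AND / OR; groups may nest."""
    op: str                                   # "AND" or "OR"
    items: List[Union[Condition, "Group"]] = field(default_factory=list)

    def matches(self, fields: Dict[str, str]) -> bool:
        results = [item.matches(fields) for item in self.items]
        return all(results) if self.op == "AND" else any(results)


@dataclass
class ExceptionRule:
    name: str
    action: str                               # "Accept", "Drop", "Skip", "Suppress Log"
    condition: Union[Condition, Group]
    comment: str = ""


def evaluate(rules: List[ExceptionRule], fields: Dict[str, str]) -> Optional[str]:
    """Return the action of the first rule whose condition matches, else None."""
    for rule in rules:
        if rule.condition.matches(fields):
            return rule.action
    return None


# Constructed sample events (hypothetical, not real open-appsec logs).
HEALTH_PROBE = {"URI": "/api/health", "Source Identifier": "10.0.0.5",
                "Parameter Name": "token"}
LOOKALIKE = {"URI": "/api/health-check", "Source Identifier": "203.0.113.7"}

# An unanchored URI value: partial search makes it match the look-alike path too.
UNANCHORED = ExceptionRule("health-unanchored", "Accept",
                           Condition("URI", "/api/health"),
                           comment="too broad: also exempts /api/health-check")

# Anchored URI AND anchored source: only the intended probe is exempted.
ANCHORED = ExceptionRule("health-anchored", "Accept",
                         Group("AND", [Condition("URI", r"^/api/health$"),
                                       Condition("Source Identifier", r"^10\.0\.0\.5$")]))

# Skip applies to a parameter key, so only that parameter's value is uninspected.
SKIP_TOKEN = ExceptionRule("skip-token", "Skip",
                           Condition("Parameter Name", r"^token$"))


def demo() -> Dict[str, Optional[str]]:
    """Exercise the rules against both events; the dict is what the test asserts on."""
    return {
        "unanchored/lookalike": evaluate([UNANCHORED], LOOKALIKE),
        "anchored/lookalike": evaluate([ANCHORED], LOOKALIKE),
        "anchored/probe": evaluate([ANCHORED], HEALTH_PROBE),
        "skip/probe": evaluate([SKIP_TOKEN], HEALTH_PROBE),
        "skip/lookalike": evaluate([SKIP_TOKEN], LOOKALIKE),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22} -> {action}")
```

Run it and compare the first two lines of output: the unanchored rule accepts the look-alike path while the anchored AND group does not, which is the difference between exempting one health probe and exempting every path that merely contains the string. The "Skip" rule only fires when the "Parameter Name" key is present in the event, mirroring the page's note that Skip is relevant only to parameter-type keys.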
Optionally add a comment describing why the exception exists (it is shown in the exceptions view) and click OK.
Once exceptions are configured, the same location in the asset shows the exceptions defined for the practice used by that asset, including each exception's comment and the last administrator who edited it:
A group of exception rules can also be saved under a global name and reused as one object by multiple assets and practices.
Global exception objects can be viewed and edited under Behaviors: