Setup Custom Rules and Exceptions

Last updated 3 months ago

Configuring Web Application security is easily done via the configuration wizard and, in the vast majority of cases, is enough to fully protect the web assets without additional manual changes.

However, as event logs appear, a security administrator might want to make specific exceptions to the default behavior of the system, regardless of the automatic learning mechanism.

Configuring Exceptions Upon Log

The most common use case for an exception is that an event has been logged and the security administrator decides that traffic matching one of the log's fields (for example, the URI field) should no longer be detected or blocked by the open-appsec engine.

Step 1: In the events view, right-click the log parameter on which the exclusion should be based and select "Add Exception".

Step 2: Review the exception details and click OK.

Common adjustments at this point are to generalize the exception to all sources by deleting the "Source Identifier" condition, or to change the action from "Skip" (available only when the "Matched Parameter" field was chosen) to "Accept". Keep in mind that "Accept" exempts the whole matching request from the practice, whereas "Skip" only removes the matched parameter from inspection and leaves the rest of the request protected, so prefer "Skip" when a single parameter is the cause of the false positive.

An exception configured this way applies to the combination of the specific open-appsec security practice that caught the original event and the Asset that handles the same traffic.

For information on how to configure exceptions from the asset view and the full set of options an exception offers, read on.

Possible actions for exception rules

  • Accept - Traffic matching the exception's conditions is accepted.

  • Drop - Traffic matching the exception's conditions is blocked.

  • Skip - Relevant only for specific keys such as "Parameter Name", "Parameter Value" and "Indicator". The value of the matching parameter is excluded from inspection by the AppSec engines, while the rest of the traffic is still inspected for malicious behavior.

  • Suppress Log - Traffic matching the exception's conditions does not activate the Log Trigger object(s) when an event occurs.

Possible conditions for exception rules

Keys

Several keys can be used in exception rules; each of them may be relevant to a different security practice or sub-practice.

For open-appsec, each key is listed below with where its value is searched (Value), whether it can be used with the "Skip" action (Skip action) and the practices it applies to (Practices):

Host
  Value: regular expression matched against the HTTP Host name
  Skip action: No
  Practices: All open-appsec Security

URI
  Value: the full HTTP URI of the request
  Skip action: No
  Practices: All open-appsec Security

Source Identifier
  Value: regular expression matched against the source identifier, as defined by the Source Identifier setting in the Asset's configuration
  Skip action: No
  Practices: All open-appsec Security

Source IP
  Value: IP address of the request's source, either a single IP address or a network in CIDR format ("<IP address>/<number of bits for network>")
  Skip action: No
  Practices: All open-appsec Security

Parameter Name
  Value: regular expression matched against a parameter name, i.e. a key in the HTTP request body's XML or JSON document
  Skip action: Yes
  Practices: All open-appsec Security

Parameter Value
  Value: regular expression matched against a parameter value, i.e. the value of a key in the HTTP request body's XML or JSON document
  Skip action: Yes
  Practices: All open-appsec Security

Parameter Location
  Value: a value matching the "Matched Location" field of the open-appsec log (e.g. "body", "cookie", "url")
  Skip action: Yes
  Practices: All open-appsec Security

Indicator
  Value: regular expression matched against the indicator(s); intended for use with the "Skip" action, so that selected indicators are excluded while all other traffic remains protected
  Skip action: Yes
  Practices: All open-appsec Security

Protection Name
  Value: the protection name used by the security sub-practice
  Skip action: No
  Practices: IPS and Snort Rules only

Country Code
  Value: ISO 3166 Alpha-2 country code; the country is resolved from the source IP address. This is the recommended key for country-based exceptions.
  Skip action: No
  Practices: All open-appsec Security

Country Name
  Value: exact ISO 3166 country name; the country is resolved from the source IP address. More readable than Country Code, but less recommended for country-based exceptions.
  Skip action: No
  Practices: All open-appsec Security

File Hash
  Value: SHA-256 string of the file the exception should apply to
  Skip action: No
  Practices: File Security only

File Name
  Value: the file name the exception should apply to
  Skip action: No
  Practices: File Security only

Response Body
  Value: regular expression matched against a pattern within the HTTP response body. Note: scanning response traffic adds a performance impact.
  Skip action: No
  Practices: All open-appsec Security. In addition, this key allows adding Data Loss Prevention (DLP) rules manually.

Header Value
  Value: regular expression matched against the HTTP header value
  Skip action: Not on its own
  Practices: All open-appsec Security

Header Name
  Value: regular expression matched against the HTTP header name
  Skip action: Not on its own
  Practices: All open-appsec Security

Regular Expression Values

The following applies only to keys for which the table above states that the value is a regular expression.

Such values are interpreted as PCRE 2.0 regular expressions and are matched with a partial search: the pattern only needs to occur somewhere within the inspected string unless it is anchored with the '^' or '$' regular expression operators. A Host value of "example\.com" therefore also matches "example.com.attacker.tld"; anchor it as "^example\.com$" to match that host name only.

Operators

Conditions can be combined into a complex logical expression using "AND" and "OR".

In addition, the following operators are available for each condition:

  • Equals

  • Not Equals

  • Key Exists
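
As an added illustration (not open-appsec code, and not the engine's real matching implementation), the following Python models the action and condition semantics described in the sections above: regex-valued keys use a partial search unless anchored (Python's re stands in for PCRE 2.0), Source IP accepts a single address or a CIDR range, Equals / Not Equals / Key Exists are applied per condition, AND / OR join conditions, and the Accept, Drop, Skip and Suppress Log actions are applied to constructed events. The event layout, the toy SUSPICIOUS detector and the sample requests are assumptions made for the example.

```python
"""Toy evaluator for open-appsec-style exception rules (added illustration, not project code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Keys whose value the documentation describes as a regular expression.
REGEX_KEYS = {"Host", "Source Identifier", "Parameter Name", "Parameter Value",
              "Indicator", "Header Name", "Header Value", "Response Body"}
# Assumed stand-in for the detection engines: any inspected parameter value
# matching one of these crude patterns makes the request malicious.
SUSPICIOUS = re.compile(r"<script|' or 1=1|\.\./", re.IGNORECASE)

@dataclass
class Condition:
    key: str
    value: Optional[str] = None      # not used by "Key Exists"
    op: str = "Equals"               # "Equals" | "Not Equals" | "Key Exists"

    def _actuals(self, event: Dict) -> List[str]:
        # Strings from the (assumed) event layout that this key is compared against.
        params = event.get("params", {})
        if self.key == "Parameter Name":
            return list(params)
        if self.key == "Parameter Value":
            return [str(v) for v in params.values()]
        return [str(event[self.key])] if self.key in event else []

    def compare(self, actual: str) -> bool:
        if self.key == "Source IP":  # single address or CIDR such as "10.20.0.0/16"
            return ipaddress.ip_address(actual) in ipaddress.ip_network(self.value, strict=False)
        if self.key in REGEX_KEYS:
            # Partial search: the pattern only has to occur somewhere in the value
            # unless anchored with ^ / $ (Python re stands in for PCRE here).
            return re.search(self.value, actual) is not None
        return actual == self.value  # exact match for URI, Country Code, File Hash, ...

    def matches(self, event: Dict) -> bool:
        actuals = self._actuals(event)
        if self.op == "Key Exists":
            return bool(actuals)
        hit = any(self.compare(a) for a in actuals)
        return hit if self.op == "Equals" else not hit

@dataclass
class ExceptionRule:
    conditions: List[Condition]
    action: str = "Accept"           # "Accept" | "Drop" | "Skip" | "Suppress Log"
    logic: str = "AND"               # "AND" | "OR" joins the conditions

    def matches(self, event: Dict) -> bool:
        hits = [c.matches(event) for c in self.conditions]
        return all(hits) if self.logic == "AND" else any(hits)

    def skipped_params(self, event: Dict) -> Set[str]:
        """Parameter names a Skip rule removes from inspection."""
        names: Set[str] = set()
        for c in self.conditions:
            if c.key == "Parameter Name":
                names |= {p for p in event["params"] if c.compare(p)}
        return names

def evaluate(event: Dict, rules: List[ExceptionRule]) -> Dict:
    """Accept/Drop decide the whole request; Skip only narrows inspection; Suppress Log mutes the log."""
    inspected = set(event.get("params", {}))
    suppressed = False
    for rule in rules:
        if not rule.matches(event):
            continue
        if rule.action in ("Accept", "Drop"):
            return {"verdict": rule.action, "inspected": set(), "log_suppressed": suppressed}
        if rule.action == "Suppress Log":
            suppressed = True
        elif rule.action == "Skip":
            inspected -= rule.skipped_params(event)
    malicious = any(SUSPICIOUS.search(str(event["params"][p])) for p in inspected)
    return {"verdict": "Prevent" if malicious else "Accept",
            "inspected": inspected, "log_suppressed": suppressed}

# Constructed events: A is a CMS editor legitimately posting raw HTML in "content";
# B hits the same endpoint with a path-traversal payload in "title".
EVENT_A = {"Host": "cms.example.internal", "URI": "/api/v1/posts",
           "Source IP": "10.20.30.40", "Country Code": "DE",
           "params": {"content": "<p>Hi</p><script>init()</script>", "title": "Hello"}}
EVENT_B = dict(EVENT_A, params={"content": "plain text", "title": "../../etc/passwd"})

# Skip only the "content" parameter on this host and endpoint (note the anchors).
SKIP_CONTENT = ExceptionRule(
    [Condition("Host", r"^cms\.example\.internal$"), Condition("URI", "/api/v1/posts"),
     Condition("Parameter Name", r"^content$")], action="Skip")
# Broad Accept (office range OR any DE source): exempts the whole request from inspection.
ACCEPT_TRUSTED = ExceptionRule(
    [Condition("Source IP", "10.20.0.0/16"), Condition("Country Code", "DE")],
    action="Accept", logic="OR")

if __name__ == "__main__":
    for ev, rules in ((EVENT_A, [SKIP_CONTENT]), (EVENT_B, [SKIP_CONTENT]), (EVENT_B, [ACCEPT_TRUSTED])):
        print(evaluate(ev, rules))  # Accept (only 'title' inspected) / Prevent / Accept (nothing inspected)
```

Running it shows why "Skip" is the safer default when one parameter causes the false positive: with SKIP_CONTENT, event A is accepted because only "content" leaves inspection, while event B is still prevented because its payload sits in "title"; the OR-joined ACCEPT_TRUSTED rule lets event B through without any inspection at all. An unanchored Host pattern such as r"cms\.example\.internal" also matches "cms.example.internal.evil.tld", which is the partial-search behaviour the regular expression note above warns about.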

View And Configure Exceptions In Assets

Configuring exceptions

Step 1: Browse to Assets, edit an existing asset and open the "Custom Rules and Exceptions" tab.

Step 2: Click to add a new exception.

Step 3: Create the exception according to the options described on this page.

Clicking the three dotted lines shows the logical operators available for combining multiple conditions.

Clicking the ':' between key and value shows the additional value-based operators for a single condition.

Add a comment for viewing purposes and click OK.

Viewing Exceptions

Once exceptions are configured, the same location in the asset shows the exceptions for the practice used by the asset, together with each exception's comment and the last administrator who edited it.

Save Exception for Reuse In Additional Assets/Practices

It is possible to save a group of exception rules under a global name and then reuse the same object across multiple assets and practices.

Configure an Existing Exception as Global

Step 1: Click on the 3 dots in the top right corner of the exceptions view

Step 2: Click Save and give a name to the new global "Exceptions" object

Step 3: In additional assets you can now click "Load" in the same location and select an existing "Custom Rules and Exceptions" object

View and Manage Global Exceptions Objects

The global exceptions objects can be viewed and edited under Behaviors.
