A guide to using the cloud API to manage Nemesida WAF settings.
The settings management functionality is enabled by default (not available for Light plan), but it can be disabled by sending an email request.
The Cloud API allows managing Nemesida WAF settings.
Allows managing:
- Nemesida WAF dynamic module settings;
- Nemesida AI MLC settings;
- behavioral models;
- synchronization of the settings of the dynamic module Nemesida WAF, Nemesida AI MLC between servers;
- signature exclusion rules and extended blocking rules.
Settings are managed using specially compiled queries. Each request must contain the license key of the installed copy of Nemesida WAF. It is allowed to transfer it SHA256 hash instead of the license key.
Management commands
Action log
Get action log contents:
# curl https://nemesida-security.com/nw/agent/get_event_log --data 'key=%License key or SHA256 hash%'
If you use an invalid license key, the response will be returned with the 401
code.
Nemesida WAF dynamic module
Allows managing the settings of the Nemesida WAF dynamic module. Supports the following control commands:
# curl https://nemesida-security.com/nw/agent/get_dyn_settings?format=json --data 'key=%License key or SHA256 hash%'
Get the settings hash sum:
# curl https://nemesida-security.com/nw/agent/get_dyn_settings_hash --data 'key=%License key or SHA256 hash%'
Receiving the hash amount is necessary to confirm the changes made.
Set settings:
# curl https://nemesida-security.com/nw/agent/public/set_dyn_settings --header 'Content-type: application/json' --data '{"token": "%Identification token%", "set": {"nwaf_ip_wl": "127.0.0.1, 127.0.0.2", "nwaf_ai_extra_host_lm": "example.com", "active": "true"}}'
where:
set
– settings parameters in JSON format.
Delete settings:
# curl https://nemesida-security.com/nw/agent/public/set_dyn_settings --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": "nwaf_ip_wl"}'
where:
del
– settings parameters in JSON format.
The identification token is available in the Cloud WebApp.
The following parameters are available for control:
Sets the limit of blocked requests. If the allowed number of requests specified by the rate
option is exceeded, the IP address will be blocked for the time (in seconds) specified in block_time
.
Example:
{... "nwaf_limit": "rate=5r/m block_time=600" ...}
The domain
parameter is optional and is only required to set the limit of blocked requests for a specific domain. To do this, need to bring the parameter to the form: nwaf_limit rate=... block_time=... domain=...
. Strict matching and wildcard values are allowed: *
, example.com
, .example.com
, *.example.com
.
Example:
{... "nwaf_limit": "domain=example.com rate=5r/m block_time=600" ...}
To set different limits for different domains, specify parameters for each of them.
Example:
{... "nwaf_limit": "domain=a.example.com rate=5r/m block_time=300, domain=example.com rate=5r/m block_time=300" ...}
or
{... "nwaf_limit": "rate=10r/m block_time=600, domain=example.com rate=5r/m block_time=300" ...}
In the last example, limits will be set for 5
requests per minute for the domainexample.com
(followed by blocking the attacker’s IP address for 300 seconds), as well as limits on 10
requests per minute for all other domains (followed by blocking the attacker’s IP address for 600 seconds).
Deactivation of the request analysis mechanism by Nemesida WAF for a specific IP address or subnet.
Example:
{... "nwaf_ip_wl": "127.0.0.1, 192.168.0.1" ...}
{... "nwaf_ip_wl": "127.0.0.1, 192.168.0.1" ...}
When using "nwaf_ip_wl": "domain=example.com 127.0.0.1"
the analysis mechanism will be deactivated only when accessing from a specific IP address to a specific domain. The domain
option is optional. It is allowed to use strict compliance and wildcard values: *
, example.com
, .example.com
, *.example.com
. An address with a subnet mask or a range of addresses can be used as an IP address.
Example:
{... "nwaf_ip_wl": "127.0.0.1, 192.168.61.0/24, 192.168.61.1-192.168.61.255" ...}
To reduce the number of false positives, it is recommended to specify the static IP address of users (administrators, content managers, editors) in the parameter nwaf_ip_wl
. Requests that fall under the action of the parameter will not be blocked, passed to RabbitMQ, and, as a result, analyzed by the Nemesida AI module. Be extremely careful when using the parameter.
IPv6 and IPv4 addresses are allowed.
Configuring request processing for a specific IP address or subnet with fixation in the DBMS, but without actual blocking (IDS mode).
Example:
{... "nwaf_ip_lm": "127.0.0.1, 192.168.0.1" ...}
When using "nwaf_ip_lm": "domain=example.com 127.0.0.1"
the pass will be made only when accessing from a specific IP address to a specific domain. The domain
option is optional. Strict matching and wild card values are allowed: *
, example.com
, .example.com
, *.example.com
. An address with a subnet mask or a range of addresses can be used as an IP address.
Example:
{... "nwaf_ip_wl": "127.0.0.1, 192.168.61.0/24, 192.168.61.1-192.168.61.255" ...}
IPv6 and IPv4 addresses are allowed.
Deactivation of the request analysis mechanism by Nemesida WAF for a virtual host. With the parameter nwaf_host_wl *
, skipping will be performed for all virtual hosts.
Example of using a single value:
{... "nwaf_host_wl": "*" ...}
or
{... "nwaf_host_wl": "example.com" ...}
or
{... "nwaf_host_wl": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_host_wl": "example.com, a.example.com" ...}
or
{... "nwaf_host_wl": "example.com, *.example.com" ...}
Configuring request processing for a specific virtual host with a commit in the DBMS, but without actual blocking (IDS mode). With the parameter nwaf_host_lm *
, skipping will be performed for all virtual hosts.
Example of using a single value:
{... "nwaf_host_lm": "*" ...}
or
{... "nwaf_host_lm": "example.com" ...}
or
{... "nwaf_host_lm": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_host_lm": "example.com, a.example.com" ...}
or
{... "nwaf_host_lm": "example.com, *.example.com" ...}
The parameter that activates the LM mode (IDS) for requests defined by the Nemesida AI MLA module as illegitimate.
If the name of the virtual host from the request falls under the action of the parameter, then such a request is fixed in the database management system, but is not blocked.
Example of using a single value:
{... "nwaf_mla_host_lm": "*" ...}
or
{... "nwaf_mla_host_lm": "example.com" ...}
or
{... "nwaf_mla_host_lm": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_mla_host_lm": "example.com, a.example.com" ...}
or
{... "nwaf_mla_host_lm": "example.com, *.example.com" ...}
A parameter that activates the WL mode for requests defined by the Nemesida AI MLC module as illegitimate.
If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.
Example of using a single value:
{... "nwaf_ai_extra_host_wl": "*" ...}
or
{... "nwaf_ai_extra_host_wl": "example.com" ...}
or
{... "nwaf_ai_extra_host_wl": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_ai_extra_host_wl": "example.com, a.example.com" ...}
or
{... "nwaf_ai_extra_host_wl": "example.com, *.example.com" ...}
A parameter that activates LM mode (IDS) for requests defined by the Nemesida AI MLC module as illegitimate.
If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.
Example of using a single value:
{... "nwaf_ai_extra_host_lm": "*" ...}
or
{... "nwaf_ai_extra_host_lm": "example.com" ...}
or
{... "nwaf_ai_extra_host_lm": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_ai_extra_host_lm": "example.com, a.example.com" ...}
or
{... "nwaf_ai_extra_host_lm": "example.com, *.example.com" ...}
A parameter that activates the LM mode for requests defined by the Nemesida AI MLC module as brute force attacks (BT 7) and flood (BT 9).
If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.
Example of using a single value:
{... "nwaf_bf_detect_host_lm": "*" ...}
or
{... "nwaf_bf_detect_host_lm": ".example.com" ...}
or
{... "nwaf_bf_detect_host_lm": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_bf_detect_host_lm": "example.com, *.example.org" ...}
A parameter that activates LM mode for requests defined by the Nemesida AI MLC module as DDoS attacks (BT 10).
If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.
Example of using a single value:
{... "nwaf_ddos_detect_host_lm": "*" ...}
or
{... "nwaf_ddos_detect_host_lm": ".example.com" ...}
or
{... "nwaf_ddos_detect_host_lm": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_ddos_detect_host_lm": "example.com, example.org" ...}
A parameter that excludes sending some requests to the RabbitMQ server (the nwaf
queue).
If the name of the virtual host from the request falls under the action of the parameter, then such a request is not passed to the nwaf
queue, and, accordingly, is not processed by the Nemesida AI MLC module (it is not analyzed for anomalies and brute force attacks, does not participate in the construction of behavioral models).
Example of using a single value:
{... "nwaf_rmq_host_exclude": "*" ...}
or
{... "nwaf_rmq_host_exclude": "example.com" ...}
or
{... "nwaf_rmq_host_exclude": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_rmq_host_exclude": "example.com, a.example.com" ...}
or
{... "nwaf_rmq_host_exclude": "example.com, *.example.com" ...}
The parameter that excludes the analysis of the BODY zone by the signature method, as well as sending its contents in the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful if it is not possible to change the value of the client_body_buffer_size
parameter in the /etc/nginx/nginx.conf
file.
Example:
{... "nwaf_body_exclude": "*" ...}
or
{... "nwaf_body_exclude": "example.com/uploads.php" ...}
or
{... "nwaf_body_exclude": "example.com/uploads" ...}
When applying the parameter, the exact match of the path (vhost/path).
For example, with the value: example.com/uploads
the BODY zone analysis exception will be applied for requests to example.com/uploads
, but for example.com/uploads.php
and example.com/uploads/index.php
the parameter will not be applied. With the value *
, the BODY zone analysis exception will be applied to any address.
The parameter that excludes the signature method from analyzing the contents of the BODY
zone for INPUT
requests, as well as sending the contents of the zone to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful when interacting with ownCloud web applications or similar ones that allow the client to upload a file to the server over the HTTP protocol.
Example of using a single value:
{... "nwaf_put_body_exclude": "*" ...}
or
{... "nwaf_put_body_exclude": "example.com" ...}
or
{... "nwaf_put_body_exclude": "*.example.com" ...}
Example of using multiple values:
{... "nwaf_put_body_exclude": "example.com, a.example.com" ...}
or
{... "nwaf_put_body_exclude": "example.com, *.example.com" ...}
Nemesida AI MLC
Allows managing the settings of the Nemesida AI MLC module. The following control commands are supported:
# curl https://nemesida-security.com/nw/agent/get_mlc_settings?format=json --data 'key=%License key or SHA256 hash%'
Get the settings hash sum:
# curl https://nemesida-security.com/nw/agent/get_mlc_settings_hash --data 'key=%License key or SHA256 hash%'
Set a list of virtual hosts for which models will be created and applied:
# curl https://nemesida-security.com/nw/agent/public/set_vhosts_list --header 'Content-type: application/json' --data '{"token": "%Identification token%", "vhosts_list": "example.com, example.org"}'
where:
vhosts_list
– list of virtual hosts for which models will be created and applied.
Set settings:
# curl https://nemesida-security.com/nw/agent/public/set_mlc_settings --header 'Content-type: application/json' --data '{ "token": "%Identification token%", set": {"main__ai_extra": "false", "brute_interval": "11", "brute__brute_detect": ["example.com/a1", "example.com/b1"], "active": "true"}}'
where:
set
– settings parameters in JSON format.
Delete settings:
# curl https://nemesida-security.com/nw/agent/public/set_mlc_settings --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": "brute_detect"}'
where:
del
– settings parameters in JSON format.
The identification token is available in the Cloud WebApp.
Activate/deactivate the additional request analysis functionality, which allows detecting missed attacks and temporarily blocking their source by IP address. If the additional analysis functionality is inactive, all unblocked requests will be included in the training sample (with the exception of requests that fall under the WL mode, or illegitimate requests that fall under the LM mode).
Example:
{... "main__ai_extra": "true" ...}
Example:
{... "ddos__enable": "true" ...}
1.2.3.4
, for which the DDoS detection will be disabled. Each subsequent value is separated by a space.
Example:
{... "ddos__wl_ip": "127.0.0.1" ...}
vhost
and vhost/path
, where:
vhost
– virtual host for which the DDoS detection will be disabled.
path
– resource address occurrence.
Strict matching and wildcard values are allowed: example.com
, .example.com
, *.example.com
.
Example:
{... "ddos__wl_url": ["example.com/feed", ".example.com"/feed, "*.example.com/feed", "*/feed"] ...}
Example:
{... "ddos__interval": "10" ...}
false
, all blocked requests for each IP address are transmitted to the Nemesida WAF API.
Example:
{... "ddos__latest_only": "true" ...}
Possible DDoS
. If the value false
, requests to the Nemesida WAF API will not be transmitted.
Example:
{... "ddos__send_possible": "true" ...}
The prefix Possible
is added to the name of the attack if its type has not been reliably established.
Example:
{... "brute__enable": "true" ...}
example.com
, .example.com
, *.example.com
.
Example:
{... "brute__wl_host": ["example.com", ".example.org", "*.example.us"] ...}
Example:
{... "brute__interval": "10" ...}
Example:
{... "brute__mav_val": "15" ...}
host/path
, where path
is the occurrence of the resource address on the web server. Strict matching and wildcard values are allowed: example.com
, .example.com
, *.example.com
.
Example:
{... "brute__brute_detect": ["example.com/auth", ".example.com/auth"] ...}
or
{... "brute__brute_detect": ["*.example.com/auth"] ...}
Thus, with the set value example.com/auth
, brute force attacks will be monitored as for example.com/auth
, and for example.com/auth/reset_password
.
The parameter is used to detect brute force attacks, but does not block duplicate requests with the same content in the ARGS
or BODY
zones.
brute_detect
parameter, but is designed to detect flood attempts or similar attacks with repeated requests. The only difference is that during the analysis of requests that fall under the action of the flood_detect
parameter, duplicates are not deleted.
Thus, in case of repeated sending of identical requests (for example, multiple attempts to recover a password by SMS), requests with similar content and falling under the action of the flood_detect
parameter will not be deleted, unlike requests with similar content, but falling under the action of the brute_detect
parameter.
Example:
{... "brute__flood_detect": ["example.com/auth", ".example.com/auth"] ...}
or
{... "brute__flood_detect": ["*.example.com/auth"] ...}
false
, all blocked requests for each IP address are transmitted to the Nemesida WAF API.
Example:
{... "brute__latest_only": "true" ...}
Possible DDoS
. If the value false
, requests to the Nemesida WAF API will not be transmitted.
Example:
{... "brute__send_possible": "true" ...}
The prefix Possible
is added to the name of the attack if its type has not been reliably established.
Signature exclusion rules management
Allows configuring signature exclusion rules. The following control commands are supported:
# curl https://nemesida-security.com/nw/agent/get_dyn_wl --data 'key=%License key or SHA256 hash%'
Get extended information about the rule:
# curl https://nemesida-security.com/nw/agent/get_dyn_wl?extended=yes --data 'key=%License key or SHA256 hash%'
Get the rule list hash sum:
# curl https://nemesida-security.com/nw/agent/get_dyn_wl_hash --data 'key=%License key or SHA256 hash%'
Create rule:
# curl https://nemesida-security.com/nw/agent/public/set_dyn_wl --header 'Content-type: application/json' --data '{ "token": "%Identification token%", "add": { "rl_id": "50001", "domain": "example.com", "mz": "URL", "extension": "$URL_X:/test"}}'
where:
add
– settings parameters in JSON format;rl_id
– ID of the signature (blocking rule) to which the exclusion rule applies. When using the value * the exclusion rule will apply to all signatures.
More detailed information on creating rules is available in the corresponding section of the documentation.
Update rule:
# curl https://nemesida-security.com/nw/agent/public/set_dyn_wl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "upd": {"rid": "50001", "pattern": "ABC"}}'
where:
upd
– settings parameters in JSON format.
Delete rule:
# curl https://nemesida-security.com/nw/agent/public/set_dyn_wl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": {"rid": "50001"}}'
where:
del
– settings parameters in JSON format.
The identification token is available in the Cloud WebApp.
Extended request blocking rules
The mechanism of extended request blocking rules allows you to use additional conditions for a more accurate result when drawing up personal rules. For example, you can create a rule by which the request will be blocked if:
- corresponds to a geographical location based on an IP address (determining the country by the attacker’s IP address);
- there is an appeal to a specific domain or URL;
- contains a specific header (for example,
User-Agent
,Cookie
,Referrer
, etc.) and/or the contents of these headers.
For a more accurate result, the parameters can be combined with each other. In this case, the rule will only work if all the conditions are met.
ip
– Attacker’s IP address;api
– send the result of the rule triggering to the Nemesida WAF API module;lm
– processing of the rule in theLM
mode (the rule is triggered, but the request is not blocked);noban
– with the valuefalse
, when the rule is triggered, the request will be blocked, but the counterrate
of the parameternwaf_limit
required to block the IP address of the request source will not increase;no_cookie
– with the valuetrue
the rule applies only to a request with an emptyCookie
zone;country
– country (for the functionality of determining the geographical location based on the IP address, you need to connect a file with the GeoIP2 database in/etc/nginx/nwaf/conf/global/nwaf.conf
);domain
– domain;url
– the occurrence of a string in the contents of theURL
zone;args
– the occurrence of a string in the contents of theARGS
zone;body
– the occurrence of a string in the contents of theBODY
zone;cookies
– the occurrence of a string in the contents of theCookie
zone;ua
– the occurrence of a string in the contents of theUser-Agent
zone;referer
– the occurrence of a string in the contents of theReferer
zone;other_headers
– the occurrence of a string in the contents of theHEADERS
zone, with the exception of theCookie
,User-Agent
andReferer
zones.
For the domain
field, strict matching and wildcard values are allowed: *
, example.com
, .example.com
, *.example.com
.
Example:
{... "domain": "base64(*.example.com)" ...}
With this value, the rule will apply to all subdomains (a.example.com
, b.example.com
, etc.), excluding the main domain example.com
. If the value of the domain
field is empty, the rule will be applied to all requests.
The prefix
base64
before the parameter means that the parameter value must be passed in the formatbase64
when composing the rule. For example:"domain": "base64(*.example.com )"
will look like"domain": "Ki5leGFtcGxlLmNvbQ=="
For all parameters (except api
,lm
, noban
and no_cookie
), it is allowed to use multiple values in one parameter using the logical operators of the conditions “not” (!
), “and” (&
), “or” (|
). Operators have no priority and are executed in turn, from left to right.
Example:
{... "ip": "192.168.61.0/24|192.168.62.0/24" ...}
With this value, the rule will apply to all IP addresses from the ranges 192.168.61.1-192.168.61.255
or 192.168.62.1-192.168.62.255
.
Example:
{... "country": "!base64(RU)&!base64(US)" ...}
With this value, the rule will apply to all requests in which the IP address of the request source is not from Russia and not from the USA.
Example:
{... "cookie": "!base64(abc)&!base64(def)" ...}
With this value, the rule will apply to all requests that do not contain abc
and def
in the Cookie
.
When the extended request blocking rule is checked, all fields except ip
, country
, api
, lm
and noban
are checked for the contents of the field from the blocking rule to be checked in the request field. For example, with "url": "base64(/abc)"
, a request with the occurrence of /abcd
in the URL will be blocked.
other_headers
field format:
{... "other_headers": ["base64(header_name):base64(header_value)", "base64(header_name):base64(header_value)" ...] ...}
where:
base64(header_name)
– header name inbase64
;base64(header_value)
– header value inbase64
.
For the other_header
field, the contents of the base64(header_name)
and the base64(header_value)
sections are optional, but you must specify at least one of the sections. For example, if there is a header header_name
, the contents of header_value
of only this header will be checked, and if there is no header, the contents of all headers will be checked.
Example:
{... "other_headers": ["base64(example_header):base64(abcd)"] ...}
With this value, the abcd
content will be searched in the example_header
header.
Example:
{... "other_headers": [":base64(abcd)"] ...}
With this value, the contents of abcd
will be searched in any header.
If base64(header_name)
is specified without a subsequent value, then the request will be blocked at any value of the header header_name
(blocking by the presence of the header).
Example:
{... "other_headers": ["base64(example_header):"] ...}
Example:
{... "other_headers": ["base64(example1_header):base64(abc)","base64(example2_header):base64(def)"] ...}
With this value, the request will be blocked if there are headers example1_header
, which contains abc
and example2_header
, which contains def
.
Example:
{... "other_headers": ["base64(example1_header):","base64(example2_header):"] ...}
With this value, the request will be blocked if there are headers example1_header
and example1_header
with any values.
The logical operation is allowed for the header name !!
, which means that there is no header with that name in the request. Blocking the request will work if there is no header with the specified name among all the request headers. At the same time, the header value is ignored, even if it is present in the rule.
Example:
{... "other_headers": ["!!base64(example_header):"] ...}
Example:
{... "other_headers": ["base64(example_header):base64(abc)&base64(def)"] ...}
With this value, the request will be blocked if there is a example_header
header that contains abc
and def
.
Example:
{... "other_headers": ["base64(example_header):!base64(abc)"] ...}
With this value, the request will be blocked if there is a example_header
header that does not contain abc
.
Example:
{... "other_headers": ["base64(example_header):!base64(a)&!base64(b)&!base64(c)"] ...}
With this value, the request will be blocked if there is a example_header
header that does not contain a
, b
and c
.
Example:
{... "other_headers": ["base64(example_header):!base64(a)|base64(b)"] ...}
With this value, the request will be blocked if there is a example_header
header that does not contain a
or contains b
.
If it is not possible to get any field specified in the extended blocking rule in the request, the request will be skipped.
The following control commands are supported:
# curl https://nemesida-security.com/nw/agent/get_erl --data 'key=%License key or SHA256 hash%'
Get extended information about the rule:
# curl https://nemesida-security.com/nw/agent/get_erl?extended=yes --data 'key=%License key or SHA256 hash%'
Get the rule list hash sum:
# curl https://nemesida-security.com/nw/agent/get_erl_hash --data 'key=%License key or SHA256 hash%'
Create rule:
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "add": {"ip": "1.1.1.1|2.2.2.2", "active": "true"}}'
where:
add
– settings parameters in JSON format.
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "add": {"ip": "!1.1.1.0/24", "domain": "ZXhhbXBsZS5jb20=" "active": "true"}}'
The request will be blocked if on example.com
a request will be received from any IP address except 1.1.1.1-1.1.1.255
.
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "add": {"ip": "1.1.1.1", "domain": "ZXhhbXBsZS5jb20=", "other_headers": ["dGVzdC1oZWFkZXI=:YWJj"], "active": "true"}}'
The request will be blocked by the rule if example.com
a request will be received from the IP address 1.1.1.1
and the header test-header
contains the string abc
.
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token", "add": {"сountry": "Q0g=|UlU=", "domain": "ZXhhbXBsZS5jb20=", "other_headers": ["dGVzdC1oZWFkZXI=:YWJj"], "cookie": "!dGVzdF9jb29raWU=", "referer": "!aHR0cDovL2V4YW1wbGUuY29t" "active": "true"}}'
The request will be blocked by the rule if a request for example.com
will be received from an IP address, from the region RU
or CH
, the header test-header
contains the string abc
, the header Cookie
does not contain the string test_cookie
and the header Referer
does not contain http://example.com
.
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{ "token": "%Identification token%", "add": { "ip": "1.1.1.1", "other_headers": ["VGVzdC1GaWVsZA==:"], "referer": "aHR0cDovL2V4YW1wbGUuY29tLw==", "ua": "TW96aWxsYS81LjA=", "cookie": "dGVzdF9jb29raWU=", "body": "YmM9MyZjYz0x", "args": "P3BhZ2U9Mw==", "url": "aW50ZXJuYWx0ZXN0", "domain": "ZXhhbXBsZS5jb20=", "api": false, "country": "Q0g=|VFc=", "active": true}}'
The request will be blocked by the rule if a request for example.com
will be received from the IP address 1.1.1.1
, from the region RU
or CH
, which will contain:
- header
Referer
withhttp://example.com/
content; - header
Test-Field
with any content; - header
User-Agent
withMozilla/5.0
content; - header
Cookie
withtest_cookie
content; - request body content
bc=3&cc=1
; - request argument
?page=3
.
Update rule:
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "upd": {"id": "1", "ip": "1.1.1.1", "active": "true"}}'
where:
upd
– settings parameters in JSON format.
Delete rule:
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": {"id": "1"}}'
where:
del
– settings parameters in JSON format.
The identification token is available in the Cloud WebApp.
Incorrect training of behavioral models or significant changes in the web application can lead to a lot of false positives. To improve the accuracy of detecting attacks, it is recommended to retrain models once a week. The commands below allow you to perform actions on models. The following control commands are supported:
# curl https://nemesida-security.com/nw/ml/mgmt/get_event_log --data 'key=%License key or SHA256 hash%'
Get a virtual hosts list with models:
# curl https://nemesida-security.com/nw/ml/mgmt/get_models_list_uri --data 'key=%License key or SHA256 hash%'
Delete a model for a virtual host example.com
:
# curl 'https://nemesida-security.com/nw/ml/mgmt/del_models_uri' --data 'key=%License key or SHA256 hash%&vhost=example.com'
where:
vhost
– the name of the virtual host for which you want to delete the behavioral model.
Copy a behavioral model for a virtual host:
# curl 'https://nemesida-security.com/nw/ml/mgmt/rep_models_uri' --data 'key=%License key or SHA256 hash%&src=example.com&dst=example.ru'
where:
src
is a virtual host whose behavioral model is being copied;dst
is a virtual host for which the model needs to be copied.
Copying behavioral models between virtual hosts is performed only within one
WAF ID
.
Get the model training status for a virtual host:
# curl 'https://nemesida-security.com/nw/ml/mgmt/get_training_uri' --data 'key=%License key or SHA256 hash%&vhost=example.com'
Set for a virtual host example.com
the training period is 4 days:
# curl 'https://nemesida-security.com/nw/ml/mgmt/set_training_uri' --data 'key=%License key or SHA256 hash%&vhosts=example.com&duration=4'
where:
duration
– training period in days.
Activate model training for a virtual host *.example.com
:
# curl 'https://nemesida-security.com/nw/ml/mgmt/set_training_uri' --data 'key=%License key or SHA256 hash%&vhosts=*.example.com&complete=no'
where:
complete
– the training status of the model.
Set the training period and activate model training for the virtual host .example.com
:
# curl 'https://nemesida-security.com/nw/ml/mgmt/set_training_uri' --data 'key=%License key or SHA256 hash%&vhosts=.example.com&duration=4&complete=no'
Executing the command with the value of the parameter complete=no
allows you to start the process of retraining the model, and complete=yes
interrupts the learning process.
Before starting the model learning process, the virtual host must be added to the list of virtual hosts. The command that allows you to set a list of virtual hosts is given in the section Nemesida AI MLC (Management commands).