Sample Rule Set


Getting Started

Starting VasPatch

After installation, please ensure that:

  1. The VasPatch Windows services (VasPatchDataService and VasPatchAnalysis) are running. Port 8731 is used.
  2. IIS is started.
  3. The VasPatch Web UI website is up.


Running for the First Time

After starting the above services, open a browser and access VasPatch Web UI. The path of the login page should be http://localhost:<port>/login.aspx.

Note that the first successful login must be made locally on the server itself. You can only log in to the Web UI remotely after the default password has been changed.

On the login page, use the following default username and password for the first login.

Username: admin
Password: admin

After login, you will be asked to change the password. Enter the new password and confirm it to proceed to the next step. After changing the password, you need to log in again with the new password.

Note: you cannot use any of the functions until you have changed the password.

After login, you will see several menu items on the menu bar: Sample Rules, Custom Rules, Alerts and System Setting. These items are explained in the following sections.

There are no rules in the system after first installation. There are 3 ways to create rules:

  1. Download sample rules from VasPatch Repository Server via a known Patch Rule ID (PRID)
  2. Create a new rule using the "Create Basic Rule" function in the Web UI
  3. Create a new rule using the "Create Advanced Rule" function in the Web UI

Sample Rules

Sample Rules are a set of predefined rules from the VasPatch Repository, created by MileSCAN or by web application vendors. Using these sample rules can protect your web application from known vulnerabilities.

On the top menu, click “Sample Rules” to view the Rule List page. On first run, this page will be empty as there are no rules in the system.

Follow the next section, "Import Rule", to add sample rules from the VasPatch Repository. Afterwards, the imported rules are listed on this page. For each rule, there are several control actions:

  • Enabled – Enable or disable a rule; a disabled rule will not be used to filter web requests
  • Delete – Delete a rule from the system
  • Detail – Show the detailed information of a rule

The administrator may also search the sample rules in the VasPatch Repository by rule name, Bugtraq ID, CVE or attack type.

Import Rule Using Patch Rule ID (PRID)

On the top menu, mouse over “Sample Rules” to find a submenu for importing new predefined rules from the VasPatch Repository.

On the import rule page, enter the PRID of a rule and click the Search button. A PRID is the unique Patch Rule ID assigned to each rule added to the VasPatch Repository. You can search for a known vulnerability in the VasPatch Repository using its CVE ID or Bugtraq ID and then find the corresponding PRID.

The rule details will be shown if the entered PRID is found in the VasPatch Repository. If the rule is the one you want to import, press the Confirm button to save the rule to the system. If the rule already exists in your system, you will be asked whether to update the previous rule.


Custom Rules

Sometimes there is no predefined sample rule that patches a particular vulnerability in your web application. In that case, you can still create a custom rule to virtually patch your specific web application.

On the top menu, click “Custom Rules” to access the Rule List page. On first run, this page will be empty as there are no rules in the system.

After rules have been added to the system, they are listed on this page. The list shows basic information and several controls for each rule.

  • Enabled – Enable or disable a rule. A disabled rule will not be used to filter web requests
  • Edit – Modify the content of a rule
  • Delete – Delete a rule from the system
  • Detail – Show the detailed information of a rule

The administrator may also search the rules by rule name, domain or action type.

Add Rule

On the top menu, mouse over “Custom Rules” to find two submenu items, Basic and Advanced, for creating new rules.

Create Basic Rule

This is a rule creation wizard that helps administrators who are not familiar with the rule syntax to create a custom rule easily. Using the basic rule creation wizard, administrators can create rules to filter the two most common types of vulnerabilities, i.e., Cross Site Scripting and SQL Injection.

On the Create Basic Rule page, the administrator has to provide the following information:

  • Name – Name of the rule
  • Description – Detailed information about this rule; leave it blank if no additional information is needed
  • URL – The vulnerable URL including parameter, e.g. http://www.test.com/form.html?name=peter&email=test@test.com
  • Parameter – The name of the parameter, e.g. email or name from the above example
  • Method – The HTTP method used for this URL, POST or GET
  • Type – Type of the rule, Cross Site Scripting or SQL Injection
    • Cross Site Scripting – The rule filters the following characters: <>()'"
    • SQL Injection – The rule filters the following characters: ()'"

Save the settings; the rule will then be created and enabled.

To customize the Filter Action, edit the rule on the Rule List page.

Create Advanced Rule

For IT security professionals, this function provides a higher degree of customization for creating complex rules. Rules created this way can be tailored to fix vulnerabilities in custom web applications.

Before using this function to create a rule, the administrator should understand the syntax of our rule Conditions and Filter Actions. Please refer to Rule Syntax for more information.

On the Create Advanced Rule page, the administrator has to specify the following information:

  • Name – Name of the rule
  • Description – Detailed information about this rule; leave it blank if no additional information is needed
  • Domain – The domain that this rule will be applied to; leave it blank to apply the rule to any domain
  • Attack Type – The type of the vulnerability, e.g. XSS (for Cross site scripting), SQLi (for SQL Injection)
  • Application Name – The name of your application
  • Application Description – Detailed information about the application; leave it blank if no additional information is needed
  • Conditions – The conditions that trigger the action
  • Action Type – The action to be taken when the conditions match. The action is applied only when all of the given conditions are matched. There are 3 action types:
    • BLOCK – block the request.
    • FILTER – filter the request according to the specified Filter Actions.
    • NOOP – do nothing.
  • Filter Action – The filter actions to apply; these can be specified only if the Action Type is FILTER
  • Priority – The order in which rules are applied. A number in the range 1-100 can be specified; a higher number means higher priority (default: 1). Rules with higher priority are checked first.
  • Enabled – Enable or disable this rule

Save the settings; the rule will then be created.
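To make the Basic and Advanced Rule fields above concrete, here is an added example (not VasPatch code, and not the product's Rule Syntax) that models how such rules can be evaluated: a Basic Rule becomes a FILTER rule on one URL, parameter and method that strips the characters listed by the wizard, an Advanced Rule carries a Domain, Conditions that must all match, an Action Type of BLOCK, FILTER or NOOP, and a Priority in which higher numbers are checked first. The representation of Conditions as Python callables, the "first matching rule decides" behaviour and the `parse_request` helper are assumptions made for illustration; the global modes passed as `mode` are the ones described under System Setting.

```python
"""Illustrative model of virtual-patch rule evaluation (added example, not VasPatch code).

The rule representation below (callables as Conditions, a callable as Filter
Action) is an assumption for illustration; it does not reproduce the product's
own Rule Syntax.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Character sets the Basic Rule wizard filters, as listed in the guide.
XSS_CHARS = set("<>()'\"")
SQLI_CHARS = set("()'\"")


@dataclass
class Request:
    method: str
    url: str
    params: Dict[str, str]  # parameters from the query string or form body


def parse_request(method: str, url: str, body: str = "") -> Request:
    """Build a Request from a method, URL and optional form body (hypothetical helper)."""
    raw = parse_qs(urlsplit(url).query) if method.upper() == "GET" else parse_qs(body)
    return Request(method.upper(), url, {k: v[0] for k, v in raw.items()})


@dataclass
class Rule:
    name: str
    action_type: str                                   # BLOCK, FILTER or NOOP
    conditions: List[Callable[[Request], bool]]        # all must match
    filter_action: Optional[Callable[[Request], Request]] = None  # FILTER only
    domain: str = ""                                   # empty: applies to any domain
    priority: int = 1                                  # 1-100, higher is checked first
    enabled: bool = True


def basic_rule(name: str, url: str, parameter: str, method: str, rule_type: str) -> Rule:
    """Build what the Basic Rule wizard describes: a FILTER rule on one URL,
    one parameter and one HTTP method that strips the dangerous characters."""
    chars = XSS_CHARS if rule_type == "XSS" else SQLI_CHARS
    target = urlsplit(url)

    def same_endpoint(req: Request) -> bool:
        return urlsplit(req.url).path == target.path and req.method == method.upper()

    def has_parameter(req: Request) -> bool:
        return parameter in req.params

    def strip_chars(req: Request) -> Request:
        cleaned = dict(req.params)
        cleaned[parameter] = "".join(c for c in req.params[parameter] if c not in chars)
        return Request(req.method, req.url, cleaned)

    return Rule(name, "FILTER", [same_endpoint, has_parameter], strip_chars,
                domain=target.hostname or "", priority=1)


def evaluate(rules: List[Rule], req: Request, mode: str = "Action") -> Tuple[str, Request, List[str]]:
    """Evaluate rules under a global mode (Log, Action, Silent or Disable).

    Rules are checked in descending priority; the first enabled rule whose
    domain and all conditions match decides (first-match is an assumption here).
    Returns (decision, request, alerts): decision is BLOCK, FILTER, NOOP or PASS,
    request is the possibly filtered request, alerts is the generated alert list.
    """
    alerts: List[str] = []
    if mode == "Disable":                      # all rules off: no log, no action
        return "PASS", req, alerts
    host = urlsplit(req.url).hostname or ""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if not rule.enabled or (rule.domain and rule.domain != host):
            continue
        if not all(cond(req) for cond in rule.conditions):
            continue
        if mode != "Silent":                   # Silent enforces without logging
            alerts.append(f"{req.method} {req.url} matched {rule.name} -> {rule.action_type}")
        if mode == "Log":                      # Log only: record but do not enforce
            return "PASS", req, alerts
        if rule.action_type == "BLOCK":
            return "BLOCK", req, alerts
        if rule.action_type == "FILTER":
            return "FILTER", rule.filter_action(req) if rule.filter_action else req, alerts
        return "NOOP", req, alerts
    return "PASS", req, alerts


if __name__ == "__main__":
    # Constructed sample: the guide's example URL, protected by a Basic XSS rule on "name",
    # plus an Advanced-style BLOCK rule with higher priority on a "debug" parameter.
    xss = basic_rule("form-name-xss",
                     "http://www.test.com/form.html?name=peter&email=test@test.com",
                     "name", "GET", "XSS")
    block_debug = Rule("block-debug", "BLOCK", [lambda r: "debug" in r.params],
                       domain="www.test.com", priority=50)
    req = parse_request("GET", "http://www.test.com/form.html?name=<b>x</b>&email=a@b.c")
    print(evaluate([xss, block_debug], req))
```

Two points worth noticing when running this: the Basic Rule's character stripping is blunt, so legitimate input such as the surname "o'brien" loses its apostrophe under an SQL Injection rule, which is why the guide lets you edit the Filter Action afterwards; and because higher-priority rules are checked first, a NOOP rule with a high priority effectively exempts every request it matches from lower-priority BLOCK and FILTER rules.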

Alerts

On the top menu, select “Alerts” to access the alert list page.

This page shows a list of alerts. Whenever a request matches the conditions of a rule while the system is in Action Mode or Log Mode, an alert is triggered and added to this list.

Within the list, a summary including the alert date, request URL, action and rule ID is shown. Clicking the detail hyperlink shows the alert details.

The administrator may also search the alerts by Request URL, Action Type or Rule name.


System Setting

On the top menu, select “System” to access the system setting page.

On this page, the administrator can change the global settings and the login password.

Change Password

The administrator can change the login password here. Enter the old password, the new password and the confirmation of the new password to change the administrator password.

Note: The system will redirect to the login page after changing the password. You need to log in with the new password.

Global Setting

The administrator can change the mode of all rules. The following modes can be selected:

  • Log – The system will log all requests which match the conditions of rules
  • Action – The system will log and filter a request whenever it matches the conditions of rules
  • Silent – The system will not log anything but will still filter malicious requests
  • Disable – Disable all rules; no log or filter action will be taken

Save the changes to apply the modification immediately.
