Chapter 5. Profense™ Proxy reference

In learn mode the proxy is automatically learning from requests. No requests are blocked and only requests maching a set of negative criteria are logged and classified.

When no new information is gained from additional requests a policy is generated and the proxy automatically switches to detect mode, if configured to do so (default).

	Note
	If the Profense™ node is part of a cluster with synchronization enabled the learner will only sample learn data if the node has the `teacher` role. If it has the `learn` role it will receive the policy when generated by the `teacher node`.

Detect

In detect mode the proxy behaves as if it was running in block mode with the prominent exception that nothing actually gets blocked. It only logs the actions that would have been taken if it was running in block mode. The detect mode can be compared to an intrusion detection system. It detects but does not prevent policy violations. This mode is useful for testing a policy before going into block mode.

Block

In block mode blocking and logging is performed according to the access policy.

Auto

In Auto mode the proxy automatically adapts to changes in the web applications. Auto mode offers instant protection by employing a combination of positive and negative policy rules. At first a general negative policy is enforced but as Profense maps a profile of the web applications and the web site in general the policy becomes more specific and shift towards a positive security model for specific applications.

Auto mode is only available in Profense™ Professional (and trial).

	Note
	If the Profense™ node is part of a cluster with synchronization enabled the learner will only sample learn data if the node has the `teacher` role. If it has the `learn` role it will receive the policy when generated by the `teacher node`.

1.1. Changing operating mode

The operating mode can be changed in several places: In the list of configured proxies select the new operating mode in the Mode drop-down box for the proxy to be changed.

Proxy overview: In the list of configured proxies shown when selecting Proxy -> Manage the mode can be changed by selecting the new operating mode in the Mode drop-down box for the proxy to be changed.
Learner: In the Learner configuration and overview page ( Proxy -> Manage -> Policy -> Learning ) the mode can be changed by selecting the new operating mode in the Mode drop-down box.
Web Application Firewall configuration: In the Web application firewall configuration section ( Proxy -> Manage -> Settings -> Web application firewall ) the mode can also be changed via a Mode drop-down box.
Automatic change by learner: If the Learner is configured (default) to automatically build an access policy when information sampling thresholds are reached the operating mode will automatically be changed from Learn to Detect by the Learner when the sampled data is analyzed and a policy has been built.

2. Monitor

GUI Path: Proxy -> Monitor

The monitor window provides an overview of configured proxies. The overview includes real time traffic information.

Name	Total number of requests.
Services	Number of services configured.
Requests	Total number of HTTP requests received.
Responses	Total number of HTTP responses sent.
Received	Total data received.
Sent	Total data sent.
Compression	Total compression ratio for the proxy. Eg. 60% means that the total original data was compressed to the 60% of it's original size.
Status	`OK` or `ERROR`.
Mode	The mode (Section 1, “Operating mode”) the proxy is running in.
Details icon	Click to manage proxy settings.
Graph icon	Click to display traffic information graphs.

3. Manage

GUI Path: Proxy -> Manage

The Proxy menu gives access to all configuration options related to proxy management, ACL administration, security logging and settings.

To manage proxies select Proxy -> Manage in the left menu pane. This will take you to the proxy overview page.

3.1. Defined proxies

Displays the list of configured proxies in the system. The list shows the id, virtual host, real host and current running mode for each configured proxy.

3.2. Selecting a proxy for management

To manage a configured proxy simply click on it in the defined proxies list.

3.3. Changing operating mode

In the list of configured proxies select the new operating mode in the Mode drop-down box for the proxy to be changed.

A proxy can operate in one of four different modes:

Pass

In pass mode all requests are passed through the proxy. No requests are blocked and no logging is performed.

When a proxy is added this mode is selected per default.

Learn

In learn mode the proxy is learning from requests. No requests are blocked and only requests maching a set of negative criteria are logged and classified.

When no new information is gained from additional requests a policy is generated and the proxy automatically switches to detect mode, if configured to do so (default).

Detect

Block

In block mode blocking and logging is performed according to the access policy.

Auto

In Auto mode the proxy automatically adapts to changes in the web applications. Auto mode offers instant protection by employing a combination of positive and negative policy rules. At first a general negative policy is enforced but as Profense maps a profile of the web applications and the web site in general the policy becomes more specific and shift towards a positive security model for specific applications.

Auto mode is only available in Profense™ Professional (and trial).

3.4. Adding a proxy

Path: Proxy -> Manage + Add Proxy .

Follow the steps below.

3.4.1. Adding an HTTP proxy

3.4.1.1. Virtual server settings

In the Virtual server section

Select HTTP as the protocol.
Enter the fully qualified domain name (e.g. www.mydomain.com) or IP address in the Virtualhost/IP field - that is: The public address of the web server you want to add a proxy for.
Select the port the TCP/IP port number assigned for the proxy. Default: <HTTP=80, HTTPS=443)

3.4.1.1.1. Virtual host aliases

When the proxy is created virtual host aliases can be added in Proxy -> Manage -> Settings -> Servers .

For more information see Section 10.3, “Virtual host aliases”

3.4.1.2. Real web server settings

In the Real web server section

Select the protocol you want Profense™ to use for traffic between Profense™ and the web server. HTTP is the default selection but HTTPS is also possible if you want the traffic to be SSL-encrypted.
Enter the IP address or domain name of the web server domain name requires a name server to be configured for Profense™ - see page 41)
Enter the port number the web server is listening to.

Please refer to the proxy management section for details on configuring the proxy.

When the HTTP-proxy is configured click the save proxy button.

3.4.1.3. Mode and initial configuration

Select operating mode (Section 1, “Operating mode”), initial configuration (Section 5.1, “Initial configuration”) and, if necessary, set buggy web server options (Section 3.7, “Adding a Proxy”).

3.4.2. Adding an HTTPS proxy

3.4.2.1. Virtual web server settings

In the Virtual server section

Select HTTPS as the protocol.
Enter the fully qualified domain name (e.g. www.mydomain.com) or IP address in the Virtualhost/IP field - that is: The public address of the web server you want to add a proxy for.
Select the port the TCP/IP port number assigned for the proxy. Default: <HTTP=80, HTTPS=443)
Select the IP address for the SSL-proxy in the bind drop-down box. Be sure not to select an address which is bound to another SSL-proxy.

Initially the proxy will be created with a temporary "self signed" certificate. The real SSL certificate will be imported when the proxy is added to the system.

3.4.2.2. Real server settings

In the Real web server section

Select the protocol you want Profense™ to use for traffic between Profense™ and the web server. HTTP is the default selection but HTTPS is also possible if you want the traffic to be SSL-encrypted.
Enter the IP address or domain name of the web server domain name requires a name server to be configured for Profense™
Enter the port number the web server is listening to.

Please refer to the proxy management section for details on configuring the proxy.

3.4.2.3. Mode and initial configuration

When the HTTPS-proxy is configured click the Save proxy button.

3.4.2.4. Exporting certificate from web server

When creating a proxy for an existing HTTPS web server you need to move the SSL-certificate from the web server to Profense™. This is done by exporting the SSL-certificate from the web server and importing it into Profense™.

Profense™ supports importing of PKCS12 and PEM encoded server certificates.

3.4.2.4.1. Export web servers certificate

To export a certificate from the web server please refer to the vendors guidelines:

Microsoft

Microsoft guidelines can be found on these addresses:

IIS 5.0

Export the certificate to a .PFX file (default) which is PKCS12 encoded.

Apache

For web servers running Apache:

Obtain the SSL-certificate file from the web servers file system. By default the file is PEM-encoded.

3.4.2.5. Importing the SSL certificate

To import a certificate go to Proxy -> Manage -> Settings -> Servers .

In the section Virtual web server select Update certificates .

Depending on the format of the certificate select the appropriate action in the bullet list.

3.4.2.5.1. Importing the PKCS12 format

If the certicifate is in the PKCS12 format follow the guidelines below:

Enter the path to the certificate file in the PKCS12 file input field.
Enter Passphrase in the Passphrase input field.
Click Save settings in the lower button pane.

3.4.2.5.2. Importing the PEM format

If the certificate is in the PEM format follow the guidelines below:

Open the .PEM file in a text-editor. Copy the public certificate section of the certificate.

The public key/certificate is the section of the certificate file between (and including) the certificate start and end tags. Example:
```
-----BEGIN CERTIFICATE-----

Certificate characters

-----END CERTIFICATE----- 
```
Select Import SSL certificate In the Profense™ management interface

Paste the SSL public key/certificate into the SSL-certificate field.
Go back to the text editor and copy the (SSL) private key section of the certificate. The (SSL) private key is the section of the certificate file between (and including) the private key start and end tags. Example:
```
-----BEGIN RSA PRIVATE KEY-----

Private key characters

-----END RSA PRIVATE KEY-----
```
Enter the passphrase for the private key in the passphrase field (if the original private key was encrypted).

3.5. Removing a proxy

In the proxy overview, click on the trashcan symbol shown to the right of the proxy you want to remove.

4. Global patterns

GUI Path: Proxy -> Manage + Policy -> Global patterns

The Global patterns section allows for defining filters matching URLs and parameters on a proxy global basis.

Incoming requests are validated in the following order:

Static content rules: If the extension of the requested filename extension matches one of the extensions defined in static content settings and the request has no parameters, the request is allowed.
Global URL rules: If the request has no parameters and one of the global URL rules matches it it is allowed. If the request matches a global blocking rule it is denied.
Access policy: If the request (including possible parameters) matches an entry in the detailed access policy it is allowed.
Access policy + global parameters: If a request matches an entry in the detailed access policy but one or more parameters are offending, these parameters are checked against the global parameters rules. If there is a combined match the request is allowed.
Global URL rules + global parameters: If a requested URL with parameters matches a global URL rule and all supplied parameters match global parameter rules the request is allowed.
In Auto mode, if a query (a request parameter) does not match any rules it is validated using negative signature based policy rules. If it allowed it is added to the learning sample population and when enough samples are recorded the parameter is included in the positive policy.
No match: The request is denied.

4.1. Static content policy

The Static content policy allows requests without parameters based on file extension (i.e. .gif) and allowed path characters .

To define a static content policy enter or edit file extensions and allowed path characters .

File extension

The file extension is defined as a list of comma separated values.

Allowed path characters

Allowed path characters are defined by selecting them on a list.

The letter A denotes all international alphanumeric characters and other characters are represented by their glyph, their UTF-8 number and a description.

As static content is not supposed to have any parameters (hence the denotation "static") only requests without parameters and with the method GET are validated against this rule.

It is possible to allow static requests in general.

Allow all static requests

If checked, requests without parameters like requests for graphic elements, stylesheets, javascript, etc. are allowed in general.

File extension

The file extension is defined as a list of comma separated values.

Valid input: A list of comma seperated file extensions without a trailing period.
Input example: css,png,ico,jpg,js,jpeg,gif,swf
Default value: If initial policy configuration is selected: css,png,ico,jpg,js,jpeg,gif,swf

Allowed path characters

Allowed path characters are defined by selecting them on a the list which appears when activating the button Edit .

In the list the letter A denotes all international alphanumeric characters and other characters are represented by their glyph, their UTF-8 number and a description.

Valid input

All characters in the list

Input example

Hyphen-minus ("-", UTF-8: 2d)
All international alphanumeric
Space (" ", UTF-8: 20)

Default value

When initial policy configuration with rules is selected the path characters in the input example above are allowed.

4.2. Global URL path policy

4.2.1. Allowed paths

The URL regular expressions filter matches URLs without parameters on a proxy global basis. If a request matches any of the defined regular expressions, it will be marked as valid by Profense™ and forwarded to the back-end server.

For examples of global URL regular expressions, please refer to Table 3.6, “Examples of global URL regular expressions”

	Note
	Full match is implied for each regular expression, meaning that each will match from the start to the end of the request (a caret ^ and dollar $ will be appended if not already present).

Enable global URL signature based negative matching

Check or uncheck the checkbox Enable global URL signature based negative matching to enable validation of the path element of the URL against negative signatures.

Only available in Profense™ Professional (and trial).

Enable global URL regexp matching

Check or uncheck the checkbox Enable global URL regexp matching to enable global URL regexp matching.

Global URL path policy patterns

In the input area enter one or more regular expressions defining the global path policy.

Valid input

Valid regular expressions separated by new-line.

Input example

(/[\w\-]+)+\.(htm|html|shtml|pdf|asp|aspx|php|jsp)

Default value

If initial policy configuration is selected:

(/[\w\-]+)+\.(htm|html|shtml|pdf|asp|aspx|php|jsp)
(/[\w\-]+)+/?

4.2.2. Denied paths

The URL regular expressions block filter matches URLs without parameters on a proxy global basis. If a request matches any of the defined regular expressions it will instantly be blocked.

	Note
	The expressions are matching from left to right. Full match is not implied but matching always start at start of line. This implies that for instance the expression /admin will match any URI starting with /admin.

Enable global URL regexp blocking	Check or uncheck the checkbox Enable global URL regexp blocking to enable blocking on a global basis.
Global URL path policy patterns	In the input area enter one or more regular expressions defining the global denied path policy. Valid input Valid regular expressions separated by new-line. Input example /admin (any request starting with "/admin") /testarea (any request starting with "/testarea") .+\.php (any request for files with the extension ".php") .+\.htm([^l]\|$) (block .htm but allow .html) Default value `none`

4.3. Global parameters policy

In the global parameters section, parameters which all or many URLs have in common can be added. For instance in many CM systems an URL can be viewed in a printer friendly version by adding a specific parameter to the URL.

When adding parameters to the list both the name and the value of the parameter is interpreted by Profense™ as regular expressions. Like with the global URL-regular expressions full match from start to end is implied.

Enable global parameter signature based negative matching	Check or uncheck the checkbox Enable global parameter signature based negative matching to enable signature bases matching of parameter names and corresponding values. When the Proxy is running in `Auto mode` this option is disabled as it is enabled per default for parameters not matcing any other policy rules. In other words: In auto mode this option is used in combination with positive matching but is only used for validating parameters whose name does not match any other policy rules.
Enable global parameter regexp matching	Check or uncheck the checkbox Enable global parameter regexp matching to enable global parameter regexp matching.
Name	In the list enter a regular expression matching the parameter name or names you want to match. Valid input A valid regular expression. Input example `\w{1,32}_btn` - matches all parameter names which start with a string of up to 32 characters and ends with the specific string '_btn'. `print` - matches the specific name print. Default value When initial policy configuration with rules is selected: `\w{1,32}`
Value	In the list enter a regular expression matching the value corresponding to the parameters name or name pattern. Valid input A valid regular expression. Input example `\w{1,32}` - matches all parameter values containing an alphanumeric string of up to 32 characters. `\d{1,32}` - matches all parameter values containing up to 32 digits. Default value When initial policy configuration with rules is selected: `[\w\s_,/:()+@$\.\-]`

For examples of specifying global parameters using regular expressions please refer to Table 3.8, “Examples of global parameters regular expressions”.

For more general examples using regular expressions for input validation please refer to Table 3.7, “Examples of regular expressions for input validation”.

	Note
	Full match is implied for each regular expression, meaning that each will match from the start to the end of the request (a caret ^ and dollar $ will be appended if not already present).

4.4. Signature usage

The use of attack signatures can be enabled or disabled for each request method supported.

4.4.1. Negative filtering column

The checkboxes in the negative filtering column enable or disable the use of attack signatures for validating input. The settings only applies to requests or or request parts for which negative filtering is enabled.

Attack Class	The name of the signature attack class
HEAD Check box	Check or uncheck to enable signature for method `HEAD`. Default: Signature dependent.
GET Check box	Check or uncheck to enable signature for method `GET`. Default: Signature dependent.
POST Check box	Check or uncheck to enable signature for method `POST`. Default: Signature dependent.

The negative filtering column is not displayed in Profense™ Base licenses.

4.4.2. Classification column

The checkboxes in the classification column enable or disable the use of attack signatures for classifying log records and learning samples. If for instance the website takes HTML as in input like some CMS'es and bulletin board systems does this is likely to trick the Cross Site Scripting (XSS) signature. If it is not possible to white-list the IP address(es) from which the input originates or to only allow access to the CMS via VPN it might be neccessary to disable the XSS signature in order to ensure that the Learner gets the data samples.

Attack Class	The name of the signature attack class
HEAD Check box	Check or uncheck to enable signature for method `HEAD`. Default: Signature dependent.
GET Check box	Check or uncheck to enable signature for method `GET`. Default: Signature dependent.
POST Check box	Check or uncheck to enable signature for method `POST`. Default: Signature dependent.

4.5. IP pass through

IP pass through allows for configuring overriding of filter actions based on the source of the request.

Enable Pass through mode

Check box

Enable / disable access logging.

With Pass Through mode enabled, all requests will be forwarded to the real server, but will be otherwise handled the usual way (ie. Profense™ will learn about the site and log any blocked requests not matching the applied access control list).

Default: <disabled>

Whitelist

Input field

Per default, requests originating from any IP address (0.0.0.0/0) is affected when Pass Through Mode is enabled.

The whitelist allows for the definition of specific IP address(es) or networks for which Pass Through Mode is enabled.

Valid input

IP address with net mask (IP/mask) in CIDR notation

Input example

192.168.0.8/32 - the IP address 192.168.0.8

192.168.0.0/24 - IP addresses 192.168.0.0 - 255

192.168.0.8/29 - IP addresses 192.168.0.8-15

Default value

<none>

Allow all

Button

Allow all requests.

The button Allow all resets the the whitelist to any IP address (0.0.0.0/0).

4.6. General request settings

These settings specify more general filtering criteria like headers content and length, POST payload size limit, etc.

Maximum header length Input field	Defines the maximum length values for each inbound HTTP header. If a given header fails this check, the entire request is blocked and handled accordingly. Valid input An integer specifying size in bytes Input example `2048` Default value `4096`
Enforce strict HTTP/1.0 and HTTP/1.1 compliant headers Check box	Enable / disable enforcement of strict HTTP/1.0 and HTTP/1.1 compliant headers. If enabled, Profense™ will enforce strict HTTP 1/0 and HTTP/1.1 header compliance according the RFC standards and deny any custom HTTP header is sent in the request. If a given header fails the check, the entire request is blocked and handled accordingly. Default: `<disabled>`
Pragmatic HTTP headers checking Check box	Enable / disable pragmatic HTTP headers checking. If enabled, inbound HTTP headers are checked according to a more loose definition. Custom HTTP headers are allowed. Default: `<disabled>`
Enable file upload support Check box	Enable / disable file upload support. If enabled, Profense™ will simply pass file upload requests from clients. Default: `<disabled>`
Block multiple and %u encoded requests Check box	Enable / disable blocking of multiple (or %u) encoded requests. In an attempt to evade detection attackers often try to encode requests multiple times. If enabled, Profense™ will block requests which after being decoded still contains encoded characters. Default: `<enabled>`
POST form payload limit Input field	Defines the maximum allowed POST content length. If a given POST request length fails the check, the entire request is blocked and handled accordingly. Valid input An integer specifying payload limit in bytes Input example `16384` Default value `32768`
POST upload payload limit Input field	Defined the maximum allowed POST content length for file uploads. If a given file size is larger than the specified, the request will be denied. Valid input An integer specifying upload payload limit in bytes Input example