In this very short edition of our WAF Gateway Fundamentals, I will cover (very succinctly) the MX Alerts Data Structure, before we move on to Web Profiling in the next edition. If you have any questions, I'd love to hear them in the comment section. Don't forget you can see the rest of the "WAF Gateway Fundamentals" blog series here.
Definitions
I will start with a few key definitions.
Event:
An Event is the basic entity when discussing alerts; it represents a unit of traffic seen by the Gateway, for example an HTTP request, an SQL query, a file operation or a TCP stream.
Irregular Behaviour:
Also known as a violation (the term used in the UI), it represents the reason why the Gateway sends the event to the MX, i.e. what is wrong with that specific event. For example: Cross-Site Scripting on parameter X.
Alert:
An Alert is an aggregation of several irregularities (possibly from several events).
Different aggregation logic is defined for each irregularity type, but all types share one rule:
aggregation never lasts more than 12 hours
(i.e. an event with a timestamp more than 12 hours after the alert's creation time results in the creation of a new alert).
For example:
Cross-Site Scripting is aggregated by the following fields: session and parameter value --> all Cross-Site Scripting events with the same parameter value in the same session are aggregated into the same alert (within the 12-hour time window).
Relations between the Entities
So how do these relate to each other in the MX Alerts Data Structure?
- An Event can be connected to a single Alert or to multiple Alerts.
- An Irregular Behaviour is connected to both an Event and an Alert.
- The Irregular Behaviours of a single Event are distributed among the Alerts connected to that Event.
- An Irregular Behaviour is normally attached to an Alert; only in rare cases does it have none.
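To make the aggregation rule and the relations above concrete, here is an added example (my own hypothetical model, not Imperva's MX code) that distributes the irregularities of a set of events into alerts keyed by session and parameter value with the 12-hour window. The Event/Alert field names, and applying the Cross-Site Scripting aggregation fields to every type, are assumptions; the sample events are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model of the MX aggregation described above; not Imperva's own code.
WINDOW = timedelta(hours=12)  # an alert never aggregates for longer than this

@dataclass(frozen=True)
class Event:
    event_id: int
    timestamp: datetime
    session: str
    irregularities: tuple  # (violation type, parameter value) pairs seen in the event

@dataclass
class Alert:
    alert_id: int
    violation_type: str
    key: tuple           # aggregation fields, i.e. (session, parameter value)
    created: datetime
    event_ids: list = field(default_factory=list)

def aggregate(events):
    """Distribute each event's irregularities among alerts, opening a new alert when
    no alert with the same type and key exists or the matching one is over 12h old."""
    alerts = []
    for event in sorted(events, key=lambda e: e.timestamp):
        for vtype, pvalue in event.irregularities:
            # XSS rule from the post (session + parameter value); assumed for other types too
            key = (event.session, pvalue)
            target = next((a for a in reversed(alerts)
                           if a.violation_type == vtype and a.key == key
                           and event.timestamp - a.created <= WINDOW), None)
            if target is None:  # first of its kind, or outside the window: new alert
                target = Alert(len(alerts) + 1, vtype, key, event.timestamp)
                alerts.append(target)
            target.event_ids.append(event.event_id)
    return alerts

def alerts_for_event(alerts, event_id):
    # An event may be connected to several alerts (one per irregularity)
    return [a.alert_id for a in alerts if event_id in a.event_ids]

def sample_events():
    # Constructed sample data: two parameter values in one session, a second
    # session, and a late event that falls outside the 12-hour window.
    t0, xss = datetime(2024, 1, 1), "Cross-Site Scripting"
    return [Event(1, t0, "sess-A", ((xss, "value-1"), (xss, "value-2"))),
            Event(2, t0 + timedelta(hours=1), "sess-A", ((xss, "value-1"),)),
            Event(3, t0 + timedelta(hours=2), "sess-B", ((xss, "value-1"),)),
            Event(4, t0 + timedelta(hours=13), "sess-A", ((xss, "value-1"),))]
```

Running `aggregate(sample_events())` yields four alerts: event 1 lands in two of them, event 2 joins event 1's first alert, and event 4 opens a fresh alert because it arrives 13 hours after that alert was created.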
Sample Event XML
This is an example of the XML sent from the Gateway to the MX for a WAF event (an HTTP request).
See the full event here