Imperva Cyber Community


Threat Radar Malicious IP Policy

  • 1.  Threat Radar Malicious IP Policy

    Posted 09-18-2020 10:23
    Hi Everyone,

    I would like to know why the HTTP Protocol 1.x policy is hitting before the Threat Radar policy, as it does not make sense to open a packet if the IP seems to be found as malicious.

    Can someone please comment on this?
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Nishanth Minikkaran
    Allianz technology
    ------------------------------


  • 2.  RE: Threat Radar Malicious IP Policy

    Imperva Employee
    Posted 28 days ago
    Hi Nishanth,

    Imperva On-Premises WAF implements a multistage processing path, along which packets, streams and messages are assembled, parsed, normalized and analyzed.

    Along this path there are various "hookpoints", where the messages are matched against the various security policies, and where the policy actions are executed.

    These hookpoints are organized in a particular order:

    • Hookpoints with lower ordinals are processed before hookpoints with higher ones.
    • When a policy blocks a message, that message is not sent to the processing path further than that policy's hookpoint, which means that the message is not matched against policies that run at upstream hookpoints. 
    • However, if the message reaches a given hookpoint, all the policies that run at that hookpoint are applied to the message, regardless of those policies' order and of each policy's action.

    Hope this helps,

    Best

    ------------------------------
    Ira Miga
    Imperva
    Knowledge Engineer
    ------------------------------
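
The three hookpoint rules from the reply above, modelled as an added example (not part of either post and not Imperva code). The hookpoint ordinals, policy names, their placement and the sample message are constructed for illustration and do not reflect the product's real values.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Policy:
    name: str
    hookpoint: int                   # ordinal; values here are constructed
    matches: Callable[[dict], bool]
    action: str                      # "alert" or "block"

def process(message, policies):
    """Walk hookpoints in ascending ordinal; return (fired, blocked_at)."""
    fired = []
    for ordinal in sorted({p.hookpoint for p in policies}):
        blocked = False
        # Every policy at a reached hookpoint is applied, whatever its
        # position in the list and whatever the other policies' actions.
        for p in (p for p in policies if p.hookpoint == ordinal):
            if p.matches(message):
                fired.append((ordinal, p.name, p.action))
                blocked = blocked or p.action == "block"
        if blocked:
            # A blocked message is not passed on to later hookpoints.
            return fired, ordinal
    return fired, None

# Constructed sample data (documentation address range, made-up fields).
BAD_IPS = {"203.0.113.7"}
MESSAGE = {"src_ip": "203.0.113.7", "http_version": "HTTP/9.9", "headers": 120}

def demo(protocol_action):
    """Run MESSAGE through three hypothetical policies on two hookpoints."""
    policies = [
        Policy("http-protocol", 10,
               lambda m: m["http_version"] not in ("HTTP/1.0", "HTTP/1.1"),
               protocol_action),
        Policy("header-limit", 10, lambda m: m["headers"] > 100, "alert"),
        Policy("ip-reputation", 20, lambda m: m["src_ip"] in BAD_IPS, "block"),
    ]
    return process(MESSAGE, policies)

if __name__ == "__main__":
    for action in ("alert", "block"):
        fired, blocked_at = demo(action)
        print(f"http-protocol={action}: blocked_at={blocked_at}")
        for entry in fired:
            print("   ", entry)
```

With the protocol policy set to alert, all three policies fire and the block happens at the later hookpoint; set to block, the reputation policy at the later hookpoint is never evaluated, so it produces no event for that message.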