All Products
Search
Document Center

Security Center:Handle attack alerts

Last Updated:Jun 18, 2024

The Runtime Application Self Protection (RASP) agent obtains the application runtime context and the parameters that are configured for hook functions. Then, the RASP agent analyzes the obtained data by using technologies such as semantic analysis and behavioral baseline check to detect threats in a protected application. The RASP agent has a low false positive rate. In most cases, the alerts reported by the RASP agent indicate actual attacks, known as attack alerts. The application protection feature provides attack details, including attacker IP addresses, malicious attack characteristics, input parameters, and call stack information. We recommend that you handle attack alerts at the earliest opportunity based on the information on the alert details page. This topic describes how to handle attack alerts.

View and handle attack alerts

The following example describes how to view and handle an attack alert that is generated for a malicious file upload.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the Attack Alerts tab, find the alert that you want to view and click Details in the Actions column.

  4. On the alert details page, view the alert information.

    Take note of the following fields to determine whether the alert is a true positive.

    image.png

    Section

    Field

    Description

    Solution

    Basic Alert

    Attacker IP Address

    The source IP address that is used to access your application.

    Determine whether the IP address is a normal IP address that is used to access your application.

    CVE ID

    The ID of the vulnerability that is exploited by attackers during the access. A vulnerability ID is available only for attacks that are launched by exploiting the vulnerability.

    To reduce the attack surface that can be exploited by attackers, we recommend that you handle application vulnerabilities at the earliest opportunity. You can click the vulnerability ID to view the vulnerability details.

    Advanced Alert

    Malicious Characteristics

    The malicious data that is sent by attackers to your application.

    View information in the Advanced Alert section to determine whether the alert indicates normal service requests.

    In this example, check whether the request to upload the addservlet.jsp file in the /tmp/addservlet.jsp directory is normal.

    • If the request is normal, you can add the characteristics to a whitelist. After you add the characteristics to the whitelist, the application protection feature no longer generates alerts for the requests that have the characteristics.

    • If the request is abnormal, the request may be a reconnaissance attack or an actual attack.

      • If you set the protection mode to Monitor, a malicious file may be executed. In this case, you must manually delete the file at the earliest opportunity.

      • If you set the protection mode to Block, the application protection feature blocks the attack, and the file cannot be stored on your server.

    Trigger Function

    The security-sensitive function within the application. When this function is called, an alert is triggered. When the RASP agent detects the calls of the function, the agent checks and processes the invocations to detect for risks.

    Specified Parameters

    The behavior and event logs generated by the application when the application processes requests. This field is a JSON object that contains a key-value pair.

    Stack Calling

    The call stack of the application when an event occurs, which records the sequence of function calls.

    More Information

    Request URL

    The information about the request to access the application.

    View the information about the request to access the application and check whether the request is sent from a legitimate source. If the request is sent from an illegitimate source, implement access control on or deny the requests from the source.

Add an attack alert to a whitelist

If you confirm that an attack alert is triggered by a normal access request, you can add the attack alert to a whitelist to prevent similar alerts from being triggered. You can add an attack alert to a whitelist based on the following alert information: malicious attack characteristics, input parameters, and request URL. Before you add an attack alert to the whitelist, obtain the information on the alert details page.

Note

If you want to configure whitelists based on malicious attack characteristics and input parameters, you must upgrade the version of the RASP agent to 0.5.2 or later. You can restart the protected application to automatically upgrade the RASP agent to the latest version. For more information, see View the version of the RASP agent.

The following section describes how to add an attack alert to a whitelist. If you want to configure a whitelist for multiple application groups at a time, click Whitelists in the upper-right corner of the alert list. On the Whitelists page, click Configure Whitelist.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the Attack Alerts tab, find the alert that you want to manage and choose Handle > Add to Whitelist in the Actions column.

  4. In the Add to Whitelist panel, configure the whitelist rules and click OK.

    • Before you configure the whitelist rules, take note of the following items:

      You can configure the whitelist rules in one of the following whitelist modes: Malicious Characteristics, Specified Parameters, and Request URL. The application protection feature automatically populates the whitelist rule fields based on the data that is obtained from the alert details. The whitelist rules that use the automatically populated fields can identify and control similar requests in an accurate manner.

      If you want to enlarge the scope of requests on which a whitelist rule takes effect, you can modify the Match Mode and Content to Match fields.

      For example, the Malicious Characteristics field of the alert that is triggered by a malicious file upload is /usr/local/tomcat/webapps/upload/1.jsp. If you confirm that all access requests to the upload directory are normal, perform the following steps:

      • Change the value of the Match Mode field to Prefix Match.

      • Change the value of the Content to Match field to /usr/local/tomcat/webapps/upload/.

    • The following items describe the match modes supported by a whitelist:

      • Exact Match: If the transmitted content is the same as the string that is specified in the Content to Match field, no alert is triggered.

      • Partial Match: If the transmitted content contains a string that is specified in the Content to Match field, no alert is triggered.

      • Prefix Match: If the transmitted content starts with the string that is specified in the Content to Match field, no alert is triggered.

      • Suffix Match: If the transmitted content ends with the string that is specified in the Content to Match field, no alert is triggered.

    Note

    After you configure the whitelist rules, you can view and manage the whitelist rules on the Whitelists page. For more information, see Manage whitelist rules.

Manage whitelist rules

View whitelist rules

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the Attack Alerts tab, click Whitelists.

  4. On the Whitelists page, view the whitelist rules.

    To manage whitelist rules, you can perform the following operations:

    • Enable or disable a whitelist rule: Turn on or turn off the switch in the Rule Switch column.

    • Modify or delete a whitelist rule: Click Edit or Delete in the Actions column.

    • Create a whitelist rule: Click Configure Whitelist. For more information, see Create whitelist rules.

Create whitelist rules

When you create a whitelist rule, you can specify multiple threat types and multiple application groups. This way, the whitelist rule applies to the specified application groups at the same time, and the types of threats are added to the whitelist of the application groups.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

  3. On the Attack Alerts tab, click Whitelists.

  4. On the Whitelists page, click Configure Whitelist.

  5. In the Configure Whitelist panel, configure the whitelist rules and click OK.

    Parameter

    Description

    Rule Name

    The name of the whitelist rule.

    White Mode

    The whitelist mode. Valid values:

    • Malicious Characteristics

    • Specified Parameters

    • Request URL

    Threat Type

    The type of the threat that you want to add to the whitelist rule. You can click Select to select a threat type in the Threat Type panel.

    Match Mode

    The match mode in which the whitelist rule takes effect.

    • Exact Match: If the transmitted content is the same as the string that is specified in the Content to Match field, no alert is triggered.

    • Partial Match: If the transmitted content contains a string that is specified in the Content to Match field, no alert is triggered.

    • Prefix Match: If the transmitted content starts with the string that is specified in the Content to Match field, no alert is triggered.

    • Suffix Match: If the transmitted content ends with the string that is specified in the Content to Match field, no alert is triggered.

    Content to Match

    The content that is used to validate data against the whitelist rule based on the specified whitelist mode. You can configure this parameter based on the Malicious Characteristics, Specified Parameters, and Request URL parameter values provided on the alert details page.

    Destination Application Groups

    The application group to which you want to apply the whitelist rule. You can click Select to select an application group in the Destination Application Groups panel.

References

Security Center also provides the in-memory webshell prevention feature. For more information, see Use the in-memory webshell prevention feature.