Recognizing suspicious requests
FortiWeb appliances can recognize known attacks by comparing each request to a signature. How, then, does it recognize requests that aren’t known to be an attack, or aren’t always an attack, but might be?
FortiWeb uses several methods for this:
HTTP protocol constraints (“HTTP/HTTPS protocol constraints”)
application parameter sanitizers & constraints (“Preventing zero-day attacks”)
exploit signatures (“Blocking known attacks & data leaks”)
DoS/DDoS sensors (“DoS prevention”)
access control lists (“Access control”)
Web applications’ administrative URLs often should not be accessible by clients on the Internet, and therefore any request for those URLs from source IP addresses on the Internet may represent an attempt to scout your web servers in advance of an attack. (Exceptions include hosting providers, whose clients may span the globe and often configure their own web applications.) Administrative requests from the Internet are therefore suspicious: the host may have been compromised by a rootkit, or its administrative login credentials may have been stolen via spyware, phishing, or social engineering.
FortiWeb appliances can compare each request URL with regular expressions that define known administrative URLs, and log and/or block these requests.
Regular expressions for suspicious requests by URL are categorized as:
Predefined — Regular expressions included with the firmware. These match common administrative URLs, and URLs for back-end data such as caches. They cannot be modified except via FortiGuard updates, but they can be copied and used as the basis for custom definitions of sensitive URLs.
Custom — A regular expression that you have configured to detect any suspicious access attempts by URL that cannot be recognized by the predefined set. Can be modified.
Both types can be grouped into a set that can be used in auto-learning profiles.
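As an added illustration (not FortiWeb's own code, and not its actual predefined pattern set), the following Python shows how such a grouped set of predefined and custom URL expressions can be applied to requests from Internet sources, comparing the URL path only and reporting each hit with a log or block action. The patterns, the internal address ranges and the access-log lines are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed example patterns: illustrative only, not FortiWeb's predefined set.
PREDEFINED = {
    "admin-console": re.compile(r"^/(admin|administrator|manager)(/|$)", re.I),
    "phpmyadmin": re.compile(r"^/phpmyadmin(/|$)", re.I),
    "backend-cache": re.compile(r"^/\.?cache(/|$)", re.I),
}
# A custom pattern for an application-specific admin path (hypothetical).
CUSTOM = {
    "ops-panel": re.compile(r"^/ops-panel(/|$)", re.I),
}
# Both types grouped into one set, as an auto-learning profile would reference.
SUSPICIOUS_URL_SET = {**PREDEFINED, **CUSTOM}

# Ranges this deployment treats as internal (assumption; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def from_internet(src_ip):
    """True when the source address is outside every internal range."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(src_ip, url):
    """Return the name of the first matching suspicious-URL rule, or None.
    Only the path is compared, so a query string cannot mask an admin URL."""
    if not from_internet(src_ip):
        return None
    path = urlsplit(url).path
    for name, pattern in SUSPICIOUS_URL_SET.items():
        if pattern.search(path):
            return name
    return None

SAMPLE_LOG = [  # constructed lines in the form "<source_ip> <method> <url>"
    "203.0.113.7 GET /admin/login.php?next=/",
    "10.0.0.5 GET /admin/login.php",
    "198.51.100.9 GET /index.html",
    "198.51.100.9 GET /ops-panel/users",
    "203.0.113.8 POST /phpMyAdmin/",
]

def scan(lines, action="log"):
    """Return (src_ip, path, rule, action) for each suspicious request."""
    hits = []
    for line in lines:
        src_ip, _method, url = line.split(maxsplit=2)
        rule = classify(src_ip, url)
        if rule:
            hits.append((src_ip, urlsplit(url).path, rule, action))
    return hits
```

The internal request for /admin/login.php from 10.0.0.5 is deliberately not reported, mirroring the point that it is the Internet source, not the URL alone, that makes the request suspicious.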
See also
How often does Fortinet provide FortiGuard updates for FortiWeb?