How do I edit rules for VigilEnt Agent for WebServers?
VigilEnt Security Agent for WebServers 2.0
VigilEnt Security Agent for WebServers 2.1
VigilEnt Security Agent for WebServers 2.1 Patch1
VigilEnt Security Agent for WebServers 2.1 Patch2
VigilEnt Security Agent for WebServers 3.1.1
The Rule Editor is used to configure the rules that monitor web servers. From this window, rules can be enabled and disabled, customized, and assigned actions. This section provides a generic explanation of setting up a rule. Depending on the rule,the setup procedure may vary.
To Edit Rules:
- Select the Detect/Prevent tab in the main VigilEnt Security Agent for Web Servers window. The Detect/Prevent window opens.
- Select Manage Web Servers on the subnavigation bar. The Web Server Manager window opens listing all web server configurations that have been added. If the configuration to be edited is listed as active in the Web Server Manager window, the Rules Editor can be accessed using the Edit Rules link.
- Click the Edit Rules icon next to the configuration to be edited.
- Parameters: If the rule requires customization data for your specific web server configuration, enter this data in the field in the Parameters section of the rule.
- Enable Rule: Select this check box to set the rule to monitor incoming HTTP requests.
- Actions: Select the actions to be taken when the rule captures a potentially malicious request.
- Click Save. Your changes are saved and the Web Server Manager window opens.
You can click the Reset button to reverse all parameter changes made during this editing session.
The Reject Request action is the only action that will prevent exploits. However, misconfigured rules may reject legitimate web traffic. To determine how a rule affects the traffic on your web site, enable the rule, uncheck (disable) the Reject Request action, and check (enable) the Log Request action. Review the log files using the Detect/Prevent Log Viewer and cross reference the VLP column of the log to the ID number in the rule description. The SNMP trap action can be used to validate rules against normal web traffic instead of the Log Request action.
Carefully review the parameters of the rules against the normal traffic for your web site. Review the documentation provided with the installation kit relating to the current rule sets. By default, all rules are shipped in the disabled state.