WAF Ruleset

Vulture lets you edit security rules for the mod_security and mod_defender modules. When you create a whitelist or blacklist from logs, the related rules appear here.

There are multiple sources for Apache mod_security rules:

  • Manually edit the rules: write custom mod_security rules.
  • Import OWASP rules: download the mod_security rules package defined by OWASP, which covers a large set of known vulnerabilities.
    The repository link is customizable from Management service ModSecurity URL.

Imported OWASP rules can be selected individually. Clicking on the "OWASP_CRS" rule dataset lets you toggle specific rules; those rules can also be edited.

Vulture gives you the ability to use Virtual Patching, which generates a list of mod_security rules from a vulnerability scan report.

Whitelist rulesets for well-known CMSs are also provided out of the box by Vulture; their names end with 'WL' and they are used by mod_defender.


Anti Session Hijacking


CSRF Token

A CSRF token is injected into every form and checked on each POST request. If the submitted token does not match the one generated by Vulture, the anomaly score is increased by the amount specified in the WAF Policy.
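The following is an added Python example, not Vulture's own code, modelling the CSRF mechanism described above: a token bound to the session with an HMAC, injected after every form opening tag, and verified on POST with the mismatch contributing an anomaly score. The secret key, session ids and the per-check score value are constructed sample values.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample key; a real deployment uses a random per-installation secret.
SECRET_KEY = b"constructed-waf-secret-key"


def make_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Token = nonce '.' HMAC-SHA256(secret, session_id ':' nonce).

    Binding the token to the session id means a token captured for one
    session cannot be replayed in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = SECRET_KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:  # malformed or empty token
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# Matches any <form ...> opening tag, regardless of case.
_FORM_RE = re.compile(r"(<form\b[^>]*>)", re.IGNORECASE)


def inject_csrf_token(html: str, token: str) -> str:
    """Add a hidden csrf_token input right after every <form> opening tag."""
    field = f'<input type="hidden" name="csrf_token" value="{token}">'
    return _FORM_RE.sub(lambda m: m.group(1) + field, html)


def score_post(form_fields: dict, session_id: str, csrf_score: int = 5) -> int:
    """Anomaly score contributed by the CSRF check for one POST request:
    0 when the token verifies, csrf_score (the WAF Policy amount) otherwise."""
    token = form_fields.get("csrf_token", "")
    return 0 if verify_csrf_token(token, session_id) else csrf_score
```

The token is validated against the session it was issued for, so the check fails both for a forged token and for a valid token replayed in a different session; a missing or malformed token is treated the same way as a mismatch.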

User-Agent checking

Capture the User-Agent and check which of the following categories it falls into:

  • Unknown UA
  • UA Anonymous
  • UA Bot
  • UA Browser
  • UA Cloud
  • UA Console
  • UA Crawler
  • UA Emailclient
  • UA Emailharvester
  • UA Mobile
  • UA Script

Content-type whitelist

Check whether the Content-Type is one of the following (specified in the WAF Policy):

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/xml
  • application/xml
  • application/x-amf
  • application/json
  • application/json-rpc

Protocol whitelist

Check whether the protocol is one of the following (specified in the WAF Policy):

  • HTTP/1.0
  • HTTP/1.1
  • HTTP/2

File extension whitelist

For a file upload, check whether the file extension is included in the list specified in the WAF Policy.

Headers whitelist

Check that the request does not contain any of the following header fields (specified in the WAF Policy):

  • Proxy-Connection
  • Lock-Token
  • Content-Range
  • Translate
  • via
  • if
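As an added Python example (not Vulture's code), the four whitelist checks above, Content-Type, protocol, file extension and headers, evaluated against one request and summed into an anomaly score. The Content-Type, protocol and header lists are the documented defaults; the allowed upload extensions and the score per failed check are constructed policy values. The example also handles the details a practitioner has to get right: Content-Type parameters such as boundary or charset are stripped before comparison, header names are compared case-insensitively, and only the last extension of the final path component of an uploaded filename is considered.

```python
from dataclasses import dataclass, field

# Documented defaults from the WAF Policy.
ALLOWED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/xml",
    "application/xml", "application/x-amf", "application/json", "application/json-rpc",
}
ALLOWED_PROTOCOLS = {"HTTP/1.0", "HTTP/1.1", "HTTP/2"}
# Header names are stored lowercased: clients may send "Via" or "via".
FORBIDDEN_HEADERS = {"proxy-connection", "lock-token", "content-range", "translate", "via", "if"}
# Constructed policy value: extensions accepted for file uploads.
ALLOWED_UPLOAD_EXTENSIONS = {"png", "jpg", "pdf"}


@dataclass
class Request:
    protocol: str
    headers: dict                      # header name -> value, as sent by the client
    upload_filenames: list = field(default_factory=list)


def media_type(content_type: str) -> str:
    """'multipart/form-data; boundary=XyZ' -> 'multipart/form-data'.

    Parameters are stripped and the type lowercased, so a boundary or charset
    parameter, or unusual casing, does not slip past the whitelist."""
    return content_type.split(";", 1)[0].strip().lower()


def extension(filename: str) -> str:
    """Extension of the final path component, lowercased; '' when there is none.

    Directory parts (either separator) are discarded so a path-like filename is
    judged only on its basename, and the part after the last dot is compared."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def evaluate(req: Request, score_per_check: int = 5) -> tuple:
    """Return (anomaly score, list of violated checks) for one request."""
    violations = []
    if req.protocol not in ALLOWED_PROTOCOLS:
        violations.append(f"protocol {req.protocol}")
    lowered = {name.lower(): value for name, value in req.headers.items()}
    ct = lowered.get("content-type")
    if ct is not None and media_type(ct) not in ALLOWED_CONTENT_TYPES:
        violations.append(f"content-type {media_type(ct)}")
    for name in req.headers:
        if name.lower() in FORBIDDEN_HEADERS:
            violations.append(f"header {name}")
    for filename in req.upload_filenames:
        if extension(filename) not in ALLOWED_UPLOAD_EXTENSIONS:
            violations.append(f"upload {filename}")
    return score_per_check * len(violations), violations
```

A request with no Content-Type header passes the Content-Type check (there is nothing to compare), while an uploaded file with no extension fails the extension whitelist, since an empty extension is never on the allowed list.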