-
Cisco Application Velocity System User Guide (Software Version 5.0)
-
Preface
-
Product Overview
-
AVS Description
-
Appliance Administration
-
Command Line Interface
-
Configuration Reference
-
AppScreen Configuration
-
Management Console
-
Reporting
-
NMS Integration
-
Availability Manager Clustering
-
Database Maintenance
-
Logs
-
SNMP MIB
-
Deployment Options
-
Frequently Asked Questions and Troubleshooting
-
Anonymous Base File Statistical Model
-
Regular Expressions
-
AppScreen Rules DTD
-
Glossary
-
Index
-
Table Of Contents
Testing the Default AppScreen Configuration
Preprocessing Content Transformation
Using Multiple Attributes and Values
Scanning POST Data and File Uploads
Receiving and Processing SNMP Traps
AppScreen Configuration
This chapter describes how to configure the AppScreen feature. The following topics are covered:
Overview
The AppScreen feature enables the application appliance to provide web application security and intrusion protection. AppScreen is highly configurable, and the following types of request filtering are pre-configured:
•
binary blocking
•
•
•
•
AppScreen can scan all HTTP requests, and prevent unwanted requests from going to the origin server. AppScreen supports both:
•
•
AppScreen supports only request content screening. That is, it can scan all of the content sent from the end user's browser (or other front-end system) to the origin server, through the AppScreen proxy in between. AppScreen does not currently support response content screening; that is, scanning content that is returned from the origin server and/or AppScreen itself.
AppScreen is configured through two constructs:
•
An AppScreen Rule determines whether the current request matches the criteria specified in the rule. If it does, then an AppScreen Policy that uses the rule is applied, otherwise the policy is skipped. AppScreen Rules are specified in two XML configuration files: appscreen-rules-standard.xml and appscreen-rules-custom.xml.
•
AppScreen policies are specified in the fgn.conf file, at both the global level and within a type of class called an AppScreen Class. Like Application Classes, such classes allow requests to be segmented based on their attributes such as URL, header values, cookie values, etc.
AppScreen Policies allow the evaluation (or invocation) of AppScreen Rules to be decoupled from the definition of the rules.
The AppScreen feature is disabled by default. It is controlled by the AppScreen global keyword in the fgn.conf file. To turn it on, specify:
AppScreen OnIf AppScreen is Off, all screening is disabled and all requests are passed through.
Testing the Default AppScreen Configuration
The factory default AppScreen configuration specifies Pass as the disposition for all of the pre-defined policies (see Table 6-2). This allows you to view the results of AppScreen content inspection without disrupting your web site or application traffic. Follow these steps to enable AppScreen and test the default configuration:
1.
2.
3.
4.
Preprocessing Content Transformation
Before AppScreen examines the request content, the application appliance performs the following transformations:
•
•
These transformations are applied to the following request elements:
•
•
•
•
•
•
•
Additionally, for the POST content that AppScreen examines, the application appliance transforms any null bytes to the sequence "%00" so these can be searched for.
These transformations are transient; they are done only internally for AppScreen to examine the normalized content. If the request is allowed through, AppScreen sends through the original request, without any transformation.
AppScreen Class
AppScreen classes are similar to Application Classes, in that they allow requests to be segmented based on their attributes such as URL, header values, cookie values, etc. AppScreen Classes define a group of URLs for which specific AppScreen processing is desired.
AppScreen Classes are defined in the fgn.conf file, just like Application Classes. Here is an example of some classes defined:
# AppScreen classes<AppScreenClass AllowHtmlTagsInForumPosts>Url "/myapp/forum/addComment\.jsp"AppScreenPolicy htmlTagStart | IgnoreAppScreenPolicy invalidHtmlTagForForumPost | Deny 403</AppScreenClass><AppScreenClass AllowTechSuppFileUploads>Url "/techsupport/uploadFile\.cgi"AppScreenPolicy prohibitedFileUpload | Ignore</AppScreenClass>AppScreen Class definitions can include a number of keywords (that also can be used at the global level in the fgn.conf file). The AppScreen-specific keywords are listed in Table 6-1.
Table 6-1 AppScreen Configuration Keywords
AppScreen
Enables or disables the AppScreen feature at the global or AppScreen Class level. Valid values include On and Off (default).
AppScreenAlertSeverity
Configures the alert severity threshold. When an AppScreen Policy is matched, if the severity level of the policy is less than or equal to AppScreenAlertSeverity, then an SNMP alert is triggered as described in the "SNMP Notification" section. The default is 0. Valid values include the integers from 0 through 5.
AppScreenDefaultSeverity
Configures the default AppScreen Policy severity level. The default is 3. Valid values include the integers from 1 through 5.
For more information about severity level, see the Severity keyword in Table 6-3.
AppScreenSnmpTrap
Enables or disables the AppScreen SNMP trap feature at the global or AppScreen Class level. If set to On, then an SNMP trap is sent if a policy is matched and the severity level of the policy is less than or equal to AppScreenAlertSeverity. Valid values include On and Off (default). If you set this to On, you must also define a location to send traps to with AppScreenSnmpTrapSink.
For more information about SNMP and AppScreen, see the "SNMP Notification" section.
AppScreenSnmpCommunity
Defines the SNMP community string to be used when sending SNMP traps. The default is "public".
For more information about SNMP and AppScreen, see the "SNMP Notification" section.
AppScreenSnmpTrapSink
Defines the location of an SNMP trap sink (that is, an SNMP management station). Specify a host name or IP address, optionally followed by a colon and the port number. If you don't specify the port number, the standard SNMP trap port of 162 is used. This keyword can be specified multiple times, to have the traps sent to multiple destinations.
There is no default for this keyword, and it must be defined if AppScreenSnmpTrap is On, otherwise SNMP traps won't be sent. For more information about SNMP and AppScreen, see the "SNMP Notification" section.
PostContentBufferLimit
Sets the maximum amount of POST data that can be buffered by AppScreen, in kilobytes (KB). Valid values range from 0 to 1000, with a default of 40 KB. For more information about how this value is used, see the "Scanning POST Data and File Uploads" section.
AppScreen Policies
An AppScreen Policy definition in the fgn.conf file uses this syntax:
AppScreenPolicy rulename | disposition | [action [ | action ...]]For example:
AppScreenPolicy checkBinary | Deny 403 | Severity 3This definition could appear at the global level, or within an AppScreen Class.
AppScreen Policies have the following elements:
•
•
•
The policy elements are described in detail in the following subsections.
The sequence of the policies is important. AppScreen processes policies in order, so earlier policies take precedence over later policies. However, a global policy can be overridden by an AppScreenClass policy that matches the same rule, and in that case, the AppScreenClass policy takes precedence even if it is later in the configuration file.
AppScreen checks each policy for a match against the current request:
•
•
Policy Rule Reference
The Rule reference is simply the name of the rule that will be evaluated for this policy. If the rule evaluates to true for this request, then this policy is applied. If the rule evaluates to false, this policy is skipped.
Only one rule can be named. If multiple rules need to be evaluated then it is possible to define a rule that evaluates other rules. This is described in the "AppScreen Rules" section.
Policy Disposition
Disposition is the end result of this policy's rule being matched. Each policy must have exactly one disposition. Disposition keywords are listed in Table 6-2.
Table 6-2 Policy Disposition Keywords
Deny errcode
Blocks the request and returns the specified HTTP error code.
Allow
Allows the request. This disposition immediately allows the request to go through; the remaining AppScreen policies (if any) are not evaluated.
Pass
This is a "no-op" disposition. AppScreen simply continues on to the next policy in the list of policies. This is useful to simply tag a request as having matched a given rule. This information is used by the ruleMatch operator (described in Table 6-4).
Forward url
Forward to the specified URL. The URL must be absolute (e.g., http://...). For details, see "Forward Disposition" below.
Redirect url
Redirect to the specified URL. The URL must be absolute (e.g., http://...). For details, see "Redirect Disposition" below.
Ignore
This is a special disposition that means "don't bother to evaluate this rule." For details, see "Ignore Disposition" below.
Forward Disposition
The Forward disposition forwards the current request to the specified URL. This gives the origin server a chance to handle this client request and perform operations such as logging out the client or resource cleanup.
In order to use this feature, simply specify the URL to forward to. All the request headers from the client are sent to the origin server with the exception of the Content-length and Location headers. The Host header is appropriately fixed up.
The forwarding URL can be constructed using the parameter expander functions (see Table 5-4), for example:
http://myserver/cgi-bin/test-cgi?lang=$http_query_param(hl)Where h1 is a query parameter that was received from the request.
Redirect Disposition
The Redirect disposition sends an HTTP redirect instruction (HTTP 302 response status code) to the client (web browser or other application). This is useful to display a customized error page instead of a generic error page, as may be displayed by the browser when receiving a Deny 500 error code, for example.
Using the Redirect disposition is as simple as specifying the URL to be displayed. However, there is one issue to contend with: special care must be taken to avoid introducing "looping" redirects. For example, consider the following sequence of events:
1.
Redirect http://www.mycompany.com/error.asp2.
3.
4.
5.
6.
This looping is not a security risk, however it is an unneeded use of AppScreen server resources, and it may be annoying to the user until they click the browser Stop button or close their browser window.
To avoid this looping problem, AppScreen tries to detect and prevent this condition. And the person creating the AppScreen policies should also be aware of this issue and take some precautions.
Redirect Loop Detection
When an AppScreen policy is matched, and the disposition is Redirect, AppScreen compares the URL of the current request (the Request URL) to all of the Redirect URLs defined for all AppScreen policies. If the Request URL exactly matches any Redirect URL, then AppScreen realizes that there is a danger of a redirect loop, and it does not do the requested redirect. Instead, it performs a Deny 500 disposition. A message is logged in the error log (at the info level), similar to the following example:
The request for URL http://www.mycompany.com:13188/index.html matches AppScreen policy myPolicy, which calls for a redirect to http://www.mycompany.com:13188/index.html. However, the requested URL is itself an AppScreen redirect URL, so the current request will not be redirected.Policy Creation Guidelines
When creating a policy with a Redirect disposition, you should do a simple test to help ensure that the URL will not create a looping situation:
1.
2.
3.
It might seem obvious that the Address field should not change. However, there are some cases when the Address field could change:
•
•
Ignore Disposition
Having a disposition of Ignore is similar to having a disposition of Pass. The difference is that Pass actually evaluates the rule to see if the policy applies. In contrast, Ignore ignores the rule without evaluating it, even if a higher-level policy (such as a global policy or a policy in a higher-level IF statement) references the rule.
Having a policy with a disposition of Ignore might seem identical to not having the policy at all. At a given AppScreen Class level, this is true. However, the reason the Ignore disposition is used is to allow a given AppScreen class policy to override a policy that was set in a higher-level AppScreen class. One of the features of AppScreen classes is that they allow you to specify behavior that overrides previously-defined behavior. Not only can a class add additional policies, but by using the Ignore keyword it can effectively remove existing policies.
For example, if a global policy specifies a rule to be evaluated, and you want that rule to be ignored for a given AppScreen class, in that AppScreen class you would create a policy with a disposition of Ignore that references the rule.
Here is an example of using the Ignore disposition to override a globally-defined behavior. The following configuration enables the checkFileUpload rule at the global level, but disables it for a particular URL, if the expected cookie is set:
AppScreenPolicy checkFileUpload | Deny 403 | Audit<AppScreenClass AllowTechSuppFileUploads>Url "/techsupport/uploadFile\.cgi"IF ($http_cookie_present(SUPPORT_USER)) THENAppScreenPolicy checkFileUpload | IgnoreENDIF</AppScreenClass>Policy Actions
Actions are things that AppScreen does when this policy's rule is matched. A policy can have zero or more actions. Action keywords are listed in Table 6-3.
Table 6-3 Policy Action Keywords
Severity level
Sets the severity of this policy. The level is an integer between 1 and 5, where 1 is the most critical. The numbers can be thought of like this:
1. Critical
2. Major
3. Normal
4. Minor
5. Informational
If level is not specified, it defaults to 3.
If the policy is matched, and if the severity level of the policy is less than or equal to AppScreenAlertSeverity, then an SNMP alert is triggered as described in the "SNMP Notification" section
Exec command
This executes a specified system command (such as a binary or a shell script). The path to the command must be an absolute path (beginning with /).
Pause millisec
This pauses for the specified number of milliseconds. The valid values for millisec are from 0 to 3600000 (one hour).
AppScreen Rules
AppScreen Rules determine whether the current request matches the criteria specified in the rule. Matching is done by applying operators (regular expression match and rule match) to attributes (URL, query string, cookie value, etc.) and values (regular expressions and rule names) that are specified in the rule definition.
In simple terms, a rule is a Boolean expression that evaluates to true if the match conditions are satisfied, or false if they are not.
A rule can be a simple expression (for example, comparing a single attribute against a specified value). Or a rule can be a compound expression, tying together simple expressions with ANDs and ORs.
AppScreen rules are defined in two XML configuration files that reside in the conf directory where the fgn.conf file is stored:
•
•
For the document type definition (DTD) of the AppScreen rules XML files, see "AppScreen Rules DTD."
The following subsections cover these topics:
•
•
Rule Components
The components of a rule definition are described in the following subsections:
Rule Operators
Operators compare attributes to values. They are specified by the <op> XML element. Operators are listed in Table 6-4.
Table 6-4 Rule Operators
regexMatch
The attribute is compared to a specified regular expression. These are case-insensitive POSIX extended regular expressions. For details, see the "Regular Expression Matching" section.
exists
The rule evaluates to true if the attribute exists, or false if not.
ruleMatch
Determines if the specified rule was matched for this request. If so, this rule evaluates to true, otherwise false. This provides a way to develop a set of rules that can be combined into more complex rules. This allows the reuse of rules, rather than having to cut and paste the rule definitions.
not
Logical NOT operation on exactly one nested expression. If the expression is true then the rule evaluates to false, and if the expression is false, the rule evaluates to true.
and
Logical AND operation on two or more nested expressions. All nested expressions must evaluate to true for the rule to evaluate to true.
or
Logical OR operation on two or more nested expressions. Any of the nested expressions must evaluate to true for the rule to evaluate to true.
Rule Attributes
Rule attributes are attributes of the request. They are specified by the <attribSet> XML element. Each <attribSet> element can contain one or more <attrib> elements specifying the attributes to match.
Attribute keywords are listed in Table 6-5.
Rule Values
Values are literal values that are specified in the rule definition. Depending on the type of operator, the value can be a regular expression or the name of another rule.
Values are specified by the <valset> XML element. A <valset> element can contain:
•
•
Using Multiple Attributes and Values
In many cases, it is useful for a rule to check the value of multiple attributes and/or multiple values. This can be accomplished in two ways:
•
•
A simple expression can contain an attribute set (<attribSet>), which is a list of multiple attributes to be checked, and/or a value set (<valSet>), which is a list of multiple values to be checked.
A simple expression can have any of the following:
•
•
•
•
The multiple attributes and values are all implicitly ORed together. If any attribute listed in the simple expression matches any value, the expression evaluates to true.
If you need the behavior of AND instead of OR, then use a compound expression joined with ANDs.
Regular Expression Matching
The regexMatch operator matches content using a regular expression pattern.
Content
The content for each request attribute is used as it came from the client, except for the URL encoded character transformation described earlier in the "Overview" section.
You need to take special caution with the URL_WITH_QUERY_STRING and QUERY_STRING attributes. Because the entire string is transformed, it is not advisable to use these attributes for matching the name or value of a particular parameter. Instead, you should use the provided pre-parsed attributes like param[name], ALL_PARAM_NAMES, ALL_PARAM_VALUES, ALL_PARAM_CONTENT, and so on.
For example, consider the query string "?a=b%3dc". This is transformed to "a=b=c". If you had a regular expression looking for "b=c", it would match this query string, even though that might not be what you intended.
In short, the transformed query string is provided but needs to be used with caution.
Regular Expression Patterns
The regular expression patterns are case-insensitive, extended POSIX patterns and the syntax is discussed in "Regular Expressions."
There are some additional regular expression features and things to be aware of when using AppScreen.
XML Escaping
Because the AppScreen rules file is an XML file, there are some characters that have special meaning in an XML file that need to be escaped. These are listed in Table 6-6.
Or, if you prefer, you can use an XML CDATA section for any regular expressions that contain special XML characters. For example, if you want to search for the string "a&b=c", either of the following two regular expressions can be used:
<val type="regex">a&b=c</val><val type="regex"><![CDATA[a&b=c]]></val>Refer to an XML reference manual for more details on XML escape sequences and CDATA sections.
Backslashes and Hex Character Codes
You may want to match a character (or range of characters) that is non-printable. You can specify such characters using their hexadecimal character code using the following syntax:
\xhhwhere hh is the character code, for example, \x1a for the Control-Z character.
The following rules apply:
•
•
•
Reversing Regular Expression Match Result
Sometimes it is useful to reverse the results of a match operation. This can be done by using the reverse option on the regexMatch operator. For example:
<op type="regexMatch" reverse="true"><valSet><val type="regex">\.((txt)|(pdf)|(doc)|(xls))$</val></valSet><attribSet type="include"><attrib src="req" type="enum" name="ALL_UPLOADED_FILE_NAMES" /></attribSet></op>This match will return true if any of the uploaded filenames do not match the given pattern.
This syntax is generally needed only when you have multi-valued attributes, like ALL_UPLOADED_FILE_NAMES in the above example. If you have just single values, you can simply surround the match with a not operator, for example:
<op type="not"><op type="regexMatch"><valSet><val type="regex">^1234$</val></valSet><attribSet type="include"><attrib src="req" type="param" name="userid" /></attribSet></op></op>Exec Environment
The programs or scripts that you launch using the AppScreen Exec command are run in a forked process that inherits the environment of the AppScreen process. The AppScreen process does not wait for the child process to complete—it is launched asynchronously.
In addition to the parent process environment, the following environment variables are available to the child process:
•
•
•
•
•
•
You can use these variables in a program or script. Here is a simple example:
#!/bin/bashLOG_DIR="/path/to/some/dir"LOG_FILE="$LOG_DIR/appscreen-match.log"# blank lineecho "" >>"$LOG_FILE"# timestampTSTAMP=$(date)echo "[$TSTAMP] $0 $@" >>"$LOG_FILE"# details of match# (the following echo command is all on one line)echo "AppScreen Policy matched: $APPSCREEN_POLICY, URL: $APPSCREEN_URL, TRNID: $APPSCREEN_TRNID" >>"$LOG_FILE"This example will produce output like this:
[Mon Jul 26 14:30:02 PDT 2004] /some/dir/report-appscreen-match-1.shAppScreen Policy matched: checkTest, URL: http://testserver/test.jsp?p=lion&q=tiger&r=bear, TRNID: 5rytbq1attdu4uix0uu5ixnfpe-2Predefined Rules
Table 6-7 describes the factory default rules that are predefined in the appscreen-rules-standard.xml configuration file. These rules are provided to scan content for known risks. For the precise definitions, you can view the rule text in the appscreen-rules-standard.xml file. As described in the "AppScreen Rules" section, these rules can be overridden (and new rules can be added) by editing the appscreen-rules-custom.xml file.
Scanning POST Data and File Uploads
This section discusses data and file scanning issues.
Buffer Limit
An HTTP POST can send a very large (effectively unlimited) amount of data; in an extreme case, the client can just keep sending a stream of data for the server to handle. In order to parse and inspect the POST data, AppScreen needs to load the data into a buffer in memory. The following global keyword is used to control the maximum amount of POST data that can be buffered by AppScreen:
PostContentBufferLimit maxKBThe limit is specified in kilobytes (KB). Valid values range from 0 to 1000, with a default of 40 KB.
If the POST content length exceeds the configured buffer size, AppScreen does not take any special action. It simply loads as much POST data as possible into the buffer and makes it available for inspection as described below.
Content Types
There are two types of standard HTTP form POST operations. They are distinguished by the value in the Content-Type header:
•
This type of POST represents the majority of all HTTP POSTs. This is just a standard POST of a web page form.
For this type of POST, AppScreen works just like it does for GET requests. You have the same access to all of the form parameter names and values, just as you would if the parameters were specified in a GET query string. The only limitation is that you only have access to the amount of data that fits in the AppScreen POST buffer, as per the PostContentBufferLimit keyword.
•
This type of POST is much less common. Its main purpose is to allow browser users to upload files to a web site or application. For example, if you use a web-based email program, and you want to attach a file to an email that you are sending, the upload of the file is done using this type of POST. Another usage (even less common) of this type of POST is to send binary data (for example, from a custom browser plug-in, or from a non-browser HTTP client).
For this type of POST, AppScreen does not give you access to the parameter names and values. However, AppScreen does give you access to the other parts of the request (URL, headers, cookies) as usual.
Also, if the post includes one or more file uploads, AppScreen makes the filenames and MIME types of the uploaded files available for inspection with the following request attributes: ALL_UPLOADED_FILE_NAMES and ALL_UPLOADED_FILE_MIME_TYPES. With AppScreen, you could, for example, block all POSTs of this type. Or, you could allow such posts only when they contain file uploads with file names ending in ".doc", or files of type "text/plain", and so on.
It is conceivable that a POST could be sent with a Content-Type other than the two standard types mentioned above. This would not be done by a standard web browser, but it could be done by an unusual (or malicious) user agent. AppScreen rules can detect and block such POSTs by examining the HTTP method and the Content-Type header.
AppScreen Logging
Requests that match AppScreen Classes are logged in the FgnStatLog file.
Note
Here is an FgnStatLog excerpt showing a request that did not match any policy:
<APS> <AST> 1 </AST> </APS>Here is an FgnStatLog excerpt showing a request that matched the "script" policy in the Root AppScreen Class:
<APS> <AST> 0 </AST> <ASC> Root </ASC> <ASP> script </ASP> <ASL> 1 </ASL> </APS>For details on these log entries, see the "FgnStatLog" section.
Reports of requests that match AppScreen Classes are also available through the AppScreen Reports command in the Management Console. For details, see the "AppScreen Reports" section.
SNMP Notification
If the severity of a matched policy is less than or equal to the value defined by the AppScreenAlertSeverity keyword (see Table 6-1), then an SNMP trap is issued.
You can control whether AppScreen sends these traps, and you can configure AppScreen to send the trap to one or more SNMP trap sinks (SNMP management stations).
To enable SNMP traps, set the following configuration parameters (the values given here are examples; replace these with your own values):
AppScreenAlertSeverity 2 AppScreenSnmpTrap On AppScreenSnmpTrapSink 10.0.10.131 AppScreenSnmpCommunity AppScreenAlertWith this example configuration, any matched AppScreen policies with a severity less than or equal to 2 will result in SNMP traps being sent.
The default value for AppScreenSnmpCommunity is public, so you don't need to specify that keyword if you want to use the default.
You can use either a host name or IP address for the trap sink. By default, AppScreen sends SNMP traps to the standard SNMP trap port of 162. You can specify a different port by appending it to the trap sink host value with a colon, like this: 10.0.10.131:22345
Also, you can specify the AppScreenSnmpTrapSink keyword multiple times if you want the notification to be sent to multiple destinations.
Here is another example configuration:
AppScreenAlertSeverity 2 AppScreenSnmpTrap On AppScreenSnmpTrapSink myhost:12345 AppScreenSnmpTrapSink 10.0.10.131Receiving and Processing SNMP Traps
AppScreen SNMP traps can be received and processed by any software or system that is capable of handling standard SNMP v1 traps. For example, HP OpenView or other commercial network management software, or the open source snmptrapd program.
Figure 6-1 shows example of how an AppScreen trap appears in the HP OpenView user interface.
Figure 6-1 AppScreen Trap in HP OpenView
Here is an example of how an AppScreen trap is reported by snmptrapd (line breaks have been added for clarity):
2004-10-01 19:55:53 devsrv3 [10.0.0.26] (via localhost [127.0.0.1]) TRAP, SNMP v1, community public.iso.3.6.1.4.1.9007.3 Enterprise Specific Trap (101) Uptime: 265 days, 13:18:49.61.iso.3.6.1.4.1.9007.3.101.1 = "sql".iso.3.6.1.4.1.9007.3.101.2 = "ROOTAPPSCREENCLASS/".iso.3.6.1.4.1.9007.3.101.3 = "a0f1fvd43zsggknnm3tpyrux2d-1".iso.3.6.1.4.1.9007.3.101.4 = 13180.iso.3.6.1.4.1.9007.3.101.5 = 2MIB
The SNMP Management Information Base (MIB) for AppScreen is available for your reference, or for importing into SNMP management software. The file is located at: $AVS_HOME/perfnode/conf/fgn_appscreen_mib.mib
AppScreen Reports
Reports of requests that match AppScreen Classes are also available through the AppScreen Reports command in the Management Console. For details, see the "AppScreen Reports" section.
The AppScreen reports can include all requests that match AppScreen Classes, whether or not they triggered an SNMP alert. You can configure what severity levels of matching requests you want to see in the reports.
