The Runtime Application Self Protection (RASP) agent obtains the application runtime context and the parameters that are configured for hook functions. Then, the RASP agent analyzes the obtained data by using technologies such as semantic analysis and behavioral baseline check to detect threats in a protected application. The RASP agent has a low false positive rate. In most cases, the alerts reported by the RASP agent indicate actual attacks, known as attack alerts. The application protection feature provides attack details, including attacker IP addresses, malicious attack characteristics, input parameters, and call stack information. We recommend that you handle attack alerts at the earliest opportunity based on the information on the alert details page. This topic describes how to handle attack alerts.
View and handle attack alerts
The following example describes how to view and handle an attack alert that is generated for a malicious file upload.
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Attack Alerts tab, find the alert that you want to view and click Details in the Actions column.
On the alert details page, view the alert information.
Take note of the following fields in Details and the alert information provided by AI models in Alert Analysis to determine whether the alert is a true positive.
Section
Field
Description
Solution
Basic Alert
Attacker IP Address
The source IP address that is used to access your application.
Determine whether the IP address is a normal IP address that is used to access your application.
Vulnerability Name
The vulnerability name that is exploited by attackers during the access. A vulnerability name is available only for attacks that are launched by exploiting the vulnerability.
To reduce the attack surface that can be exploited by attackers, we recommend that you handle application vulnerabilities at the earliest opportunity. You can click the vulnerability ID to view the vulnerability details.
Advanced Alert
Malicious Characteristics
The malicious data that is sent by attackers to your application.
View information in the Advanced Alert section to determine whether the alert indicates normal service requests.
In this example, check whether the request to upload the addservlet.jsp file in the /usr/local/tomcat/webapps/upload/addservlet.jsp directory is normal.
If the request is normal, you can add the characteristics to a whitelist. After you add the characteristics to the whitelist, the application protection feature no longer generates alerts for the requests that have the characteristics.
If the request is abnormal, the request may be a reconnaissance attack or an actual attack.
If you set the protection mode to Monitor, a malicious file may be executed. In this case, you must manually delete the file at the earliest opportunity.
If you set the protection mode to Block, the application protection feature blocks the attack, and the file cannot be stored on your server.
Trigger Function
The security-sensitive function within the application. When this function is called, an alert is triggered. When the RASP agent detects the calls of the function, the agent checks and processes the invocations to detect for risks.
Specified Parameters
The behavior and event logs generated by the application when the application processes requests. This field is a JSON object that contains a key-value pair.
Stack Calling
The call stack of the application when an event occurs, which records the sequence of function calls.
More Information
Request URL
The information about the request to access the application.
View the information about the request to access the application and check whether the request is sent from a legitimate source. If the request is sent from an illegitimate source, implement access control on or deny the requests from the source.
Add an attack alert to a whitelist
If you confirm that an attack alert is triggered by a normal access request, you can add the attack alert to a whitelist to prevent similar alerts from being triggered. You can add an attack alert to a whitelist based on the following alert information: malicious attack characteristics, input parameters, and request URL. Before you add an attack alert to the whitelist, obtain the information on the alert details page.
If you want to configure whitelists based on malicious attack characteristics and input parameters, you must upgrade the version of the RASP agent to 0.5.2 or later. You can restart the protected application to automatically upgrade the RASP agent to the latest version. For more information, see View the version of the RASP agent.
The following section describes how to add an attack alert to a whitelist. If you want to configure a whitelist for multiple application groups at a time, click Whitelists in the upper-right corner of the alert list. On the Whitelists page, click Configure Whitelist.
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Attack Alerts tab, find the alert that you want to manage and choose
in the Actions column.In the Add to Whitelist panel, configure the whitelist rules and click OK.
Before you configure the whitelist rules, take note of the following items:
You can configure the whitelist rules in one of the following whitelist modes: Malicious Characteristics, Specified Parameters, and Request URL. The application protection feature automatically populates the whitelist rule fields based on the data that is obtained from the alert details. The whitelist rules that use the automatically populated fields can identify and control similar requests in an accurate manner.
If you want to enlarge the scope of requests on which a whitelist rule takes effect, you can modify the Match Mode and Content to Match fields.
For example, the Malicious Characteristics field of the alert that is triggered by a malicious file upload is /usr/local/tomcat/webapps/upload/1.jsp. If you confirm that all access requests to the upload directory are normal, perform the following steps:
Change the value of the Match Mode field to Prefix Match.
Change the value of the Content to Match field to /usr/local/tomcat/webapps/upload/.
The following items describe the match modes supported by a whitelist:
Exact Match: If the transmitted content is the same as the string that is specified in the Content to Match field, no alert is triggered.
Partial Match: If the transmitted content contains a string that is specified in the Content to Match field, no alert is triggered.
Prefix Match: If the transmitted content starts with the string that is specified in the Content to Match field, no alert is triggered.
Suffix Match: If the transmitted content ends with the string that is specified in the Content to Match field, no alert is triggered.
NoteAfter you configure the whitelist rules, you can view and manage the whitelist rules on the Whitelists page. For more information, see Manage whitelist rules.
Manage whitelist rules
View whitelist rules
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Attack Alerts tab, click Whitelists.
On the Whitelists page, view the whitelist rules.
To manage whitelist rules, you can perform the following operations:
Enable or disable a whitelist rule: Turn on or turn off the switch in the Rule Switch column.
Modify or delete a whitelist rule: Click Edit or Delete in the Actions column.
Create a whitelist rule: Click Configure Whitelist. For more information, see Create whitelist rules.
Create whitelist rules
When you create a whitelist rule, you can specify multiple threat types and multiple application groups. This way, the whitelist rule applies to the specified application groups at the same time, and the types of threats are added to the whitelist of the application groups.
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Attack Alerts tab, click Whitelists.
On the Whitelists page, click Configure Whitelist.
In the Configure Whitelist panel, configure the whitelist rules and click OK.
Parameter
Description
Rule Name
The name of the whitelist rule.
White Mode
The whitelist mode. Valid values:
Malicious Characteristics
Specified Parameters
Request URL
Threat Type
The type of the threat that you want to add to the whitelist rule. You can click Select to select a threat type in the Threat Type panel.
Match Mode
The match mode in which the whitelist rule takes effect.
Exact Match: If the transmitted content is the same as the string that is specified in the Content to Match field, no alert is triggered.
Partial Match: If the transmitted content contains a string that is specified in the Content to Match field, no alert is triggered.
Prefix Match: If the transmitted content starts with the string that is specified in the Content to Match field, no alert is triggered.
Suffix Match: If the transmitted content ends with the string that is specified in the Content to Match field, no alert is triggered.
Content to Match
The content that is used to validate data against the whitelist rule based on the specified whitelist mode. You can configure this parameter based on the Malicious Characteristics, Specified Parameters, and Request URL parameter values provided on the alert details page.
Destination Application Groups
The application group to which you want to apply the whitelist rule. You can click Select to select an application group in the Destination Application Groups panel.
References
The application protection feature of Security Center also provides the in-memory webshell prevention. You can enable the in-memory webshell prevention feature to enhance your overall detection capabilities. For more information, see Use the in-memory webshell prevention feature.