Application Rules

Application rules allow an HTTP request to be blocked by inspecting its internal fields, such as URI parameters, headers, or the body of the request. This type of rule can be translated and synchronized to application-level protection devices (Web Application Firewalls).

An Application rule is composed of multiple generic fields, and it defines a set of conditions and a set of actions.

The list of Application rules can be found on the page Protection - Application Rules.

Generic fields

| Field | Description |
| --- | --- |
| Status | It indicates whether the rule is enabled or not, the user responsible for the last update and its timestamp. |
| ID | The UID of the rule (the first 8 characters for better readability) and, optionally, the description. |
| Context | It represents the application context of the rule, whether it is the specific Host or Domain Group, or is to be applied to any of them. |
| Priority | It indicates the execution priority. Lower values represent higher priority. |
| Expiration | It represents the activation duration. |

Conditions

Each condition is composed of multiple targets and expressions, and an operator.

Targets

Targets represent the list of HTTP request attributes to be inspected.

They can be basic or composed:

  • Basic: a simple HTTP request attribute (e.g. request path, request method, etc.).
  • Composed: an HTTP request attribute specified by multiple elements (e.g. a specific request header, a field in the request body, etc.).

This is a list of the available targets and their type:

| Target | Type | Description |
| --- | --- | --- |
| method | Basic | The HTTP request method |
| parameter_key | Basic | The query parameter keys of the request |
| parameter_value | Basic | The query parameter values of the request |
| path | Basic | The URI path of the request |
| protocol | Basic | The HTTP protocol of the request |
| query | Basic | The raw query string of the request |
| request_body | Basic | The raw request body |
| request_size | Basic | The HTTP request size in bytes |
| request_target | Basic | The URL of the request, including the domain, path, and query string |
| response_body | Basic | The raw response body |
| response_size | Basic | The HTTP response size in bytes |
| status | Basic | The status code (or response code) of the HTTP response |
| query:PARAMETER_KEY | Composed | A query parameter value for the specific PARAMETER_KEY (e.g. for the test parameter key, the target is query:test) |
| request:HEADER | Composed | An HTTP request header value for the specific HEADER (e.g. for the User-Agent header, the target is request:User-Agent) |
| response:HEADER | Composed | An HTTP response header value for the specific HEADER (e.g. for the Content-Type header, the target is response:Content-Type) |
| parsed_request_body:x-www-form-urlencoded:KEY | Composed | The value associated with a specific KEY (URL encoded) in the request body (e.g. for the test key, the target is parsed_request_body:x-www-form-urlencoded:test) |
| parsed_request_body:json:JSON_PATH | Composed | The value associated with a specific JSON_PATH in the request body (JSON formatted). |
| parsed_request_body:xml:XML_PATH | Composed | The value associated with a specific XML_PATH in the request body (XML formatted). |
| parsed_response_body:x-www-form-urlencoded:KEY | Composed | The value associated with a specific KEY (URL encoded) in the response body (e.g. for the test key, the target is parsed_response_body:x-www-form-urlencoded:test) |
| parsed_response_body:json:JSON_PATH | Composed | The value associated with a specific JSON_PATH in the response body (JSON formatted). |
| parsed_response_body:xml:XML_PATH | Composed | The value associated with a specific XML_PATH in the response body (XML formatted). |

Operator

The operator defines how expressions are evaluated against targets.

It supports both simple string comparisons and advanced regular expressions to provide flexible matching options.

| Operator | Comparison type | Description |
| --- | --- | --- |
| Is equal | Plain text | Matches if the target exactly equals the expression |
| Is not equal | Plain text | Matches if the target does not exactly equal the expression |
| Contains | Plain text | Matches if the target includes the specified expression |
| Does not contain | Plain text | Matches if the target does not include the specified expression |
| Starts with | Plain text | Matches if the target starts with the expression |
| Does not start with | Plain text | Matches if the target does not start with the expression |
| Ends with | Plain text | Matches if the target ends with the expression |
| Does not end with | Plain text | Matches if the target does not end with the expression |
| Match charset | Regex | Matches if the target contains characters from a specified charset. See the Charsets section for more info |
| Match all except charset | Regex | Matches if the target does not contain characters from a specified charset. See the Charsets section for more info |
| Match regex | Regex | Matches if the target satisfies the given regular expression pattern |
| Match all except regex | Regex | Matches if the target does not satisfy the given regular expression pattern |

Expressions

Expressions define the pattern or value that will be matched against a specified target. An expression can be one of the following types:

  • String: a simple text value that must be matched.
  • Regular Expression (Regex): a pattern used for advanced matching.
  • Character Set (Charset): a predefined set of characters that must appear in the target.

String

String expressions are used when performing simple text-based comparisons.

These are used with operators like Contains, Is equal, Starts with or Ends with.

Regular Expressions (Regex)

Regex expressions enable complex pattern matching, such as detecting multiple variations of a string or enforcing specific formatting rules.

These are used with the Match regex operator.

Charsets

The Match charset and Match all except charset operators check whether a target contains (or does not contain) specific types of characters.

Instead of providing a string or regular expression, the user selects the expressions from a predefined set of values:

| Charset | Description |
| --- | --- |
| Whitespaces | Matches if the target contains any whitespace characters (\s) |
| Digits | Matches if the target contains numeric digits (0-9) |
| Lowercases | Matches if the target contains lowercase letters (a-z) |
| Uppercases | Matches if the target contains uppercase letters (A-Z) |
| Alphanumerical | Matches if the target contains any letter (A-Za-z) or digit (0-9) |
| All symbols | Matches if the target contains any non-alphanumeric symbol (e.g. !@#$%^&*()_+[]{}) |
| SINGLE_SYMBOL | Instead of using a predefined charset, the user can specify a single character (e.g. @ or #), which will be matched against the target |
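
To check what a condition will and will not catch before saving it, the following Python example (added here for illustration; it is not Seer Box code and not the format any WAF receives) resolves a few of the targets above on a constructed request and applies the twelve operators. The request/condition layout, the charset-to-regex mapping, the "any target value against any expression" evaluation, the negated operators matching when a target is absent, and the ANDing of conditions are all assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Charset names are from the page; regex classes are this example's assumption.
# A name not listed here is treated as a SINGLE_SYMBOL and matched literally.
CHARSETS = {"Whitespaces": r"\s", "Digits": r"[0-9]", "Lowercases": r"[a-z]",
            "Uppercases": r"[A-Z]", "Alphanumerical": r"[A-Za-z0-9]",
            "All symbols": r"[^A-Za-z0-9\s]"}
POSITIVE = {
    "Is equal": lambda t, e: t == e,
    "Contains": lambda t, e: e in t,
    "Starts with": lambda t, e: t.startswith(e),
    "Ends with": lambda t, e: t.endswith(e),
    "Match regex": lambda t, e: re.search(e, t) is not None,
    "Match charset": lambda t, e: re.search(CHARSETS.get(e) or re.escape(e), t) is not None,
}
NEGATED = {"Is not equal": "Is equal", "Does not contain": "Contains",
           "Does not start with": "Starts with", "Does not end with": "Ends with",
           "Match all except regex": "Match regex", "Match all except charset": "Match charset"}

def resolve(target, req):
    """Return the list of values a target name selects (subset of the Targets table)."""
    url = urlsplit(req["url"])
    kind, _, key = target.rpartition(":")
    if kind == "":  # basic target; only three are covered here
        return {"method": [req["method"]], "path": [url.path], "query": [url.query]}[key]
    if kind == "query":
        return parse_qs(url.query, keep_blank_values=True).get(key, [])
    if kind == "request":  # header names compare case-insensitively
        return [v for k, v in req["headers"].items() if k.lower() == key.lower()]
    if kind == "parsed_request_body:x-www-form-urlencoded":
        return parse_qs(req["body"], keep_blank_values=True).get(key, [])
    raise ValueError(f"target not covered by this example: {target}")

def condition_matches(cond, req):
    """cond is (targets, operator, expressions); a negated operator inverts the hit."""
    targets, op, exprs = cond
    test = POSITIVE[NEGATED.get(op, op)]
    hit = any(test(v, e) for t in targets for v in resolve(t, req) for e in exprs)
    return not hit if op in NEGATED else hit

REQUEST = {"method": "POST", "url": "https://shop.example/login?test=1&redirect=%2Fadmin",
           "headers": {"User-Agent": "curl/8.5.0"}, "body": "user=alice&comment=hello+world"}
RULE = [  # constructed; conditions are assumed to be ANDed
    (["method"], "Is equal", ["POST"]),
    (["request:User-Agent"], "Starts with", ["curl/", "Wget/"]),
    (["parsed_request_body:x-www-form-urlencoded:comment"], "Match charset", ["Whitespaces"])]

def rule_matches(rule=RULE, req=REQUEST):
    return all(condition_matches(c, req) for c in rule)
```

Note that the composed targets here compare against decoded values (`%2Fadmin` becomes `/admin`, `+` becomes a space) while `query` is the raw string, so the same expression can match one and not the other.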

Actions

Actions define how Seer Box translates an Application Rule into a WAF rule. Each action specifies:

  • The target WAF where the rule should be applied. The WAF should already be configured on the Firewalls settings page (see Firewalls section for more info).
  • The WAF action to execute when conditions are met. The available actions depend on the firewall being used.

An Application Rule can define multiple actions, so that it is translated for different WAFs simultaneously. This allows flexibility in enforcing security policies across various infrastructures.

Application rule management

Application Rule management is available to users in the admin group, or to users belonging to a group that has the Handle rules permission for the group of domains to which the rule belongs.

Create an Application rule

In addition to creating one or more rules from the alert detail page with the Advanced Protection function, custom rules can be created.

From Seer Box web interface

  1. Access the Protection - Application rules page: in this section you can view the list of all created Application rules.

  2. To create a custom rule click on the Add rule button in the upper right corner of the page.

  3. A wizard will be displayed that will allow you to create an Application rule. For more details please see the Creation wizard section below.

  4. After entering the data it is possible to click on the Save rule button to confirm the creation.

The new Application rule will appear on the summary page.

Creation wizard

The creation wizard is structured in multiple steps.

1. Set the Context of the rule

You can choose the application context to which you want the rule to be restricted.

Options are:

| Option | Description |
| --- | --- |
| Host | The rule will be applied only to specific hosts. Selecting multiple hosts will create multiple rules. |
| Domain Groups (or Services) | The rule will be dynamically applied to hosts belonging to the specific domain groups. Selecting multiple domain groups will create multiple rules. |
| All hosts and domain groups | The rule will be applied for every host. |

2. Define the Conditions

You can create multiple conditions by selecting an operator, targets and expressions.

Conditions will be translated into the proper format expected by the configured WAFs.

A rule needs at least one condition in order to be created.

3. Set the Actions

You can select multiple actions in order to synchronize the rule to WAFs, one per device.

You should configure at least one WAF to add an action.

4. Set the generic fields

You can add a short description to the rule to quickly identify why it was created, set its duration and its priority.

Edit an Application rule

When updating a rule, only certain fields can be modified. Specifically:

  • Generic fields (except the Context)
  • Actions

When modifying the Generic fields of an Application Rule, the new values will always overwrite the existing ones.

When modifying the Actions of an Application rule, users can choose from three update options:

  1. Add rule actions: add one or more new actions to all selected rules.

    • If an action for the specified firewall does not already exist, it will be added.
    • If an action for the specified firewall already exists, it will remain unchanged.
  2. Replace rule actions: update one or more actions for all selected rules.

    • If an action for the specified firewall already exists, it will be overwritten with the new action.
    • If an action for the specified firewall does not exist, it will be added.
  3. Delete rule actions: remove one or more actions from all selected rules.

    • If an action for the specified firewall exists, it will be removed.
    • If an action for the specified firewall does not exist, no changes will be made.

From Seer Box web interface

  1. Access the Protection - Application rules page: in this section you can view the list of all created Application rules.

  2. Select one or more rules to edit by clicking on the checkbox located at the left end of each item.

  3. As soon as at least one record is selected, the ... button with the three dots icon will be enabled in the upper right corner of the rules' list.

  4. Select the field to update and follow the instructions on the modal.

  5. Click on the Save button to confirm the changes.

Delete an Application rule

From Seer Box web interface

  1. Access the Protection - Application rules page: in this section you can view the list of all created Application rules.

  2. Select one or more rules to delete by clicking on the checkbox located at the left end of each item.

  3. As soon as at least one record is selected, the ... button with the three dots icon will be enabled in the upper right corner of the rules' list.

  4. Select the Delete rules option. It displays a modal confirming the operation. Click on the Confirm button to proceed.

WAF synchronization

Whenever an Application rule is created, updated, or deleted, Seer Box automatically triggers a synchronization process to apply the changes to the configured WAFs (as defined in the rule's actions).

Synchronization results

The outcome of the synchronization process is displayed:

  • In the Actions column of the rule record
  • Within the Actions subtable, under the Sync status column, which provides a status update for each configured firewall.

Handling synchronization errors

If the synchronization process fails:

  • The user should check the firewall configuration to ensure it is correctly set up.
  • After resolving the issue, the synchronization process can be retried by clicking the Sync firewalls button in the upper-right corner of the Application rules page, under the ... button with the three dots icon.