Legitimate Rules
As with any attack detection system, Seer Box is not infallible.
To prevent false positives, you can flag legitimate elements associated with your applications. This will prevent the system from detecting further malicious events on those elements.
Unlike Application Rules and Network Rules, Legitimate Rules are not translated or synchronized to external firewalls. Instead, they are used internally by Seer Box for matching them against alert specifications.
A Legitimate rule is composed of multiple generic fields and defines a set of conditions.
The list of Legitimate rules can be found on the page Protection - Legitimate Rules.
Generic fields
Field | Description |
---|---|
Status | It indicates whether the rule is enabled or not, the user responsible for the last update and its timestamp. |
ID | The UID of the rule (the first 8 characters for better readability) and, optionally, the description. |
Context | It represents the application context of the rule, whether it is the specific Host or Domain Group, or is to be applied to any of them. |
Attack type | It limits matches to alerts of the same attack type. |
Conditions
Condition elements have already been described in the Application Rules section.
In addition to the operators defined for Application rules, Legitimate rules also define:
Operator | Comparison type | Description |
---|---|---|
All expressions | - | Matches every value of the specified targets |
None expression | - | Never matches |
Legitimate rule management
Legitimate Rule management is allowed to users in the admin group or to users belonging to a group having the Handle rules permission associated with the group of domains to which the rule belongs.
Create a Legitimate rule
In addition to creating one or more rules from the alert detail page with the Advanced Protection function, custom rules can be created.
From Seer Box web interface
- Access the Protection - Legitimate rules page: in this section you can view the list of all created Legitimate rules.
- To create a custom rule click on the Add rule button in the upper right corner of the page.
- A wizard will be displayed that will allow you to create a Legitimate rule. For more details please see the Creation wizard section below.
- After entering the data it is possible to click on the Save rule button to confirm the creation.
The new Legitimate rule will appear on the summary page.
Creation wizard
The creation wizard is structured in multiple steps.
1. Set the Context of the rule
You can choose the application context in which you want the rule to be restricted.
Options are:
Option | Description |
---|---|
Host | The rule will be applied only to specific hosts. Selecting multiple hosts will create multiple rules. |
Domain Groups (or Services) | The rule will be dynamically applied to hosts belonging to the specific domain groups. Selecting multiple domain groups will create multiple rules. |
All hosts and domain groups | The rule will be applied for every host. |
2. Define the Conditions
You can create multiple conditions by selecting an operator, targets and expressions.
In this case conditions will be matched against Alert specifications, allowing you to prevent a particular alert with a specific pattern from being raised again.
A rule needs at least one condition in order to be created.
If a Legitimate Rule does not specify a condition for a given specification field, it will always result in a match. See Legitimate rule n.2 in the examples below.
The only exception is made for the Target field: a Legitimate Rule will always have to set a condition on it to match the specific Alert. See Legitimate rule n.4 in the examples below.
3. Set the Attack type
You can choose to limit the Legitimate rule only to Alerts with a specific Attack Type.
In this case even if the context and all conditions match, if the Alert has a different Attack Type the rule will not match.
4. Set the description
You can add a short description to the rule to quickly identify why it was created.
Delete a Legitimate rule
From Seer Box web interface
- Access the Protection - Legitimate rules page: in this section you can view the list of all created Legitimate rules.
- Select one or more rules to delete by clicking on the checkbox located at the left end of each item.
- As soon as at least one record is selected, the ... button with the three dots icon will be enabled in the upper right corner of the rules' list.
- Select the Delete rules option. It displays a modal confirming the operation. Click on the Confirm button to proceed.
Examples
This section shows how you can create various Legitimate rules to match against particular alert specifications.
Alert specifications
Request Host | Path | Parameter key | Target | Payload |
---|---|---|---|---|
www.example.it | /legitimate/path | test | Parameter value | legit |
Legitimate rule n.1
Match: this rule will exactly match every specification field.
Context ~ Host: www.example.it
Targets | Operator | Expressions |
---|---|---|
path | Is equal | /legitimate/path |
parameter_key | Is equal | test |
parameter_value | Is equal | legit |
Legitimate rule n.2
Match: this rule doesn't specify a context and is generalized with respect to the specific parameter key (it doesn't provide a condition for it, so it matches for every parameter key).
Context ~ All hosts and domain groups
Targets | Operator | Expressions |
---|---|---|
path | Contains | legitimate |
parameter_value | Starts with | legit |
Legitimate rule n.3
Not match: this rule doesn't specify a context and is generalized with respect to the specific path, but it specifies a parameter key condition that doesn't match the alert specifications.
Context ~ All hosts and domain groups
Targets | Operator | Expressions |
---|---|---|
parameter_key | Match charset | Digits |
parameter_value | Is equal | legit |
Legitimate rule n.4
Not match: this rule doesn't specify a condition on the Alert Specification Target field (parameter_value), so even if the context and the other conditions match, the rule will not match.
Context ~ All hosts and domain groups
Targets | Operator | Expressions |
---|---|---|
parameter_key | Is equal | test |
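To make the matching behaviour of the examples above concrete, here is a small Python model, added to this page and not Seer Box's own code, that evaluates the four example rules against the alert specification table and also covers the context and attack type steps of the wizard and the two extra operators (All expressions, None expression) from the Conditions table. The operator semantics (in particular how Match charset is evaluated), the `target` field naming the specification field the alert was raised on, and the alert's attack type value are assumptions made for the illustration.

```python
"""Simplified model of how Legitimate rules are matched against alert
specifications. Added illustration, not Seer Box code: operator semantics,
field names and the attack type value are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed alert specification, mirroring the table in the Examples section.
# "target" names the specification field the alert was raised on; attack_type is
# a hypothetical value, since the example table does not list one.
ALERT: Dict[str, str] = {
    "request_host": "www.example.it",
    "path": "/legitimate/path",
    "parameter_key": "test",
    "parameter_value": "legit",
    "target": "parameter_value",
    "attack_type": "sqli",
}

# Assumed semantics for the operators used on this page.
CHARSETS = {"Digits": set("0123456789")}

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Is equal": lambda value, expr: value == expr,
    "Contains": lambda value, expr: expr in value,
    "Starts with": lambda value, expr: value.startswith(expr),
    # assumption: every character of the value must belong to the named charset
    "Match charset": lambda value, expr: bool(value) and set(value) <= CHARSETS[expr],
    "All expressions": lambda value, expr: True,   # matches every value of the target
    "None expression": lambda value, expr: False,  # never matches
}


@dataclass
class Condition:
    target: str        # specification field, e.g. "path" or "parameter_key"
    operator: str      # key of OPERATORS
    expression: str = ""


@dataclass
class LegitimateRule:
    name: str
    conditions: List[Condition]
    host: Optional[str] = None         # None = "All hosts and domain groups"
    attack_type: Optional[str] = None  # None = any attack type


def rule_matches(rule: LegitimateRule, alert: Dict[str, str]) -> bool:
    """Return True when the rule matches (and therefore suppresses) the alert."""
    # Step 1, Context: a Host-scoped rule only applies to that host.
    if rule.host is not None and rule.host != alert["request_host"]:
        return False
    # Step 3, Attack type: if set, it must equal the alert's attack type.
    if rule.attack_type is not None and rule.attack_type != alert["attack_type"]:
        return False
    # The rule must constrain the field the alert was raised on (see rule n.4).
    if not any(c.target == alert["target"] for c in rule.conditions):
        return False
    # Step 2, Conditions: all must hold; fields without a condition match implicitly.
    return all(
        OPERATORS[c.operator](alert.get(c.target, ""), c.expression)
        for c in rule.conditions
    )


# The four rules from the Examples section.
EXAMPLE_RULES = [
    LegitimateRule("n.1", host="www.example.it", conditions=[
        Condition("path", "Is equal", "/legitimate/path"),
        Condition("parameter_key", "Is equal", "test"),
        Condition("parameter_value", "Is equal", "legit"),
    ]),
    LegitimateRule("n.2", conditions=[
        Condition("path", "Contains", "legitimate"),
        Condition("parameter_value", "Starts with", "legit"),
    ]),
    LegitimateRule("n.3", conditions=[
        Condition("parameter_key", "Match charset", "Digits"),
        Condition("parameter_value", "Is equal", "legit"),
    ]),
    LegitimateRule("n.4", conditions=[
        Condition("parameter_key", "Is equal", "test"),
    ]),
]


def evaluate(rules: List[LegitimateRule], alert: Dict[str, str]) -> Dict[str, bool]:
    """Map each rule name to whether it matches the alert."""
    return {r.name: rule_matches(r, alert) for r in rules}


if __name__ == "__main__":
    for name, matched in evaluate(EXAMPLE_RULES, ALERT).items():
        print(f"Legitimate rule {name}: {'Match' if matched else 'Not match'}")
```

Running the block reproduces the outcomes of the four examples (n.1 and n.2 match, n.3 and n.4 do not). The check that the rule constrains the alert's Target field is deliberately evaluated before the individual conditions, so a rule that is silent about the attacked field never suppresses an alert, which is the behaviour the Conditions step describes.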