AQTRONIX WebKnight Configuration

Admin


(default: 1)
Enable the built-in admin web interface: /WebKnight/

Admin From IP

The IP addresses or ranges allowed access to the built-in admin interface.

(default: 1)
Allow the built-in admin web interface to make changes to the configuration (IUSR needs change permission on the configuration files). If disabled, the admin interface is a reporting utility only and no changes to the configuration files are possible (you can also remove IUSR access). This feature requires ASP classic to be installed.

Scanning Engine


(default: 0)
Run the filter as a low priority filter instead of a high priority one. High priority is recommended because it is more secure: the filter then runs before other ISAPI filters, which might have buffer overflows or other flaws. Requires restart of IIS!

(default: 1)
Scan unencrypted (HTTP) web traffic (default port 80, but can be anything else). Requires restart of IIS!

(default: 1)
Scan encrypted (HTTPS) web traffic (default port 443, but can be anything else). Requires restart of IIS!

(default: 0)

These are the web instances excluded from scanning. Examples are Outlook Web Access web sites (starting at site instance 100).

Incident Response Handling


(default: 1)
If an attack is detected, send an immediate response to the client with a standard message. The message sent back is the contents of the denied.htm file (in the directory of the firewall).

(default: 0)
If an attack is detected, redirect the client to a custom url (the url specified in 'Response Redirect URL').

Response Redirect URL: (default: /denied.htm)
This is the URL the client is redirected to if 'Response Redirect' is chosen and 'Response Directly' is disabled. This can be an absolute URL (like "http://www.aqtronix.com") or a relative one (like "/denied.htm").

(default: 1)
Whenever an attack is detected, use the value in 'Response Status' as the HTTP response status that will be sent back to the client. This only works if you don't redirect the client to a custom URL.

Response Status: (default: 999 No Hacking)
This is the HTTP response status like '31337 No Hacking' or '404 Object Not Found' that is sent back to the client when an attack is detected.

(default: 1)
Whenever an attack is detected, drop the existing connection (even if keep-alive was requested).

(default: 1)
Monitor traffic coming from the IP address that triggered the alert for a certain time-out period.

Response Monitor IP Timeout: (default: 6)
The time-out (in hours) during which traffic coming from the monitored IP address is logged.

(default: 0)
Block the IP address if it generates too many alerts.

Response Block IP Max Count: (default: 10)
The maximum number of alerts an IP address may generate within the time frame before it is blocked.

Response Block IP Max Time: (default: 18)
The time frame in which the alerts are counted (in hours).

(default: 0)
If an attack is detected, only log and do not block it. If you want the firewall to go completely stealth, also disable the 'Response Headers' in 'Response Monitor'.

Logging


(default: 1)
Enable or disable logging. Requires restart of firewall!

Log Directory: (default: <Path of WebKnight>\LogFiles\)
The directory where the log files will be placed. Requires restart of firewall!

Log Filename Format: (default: %y.%m.%d)
The format of the generated log file names. Syntax is C++ 'strftime': A=weekday, B=month name, d=day of month, j=day of year, m=month, U=week of year, y=year(99), Y=year(9999). Requires restart!

(default: 1)
Log dates and times in GMT/UTC. Requires restart of firewall!

(default: 0)
Make a unique log file per web server process. This is for web servers that can host the filter in more than one process concurrently. Requires restart of firewall!

(default: 1)
Make a unique log file per web server process owner. The application pool identity will be part of the log file name (recommended for IIS 7.0 SP2 and higher). Requires restart of firewall!

Log Retention: (default: 28)
The rotation period (in days) to keep the log files. Requires restart of firewall!

(default: 0)
Enable forwarding log entries to syslog server. Requires restart of firewall!

Syslog Server: (default: localhost)
The syslog server to forward the messages to. Requires restart of firewall!

Syslog Port: (default: 514)
The UDP port number of the syslog server. Requires restart of firewall!

Syslog Priority: (default: 117)
The syslog priority of the messages. Requires restart of firewall!

(default: 0)
In addition to logging blocked requests you can log allowed requests as well. This has a high performance impact on heavily loaded systems and is not recommended!

(default: 1)
Log the client IP address.

(default: 1)
Log the username the client is logged on with.

(default: 0)
Log the 'Via:' header to get an indication of where the original request came from (if the client uses one or more proxies). Note: you will not be able to log all proxies used, because certain proxies do not add this header or remove it!

(default: 0)
Log the 'X-Forwarded-For:' header. Certain proxies (like NetCache) add this header to the request, which indicates the source IP address of the request.

(default: 1)
Log the host header. This will log the Host header of the request, so you can tell which web site the request was intended for.

(default: 0)
Log the client user agent. This can indicate what software/tool is used to perform the attack. However, it is not essential information for reporting an abuse.

Connection


Connection Client IP Variable: (default: )
The server variable to get the client IP address. Use this if the incoming requests are coming from a CDN/reverse proxy. Examples are: HTTP_X_FORWARDED_FOR or HTTP_TRUE_CLIENT_IP. If empty, REMOTE_ADDR is used.

(default: 0)
Adjust the web server log entries to reflect the IP address acquired from the custom IP variable.

(default: 0)

Monitor the traffic of certain IP addresses or ranges by logging their requests. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

(default: 0)

Deny access from certain IP addresses and ranges and log their requests. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

Blocklists (default: 0)
Use third-party blocklists and other lists (e.g. Tor_ip_list_EXIT.csv). Create a subfolder named 'Blocklists', place the list files there and restart IIS.

Connection Requests Limit (default: 0)
Limit the number of requests an IP address can make.

Connection Requests Limit Max Count: (default: 400)
The number of requests that can be made in a certain amount of time.

Connection Requests Limit Max Time: (default: 2)
The time frame in which the requests are counted (in minutes).

(default: 0)

Exclude certain IP addresses or ranges. This allows certain hosts to have unfiltered access to your web services. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').
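As an added illustration of the IP range notations the Connection settings above accept (wildcards, CIDR and hyphenated ranges, plus plain addresses), the following Python class is not WebKnight's own matcher; it assumes the IPv4 semantics described in the text, and handles IPv6 only for CIDR and plain entries.

```python
import ipaddress
import re

# One octet or '*' per position: '10.*.*.*', '10.0.*.*', ...
_WILDCARD_RE = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")

def _parse_entry(entry):
    """Turn one list entry into a predicate over an ipaddress object."""
    entry = entry.strip()
    if "/" in entry:                                   # CIDR: 10.0.0.0/8
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in net                    # False for a mismatched IP version
    if "-" in entry:                                   # hyphen: 10.0.0.1-10.0.0.5
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range entry: {entry}")
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    if "*" in entry:                                   # wildcard: 10.*.*.*
        if not _WILDCARD_RE.match(entry):
            raise ValueError(f"bad wildcard entry: {entry}")
        parts = entry.split(".")
        def wildcard_match(ip, parts=parts):
            if ip.version != 4:
                return False
            octets = str(ip).split(".")
            return all(p == "*" or p == o for p, o in zip(parts, octets))
        return wildcard_match
    single = ipaddress.ip_address(entry)               # plain address
    return lambda ip: ip == single

class IpList:
    """An ordered IP list such as 'Monitor IP', 'Deny IP' or 'Exclude IP'."""

    def __init__(self, entries):
        self._rules = [(e, _parse_entry(e)) for e in entries if e.strip()]

    def match(self, addr):
        """Return the first list entry that covers `addr`, or None if no entry does."""
        ip = ipaddress.ip_address(addr)
        for entry, predicate in self._rules:
            if predicate(ip):
                return entry
        return None

# Constructed list exercising all four notations (not a shipped WebKnight list).
SAMPLE_LIST = IpList(["10.*.*.*", "192.168.0.0/16", "172.16.0.1-172.16.0.5", "203.0.113.7"])
```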

Authentication


(default: 1)
Register for the IIS authentication notifications. Disable for IIS 7.x running in integrated pipeline mode and global.asax issue (see KB 2605401). Requires restart of IIS!

(default: 1)
Also scan the excluded web instances in this event. Excluded web instances are not scanned by the firewall except for authentication attempts.

Blank Passwords (default: 1)
This will block authentication attempts with blank passwords.

Same Password As Username (default: 1)
This will block authentication attempts with passwords equal to the username.

Default Passwords (default: 1)

This will block authentication attempts with default and most used passwords.

System Accounts (default: 1)
This will block authentication attempts with a system critical account (like IUSR_SERVERNAME, IWAM_SERVERNAME, SYSTEM, NETWORK SERVICE, TsInternetUser...).

Account Brute Force Attack (default: 1)
This will block brute force attacks and the account lockout Denial-of-Service they can cause. Detection is done by counting the authentication attempts from an IP address within a certain period.

Account Brute Force Attack Max Count: (default: 5)
The maximum number of authentication attempts an IP address is allowed within the time frame.

Account Brute Force Attack Max Time: (default: 30)
The time frame (in minutes) within which the authentication attempts are counted.
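An added example, not WebKnight's implementation, of the 'Max Count within Max Time' rule that this setting shares with the page's other request-limit settings (Response Block IP, Connection Requests Limit, Url Requests Limit, Deny Bots Aggressive, User Agent Switching). It assumes a sliding window and that the attempt which exceeds Max Count is the first one blocked; the page specifies neither.

```python
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window counter: at most `max_count` events per key within `max_time_seconds`.

    Assumptions not stated on the page: the window slides with time, and attempts that
    were blocked still count towards the window.
    """

    def __init__(self, max_count, max_time_seconds):
        self.max_count = max_count
        self.window = max_time_seconds
        self._events = defaultdict(deque)        # key (e.g. client IP) -> recent timestamps

    def record(self, key, now):
        """Register one attempt for `key` at time `now` (seconds); True if it is allowed."""
        q = self._events[key]
        while q and now - q[0] >= self.window:   # forget attempts older than the window
            q.popleft()
        q.append(now)
        return len(q) <= self.max_count

# Constructed sample of authentication attempts as (seconds, client IP), evaluated with
# the 'Account Brute Force Attack' defaults: Max Count 5, Max Time 30 minutes.
SAMPLE_ATTEMPTS = [
    (0,    "198.51.100.10"), (60,   "198.51.100.10"), (120,  "198.51.100.10"),
    (180,  "198.51.100.10"), (240,  "198.51.100.10"),
    (300,  "198.51.100.10"),    # sixth attempt inside 30 minutes: blocked
    (310,  "198.51.100.20"),    # another client is counted separately: allowed
    (1900, "198.51.100.10"),    # attempts at 0 s and 60 s have aged out: allowed
    (1910, "198.51.100.10"),    # six again within the window: blocked
]

def replay(attempts, max_count=5, max_time_minutes=30):
    """Return the (time, ip) attempts the limiter would block."""
    limiter = AttemptLimiter(max_count, max_time_minutes * 60)
    return [(t, ip) for t, ip in attempts if not limiter.record(ip, t)]
```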

Allowed Accounts (default: 0)

Only allow authentication attempts with these accounts.

Denied Accounts (default: 0)

Block authentication attempts with these accounts.

(default: 1)
Scan the account in use (the logged-on user) in all other ISAPI events as well, and block the request if the account is not allowed to authenticate.

(default: 1)
Scan Forms Authentication attempts. The username and password are extracted using the input field name lists. Excluded Web Instances are always ignored.

Form Username Fields

The names of the input fields containing a username.

Form Password Fields

The names of the input fields containing a password.

Form Parameter Pollution (default: 1)
Prevent parameter pollution in forms used for authentication.

HTTP Version


Maximum HTTP Version (default: 1)
(default: 15)
Limit the length of the HTTP version string. Every request to the web server involves specifying the HTTP version (like 'HTTP/1.1').

Allowed HTTP Versions (default: 1)

Only allow these HTTP versions. An empty line means you allow HTTP version 0.9 (no HTTP version in the request line).

URL Scanning


RFC Compliant Url (default: 1)
Check if the URL is RFC compliant. If it is not, the request is blocked.

RFC Compliant HTTP Url (default: 1)
Check if the HTTP URL is RFC compliant. This will block authentication and fragments in the HTTP url (absolute URLs only).

(default: 1)
Besides using the default scanning, also use the raw scanning capability to scan the URL before the web server decodes the URL (with built-in decoding engine).

Url Encoding Exploits (default: 1)
Do not allow encoding exploits (embedded encoding) in the URL.

Url Parent Path (default: 1)
Deny parent path ('..') attempt in the requested url.

Url Trailing Dot In Dir (default: 1)
Deny a trailing dot in a directory name. This will block all requests with './'.

Url Backslash (default: 1)
Deny backward slashes ('\') in the url.

Url Alternate Stream (default: 0)
This will block all requests with a ':' in the url.

Url Escaping (default: 1)
Do not allow '%' in the url after decoding. This will block encoding exploits (embedded encoding) in the url.

Url Running Multiple CGI (default: 1)
Do not allow using the ampersand ('&') in a url. This can be used to run multiple CGI applications.

Maximum Url (default: 1)
(default: 1024)
Limit the length of the url (more precisely everything in the url before the '?'). Certain attacks involve long urls. You should not allow urls longer than the longest path your operating system allows.

Url Characters (default: 1)
(default: ?#;)
Additional characters to block. If a requested url contains one of these, the request will be blocked.

Url High Bit Shellcode (default: 1)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended on non-US-English web sites. This will also block Unicode/UTF-8 and MBCS in the URL.

Url Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Denied Url Sequences (default: 1)

Block the request when the url contains one or more of these sequences.

Denied Url Regular Expressions (default: 1)

Block the request if the url matches one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Allowed Url Starts (default: 1)

Only allow these character sequences a url may start with.

Url Requests Limit (default: 0)
Limit the number of requests to a specific URL (except the root '/'). This can help in combating DDoS attacks on specific pages.

Url Requests Limit Max Count: (default: 3000)
The number of requests that can be made in a certain amount of time.

Url Requests Limit Max Time: (default: 2)
The time frame in which the requests are counted (in seconds).

(default: 0)

Ignore certain urls from scanning. Once the url is determined to be one of these urls (after the OnReadRawData event), the request will not be scanned by the firewall. These urls are case sensitive, and special characters need to be encoded as they would appear in the HTTP request line.

Mapped Path


Parent Path (default: 1)
Deny parent path ('..') attempt in the mapped path.

Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Escaping (default: 1)
Deny encoding exploits in the mapped path by blocking '%'.

Dot In Path (default: 0)
Deny a dot in the path (except for the filename).

Multiple Colons (default: 1)
Deny more than 1 colon (':') in the path.

Characters (default: 1)
(default: *?"<>|$^#+=;)
Deny the request if one or more of these characters are present in the mapped path.

Allowed Paths (default: 1)

Only allow mapped paths which start with one of these.

Requested File


(default: 1)
Besides using the default scanning, also use the raw scanning capability to scan the requested file before the web server decodes the URL (with built-in decoding engine).

Filename Characters (default: 1)
(default: \:/*?"<>|$^#+=;)
Deny the request if the filename contains one of these characters.

Default Document (default: 0)
Deny default document requests. The client can only request a specific file, not a directory.

Denied Files (default: 1)

Deny the filenames/CGI applications being accessed or run.

(default: 0)

Monitor access to these files.

Allowed Extensions (default: 0)

Only allow requests for files with these extensions.

Denied Extensions (default: 1)

Deny requests for files with these extensions.

Extension Requests Limit (default: 0)
Limit the number of requests an IP address can make to certain file extensions.

Extension Requests Limit Max Count: (default: 200)
The number of requests that can be made in a certain amount of time.

Extension Requests Limit Max Time: (default: 4)
The time frame in which the requests are counted (in minutes).

Limit Extensions

Limit the number of requests to these file extensions.

Robots


(default: 1)
Allow requests for the file 'robots.txt', even for blocked robots. This is recommended because if robots.txt cannot be obtained, the robot assumes it has access, and you have no other way to tell the robot that it is not allowed.

(default: 0)
Requests for robots.txt are served by executing a dynamic robots file.

Dynamic Robots File: (default: robots.asp)
The file that gets executed when requesting robots.txt. A sample of such a dynamic file (robots.asp) is included with the installation.

(default: 0)
Deny requests from all bots. This is done by looking at the requests for the robots.txt file. Blocking is done by the combination of IP address and User Agent.

(default: 1)
Deny requests from bad bots. Add the bot trap urls to your robots.txt file (you can find a sample robots.txt with this installation). Then, to lure a bad bot into those urls, add hidden anchors pointing at them in your web site (<a href=/badbottrap/></a>): a well-behaved bot honours the Disallow rule and never requests them, so any client that does is treated as a bad bot. Blocking is done by the combination of IP address and User Agent.

Deny Bots BotTraps

Lowercase entries without an ending slash are preferred, so that every variant of the url a bad bot may request is caught. Add these urls to your robots.txt:
User-agent: *
Disallow: /badbottrap/

(default: 0)
Deny aggressive bots making more than a certain number of requests in a certain amount of time after their initial request for robots.txt.

Deny Bots Aggressive Max Count: (default: 180)
The number of requests within the time frame after which the bot is blocked.

Deny Bots Aggressive Max Time: (default: 3)
The time frame in which the requests are counted (in minutes).

Deny Bots Timeout: (default: 36)
The time-out (in hours) to block the bots. Blocking is done by looking at the IP address and User Agent.
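An added model, not WebKnight's code, of the bot-trap logic described above, run over constructed requests: the (IP address, User Agent) pair that requests a trap url is blocked for 'Deny Bots Timeout' hours, robots.txt stays reachable as the first setting in this section recommends, and the same IP address with another User Agent is unaffected. Trap paths are normalised to lowercase without an ending slash, following the hint given for the bot traps; the sample traffic is constructed.

```python
from collections import namedtuple

Request = namedtuple("Request", "time ip ua path")   # time in seconds

# Constructed sample traffic, not a real log: a scraper fetches robots.txt, ignores
# its Disallow line and follows the hidden /badbottrap/ anchor.
SAMPLE_REQUESTS = [
    Request(0,             "198.51.100.5", "EvilScraper/1.0",       "/robots.txt"),
    Request(5,             "198.51.100.5", "EvilScraper/1.0",       "/badbottrap/"),
    Request(6,             "198.51.100.5", "EvilScraper/1.0",       "/products.html"),
    Request(7,             "198.51.100.5", "EvilScraper/1.0",       "/robots.txt"),
    Request(8,             "198.51.100.5", "Mozilla/5.0 (browser)", "/index.html"),
    Request(36 * 3600 + 5, "198.51.100.5", "EvilScraper/1.0",       "/about.html"),
]

class BotTrap:
    def __init__(self, traps=("/badbottrap",), timeout_hours=36, allow_robots_txt=True):
        # Trap entries are kept lowercase without an ending slash, as the page advises,
        # so '/BadBotTrap/' and '/badbottrap/page' are both recognised.
        self.traps = tuple(t.rstrip("/").lower() for t in traps)
        self.timeout = timeout_hours * 3600
        self.allow_robots_txt = allow_robots_txt
        self._blocked = {}                   # (ip, user agent) -> time the block expires

    def _is_trap(self, path):
        p = path.lower()
        return any(p == t or p.startswith(t + "/") for t in self.traps)

    def handle(self, req):
        """Return 'allow' or 'deny' for one request and update the block table."""
        key = (req.ip, req.ua)               # blocking is per IP + User Agent combination
        if key in self._blocked and req.time >= self._blocked[key]:
            del self._blocked[key]           # 'Deny Bots Timeout' has elapsed
        if self.allow_robots_txt and req.path.lower() == "/robots.txt":
            return "allow"                   # robots.txt is served even to blocked bots
        if self._is_trap(req.path):
            self._blocked[key] = req.time + self.timeout
            return "deny"
        return "deny" if key in self._blocked else "allow"

def replay(requests, **settings):
    """Run requests through a fresh trap and return one decision per request."""
    trap = BotTrap(**settings)
    return [trap.handle(r) for r in requests]

def robots_txt(traps=("/badbottrap",)):
    """The robots.txt entry the page asks you to add for the trap urls."""
    return "User-agent: *\n" + "".join(f"Disallow: {t.rstrip('/')}/\n" for t in traps)
```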

(default: 0)
Blocks commercial datamining robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks non-profit or public datamining robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks download managers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 1)
Blocks email harvesting robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 1)
Blocks guestbook spamming robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 1)
Blocks certain hacking tools. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks image download tools/robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks indexing robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks monitoring robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks offline browsers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 1)
Blocks other bad robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks copyright/trademark robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks certain validation tools. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks URL checking utilities. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks browsers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks media players. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks proxy servers. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks adware. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks browser extensions. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks spyware. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks web/html editing software. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks news feed utilities. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks search engines. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks filtering software. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks certain software components. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks translation robots. This is done by looking at known user agents and/or IP address defined in Robots.xml.

(default: 0)
Blocks search engine optimization tools and services. This is done by looking at known user agents and/or IP address defined in Robots.xml.

Headers


Denied Headers (default: 1)

Block the request if any of these headers are present.

Header SQL Injection (default: 0)
Do not allow SQL injection in the headers sent to the web server.

Header Encoding Exploits (default: 0)
Do not allow encoding exploits (embedded encoding) in the headers sent to the web server.

Header Directory Traversal (default: 1)
Do not allow directory traversal (parent path) in the headers sent to the web server. This will block any '..' preceding or following a slash ('/' or '\').

Header High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Maximum Header Length (default: 0)
(default: 8192)
The maximum length of a single header.

Max Headers (default: 1)

Limit the length of request headers. You can specify a header and a maximum length.

Denied Header Sequences (default: 1)

Block the request if any of the character sequences are present in the headers.

Denied Header Regular Expressions (default: 1)

Block the request if the headers match one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Host


RFC Compliant Host Header (default: 1)
Block an HTTP/1.1 request that does not include a 'Host:' header (as the RFC requires).

Allowed Host Headers (default: 0)

Allow these hostname headers ('Host:') in requests and deny all others.

Denied Host Headers (default: 1)

Deny these hostname headers ('Host:') in requests.

(default: 1)

Add an exclusion to the denied hostname headers by allowing access from these IP addresses. For ranges you can use wildcards ('10.*.*.*') and CIDR notation ('10.0.0.0/8') or hyphen ('10.0.0.1-10.0.0.5').

(default: 0)

Exclude these host headers, recommended if you want to exclude scanning requests for certain web sites. Requests with these Host headers will not be scanned. Example: 'www.example.com'.

Content Type


Allowed Content Types (default: 1)

Deny the request when the Content-Type is not in this list. If for instance you want to enable all multipart types simply add 'multipart/'. This way you effectively enable 'multipart/form-data', 'multipart/mixed',...

Denied Content Types (default: 0)

Deny the request when the Content-Type is in this list. Examples are 'application/' (will block all application content-types), 'application/octet-stream', 'application/*', ...

Maximum Content Length (default: 1)
(default: 5300642)
Limit the value of the Content-Length header in a request. This allows you to limit the number of bytes sent to the server in requests.

Allowed Transfer Encodings (default: 1)

Deny the request when the Transfer-Encoding is not in this list.

Denied Transfer Encodings (default: 0)

Deny the request when the Transfer-Encoding is in this list.

Cookie


(default: 0)
Sets the HttpOnly attribute in the cookie. This prevents JavaScript from accessing the cookie.

(default: 0)
Sets the Secure attribute in the cookie when the site is accessed over HTTPS. This prevents the browser from sending the cookie over non-HTTPS connections.

Cookie SQL Injection (default: 1)
Deny SQL injection in the 'Cookie:' header. This can be useful if your website is using a database and you are using cookies for storing information related to the database.

Cookie Encoding Exploits (default: 0)
Do not allow encoding exploits (embedded encoding) in cookies (in the 'Cookie:' header).

Cookie Directory Traversal (default: 0)
Do not allow directory traversal (parent path) in the cookie sent to the web server. This will block any '..' preceding or following a slash ('/' or '\').

Cookie High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Cookie Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Cookie Parameter Pollution (default: 1)
Do not allow parameter pollution (multiple parameters with the same name).

Cookie Parameter Name Require Regular Expression (default: 1)
(default: ^[a-zA-Z0-9_\.\-$]+$)
Require the parameter name to match this regular expression (CAtlRegExp syntax).

Cookie Input Validation (default: 1)
Validate user input. Use the admin interface to configure validators.

Maximum Cookie Variable Length (default: 1)
(default: 1024)
The maximum length of a variable in the cookies.

Denied Cookie Sequences (default: 1)

Block the request if any of the character sequences are present in the cookie.

User Agent


User Agent Empty (default: 1)
Deny the request if the user agent is empty or not present.

User Agent Non RFC (default: 1)
Deny the request if the user agent is not RFC compliant.

User Agent SQL Injection (default: 1)
Do not allow SQL injection in the user agent.

User Agent High Bit Shellcode (default: 0)
Deny high bit shell code in the user agent. This will block ASCII>127 and may block the user agent strings of non-US-ASCII web browsers.

User Agent Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Require User Agent Character (default: 0)
(default: /-._)
Deny the request if the user agent does not contain at least one of these characters.

User Agent Current Date (default: 1)

Deny the request if the user agent contains the current date in one of these formats. Syntax is C++ 'strftime': A=weekday, B=month name, d=day of month, j=day of year, m=month, U=week of year, y=year(99), Y=year(9999).

User Agent Switching (default: 1)
Deny the request if the user agent coming from a single IP address changes too often.

User Agent Switching Max Count: (default: 30)
The maximum number of different user agents in a certain amount of time.

User Agent Switching Max Time: (default: 5)
The time frame in which the user agents are counted (in minutes).

Denied User Agents (default: 0)

Deny the request for these user agent strings.

Denied User Agent Sequences (default: 0)

Deny the request if the user agent contains one of these character sequences.

(default: 0)

Exclude the request from being scanned when the User-Agent header is one of these.

Referrer


(default: 1)
Scan the referrer URL. Enabling this allows the other checks in this section.

Referrer URL RFC Compliant (default: 1)
The referrer URL has to be RFC compliant.

Referrer URL RFC HTTPCompliant (default: 1)
The referrer URL has to be HTTP RFC compliant (no authentication and no fragment).

Referrer SQL Injection (default: 1)
Do not allow SQL injection in the referrer URL sent to the web server.

Referrer Encoding Exploits (default: 0)
Deny encoding exploits and embedded encoding in the referrer URL.

Referrer High Bit Shellcode (default: 0)
Deny high bit shell code in the referrer URL. This will block ASCII>127 in the referrer URL and may block non-US-ASCII web sites from linking to your site.

Referrer Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Allowed Referrer Starts (default: 1)

Only allow these character sequences a referrer url may start with.

Referrer Characters (default: 0)
(default: )
Deny certain characters in the referrer URL.

Denied Referrer Sequences (default: 1)

Deny these character sequences in the referrer URL.

Hot Linking


(default: 0)
Scan hot linking (also called direct linking, inline linking) to certain urls or file extensions from certain domains.

Referrer Hot Linking Urls

The urls to which hot linking is denied. This can also be used to prevent cross-site request forgery (CSRF) on those urls if 'Blank Referrer' is set to blocked.

Referrer Hot Linking File Extensions

The file extensions to which hot linking is denied.

Referrer Hot Linking Allow Domains (default: 1)

Only allow certain domains to use hot linking: the domains (FQDN) or IP addresses listed here are allowed to hot link. You do not need to add your own domain to this list; see the setting "Use Host Header".

Referrer Hot Linking Deny Domains (default: 0)

Deny certain domains from using hot linking: the domains (FQDN) or IP addresses listed here are not allowed to hot link.

(default: 1)
Allow the Host header domain to use hot linking. This allows the local web site to refer to itself without needing to add its domain names to the allowed list above.

Referrer Hot Linking Blank Referrer (default: 0)
Deny requests with no referrer to the protected file extensions or urls. This will block some leeching tools but also some proxy servers and browsers with additional security applications that remove the referrer header.

Methods


Allowed Verbs (default: 1)

Only allow these request methods (HTTP verbs).

Denied Verbs (default: 0)

Deny these request methods (HTTP verbs).

Denied Payload (default: 1)

Deny payloads (entity body) for these request methods (HTTP verbs): requests using these methods may not carry a payload.

Querystring


(default: 1)
Besides using the default scanning, also use the raw scanning capability to scan the querystring before the web server decodes the URL (with built-in decoding engine).

Querystring SQL Injection (default: 1)
Do not allow SQL injection in the querystring.

Querystring Encoding Exploits (default: 1)
Do not allow encoding exploits (embedded encoding) in the querystring.

Querystring Directory Traversal (default: 1)
Do not allow directory traversal in the querystring. This will block any '..' preceding or following a slash ('/' or '\').

Querystring High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Querystring Special Whitespace (default: 1)
Do not allow carriage return, line feed, form feed, backspace and tabulator characters.

Querystring Parameter Pollution (default: 1)
Do not allow parameter pollution (multiple parameters with the same name).

Querystring Parameter Name Require Regular Expression (default: 1)
(default: ^[a-zA-Z0-9_\.\-]+$)
Require the parameter name to match this regular expression (CAtlRegExp syntax).

Querystring Input Validation (default: 1)
Validate user input. Use the admin interface to configure validators.

Maximum Querystring (default: 1)
(default: 1024)
Limit the length of the querystring (everything after the '?' in a url).

Maximum Querystring Variable Length (default: 1)
(default: 2048)
The maximum length of a variable in the querystring.

Denied Querystring Sequences (default: 1)

Block the request if any of these sequences are present in the querystring.

Denied Querystring Regular Expressions (default: 1)

Block the request if the querystring matches one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

(default: 0)
Ignore certain querystrings from scanning. Once the querystring is determined to be one of these querystrings (after OnReadRawData event), the request will not be scanned by the firewall. CAUTION: if attackers know these querystrings they can avoid detection!


Exclude these querystrings from being scanned. These are full querystrings; they are case sensitive, and special characters need to be encoded as they would appear in the HTTP request line.
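An added example, not WebKnight's scanner, that applies the Querystring section's checks and defaults to a raw querystring and returns the names of the rules it would trigger. The denied sequences and regex are constructed samples, the CAtlRegExp pattern quoted on the page is reused as a Python regex (compatible for this particular pattern only), and the exact matching behaviour of WebKnight's own checks is assumed.

```python
import re
from urllib.parse import parse_qsl

# Settings mirroring the Querystring section's defaults. The parameter-name regex is the
# CAtlRegExp pattern from the page, which happens to be a valid Python regex as well.
# Denied sequences/regexes are constructed samples, not WebKnight's shipped rules.
SETTINGS = {
    "max_querystring": 1024,
    "max_variable_length": 2048,
    "high_bit_shellcode": False,            # default 0 on the page
    "param_name_regex": re.compile(r"^[a-zA-Z0-9_\.\-]+$"),
    "denied_sequences": ["<script", "xp_cmdshell"],
    "denied_regexes": {"UnionSelect": re.compile(r"(?i)union\s+select")},
}

TRAVERSAL_RE = re.compile(r"\.\.[/\\]|[/\\]\.\.")    # '..' preceding or following a slash
SPECIAL_WHITESPACE = set("\r\n\f\b\t")                 # CR, LF, FF, backspace, tab

def scan_querystring(qs, settings=SETTINGS):
    """Return the names of the Querystring rules that the raw querystring `qs` triggers.

    The string-level checks run on the raw querystring as it appears in the request
    line; the parameter-level checks run on the decoded name/value pairs.
    """
    alerts = []
    if len(qs) > settings["max_querystring"]:
        alerts.append("Maximum Querystring")
    if any(c in SPECIAL_WHITESPACE for c in qs):
        alerts.append("Querystring Special Whitespace")
    if settings["high_bit_shellcode"] and any(ord(c) > 127 for c in qs):
        alerts.append("Querystring High Bit Shellcode")
    if TRAVERSAL_RE.search(qs):
        alerts.append("Querystring Directory Traversal")
    lowered = qs.lower()
    for seq in settings["denied_sequences"]:
        if seq.lower() in lowered:
            alerts.append(f"Denied Querystring Sequences: {seq}")
    for name, rx in settings["denied_regexes"].items():   # 'Key' is logged as the rule name
        if rx.search(qs):
            alerts.append(f"Denied Querystring Regular Expressions: {name}")
    pairs = parse_qsl(qs, keep_blank_values=True)
    names = [n for n, _ in pairs]
    polluted = sorted({n for n in names if names.count(n) > 1})
    if polluted:                                           # same name supplied more than once
        alerts.append("Querystring Parameter Pollution: " + ", ".join(polluted))
    for name, value in pairs:
        if not settings["param_name_regex"].match(name):
            alerts.append(f"Querystring Parameter Name Require Regular Expression: {name}")
        if len(value) > settings["max_variable_length"]:
            alerts.append(f"Maximum Querystring Variable Length: {name}")
    return alerts
```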

Post


Postdata SQL Injection (default: 1)
Do not allow SQL injection in the data (e.g. postdata) sent to the web server.

Postdata Encoding Exploits (default: 1)
Do not allow encoding exploits (embedded encoding) in the data (e.g. postdata) sent to the web server.

Postdata Directory Traversal (default: 1)
Do not allow directory traversal (parent path) in the data (e.g. postdata) sent to the web server. This will block any '..' preceding or following a slash ('/' or '\').

Postdata High Bit Shellcode (default: 0)
Do not allow high bit shellcode (ascii>127). This will restrict the web sites to US-ASCII only and block characters not in this character set. Not recommended for non-US-English web sites.

Postdata Parameter Pollution (default: 1)
Do not allow parameter pollution (multiple parameters with the same name).

Postdata Parameter Name Require Regular Expression (default: 1)
(default: ^[a-zA-Z0-9_\.\-$]+$)
Require the parameter name to match this regular expression (CAtlRegExp syntax).

Postdata Input Validation (default: 1)
Validate user input. Use the admin interface to configure validators.

Maximum Postdata Variable Length (default: 1)
(default: 2048)
The maximum length of a variable in the data.

Denied Post Sequences (default: 1)

Block the request if any of these character sequences are present in the data (i.e. postdata).

Denied Post Regular Expressions (default: 1)

Block the request if the postdata matches one of these regular expressions. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

Post Log Length: (default: 1024)
Log this many bytes of the post data when it triggers an alert. Set this to zero to disable logging of sensitive post data.
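The querystring and postdata rules listed above (maximum lengths, denied sequences and regular expressions, directory traversal, high bit shellcode, parameter pollution, and the parameter name pattern) can be modelled in a few lines. The following is an added example, not WebKnight's own code: Python's re module stands in for CAtlRegExp, the numeric defaults are the ones given on the page, and the denied-sequence and denied-regex lists are constructed here because the page leaves them to the admin interface.

```python
# Added example (not WebKnight's own code): a Python model of the
# querystring and postdata checks described on this page. Python's re
# module stands in for CAtlRegExp; the rule lists are constructed here
# because the page leaves them to the admin interface.
import re
from urllib.parse import parse_qsl

MAX_QUERYSTRING = 1024          # "Maximum Querystring" default
MAX_VARIABLE_LENGTH = 2048      # "Maximum ... Variable Length" default
PARAM_NAME_RE = re.compile(r"^[a-zA-Z0-9_\.\-$]+$")   # default name pattern

# Constructed sample rule sets; matching is case-insensitive here (an
# assumption, the page does not state how sequences are compared).
DENIED_SEQUENCES = ["<script"]
DENIED_REGEX = {"Event handler": re.compile(r"\bon\w+\s*=", re.I)}

# '..' immediately before or after a slash ('/' or '\'), as the
# Directory Traversal rule on the page describes.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|[/\\]\.\.")


def check_data(data: str, is_querystring: bool = False,
               high_bit: bool = False) -> list[str]:
    """Return the names of the rules that fire for one querystring or
    POST body (an empty list means the request passes). high_bit mirrors
    the 'High Bit Shellcode' switch, which defaults to off for postdata."""
    hits: list[str] = []
    if is_querystring and len(data) > MAX_QUERYSTRING:
        hits.append("Maximum Querystring")

    # Raw-text rules run on the data exactly as received.
    lowered = data.lower()
    hits += [f"Denied Sequence: {s}" for s in DENIED_SEQUENCES if s.lower() in lowered]
    hits += [f"Denied Regex: {name}" for name, rx in DENIED_REGEX.items() if rx.search(data)]
    if TRAVERSAL_RE.search(data):
        hits.append("Directory Traversal")
    if high_bit and any(ord(ch) > 127 for ch in data):
        hits.append("High Bit Shellcode")

    # Parameter-level rules run on the decoded name/value pairs.
    seen: set[str] = set()
    for name, value in parse_qsl(data, keep_blank_values=True):
        if name in seen:
            hits.append(f"Parameter Pollution: {name}")
        seen.add(name)
        if not PARAM_NAME_RE.match(name):
            hits.append(f"Parameter Name: {name}")
        if len(value) > MAX_VARIABLE_LENGTH:
            hits.append(f"Maximum Variable Length: {name}")
    return hits


if __name__ == "__main__":
    for sample in ["id=5&name=bob", "file=../../etc/passwd", "a=1&a=2", "a%20b=1"]:
        print(sample, "->", check_data(sample))
```

Note the two scopes: the sequence, regex and traversal rules look at the raw bytes, while pollution, name and length rules look at each decoded parameter, which is why a percent-encoded space in a parameter name is caught by the name pattern rather than by a sequence rule.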

Global Filter Capabilities


(default: 1)
Register for the OnReadRawData event (required for scanning the POST body in IIS 5). This event is only delivered if the filter is installed as a global filter; if it is not, the filter will fail to load. For IIS 6 you need to run in IIS 5.0 Isolation mode. Use the ISAPI extension instead for IIS 6 (Worker Process mode) and IIS 7+. Requires restart of IIS!

(default: 0)
Set this if the firewall is installed in ISA Server or Forefront TMG. Requires restart!

Slow Header Attack (default: 1)
Do not allow a slow header attack. This is a DoS in which headers are sent one at a time with long intervals between them. This is only supported in the ISAPI filter.

Slow Post Attack (default: 1)
Do not allow a slow POST attack. This is a DoS in which postdata is sent in small packets with long intervals between them. This is only supported in the ISAPI filter.

Response Monitor


(default: 1)

Add, change or remove headers from the HTTP response. Use an empty value to remove the header.

(default: 1)
Log HTTP client side errors like '404 Not Found' (status codes starting with a '4').

HTTP Client Errors (default: 1)
Block the IP address if it generates too many HTTP client errors.

HTTP Client Errors Max Count: (default: 100)
The maximum number of HTTP client errors an IP address may generate within the time frame below before it is blocked.

HTTP Client Errors Max Time: (default: 10)
The time frame in which the errors are counted (in minutes).

(default: 1)
Log HTTP server side errors like '501 Not Implemented' (status codes starting with a '5').

HTTP Server Errors (default: 1)
Block the IP address if it generates too many HTTP server errors.

HTTP Server Errors Max Count: (default: 10)
The maximum number of HTTP server errors an IP address may generate within the time frame below before it is blocked.

HTTP Server Errors Max Time: (default: 10)
The time frame in which the errors are counted (in minutes).

Information Disclosure (default: 1)

Deny certain information disclosures in text sent from the webserver to the client. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).
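The Response Monitor settings above amount to two mechanisms: a per-IP count of 4xx and 5xx responses inside a sliding time window, and a set of regular expressions run over response text. The block below is an added example, not WebKnight's own code; it uses the page's default limits (100 client errors or 10 server errors in 10 minutes), constructed log lines in a simple 'date time ip status' format, documentation IP ranges, and constructed disclosure rules with Python's re standing in for CAtlRegExp.

```python
# Added example (not WebKnight's own code): a Python model of the Response
# Monitor settings: per-IP counting of 4xx/5xx responses inside a sliding
# window using the page's default limits, plus regex rules for information
# disclosure in response text. Log lines and rules are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (max count, max time in minutes) from the page's defaults.
CLIENT_ERRORS = (100, 10)
SERVER_ERRORS = (10, 10)

# Constructed disclosure rules; Python's re stands in for CAtlRegExp.
DISCLOSURE_RULES = {
    "ODBC error": re.compile(r"\[Microsoft\]\[ODBC [^\]]+ Driver\]"),
    "ASP.NET stack trace": re.compile(r"Server Error in '[^']*' Application|Stack Trace:"),
}


def disclosure_hits(body: str) -> list[str]:
    """Names of the disclosure rules that match a response body."""
    return [name for name, rx in DISCLOSURE_RULES.items() if rx.search(body)]


class ErrorMonitor:
    """Tracks error responses per client IP and blocks an IP once it
    exceeds the configured count within the configured window."""

    def __init__(self) -> None:
        self.events: dict[tuple[str, str], deque] = defaultdict(deque)
        self.blocked: set[str] = set()

    def observe(self, ip: str, status: int, when: datetime) -> bool:
        """Record one response; return True if it causes ip to be blocked."""
        if 400 <= status < 500:
            kind, (limit, minutes) = "client", CLIENT_ERRORS
        elif 500 <= status < 600:
            kind, (limit, minutes) = "server", SERVER_ERRORS
        else:
            return False
        q = self.events[(ip, kind)]
        q.append(when)
        # Drop events older than the window so only the last N minutes count.
        while q and when - q[0] > timedelta(minutes=minutes):
            q.popleft()
        if len(q) > limit:
            self.blocked.add(ip)
            return True
        return False


def process_log(lines: list[str]) -> ErrorMonitor:
    """Feed constructed 'YYYY-mm-dd HH:MM:SS ip status' lines to a monitor."""
    mon = ErrorMonitor()
    for line in lines:
        date, time, ip, status = line.split()
        mon.observe(ip, int(status), datetime.fromisoformat(f"{date} {time}"))
    return mon


# Constructed sample log (documentation IP ranges), built from a base time.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    # three 404s from one client: far below the 100-in-10-minutes limit
    [f"{T0 + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} 203.0.113.5 404" for i in range(3)]
    # eleven 500s within ten minutes from another client: exceeds 10 in 10 minutes
    + [f"{T0 + timedelta(minutes=i):%Y-%m-%d %H:%M:%S} 203.0.113.9 500" for i in range(11)]
    # eleven 503s two minutes apart: the window expires older ones, so no block
    + [f"{T0 + timedelta(minutes=2 * i):%Y-%m-%d %H:%M:%S} 198.51.100.7 503" for i in range(11)]
)

if __name__ == "__main__":
    monitor = process_log(SAMPLE_LOG)
    print("blocked:", sorted(monitor.blocked))
    print(disclosure_hits("Server Error in '/' Application. Stack Trace: ..."))
```

The third client in the sample log shows why 'Max Time' matters: the same number of server errors spread over twenty minutes never has more than six inside any ten-minute window, so it is logged but not blocked.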

SQL Injection


SQL Injection Keywords

These are the SQL keywords for the SQL injection scanning.

SQL Injection Allowed Count: (default: 1)
Ignore this number of matches at most. Only trigger an alert when more keywords than this threshold are found.

(default: 1)
Removes redundant whitespace before scanning. This collapses doubled whitespace, strips spaces around parentheses and comparison operators, and adds at least one space before and after comments.

(default: 1)
Also scan with numeric and boolean values replaced with 1. This is needed for some of the keywords above.
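The three SQL injection settings above work together: whitespace is normalised, a second copy with numeric and boolean values replaced by 1 is produced, and the keyword count of whichever copy scores higher is compared against 'Allowed Count'. The following is an added example, not WebKnight's own code, with a constructed keyword list (the real list lives in the admin interface) and the page's default threshold of 1.

```python
# Added example (not WebKnight's own code): a Python model of the SQL
# injection scanner settings: keyword counting against the Allowed Count
# threshold, whitespace normalisation, and a second pass with numeric and
# boolean values replaced by 1. The keyword list is constructed.
import re

SQL_KEYWORDS = ["union", "select", "insert", "delete", "drop",
                "--", "/*", "';", "or 1=1", "and 1=1"]
ALLOWED_COUNT = 1   # page default: a single match is tolerated


def normalize_whitespace(s: str) -> str:
    """Collapse repeated whitespace, strip spaces around parentheses and
    comparison operators, and pad SQL comments with a space on each side."""
    s = re.sub(r"\s+", " ", s)
    s = re.sub(r"\s*([()=<>!])\s*", r"\1", s)
    s = re.sub(r"(--|/\*|\*/)", r" \1 ", s)
    return re.sub(r"\s+", " ", s).strip()


def replace_values(s: str) -> str:
    """Replace numeric literals and boolean words with 1 so that
    'or 7=7' and 'or true=true' both become 'or 1=1'."""
    s = re.sub(r"\b(true|false)\b", "1", s, flags=re.I)
    return re.sub(r"\b\d+(?:\.\d+)?\b", "1", s)


def keyword_count(data: str) -> int:
    """Highest keyword count over the normalised data and its
    value-replaced variant (the scanner checks both)."""
    normalized = normalize_whitespace(data)
    variants = (normalized.lower(), replace_values(normalized).lower())
    return max(sum(1 for k in SQL_KEYWORDS if k in v) for v in variants)


def is_sql_injection(data: str) -> bool:
    """Alert only when more keywords than ALLOWED_COUNT are found."""
    return keyword_count(data) > ALLOWED_COUNT


if __name__ == "__main__":
    for sample in ["name=O'Brien&age=42", "id=7 or 7 = 7", "admin' OR 7=7 --"]:
        print(repr(sample), keyword_count(sample), is_sql_injection(sample))
```

The second pass is what lets a keyword such as 'or 1=1' catch 'OR 7=7': on the raw text only the comment marker matches (one keyword, within the allowed count), while the value-replaced copy matches two and triggers the alert.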

Encoding Exploits


Encoding Keywords

These are the keywords for detecting encoding exploits.

Encoding Regular Expressions

These are the regex patterns for detecting encoding exploits. 'Key' is the name of the rule (will be logged). 'Value' is the regex pattern used to find matches (CAtlRegExp syntax).

(default: 1)
Scan for double encoding (= embedded encoding).

(default: 1)
Scan for invalid UTF-8 sequences. To avoid issues with non US-ASCII characters, set your response pages to UTF-8.
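Both encoding switches above are checks on how request data decodes. The following is an added example, not WebKnight's own code: it percent-decodes with Python's urllib (which follows RFC 3986; the filter's own decoder may differ in details) and reports double encoding when one decode pass still leaves a percent escape, and invalid UTF-8 when the decoded bytes do not pass a strict UTF-8 decode (overlong forms, truncated sequences, stray continuation bytes).

```python
# Added example (not WebKnight's own code): a Python model of the two
# encoding-exploit switches. urllib's percent-decoding stands in for the
# filter's decoder.
import re
from urllib.parse import unquote, unquote_to_bytes

PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def has_double_encoding(raw: str) -> bool:
    """True when decoding the raw request data once still leaves a percent
    escape, i.e. an escape was itself encoded (%252e -> %2e -> '.')."""
    return PERCENT_ESCAPE.search(unquote(raw)) is not None


def has_invalid_utf8(raw: str) -> bool:
    """True when the percent-decoded bytes are not well-formed UTF-8.
    Python's strict decoder rejects overlong forms (e.g. %C0%AE for '.'),
    truncated sequences and stray continuation bytes."""
    try:
        unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def encoding_hits(raw: str) -> list[str]:
    """Names of the encoding rules that fire for one raw URL or querystring."""
    hits = []
    if has_double_encoding(raw):
        hits.append("Double Encoding")
    if has_invalid_utf8(raw):
        hits.append("Invalid UTF-8")
    return hits


if __name__ == "__main__":
    for sample in ["a%20b", "caf%C3%A9", "%252e%252e/", "%C0%AE", "caf%C3"]:
        print(sample, "->", encoding_hits(sample))
```

The 'caf%C3%A9' case is the one the page's advice about UTF-8 response pages addresses: correctly encoded non-ASCII text decodes cleanly and is not flagged, whereas a client that sends a bare or truncated lead byte is.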

Web Applications


(default: 0)
Allows file uploads to your server using the HTTP POST method.

(default: 0)
Allows Unicode encoding in the urls and other data sent to the server.

(default: 0)
Allows Outlook Web Access. This changes other settings so that OWA is enabled. This reduces the security of your system and it is not recommended that you run OWA as a virtual directory ('/Exchange'). It is better to assign a web site to OWA (Use MMC of Exchange Server: add HTTP server) and exclude this web instance from scanning!

(default: 0)
Allows Outlook Mobile Access. This changes other settings so that OMA is enabled. Outlook Mobile Access is the successor of Mobile Information Server 2002 (MIS) and now comes with Microsoft Exchange Server. It enables access to Exchange Server from XHTML (WAP 2.x), and CHTML-based microbrowsers.

(default: 0)
Allows Microsoft ActiveSync. ActiveSync is used for connection with Pocket PCs and similar devices that have Microsoft ActiveSync client software installed. One example is access from Pocket PCs to Exchange Server via Exchange Server ActiveSync.

(default: 0)
Allows RPC over HTTP Proxy. RPC over HTTP was first introduced in Windows 2003 and Windows XP SP1. It allows RPC connections over an HTTP connection. Exchange 2003 uses this feature for direct remote access from Outlook without a VPN.

(default: 0)
Allows FrontPage Extensions. This changes other settings so that the firewall will not block FrontPage Extensions. Enabling this reduces the security of your system; make sure you have the latest version of FrontPage installed and keep up with security patches!

(default: 0)
Allows ColdFusion. This changes other settings so that the firewall will not block these requests. This reduces the security of your system; follow ColdFusion's security practices and keep up with security fixes!

(default: 0)
Allows WebDAV. WebDAV is an HTTP extension for Distributed Authoring and Versioning. This changes other settings so that the firewall will not block these requests. This reduces the security of your system!

(default: 0)
Allows IISADMPWD. IISADMPWD is a virtual directory that allows users to change their domain/local password over the HTTP protocol. Outlook Web Access can use this feature. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows SharePoint Portal Server. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows SharePoint Team Services. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Office SharePoint Server 2007. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Team Foundation Server. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Virtual Server 2005 Web Interface. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Certificate Services Web Interface. Certificate Services installs a virtual directory in your default web site for managing certificates via your browser. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows BizTalk Server. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Commerce Server. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Small Business Server. This is the same as enabling Outlook Web Access. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Active Server Pages 3.0 (and previous versions). By default ASP is fully enabled, but if you changed the default settings and disabled ASP then you can use this option to re-enable ASP.

(default: 0)
Allows all features of ASP.NET. By default ASP.NET is partially enabled. You should select this option only if you really need debugging, tracing, remoting and SOAP for your ASP.NET.

(default: 0)
Allows ASP.NET MVC. By default ASP.NET MVC is not enabled.

(default: 0)
Allows PHP. Use this to allow the PHP ISAPI extension. This also changes the scanning engine to be compatible with PHP.

(default: 0)
Allows Background Intelligent Transfer Service (BITS). BITS uses an ISAPI extension to extend IIS to support upload jobs. Use this to enable that ISAPI extension.

(default: 0)
Allows SOAP. By default SOAP is blocked. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows JSON. By default JSON is blocked. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows REST. By default REST is partially blocked. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Windows Remote Management (WinRM) IIS Extensions. By default WinRM is blocked. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows WebSocket (RFC 6455). By default WebSocket is blocked. Enabling this changes other settings so that the firewall will not block these requests.

(default: 0)
Allows Paypal IPN. By default Paypal IPN is blocked. Enabling this changes other settings so that the firewall will not block these requests.


AQTRONiX XML Editor - Copyright © 2013-2018 AQTRONiX, Parcifal Aertssen