Overview
A security rule library is used to store the characteristic information of discovered insecure SQL statements. The system determines whether the audited SQL statements contain suspicious behaviors by matching them with security rules.
According to the characteristics of insecure SQL statements, security rules are divided into SQL injection rules, vulnerability exploit rules, account security rules, data leakage rules and illegal operation rules.
SQL injection is an attack that inserts or adds SQL code into the input parameters of the application (user), and then delivers these parameters to the backend database server for parsing and execution. SQL injection rules can effectively detect such attack behaviors and generate alarms.
Vulnerability exploit rules are formulated based on known SQL vulnerabilities. Depending on the vulnerability type, they are divided into buffer overflow rules and stored procedure abuse rules.
Account security rules are security rules for scenarios such as brute force attacks on database servers and login failures.
Data leakage rules are divided into data reductions, database external communications, large-traffic responses, and unauthorized access according to the leakage scenarios. The system can effectively detect these leakages and send alarms in time.
Illegal operation rules target illegal operations by application accounts and O&M personnel, database detection, and abnormal statement scenarios.
The system has more than 900 built-in security rules, covering common application scenarios, and is constantly being enriched. In addition, users can customize security rules.
Rule Management
Built-in rules cannot be changed. By default, the list shows only the recommended rules; click the Recommended button in the upper right corner of the interface to switch to all rules.
Note:
Built-in rules include feature rules and other non-feature rules. Feature rules cannot be cloned or deleted, while non-feature rules can be cloned.
You can manage custom rules. To add custom security rules, follow the steps below:
1. In the menu, select Configure Rules > Security Rules to enter the Security Rules page, select the Manage Rules tab, and click Add.
2. Fill in the relevant parameters in the pop-up dialog box, then click Save to add the new security rule. The parameters are described in the table below.
| Item | Parameter | Parameter Description |
| --- | --- | --- |
| Basic Info | Name | Set the rule name. Must consist of Chinese characters, letters, numbers, underscores (_), dots (.) or dashes (-), within 64 characters. |
| | Description | Description of the rule. |
| | Level | Required. The default risk level is medium. The risk level can be high, medium, or low. |
| | Associated Rule Group | Required. You can select a custom rule group or a default rule group. To manage custom rule groups, click Manage Rule Group on the right side of Associated Rule Group to add, modify and delete custom rule groups. |
| | Rule Type | Currently, two types of rules are supported: general rules and statistical rules. |
| | Behaviors | Currently available are alarm, and alarm and blocking. |
| Client | Client Source | Client IP or IP group for accessing a service type. You can fill in multiple entries, and separate them with commas (,). |
| | Client Tools | You can configure multiple client tools by separating them with commas (,). Example: db2bp.exe,java.exe. |
| | Client Port | You can configure multiple values or ranges, and separate them with commas (,). Example: 10-15,20,25,30-40. |
| | Client MAC Address | You can fill in multiple values, and separate them with commas (,). |
| | Operating System User | You can select a string or a regular expression. The string can contain multiple values separated with commas (,). |
| | Host Name | You can select a string or a regular expression. The string can contain multiple values separated with commas (,). |
| | Application IP | Specifies the application IP or IP group that matches the rule, corresponding to the associated IP in audit logs. Multiple values can be filled in. Separate them with commas (,). |
| | Application Username | Specifies the application user or user group that matches the rule, corresponding to the associated account in audit logs. Multiple values can be filled in. Separate them with commas (,). |
| Server | Server IP | You can fill in multiple values, and separate them with commas (,). |
| | Server Port | You can configure multiple values or ranges, and separate them with commas (,). Example: 10-15,20,25,30-40. |
| | Database Account | Specifies the database login account or account group that matches the rule, or a regular expression. Multiple values can be filled in. Separate them with commas (,). |
| | Server MAC Address | You can fill in multiple values, and separate them with commas (,). |
| | Database Name (SID) | You can select a string or a regular expression. For an Oracle database, enter an SID. For other databases, enter a database name. The string can contain multiple values. Separate them with commas (,). |
| Behaviors | Object | Specifies the object group that matches the rule. |
| | Operation Type | Specifies the operation type of an SQL statement, for example, select, update, delete, etc. |
| | SQL Template ID | Optional. Multiple values can be filled in. Separate them with commas (,). |
| | SQL Keywords | Supports matching packets with regular expressions. Click Regular Verification, enter the packet content and click Verify to check whether the input matches the regular expression; click Add Condition to add multiple conditions. Logical expression of conditional operation: required if an SQL keyword is filled in. Conditions are combined with AND, OR, NOT and bracket operations (&: AND; \|: OR; ~: NOT) and are referred to by serial number, that is, 1 represents condition 1. For example, 1&2 means there are two SQL keyword conditions and both keywords must be met for an alarm to be generated. |
| | SQL Length | Specifies the length of an SQL statement. Value range: 1 B to 64 KB. |
| | Number of Associated Tables | The rule is triggered when the number of tables involved in the SQL operation is greater than or equal to this value. The maximum input value allowed is 255. |
| | WHERE Clause | Whether there is a WHERE clause. Supports three options; the default is "Do not check". A WHERE clause is used to extract SQL records that meet the specified conditions. The syntax is as follows: SELECT column_name,column_name FROM table_name WHERE column_name operator value; |
| Result | Execution Duration | (Optional) Unit: seconds, milliseconds or microseconds. Value range: zero to half an hour. If the SQL execution duration falls within this range, the rule is triggered. |
| | Number of Affected Rows | Value range: 0 to 999,999,999. If the number of records returned by the SQL operation or the number of affected rows falls within this range, the rule is triggered. |
| | Returned Result Set | Supports matching with regular expressions. Click Regular Verification, enter the packet content and click Verify to check whether the input matches the regular expression; click Add Condition to add multiple conditions. Logical expression of conditional operation: required if the SQL keyword is filled in. Conditions are combined with AND, OR, NOT and bracket operations (&: AND; \|: OR; ~: NOT) and are referred to by serial number, that is, 1 represents condition 1. For example, 1&2 means there are two conditions and both must be met for an alarm to be generated. |
| | Execution Status | There are three types of execution status; the default is "All". |
| | Execution Result Description | Supports matching with regular expressions. |
| Others | Effective At | You can customize the time group or select an existing one. |
| | Maximum Number of Alarms Per Day | Value range: 0 to 99,999, where 0 means no limit. |
| | Result Set Storage Policy | Set the storage policy for the returned result set in the alarm logs of the rule: "Same as asset settings", "Save", or "Do not save". |
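The condition-expression syntax described for SQL Keywords and Returned Result Set, shown as an added example (not code from the product): a small evaluator that parses expressions such as (1&2)|3 and applies numbered regular-expression conditions to an audited SQL statement. The regexes, the sample statements and the assumption that & binds tighter than | are mine, not the page's.

```python
import re
from collections import deque

# SQL Keywords condition syntax as documented: a number names a condition (1 = condition 1), & is AND,
# | is OR, ~ is NOT, parentheses group. Assumption (not on the page): & binds tighter than |.
_TOKEN = re.compile(r"\d+|[&|~()]")


def evaluate(expr, values):
    # values maps condition number -> bool; returns the truth value of expr, e.g. '(1&2)|3'
    tokens = deque(_TOKEN.findall(expr))
    if "".join(tokens) != re.sub(r"\s+", "", expr):  # anything left over is an illegal character
        raise ValueError(f"illegal character in expression {expr!r}")
    def peek(): return tokens[0] if tokens else None
    def take(): return tokens.popleft() if tokens else None

    def binary(op, operand, combine):  # operand (op operand)*, left-associative
        left = operand()
        while peek() == op:
            take()
            right = operand()  # always parse the right side so its tokens are consumed
            left = combine(left, right)
        return left

    def parse_not():  # '~' not | '(' or ')' | number
        if peek() == "~":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok is None or not tok.isdigit() or int(tok) not in values:
            raise ValueError(f"undefined condition or unexpected token {tok!r}")
        return values[int(tok)]

    def parse_and(): return binary("&", parse_not, lambda a, b: a and b)
    def parse_or(): return binary("|", parse_and, lambda a, b: a or b)
    result = parse_or()
    if tokens:
        raise ValueError(f"unexpected trailing token {tokens[0]!r}")
    return result


def match_keywords(sql, conditions, expr):
    # condition n holds when regex n (1-based) matches the SQL text; then apply the expression
    values = {n: re.search(p, sql, re.IGNORECASE) is not None for n, p in enumerate(conditions, 1)}
    return evaluate(expr, values)


# Constructed rule: alarm on an OR tautology together with a comment marker, or on UNION SELECT.
CONDITIONS = [r"\bor\b\s+\d+\s*=\s*\d+", r"--|/\*|#", r"\bunion\s+(all\s+)?select\b"]
EXPR = "(1&2)|3"
```

Run `match_keywords(statement, CONDITIONS, EXPR)` on an audited statement; a malformed expression (unbalanced brackets, an undefined condition number, a stray character) raises ValueError instead of silently matching nothing.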
Enabling Rules
1. In the left menu, select Configure Rules > Security Rules to enter the Security Rules page, select the Manage Rules tab, check the target rules in the rule list, and click Enable Selected Items.
2. In the pop-up dialog box, check the assets for which the rules need to be enabled and click OK to enable the rules for the selected assets.
Disabling Rules
1. In the left menu, select Configure Rules > Security Rules to enter the Security Rules page, select the Manage Rules tab, check the target rules in the rule list, and click Disable Selected Items.
2. In the pop-up dialog box, check the assets for which the rules need to be disabled and click OK to disable the rules for the selected assets.
Trustlist Management
Audit logs that match security rules will not trigger alarms if they meet the trustlist conditions. The conditions include the client, server, basic information, results, and behaviors.
Here are the steps to add a new trustlist and enable it:
1. In the left menu, select Configure Rules > Security Rules to enter the Security Rules page, and select the Manage Trustlists tab.
2. Click Add to enter the Add Trustlist page and edit the relevant configuration items (the process is the same as that for configuring parameters to add a custom rule).
3. Click Save to add the trustlist.
4. In the left menu, select Configure Rules > Security Rules to enter the Security Rules page and select the Manage Rules tab.
5. Click the number in the Trustlist Quantity column.
6. In the dialog box that pops up, change the status in the Status column to Enabled to enable the trustlist.
Note: Before deleting a trustlist, disable it on all security rules on which it is enabled.
Settings
You can use this function to set the priority of rules. When rule priority is enabled, rules are matched in the customized order, and once a rule is matched, rules with lower priorities are no longer matched. When rule priority is disabled, each database operation can trigger every security rule whose conditions it meets.
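The matching semantics described above (priority on: first match only; priority off: every matching rule) together with the trustlist behaviour from the Trustlist Management section, as an added example that is not code from the product. The rules, records and the assumption that a trustlisted hit counts as no match at all are mine.

```python
# Constructed rules; each has a priority (lower number = matched first), a condition over one
# audit record, and the trustlist entries enabled on it (a record matching one of them never alarms).
RULES = [
    {"name": "large result set", "priority": 1,
     "cond": lambda r: r["rows"] >= 100_000,
     "trustlist": [lambda r: r["client_ip"] == "10.0.0.5" and r["db_account"] == "report_job"]},
    {"name": "delete without WHERE", "priority": 2,
     "cond": lambda r: r["op"] == "delete" and not r["has_where"], "trustlist": []},
    {"name": "off-hours O&M tool", "priority": 3,
     "cond": lambda r: r["client_tool"] == "sqlplus" and not 8 <= r["hour"] < 20, "trustlist": []},
]


def alarms(record, priority_enabled, rules=RULES):
    """Names of the rules that alarm on one audit record, in matching order."""
    hits = []
    for rule in sorted(rules, key=lambda x: x["priority"]):
        if not rule["cond"](record):
            continue
        if any(t(record) for t in rule["trustlist"]):
            continue  # assumption: a trustlisted hit is treated as no match at all
        hits.append(rule["name"])
        if priority_enabled:  # once a rule matches, rules with lower priority are not tried
            break
    return hits


# Constructed audit records (not from a real system)
OPS_DELETE = {"op": "delete", "has_where": False, "rows": 250_000, "client_tool": "sqlplus",
              "hour": 23, "client_ip": "10.0.0.9", "db_account": "app"}
REPORT_JOB = dict(OPS_DELETE, client_ip="10.0.0.5", db_account="report_job")
```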