3. Configuration

Process

Configuration is set by applying settings from different sources in the order below:

  1. Selected template

  2. Local configuration file

  3. Configuration from remote server

  4. Settings as constructor arguments

Constructor Parameters

All class constructors support the parameters listed in the table below.

| Parameter | Default Value | Django Parameter | Description |
|---|---|---|---|
| template | default | PYRASP_TEMPLATE | Template to use |
| key | None | PYRASP_KEY | Agent key |
| cloud_url | None | PYRASP_CLOUD_URL | Remote management server URL |
| conf | None | PYRASP_CONF | Configuration file |
| params | {} | - | Dictionary of configuration parameters |

Configuration Parameters

Available settings are provided in the table below.

Default values are defined in the default template (see Templates below)

Generic Parameters Table

| Parameter | Type | Values | Default | Usage |
|---|---|---|---|---|
| HOSTS | list of strings | any | [] | List of valid 'Host' headers checked for spoofing detection |
| APP_NAME | string | any | "Web Server" | Identification of the web application in the logs |
| BLACKLIST_ACTION | string | block, redirect | "block" | Action taken for blacklist reaction |
| BLACKLIST_STATUS_CODE | int | valid HTTP status code | 403 | Status code sent for blacklist reaction |
| BLACKLIST_ACTION_CONTENT | string, url | any | Blocked | Content sent in block responses or redirect URL (relative or absolute) for redirect responses |
| BLOCK_ACTION | string | block, redirect | "block" | Action taken for blacklist reaction |
| BLOCK_STATUS_CODE | int | valid HTTP status code | 403 | Status code sent for blacklist reaction |
| BLOCK_ACTION_CONTENT | string, url | any | Blocked | Content sent in block responses or redirect URL (relative or absolute) for redirect responses |
| VERBOSE | integer | any | 0 | Verbosity level - See Specific Parameters Values |
| DECODE_B64 | boolean | true, false | true | Decode Base64-encoded payloads |
| SECURITY_CHECKS | integer | 0, 1, 2, 3 | | Security modules status - See Specific Parameters Values |
| WHITELIST | list of strings | any | [] | Whitelisted source IP addresses |
| IGNORE_PATHS | list of regexp | any | | Paths to which requests will entirely bypass security checks including blacklist |
| WHITELIST_HEADERS | list of list | any | [] | Headers not to be analyzed by security engines - See Specific Parameters Values |
| BRUTE_AND_FLOOD_PATH | list of regexp | any | ["^/"] | Paths for which flood and brute force threshold will be enabled |
| FLOOD_DELAY | integer | any | 60 | Sliding time window (in seconds) against which request threshold is calculated |
| FLOOD_RATIO | integer | any | 50 | Requests threshold |
| ERROR_FLOOD_DELAY | integer | any | 10 | Sliding time window (in seconds) against which error threshold is calculated |
| ERROR_FLOOD_RATIO | integer | any | 100 | Errors threshold |
| BLACKLIST_DELAY | integer | any | 3600 | Duration (in seconds) of source IP blacklisting |
| BLACKLIST_OVERRIDE | boolean | true, false | false | Ignore source IP blacklisting (usually for testing) |
| DECOY_ROUTES | list of list | any | | Paths generating immediate detection - See Specific Parameters Values |
| EXCEPTIONS | list of list | any | [] | Payloads that will not be tested, used to prevent false positives - See Specific Parameters Values |
| XSS_PROBA | float | 0 to 1 | 0.9 | Machine Learning prediction minimum probability for XSS (should be left to default value) |
| SQLI_PROBA | float | 0 to 1 | 0.9 | Machine Learning prediction minimum probability for SQL injections (should be left to default value) |
| DLP_PHONE_NUMBERS | boolean | true, false | false | Check phone number leak |
| DLP_CC_NUMBERS | boolean | true, false | false | Check credit card number leak |
| DLP_PRIVATE_KEYS | boolean | true, false | false | Check private key leak |
| DLP_HASHES | boolean | true, false | false | Check hash leak |
| DLP_WINDOWS_CREDS | boolean | true, false | false | Check Windows credentials leak |
| DLP_LINUX_CREDS | boolean | true, false | false | Check Linux credentials leak |
| DLP_LOG_LEAKED_DATA | boolean | true, false | false | Log leaked data |
| UPLOAD_FILES | boolean | true, false | true | Authorized file uploads |
| UPLOAD_MAX_SIZE | integer | any | 2 | Maximum uploaded file size (MB) |
| UPLOAD_EXTENSIONS | list of strings | any | | Authorized uploaded files extensions |
| LOG_ENABLED | boolean | true, false | false | Enable event logging |
| LOG_FORMAT | string | syslog, json | "syslog" | Format of event log - see Event Logs Format |
| LOG_SERVER | string | any | "127.0.0.1" | Log server IP address or FQDN |
| LOG_PORT | integer | 1 - 36635 | 514 | Log server port |
| LOG_PROTOCOL | string | tcp, udp, http, https, file | "udp" | Log server protocol (tcp or udp for syslog, http or https for json, file for local) |
| LOG_PATH | string | any | "" | URL path to use for http(s) log webhook (ex: /logs) or local logfile path |
| LOG_FILE_SIZE | integer | any | 50 | Local log file maximum size before rotation in MB |
| RESOLVE_COUNTRY | boolean | true, false | true | Resolve country of attack source IP address |
| CHANGE_SERVER | boolean | true, false | true | Change response "Server" header |
| SERVER_HEADER | string | any | "Apache" | Message displayed when request is blocked. HTML page code is authorized |
| ZTAA_HEADER | string | any | "pcb-ztaa" | Name of header used for Zero-Trust Application Access |
| ZTAA_KEYS | list of strings | any | [] | List of Zero-Trust valid keys |
| ZTAA_BROWSER_VERSION | boolean | true, false | false | Enable browser version check |

Specific Parameters Values

Default ignore paths

Default files extensions

SECURITY_CHECKS

The SECURITY_CHECKS parameter contains a dictionary whose keys are the security checks and whose values set the action associated with each check.

| Value | Usage |
|---|---|
| 0 | Disabled |
| 1 | Enabled, no Blacklisting |
| 2 | Enabled, Blacklisting activated |
| 3 | Log Only |

Security checks and their default values are provided in the table below.

| Parameter | Function | Default Value |
|---|---|---|
| flood | Flood | 2 |
| headers | Forbidden Headers | 0 |
| path | Requests Validation | 1 |
| spoofing | Spoofing | 0 |
| decoy | Decoy | 2 |
| sqli | SQL Injection | 2 |
| xss | XSS | 2 |
| command | Command Injection | 2 |
| hpp | HTTP Parameter Pollution | 2 |
| dlp | Data Leak Prevention | 0 |
| brute | Brute Force | 2 |
| ztaa | Zero-Trust Application Access | 0 |
| prompt | Prompt Injection | 0 |
| upload | Uploads Validation | 0 |

Note: spoofing module refers to "Host" header validation

An example of the SECURITY_CHECKS parameter is provided below.

VERBOSE

| Value | Messages displayed |
|---|---|
| 0 | Start, Stop, Configuration load status |
| 10+ | Configuration loading details, XSS and SQLi model load status, Logging process status, Attacks detection |
| 100+ | Configuration details, attack details |

Decoy routes

Decoy routes are defined as a list of lists of 2 elements: a pattern and a match operation.

The list of valid match operations is provided in the related section.

Default DECOY_ROUTES variable is provided below.

Exceptions

Exceptions are defined as a list of lists of 2 elements: a pattern and a match operation.

The list of valid match operations is provided in the related section

Headers whitelist

The headers whitelist defines the names of the headers that should not be analyzed by security engines. They are defined as a list of lists of 2 elements: a pattern and a match operation.

All patterns are case-insensitive.

The list of valid match operations is provided in the related section

Match operations

| Operation | Pattern Type | Details |
|---|---|---|
| starts | string | Tested text starts with pattern |
| ends | string | Tested text ends with pattern |
| contains | string | Tested text contains pattern |
| match | string | Tested text strictly matches pattern |
| regexp | regular expression | Tested text matches pattern |
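
The sketch below is an added example, not PyRASP's own code: it validates a list of [pattern, operation] rules and evaluates the five match operations against a tested text. The function names and sample rules are hypothetical, and `regexp` is assumed to behave like an unanchored search.

```python
import re

# Match operations from the table above; each takes (pattern, tested text).
OPERATIONS = {
    "starts": lambda p, t: t.startswith(p),
    "ends": lambda p, t: t.endswith(p),
    "contains": lambda p, t: p in t,
    "match": lambda p, t: t == p,
    # Assumption: "regexp" is an unanchored search, not a full match.
    "regexp": lambda p, t: re.search(p, t) is not None,
}

def validate_rules(rules):
    """Return a list of problems found in a list of [pattern, operation] rules."""
    problems = []
    for i, rule in enumerate(rules):
        if not isinstance(rule, (list, tuple)) or len(rule) != 2:
            problems.append(f"rule {i}: expected [pattern, operation]")
            continue
        pattern, op = rule
        if op not in OPERATIONS:
            problems.append(f"rule {i}: unknown operation {op!r}")
        elif op == "regexp":
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append(f"rule {i}: invalid regexp ({exc})")
    return problems

def first_match(rules, text, ignore_case=False):
    """Return the first (already validated) rule matching text, or None."""
    for pattern, op in rules:
        if ignore_case and op == "regexp":
            hit = re.search(pattern, text, re.IGNORECASE) is not None
        elif ignore_case:
            hit = OPERATIONS[op](pattern.lower(), text.lower())
        else:
            hit = OPERATIONS[op](pattern, text)
        if hit:
            return [pattern, op]
    return None

# Constructed sample rules (hypothetical, not PyRASP defaults).
SAMPLE_DECOYS = [["/admin", "starts"], [".bak", "ends"], ["^/wp-(login|admin)", "regexp"]]
SAMPLE_HEADER_WHITELIST = [["x-internal-", "starts"], ["authorization", "match"]]
```

Because EXCEPTIONS and WHITELIST_HEADERS entries remove data from inspection, the narrowest operation that still covers the false positive (`match` rather than `contains`) keeps the bypass small.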

Templates

5 templates are defined:

  • default: to be used as a baseline to create custom configurations

  • monitor: "log-only" policy to provide visibility and false-positive evaluation

  • audit: aggressive policy, may be subject to higher false-positive rate

  • mcp: MCP server customized policy

  • llm: policy designed to protect LLM frontends

Security Checks Settings

Check values:

  • 0: Disabled

  • 1: Block

  • 2: Block & Blacklist

  • 3: Log Only

Values different from default template are in bold

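| Security Check | Parameter | default | monitor | audit | mcp | llm |
|---|---|---|---|---|---|---|
| Method & Path | path | 1 | 3 | 2 | 1 | 1 |
| Headers | headers | 0 | 0 | 0 | 0 | 0 |
| Flood | flood | 2 | 0 | 2 | 2 | 2 |
| Host Spoofing | spoofing | 0 | 0 | 2 | 0 | 0 |
| Deception | decoy | 2 | 3 | 2 | 2 | 2 |
| SQL Injection | sqli | 2 | 3 | 2 | 2 | 2 |
| XSS | xss | 2 | 3 | 2 | 2 | 2 |
| HTTP Parameter Pollution | xss | 2 | 3 | 2 | 2 | 2 |
| Command Injection | command | 2 | 3 | 2 | 2 | 2 |
| Data Leak Prevention | dlp | 0 | 3 | 2 | 2 | 1 |
| Brute Force | brute | 2 | 3 | 2 | 2 | 2 |
| Zero-Trust | ztaa | 0 | 0 | 0 | 0 | 0 |
| Prompt Injection | prompt | 0 | 0 | 0 | 0 | 2 |
| Uploads Validation | upload | 0 | 3 | 2 | 2 | 1 |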

Configuration Settings

| Parameter | default | monitor | audit | mcp | llm |
|---|---|---|---|---|---|
| APP_NAME | Web Server | Web Server | Web Server | MCP Server | LLM Frontend |
| DLP_PHONE_NUMBERS | False | True | True | True | False |
| DLP_CC_NUMBERS | False | True | True | True | False |
| DLP_PRIVATE_KEYS | False | True | True | True | False |
| DLP_HASHES | False | True | True | True | False |
| DLP_WINDOWS_CREDS | False | True | True | True | False |
| DLP_LINUX_CREDS | False | True | True | True | False |
| DLP_LOG_LEAKED_DATA | False | True | True | True | False |
| FLOOD_DELAY | 60 | 60 | 60 | 60 | 60 |
| FLOOD_RATIO | 50 | 50 | 10 | 50 | 50 |
| ERROR_FLOOD_DELAY | 10 | 10 | 60 | 10 | 10 |
| ERROR_FLOOD_RATIO | 100 | 100 | 10 | 100 | 100 |
| UPLOAD_FILES | True | True | False | True | True |
| VERBOSE | 0 | 100 | 100 | 0 | 0 |

Configuration File / Remote Configuration Format

Configuration is a JSON-formatted data structure provided as:

  • the content of a local configuration file

  • the body of the response to the connection request to the management server (see Cloud Operations)

It is not necessary to specify all configuration parameters. Parameters that don't appear in the configuration file will remain untouched from the template.

An example of such configuration structure is provided below.
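
The following is an added example, not PyRASP's own code or the project's sample file: it applies configuration layers in the order given under Process and then flags settings that are invalid or that weaken protection. `DEFAULT_TEMPLATE`, `effective_config`, `lint` and the sample layers are hypothetical names; per-check merging of SECURITY_CHECKS and acceptance of `file` with either log format are assumptions.

```python
import json

# Subset of the default template, copied from the tables on this page.
DEFAULT_TEMPLATE = {
    "HOSTS": [], "ZTAA_KEYS": [], "BLACKLIST_OVERRIDE": False,
    "LOG_FORMAT": "syslog", "LOG_PROTOCOL": "udp", "XSS_PROBA": 0.9, "SQLI_PROBA": 0.9,
    "SECURITY_CHECKS": {"flood": 2, "headers": 0, "path": 1, "spoofing": 0,
                        "decoy": 2, "sqli": 2, "xss": 2, "command": 2, "hpp": 2,
                        "dlp": 0, "brute": 2, "ztaa": 0, "prompt": 0, "upload": 0},
}
# Assumption: "file" is accepted with either log format.
LOG_PROTOCOLS = {"syslog": {"tcp", "udp", "file"}, "json": {"http", "https", "file"}}

def effective_config(*layers):
    """Apply layers in order (local file, remote server, constructor params)."""
    conf = json.loads(json.dumps(DEFAULT_TEMPLATE))  # deep copy of the template
    for layer in layers:
        for key, value in (layer or {}).items():
            if key == "SECURITY_CHECKS":  # assumption: merged per check
                conf[key].update(value)
            else:
                conf[key] = value
    return conf

def lint(conf):
    """Return findings for settings that are invalid or weaken protection."""
    findings = []
    checks = conf["SECURITY_CHECKS"]
    for name, value in checks.items():
        if name not in DEFAULT_TEMPLATE["SECURITY_CHECKS"]:
            findings.append(f"unknown security check: {name}")
        elif value not in (0, 1, 2, 3):
            findings.append(f"{name}: value {value!r} is not 0, 1, 2 or 3")
    if checks.get("spoofing") in (1, 2, 3) and not conf["HOSTS"]:
        findings.append("spoofing is enabled but HOSTS is empty")
    if checks.get("ztaa") in (1, 2, 3) and not conf["ZTAA_KEYS"]:
        findings.append("ztaa is enabled but ZTAA_KEYS is empty")
    if conf["BLACKLIST_OVERRIDE"]:
        findings.append("BLACKLIST_OVERRIDE is true: blacklisting is ignored")
    if conf["LOG_PROTOCOL"] not in LOG_PROTOCOLS.get(conf["LOG_FORMAT"], set()):
        findings.append("LOG_PROTOCOL does not fit LOG_FORMAT")
    for key in ("XSS_PROBA", "SQLI_PROBA"):
        if not 0 <= conf[key] <= 1:
            findings.append(f"{key} must be between 0 and 1")
    return findings

# Constructed sample: a local file, then constructor params applied on top.
LOCAL_FILE = json.loads('{"SECURITY_CHECKS": {"spoofing": 2, "sqli": 5}, "LOG_FORMAT": "json"}')
PARAMS = {"BLACKLIST_OVERRIDE": True}
```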
