3. Configuration

Configuration is read from a JSON file.

pyrasp first loads the default values, then overwrites them with the values present in the configuration.

If the configuration is loaded from a remote server, the response body of the request must be a JSON document containing a valid pyrasp configuration, in the format described below.

Example File

{
    "config": {
        "HOSTS" : ["mysite.mydomain.com"],
        "APP_NAME" : "Web Server",
        "GTFO_MSG" : "<html><head /><body><h1>You have been blocked</h1></body></html>",
        "DENY_STATUS_CODE": 403,
    
        "VERBOSE" : 10,
        "DECODE_B64" : true,
    
        "SECURITY_CHECKS" : {
            "path": 3,
            "headers": 0,
            "flood": 2,
            "spoofing": 2,
            "decoy": 2,
            "sqli": 2,
            "xss": 2,
            "hpp": 2,
            "command": 2,
            "dlp": 2,
            "brute": 2,
            "ztaa": 0
        },    
    
        "WHITELIST": [],
    
        "IGNORE_PATHS" : ["^/css","^/js","^/img"],
    
        "BRUTE_AND_FLOOD_PATHS" : ["^/"],
        "FLOOD_DELAY" : 60,
        "FLOOD_RATIO" : 50,
        "ERROR_FLOOD_DELAY" : 10,
        "ERROR_FLOOD_RATIO" : 100,
    
        "BLACKLIST_DELAY" : 3600,
        "BLACKLIST_OVERRIDE" : false,
    
        "DECOY_ROUTES" : [ 
            [ "/admin", "ends" ],
            [ "/login", "ends" ],
            [ "/logs", "ends" ],
            [ "/version", "ends" ],   
            [ "/cgi-bin/", "starts" ],                      
            [ "/remote/", "starts" ],                     
            [ "/.env", "starts" ],                     
            [ "/owa/", "starts" ],                        
            [ "/autodiscover", "starts" ],
            [ "/Autodiscover", "starts" ],
            [ "/.git/", "starts" ],                
            [ "/.aws/", "starts" ],
            ["wp-", "contains" ]
        ],

        "EXCEPTIONS": [
            [ "Skull & Bones", "match" ]
        ],
    
        "XSS_PROBA" : 0.80,
        "MIN_XSS_LEN": 16,
    
        "SQLI_PROBA" : 0.725,
        "MIN_SQLI_LEN": 8,
    
        "DLP_PHONE_NUMBERS": false,
        "DLP_CC_NUMBERS": false,
        "DLP_PRIVATE_KEYS": false,
        "DLP_HASHES": false,
        "DLP_WINDOWS_CREDS": false,
        "DLP_LINUX_CREDS": false,
    
        "LOG_ENABLED": false,
        "LOG_FORMAT": "Syslog",
        "LOG_SERVER": "127.0.0.1",        
        "LOG_PORT": 514,    
        "LOG_PROTOCOL": "UDP",
        "LOG_PATH": "",
        "RESOLVE_COUNTRY": false,
    
        "CHANGE_SERVER": true,
        "SERVER_HEADER": "Apache",
    
        "BEACON": false,
        "TELEMETRY_DATA": false,
        "BEACON_URL": "",
        "BEACON_DELAY": 30,

        "ZTAA_HEADER": "pcb-ztaa",
        "ZTAA_KEYS": [ ],
        "ZTAA_BROWSER_VERSION": false
    }
}
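The loading rule above (defaults first, configuration values on top) is easy to get subtly wrong, and a misspelled key such as RESOLBVE_COUNTRY is silently ignored by a naive loader. The following is an added example of a loader and validator for documents in the format shown above; it is not pyrasp's own code. DEFAULTS is a representative subset of the "Default" column of the parameters table, KNOWN_KEYS lists every parameter documented on this page, and the sample documents are constructed for the example. The LOG_FORMAT / LOG_PROTOCOL pairing check comes from the LOG_PROTOCOL row of the table.

```python
import json
from copy import deepcopy

# Added example, not pyrasp's own loader. DEFAULTS is a subset of the table's "Default"
# column; KNOWN_KEYS lists every parameter documented on this page so that a misspelled
# key is reported instead of being silently ignored.
DEFAULTS = {
    "HOSTS": [],
    "APP_NAME": "Web Server",
    "GTFO_MSG": "Blocked",
    "DENY_STATUS_CODE": 403,
    "VERBOSE": 0,
    "DECODE_B64": True,
    "SECURITY_CHECKS": {"flood": 2, "headers": 0, "path": 1, "spoofing": 0, "decoy": 2,
                        "sqli": 2, "xss": 2, "command": 2, "hpp": 2, "dlp": 0,
                        "brute": 2, "ztaa": 0},
    "WHITELIST": [],
    "IGNORE_PATHS": ["^/favicon.ico$", "^/robots.txt$", "^/sitemap\\.(txt|xml)$"],
    "BRUTE_AND_FLOOD_PATHS": ["^/"],
    "FLOOD_DELAY": 60, "FLOOD_RATIO": 50,
    "ERROR_FLOOD_DELAY": 10, "ERROR_FLOOD_RATIO": 100,
    "BLACKLIST_DELAY": 3600, "BLACKLIST_OVERRIDE": False,
    "LOG_ENABLED": False, "LOG_FORMAT": "syslog", "LOG_SERVER": "127.0.0.1",
    "LOG_PORT": 514, "LOG_PROTOCOL": "udp", "LOG_PATH": "",
    "CHANGE_SERVER": True, "SERVER_HEADER": "Apache",
}

KNOWN_KEYS = set(DEFAULTS) | {
    "DECOY_ROUTES", "EXCEPTIONS", "XSS_PROBA", "MIN_XSS_LEN", "SQLI_PROBA", "MIN_SQLI_LEN",
    "DLP_PHONE_NUMBERS", "DLP_CC_NUMBERS", "DLP_PRIVATE_KEYS", "DLP_HASHES",
    "DLP_WINDOWS_CREDS", "DLP_LINUX_CREDS", "DLP_LOG_LEAKED_DATA", "RESOLVE_COUNTRY",
    "BEACON", "TELEMETRY_DATA", "BEACON_URL", "BEACON_DELAY",
    "ZTAA_HEADER", "ZTAA_KEYS", "ZTAA_BROWSER_VERSION",
}

CHECK_LEVELS = {0, 1, 2, 3}        # disabled / enabled / enabled + blacklisting / log only
LOG_PROTOCOLS = {"syslog": {"tcp", "udp"}, "json": {"http", "https"}}


class ConfigError(ValueError):
    """Raised when the configuration document cannot be used safely."""


def merge_config(defaults, loaded):
    """Defaults first, then configuration values on top (per module for SECURITY_CHECKS)."""
    merged = deepcopy(defaults)
    for key, value in loaded.items():
        if key == "SECURITY_CHECKS" and isinstance(value, dict):
            merged["SECURITY_CHECKS"].update(value)
        else:
            merged[key] = value
    return merged


def validate_config(cfg):
    """Return a list of problems (empty when the merged configuration is usable)."""
    problems = [f"unknown parameter {k!r} (typo?)" for k in sorted(set(cfg) - KNOWN_KEYS)]
    for module, level in cfg["SECURITY_CHECKS"].items():
        if level not in CHECK_LEVELS:
            problems.append(f"SECURITY_CHECKS[{module!r}] = {level!r}, expected 0, 1, 2 or 3")
    code = cfg["DENY_STATUS_CODE"]
    if isinstance(code, bool) or not isinstance(code, int) or not 100 <= code <= 599:
        problems.append(f"DENY_STATUS_CODE = {code!r} is not an HTTP status code")
    if cfg["LOG_ENABLED"]:
        fmt, proto = str(cfg["LOG_FORMAT"]).lower(), str(cfg["LOG_PROTOCOL"]).lower()
        if fmt not in LOG_PROTOCOLS:
            problems.append(f"LOG_FORMAT = {cfg['LOG_FORMAT']!r}, expected syslog or json")
        elif proto not in LOG_PROTOCOLS[fmt]:
            problems.append(f"LOG_PROTOCOL = {cfg['LOG_PROTOCOL']!r} is not valid for {fmt} logging")
    return problems


def check_config(text):
    """Problems found in a JSON configuration document (file contents or remote response body)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("config"), dict):
        return ["document must be an object with a top-level 'config' object"]
    return validate_config(merge_config(DEFAULTS, doc["config"]))


def load_config(text):
    """Merged configuration, or ConfigError: a protection layer should fail closed on a bad config."""
    problems = check_config(text)
    if problems:
        raise ConfigError("; ".join(problems))
    return merge_config(DEFAULTS, json.loads(text)["config"])


# Constructed sample documents, not taken from a real deployment.
SAMPLE_OK = """{"config": {"HOSTS": ["mysite.mydomain.com"],
    "SECURITY_CHECKS": {"path": 3, "dlp": 2},
    "LOG_ENABLED": true, "LOG_FORMAT": "Syslog", "LOG_PROTOCOL": "UDP"}}"""
SAMPLE_BAD = """{"config": {"RESOLBVE_COUNTRY": false,
    "SECURITY_CHECKS": {"xss": 5},
    "LOG_ENABLED": true, "LOG_FORMAT": "json", "LOG_PROTOCOL": "udp"}}"""

if __name__ == "__main__":
    print("merged SECURITY_CHECKS:", load_config(SAMPLE_OK)["SECURITY_CHECKS"])
    print("problems in SAMPLE_BAD:", check_config(SAMPLE_BAD))
```

Unknown keys are treated as errors rather than warnings: a typo in a security setting usually means a check that was meant to be on is silently off, and refusing to start is the safer failure.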

Parameters

Generic Parameters Table

| Parameter | Type | Values | Default | Usage |
|---|---|---|---|---|
| HOSTS | list of strings | any | [] | List of valid 'Host' headers checked for spoofing detection |
| APP_NAME | string | any | "Web Server" | Identification of the web application in the logs |
| GTFO_MSG | string | any | "Blocked" | Message displayed when a request is blocked; HTML page code is allowed |
| DENY_STATUS_CODE | integer | any | 403 | HTTP status code sent in response to blocked requests |
| VERBOSE | integer | any | 0 | Verbosity level (see the VERBOSE table below) |
| DECODE_B64 | boolean | true, false | true | Decode Base64-encoded payloads |
| SECURITY_CHECKS | integer (one per module) | 0, 1, 2, 3 | see the SECURITY_CHECKS tables below | Security check level of each detection module |
| WHITELIST | list of strings | any | [] | Whitelisted source IP addresses |
| IGNORE_PATHS | list of regexp | any | see "Default ignore paths" below | Paths for which requests entirely bypass security checks, including the blacklist |
| BRUTE_AND_FLOOD_PATHS | list of regexp | any | ["^/"] | Paths for which the flood and brute force thresholds are enforced |
| FLOOD_DELAY | integer | any | 60 | Sliding time window (in seconds) over which the request threshold is calculated |
| FLOOD_RATIO | integer | any | 50 | Request threshold |
| ERROR_FLOOD_DELAY | integer | any | 10 | Sliding time window (in seconds) over which the error threshold is calculated |
| ERROR_FLOOD_RATIO | integer | any | 100 | Error threshold |
| BLACKLIST_DELAY | integer | any | 3600 | Duration (in seconds) of source IP blacklisting |
| BLACKLIST_OVERRIDE | boolean | true, false | false | Ignore source IP blacklisting (usually for testing) |
| DECOY_ROUTES | list of lists | any | see "Decoy routes" below | Decoy routes (see the "Decoy routes" section below) |
| EXCEPTIONS | list of lists | any | [] | Exceptions (see the "Exceptions" section below) |
| XSS_PROBA | float | 0 to 1 | 0.6 | Minimum machine learning prediction probability for XSS (should be left at 0.8) |
| SQLI_PROBA | float | 0 to 1 | 0.6 | Minimum machine learning prediction probability for SQL injection (should be left at 0.725) |
| DLP_PHONE_NUMBERS | boolean | true, false | false | Check for phone number leaks |
| DLP_CC_NUMBERS | boolean | true, false | false | Check for credit card number leaks |
| DLP_PRIVATE_KEYS | boolean | true, false | false | Check for private key leaks |
| DLP_HASHES | boolean | true, false | false | Check for hash leaks |
| DLP_WINDOWS_CREDS | boolean | true, false | false | Check for Windows credential leaks |
| DLP_LINUX_CREDS | boolean | true, false | false | Check for Linux credential leaks |
| DLP_LOG_LEAKED_DATA | boolean | true, false | false | Log leaked data |
| LOG_ENABLED | boolean | true, false | false | Enable event logging |
| LOG_FORMAT | string | syslog, json | "syslog" | Log format |
| LOG_SERVER | string | any | "127.0.0.1" | Log server IP address or FQDN |
| LOG_PORT | integer | 1 - 36635 | 514 | Log server port |
| LOG_PROTOCOL | string | tcp, udp, http, https | "udp" | Log server protocol (tcp or udp for syslog, http or https for json) |
| LOG_PATH | string | any | "" | URL path used for the http(s) log webhook (e.g. /logs) |
| RESOLVE_COUNTRY | boolean | true, false | true | Resolve the country of the attack source IP address |
| CHANGE_SERVER | boolean | true, false | true | Change the response "Server" header |
| SERVER_HEADER | string | any | "Apache" | Value of the response "Server" header when CHANGE_SERVER is enabled |
| ZTAA_HEADER | string | any | "pcb-ztaa" | Name of the header used for Zero-Trust Application Access |
| ZTAA_KEYS | list of strings | any | [] | List of valid Zero-Trust keys |
| ZTAA_BROWSER_VERSION | boolean | true, false | false | Enable browser version check |
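The flood, error flood, blacklist, whitelist and path parameters in the table interact: IGNORE_PATHS bypasses everything (blacklist included), WHITELIST skips the thresholds, BRUTE_AND_FLOOD_PATHS limits where they apply, and BLACKLIST_DELAY bounds how long a tripped threshold keeps an IP out. The sliding-window guard below is an added example written to show those interactions with a deterministic clock; it is not pyrasp's flood or brute force module. It assumes that a threshold trips when more than FLOOD_RATIO requests (or more than ERROR_FLOOD_RATIO responses with status 400 or above) from one IP fall inside the window, and that tripping it blacklists the IP for BLACKLIST_DELAY seconds, as for a module at level 2. The IP addresses and paths are constructed samples.

```python
import re
import time
from collections import defaultdict, deque

# Added example, not pyrasp's own code. Assumed semantics: "more than the threshold
# inside the sliding window" trips the check and blacklists the source IP for
# blacklist_delay seconds; parameter names mirror the configuration table.


class FloodGuard:
    def __init__(self, flood_delay=60, flood_ratio=50, error_flood_delay=10,
                 error_flood_ratio=100, blacklist_delay=3600, blacklist_override=False,
                 whitelist=(), ignore_paths=("^/css", "^/js", "^/img"),
                 brute_and_flood_paths=("^/",), clock=time.time):
        self.flood_delay, self.flood_ratio = flood_delay, flood_ratio
        self.error_flood_delay, self.error_flood_ratio = error_flood_delay, error_flood_ratio
        self.blacklist_delay, self.blacklist_override = blacklist_delay, blacklist_override
        self.whitelist = set(whitelist)
        self.ignore_paths = [re.compile(p) for p in ignore_paths]
        self.flood_paths = [re.compile(p) for p in brute_and_flood_paths]
        self.clock = clock
        self.requests = defaultdict(deque)   # ip -> timestamps of counted requests
        self.errors = defaultdict(deque)     # ip -> timestamps of error responses
        self.blacklist = {}                  # ip -> expiry timestamp

    @staticmethod
    def _count(window, now, delay):
        """Drop timestamps that fell out of the sliding window and return what is left."""
        while window and window[0] <= now - delay:
            window.popleft()
        return len(window)

    def is_blacklisted(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if expiry <= now:                    # BLACKLIST_DELAY elapsed: start afresh
            del self.blacklist[ip]
            self.requests.pop(ip, None)
            self.errors.pop(ip, None)
            return False
        return not self.blacklist_override   # BLACKLIST_OVERRIDE ignores the blacklist

    def handle(self, ip, path, status=200):
        """Verdict for one request: ignored, whitelisted, blocked, allowed, flood or error_flood."""
        now = self.clock()
        if any(p.search(path) for p in self.ignore_paths):
            return "ignored"                 # IGNORE_PATHS bypasses all checks, blacklist included
        if ip in self.whitelist:
            return "whitelisted"
        if self.is_blacklisted(ip, now):
            return "blocked"
        if not any(p.search(path) for p in self.flood_paths):
            return "allowed"                 # thresholds apply to BRUTE_AND_FLOOD_PATHS only
        self.requests[ip].append(now)
        if self._count(self.requests[ip], now, self.flood_delay) > self.flood_ratio:
            self.blacklist[ip] = now + self.blacklist_delay
            return "flood"
        if status >= 400:
            self.errors[ip].append(now)
            if self._count(self.errors[ip], now, self.error_flood_delay) > self.error_flood_ratio:
                self.blacklist[ip] = now + self.blacklist_delay
                return "error_flood"
        return "allowed"


class FakeClock:
    """Deterministic clock so the sliding window can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk the guard through constructed traffic (small thresholds keep the run short)."""
    clock = FakeClock()
    guard = FloodGuard(flood_delay=60, flood_ratio=5, error_flood_delay=10,
                       error_flood_ratio=3, blacklist_delay=3600,
                       whitelist=["10.0.0.1"], clock=clock)
    out = {"static": guard.handle("203.0.113.7", "/css/site.css")}
    out["burst"] = [guard.handle("203.0.113.7", "/login") for _ in range(6)]
    out["after_flood"] = guard.handle("203.0.113.7", "/")
    out["ignored_while_blocked"] = guard.handle("203.0.113.7", "/img/logo.png")
    clock.advance(3601)                      # BLACKLIST_DELAY elapsed
    out["after_expiry"] = guard.handle("203.0.113.7", "/")
    out["whitelisted"] = [guard.handle("10.0.0.1", "/login") for _ in range(10)]
    out["errors"] = [guard.handle("198.51.100.9", "/api/item", status=404) for _ in range(4)]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>22}: {verdict}")
```

Note the order of the checks: IGNORE_PATHS is tested before the blacklist, so a blacklisted client can still fetch static assets, which is what the table's "including blacklist" wording implies; if that is not wanted, narrow IGNORE_PATHS rather than reorder the checks.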

Specific Parameters Values

Default ignore paths

"IGNORE_PATHS" : ["^/favicon.ico$","^/robots.txt$","^/sitemap\\.(txt|xml)$"]

SECURITY_CHECKS

| Value | Usage |
|---|---|
| 0 | Disabled |
| 1 | Enabled, no blacklisting |
| 2 | Enabled, blacklisting activated |
| 3 | Log only |

Default security checks values are provided in the table below.

| Parameter | Function | Default Value |
|---|---|---|
| flood | Flood | 2 |
| headers | Forbidden Headers | 0 |
| path | Requests Validation | 1 |
| spoofing | Spoofing | 0 |
| decoy | Decoy | 2 |
| sqli | SQL Injection | 2 |
| xss | XSS | 2 |
| command | Command Injection | 2 |
| hpp | HTTP Parameter Pollution | 2 |
| dlp | Data Leak Prevention | 0 |
| brute | Brute Force | 2 |
| ztaa | Zero-Trust Application Access | 0 |

Note: the spoofing module refers to "Host" header validation.

VERBOSE

| Value | Messages displayed |
|---|---|
| 0 | Start, stop, configuration load status |
| 10+ | Configuration loading details, XSS and SQLi model load status, logging process status, attack detection |
| 100+ | Configuration details, attack details |

Decoy routes

Decoy routes are defined as a list of 2-element lists, each made of a pattern and a match operation.

DECOY_ROUTES = [
    [ "<pattern>", "<match_operation>" ]
    ...
]

The list of valid match operations is provided in the "Match operations" section below.

The default DECOY_ROUTES value is shown below.

"DECOY_ROUTES" : [ 
    [ "/admin", "ends" ],
    [ "/login", "ends" ],
    [ "/logs", "ends" ],
    [ "/version", "ends" ],   
    [ "/cgi-bin/", "starts" ],                      
    [ "/remote/", "starts" ],                     
    [ "/.env", "starts" ],                     
    [ "/owa/", "starts" ],                        
    [ "/autodiscover", "starts" ],
    [ "/Autodiscover", "starts" ],
    [ "/.git/", "starts" ],                
    [ "/.aws/", "starts" ]
]

Exceptions

Exceptions are defined as a list of 2-element lists, each made of a pattern and a match operation.

EXCEPTIONS = [
    [ "<pattern>", "<match_operation>" ]
    ...
]

The list of valid match operations is provided in the "Match operations" section below.

Match operations

| Operation | Pattern Type | Details |
|---|---|---|
| starts | string | Tested text starts with pattern |
| ends | string | Tested text ends with pattern |
| contains | string | Tested text contains pattern |
| match | string | Tested text matches pattern |
| regexp | regular expression | Tested text matches pattern |
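The match operations above drive both DECOY_ROUTES and EXCEPTIONS, so one matcher serves the "Decoy routes", "Exceptions" and "Match operations" sections. What follows is an added example, not pyrasp's own matcher: it implements the five operations, runs the example file's DECOY_ROUTES and EXCEPTIONS against constructed request paths, and adds a configuration-time check that rejects malformed rules. Two points are assumptions, because the table says only "tested text matches pattern" for both: "match" is taken as exact string equality and "regexp" as a `re.search` anywhere in the text.

```python
import re

# Added example, not pyrasp's own code. Assumptions: "match" compares the whole tested
# text with the pattern (exact equality) and "regexp" uses re.search.
OPERATIONS = ("starts", "ends", "contains", "match", "regexp")


def matches(text, pattern, operation):
    """Apply one match operation from the table to the tested text."""
    op = operation.lower()
    if op == "starts":
        return text.startswith(pattern)
    if op == "ends":
        return text.endswith(pattern)
    if op == "contains":
        return pattern in text
    if op == "match":
        return text == pattern
    if op == "regexp":
        return re.search(pattern, text) is not None
    raise ValueError(f"unknown match operation {operation!r}")


def first_match(text, rules):
    """The first [pattern, operation] rule that matches text, or None."""
    for pattern, operation in rules:
        if matches(text, pattern, operation):
            return [pattern, operation]
    return None


def check_rules(rules):
    """Configuration-time validation of a DECOY_ROUTES or EXCEPTIONS list; returns problems."""
    problems = []
    for i, rule in enumerate(rules):
        if not (isinstance(rule, (list, tuple)) and len(rule) == 2
                and all(isinstance(x, str) for x in rule)):
            problems.append(f"rule {i}: expected [pattern, operation] made of two strings")
            continue
        pattern, operation = rule
        if operation.lower() not in OPERATIONS:
            problems.append(f"rule {i}: unknown operation {operation!r}")
        elif operation.lower() == "regexp":
            try:
                re.compile(pattern)
            except re.error as exc:
                problems.append(f"rule {i}: invalid regular expression {pattern!r}: {exc}")
        if pattern != pattern.strip():       # a stray space makes a "starts" rule never match
            problems.append(f"rule {i}: pattern {pattern!r} has leading or trailing whitespace")
    return problems


# Decoy routes and exception taken from the example configuration file on this page.
DECOY_ROUTES = [
    ["/admin", "ends"], ["/login", "ends"], ["/logs", "ends"], ["/version", "ends"],
    ["/cgi-bin/", "starts"], ["/remote/", "starts"], ["/.env", "starts"], ["/owa/", "starts"],
    ["/autodiscover", "starts"], ["/Autodiscover", "starts"], ["/.git/", "starts"],
    ["/.aws/", "starts"], ["wp-", "contains"],
]
EXCEPTIONS = [["Skull & Bones", "match"]]


def decoy_hit(path):
    return first_match(path, DECOY_ROUTES)


def is_exception(text):
    return first_match(text, EXCEPTIONS) is not None


def classify(paths):
    """Map each request path to the decoy rule it trips, or None."""
    return {p: decoy_hit(p) for p in paths}


# Constructed request paths, not taken from real traffic.
SAMPLE_PATHS = ["/index.html", "/app/admin", "/admin/users", "/.env.backup",
                "/wp-login.php", "/cgi-bin/test.cgi", "/version"]

if __name__ == "__main__":
    for path, rule in classify(SAMPLE_PATHS).items():
        print(f"{path:>20}: {rule}")
    print("rule problems:", check_rules([["/.aws/ ", "starts"], ["(", "regexp"]]))
```

Rules are evaluated in order and the first hit wins, so a path such as /admin/users is not a decoy hit with the default list ("ends" requires the path to end in /admin); a "starts" or "regexp" rule is needed if sub-paths should count as well.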
