
The Advanced Detection Engine - CMDi node applies a set of rules (internal to DenyAll) to a request in order to detect attacks or intrusion attempts based on command injection (see https://www.owasp.org/index.php/Command_Injection).

This node requires a normalization context in order to work which must be provided by a Normalization node placed higher in the Workflow.

When the CMDi Engine detects an attack, it creates a Security Event, which is added to the table http.request.security.events. A security event is divided into two parts: information about the request, and a set of Security Tokens (see Security Logs).

Attacks detected by the engine can be logged using the Log Alert node.

To resolve false positives, please refer to the section Resolving false positives.

Node parameters

  • Display name: name of the node displayed in the Workflow. Replace the default name "Advanced Detection Engine - CMDi".
  • Normalization attribute: Normalization profile containing the decoding rules applied to the request. For more details, see Normalization Configurations.
  • Path: defines if the engine must check the path of the request (from attribute http.request.path).
  • Headers: defines if the engine must check the headers of the request (from attribute http.request.headers).
  • Cookies: defines if the engine must check the cookies of the request (from attribute http.request.cookies).
  • GET Vars: defines if the engine must check the query vars of the request (from attribute http.request.query.vars). 
  • POST Vars: defines if the engine must check the body vars of the request (from attribute http.request.body.vars).

The engine is based on a dictionary of forbidden commands. The following options adjust the engine's behavior to the operating system of the application backend:

  • Windows and Unix: if only the Windows option is enabled, a command like 'cat /etc/passwd' will not be blocked (whatever the context) because the 'cat' command does not exist on the Windows operating system. The same applies to Windows commands when only the Unix option is enabled.
    If all protected applications run on Unix systems, it is recommended to disable the Windows option to avoid false positives.

  • Webshell Mode: by default, the engine searches for escaping characters that can lead to an injection. This option modifies that behavior so that the engine searches for command injections even if there are no escaping characters in the payload. Webshell Mode is disabled by default.
    For example, if the payload contains 'foo; cat /etc/passwd', the semicolon character will trigger a security alert in any case.
    However, if the payload contains only 'cat /etc/passwd', a security alert will be triggered only if the Webshell Mode option is enabled.

The detection engine also takes command parameters into account. For example, the 'cat' or 'ping' commands will not be blocked unless they are followed by one or more parameters, such as a path or an IP address.

Required attributes

  • http.request.security.events: internal attribute of the Workflow containing information about detected security events. When an attack is detected by the engine, an event is created and added to this attribute. This attribute allows exceptions to be managed with the Security Exception Management node and events to be logged through the Log Alert node.

Provided attributes

  • cmdi.request.blocked: boolean set to true if at least one attack has been found in the request.

Use Case

Basic filtering Workflow

  1. The first node, "Normalization Engine", is used to normalize the request. The node provides a normalized context of the incoming request that will be used by the "Adv. Detection Engine - CMDi" node.
  2. The "Adv. Detection Engine - CMDi" node checks the request and returns the result in the provided attributes of the node.
    -If an attack is detected, an event is created and added to the http.request.security.events table attribute, and the cmdi.request.blocked attribute is set to "true".
  3. A condition on the cmdi.request.blocked attribute decides whether the request must be blocked:
    -If it equals "true" (an attack is detected), the "Log Alert" node sends the events from the http.request.security.events table to the database. The request is then blocked with an HTTP 403 code.
    -If it equals "false" (no attack detected), the request is sent to the backend server.
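The following Python model, added here as an example and not DenyAll's own code, puts together the detection rules described under "Node parameters" (OS dictionaries, Webshell Mode, the parameter requirement) and the three steps of the basic filtering Workflow above. The real forbidden-command dictionary is internal to DenyAll; the short command lists, the escaping-character set, the normalization stand-in, the event fields and the sample requests are all constructed assumptions, and the reading that, outside Webshell Mode, an escaping character and a parameterized forbidden command must both be present is this example's interpretation of the page.

```python
"""Simplified model of the CMDi engine rules and the basic filtering Workflow.

Constructed example, not DenyAll code: the word lists below stand in for the
internal forbidden-command dictionary and are illustrative only.
"""
import re
from urllib.parse import unquote_plus

# Placeholder forbidden-command dictionaries per backend OS (assumption)
UNIX_COMMANDS = {"cat", "ls", "id", "uname", "wget", "curl", "ping", "nc"}
WINDOWS_COMMANDS = {"dir", "type", "ipconfig", "whoami", "ping", "net"}

# Characters that let one command be escaped and another chained after it (assumption)
ESCAPE_PATTERN = re.compile(r"[;|&`$(){}\n]")

# Request locations the node can inspect, keyed by the page's attribute names
LOCATIONS = {
    "path": "http.request.path",
    "headers": "http.request.headers",
    "cookies": "http.request.cookies",
    "get_vars": "http.request.query.vars",
    "post_vars": "http.request.body.vars",
}


def normalize(value):
    """Stand-in for the Normalization node: URL-decode and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(value)).strip()


def detect_cmdi(request, *, unix=True, windows=False, webshell_mode=False,
                locations=tuple(LOCATIONS)):
    """Return the security events found in the request.

    Rules modelled from the page: a command counts only if it is in an enabled OS
    dictionary; a command without a parameter is never blocked; without Webshell
    Mode an escaping character must also be present in the payload.
    """
    dictionary = (UNIX_COMMANDS if unix else set()) | (WINDOWS_COMMANDS if windows else set())
    events = []
    for location in locations:
        attribute = LOCATIONS[location]
        values = request.get(attribute, {})
        if isinstance(values, str):          # http.request.path is a single string
            values = {"path": values}
        for name, raw in values.items():
            payload = normalize(raw)
            if not webshell_mode and ESCAPE_PATTERN.search(payload) is None:
                continue                     # default mode: no escaping character, no alert
            # Examine each chained fragment on its own
            for fragment in ESCAPE_PATTERN.split(payload):
                words = fragment.split()
                if len(words) < 2:           # bare command, no parameter: not blocked
                    continue
                command = words[0].lower().rsplit("/", 1)[-1]
                if command in dictionary:
                    events.append({"engine": "cmdi", "location": attribute,
                                   "name": name, "command": command, "payload": payload})
                    break                    # one event per inspected value is enough here
    return events


def run_workflow(request, **engine_options):
    """Model of the use case: normalize, run the engine, then branch on cmdi.request.blocked."""
    events = detect_cmdi(request, **engine_options)
    request.setdefault("http.request.security.events", []).extend(events)
    request["cmdi.request.blocked"] = bool(events)
    if request["cmdi.request.blocked"]:
        # Log Alert node would store the events; the request is answered with 403
        return {"action": "block", "status": 403, "logged": len(events)}
    return {"action": "forward", "status": None, "logged": 0}


# Constructed sample requests
CHAINED = {"http.request.path": "/search",
           "http.request.query.vars": {"q": "foo%3B+cat+%2Fetc%2Fpasswd"}}
BARE = {"http.request.path": "/search",
        "http.request.query.vars": {"q": "cat /etc/passwd"}}
NO_PARAM = {"http.request.path": "/search",
            "http.request.query.vars": {"q": "foo; ls"}}

if __name__ == "__main__":
    print(run_workflow(dict(CHAINED)))                         # blocked: ';' plus 'cat' with a parameter
    print(run_workflow(dict(BARE)))                            # forwarded: no escaping character
    print(run_workflow(dict(BARE), webshell_mode=True))        # blocked: Webshell Mode ignores escaping
    print(run_workflow(dict(CHAINED), unix=False, windows=True))  # forwarded: 'cat' is not a Windows command
    print(run_workflow(dict(NO_PARAM)))                        # forwarded: 'ls' has no parameter
```

Each call in the `__main__` block corresponds to one of the page's statements: the Unix/Windows switch, the default escaping-character requirement, Webshell Mode, and the parameter requirement. Passing `locations=("get_vars",)` restricts inspection to query variables, mirroring the Path/Headers/Cookies/GET Vars/POST Vars checkboxes.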

CMDi engine - log details

Backup: WF - Command Injection Engine - Use case.backup