Classify Request Handler

Purpose

This handler is ignored in detection mode.

The Classify Request Handler evaluates requests with regard to their risk potential. To do this, the handler works in two different operating modes. In Learn mode, it monitors the responses of vWAF and of your web application to requests; in Decide mode the handler creates an entry in the log file for each request and adds an evaluation of the risk potential to this entry. As an administrator you can then evaluate these log file entries and detect possible attacks that aren’t yet covered by your current security configuration.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers.)

Recommendations for use

This handler should always be used. It indicates possible gaps in your security configuration and therefore helps you to further optimize that configuration.

ATTENTION

After you’ve changed your security configuration, you should put the Classify Request Handler back into Learn mode for a time.

Attributes

Attribute Meaning

mode

Determines the working mode of the handler:

  • learn

    Learn mode: vWAF continually analyzes the reactions from vWAF and your web application to all requests.

  • decide

    Decide mode: vWAF evaluates all requests with regard to their risk potential and creates an entry in the log file for subsequent evaluation.

To have a sufficiently broad basis for Decide mode, the handler should first have been running in Learn mode for at least 10000 requests.

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry when the handler is executed. This can be useful to keep log files smaller in case the handler creates a large number of entries but you don't need these entries.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports.

To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.