Rules
This tab shows the vulnerability analysis rules that apply to this particular project. In general, the rules correspond to those defined at the company level (see the Company-level Analysis Rules section in the Installation, Setup, and Integration Guide). However, it is possible to change or add rules at the project level, depending on the specifics of the application being scanned. Rules added at the project level will only apply within that project.
Redefinition of Analysis Rules
On the Project page, the Rules tab shows the rules for analyzing collected data to find vulnerabilities. Use this tab to add a new analysis rule, or to change or delete an existing one, at the project level. The new or changed analysis rule will then be applied only to this project, not to all projects of this company.
How Analysis Rules Work
The main goal of using analysis rules is to tune the system to the characteristics of the tested application in order to effectively find vulnerabilities. Each application and its data are unique in format and content. The use of customized analysis rules maximizes the system's coverage of all possible application-specific vulnerability cases.
The analysis rules that the user can modify are used to find only some of the vulnerabilities. An analysis rule for finding a certain vulnerability is a set of strings or regular expressions to be searched for in the data collected during an application scan. Each rule specifies which string or regular expression to search for, in which modules' data, and where exactly the search should take place. This approach significantly reduces the number of false positives when searching for vulnerabilities.
The system contains two types of analysis rules:
- Internal analysis rules. They are not configurable and cannot be viewed or edited by the user. They are not presented on the Rules tab.
- Analysis rules intended to search for sensitive information. They are presented on the Rules tab and described in this section. These rules can be modified by the user.
Each analysis rule is displayed as a string in the left part of the Rules tab. The rule string has the following fields:
- The rule status indicator. Its icon shows whether the rule is active and will be used when analyzing the collected data to find vulnerabilities, or inactive and will not be used.
- The name of the rule for easier navigation.
The selected rule is highlighted and the rule details are displayed on the right side of the screen:
- Name — The name of the rule.
- Description — A short description of the rule.
- Injections — A string or regular expression to search for sensitive information.
- Modules — Modules where this rule will be applied.
- Expressions — Where exactly to look for the necessary information, in what files and data formats.
Let's look at how analysis rules work, using one of the rules as an example.
This analysis rule is currently active and is called "Password". It searches for the following patterns:
- Regular expressions like pin(?:[_-]?code)?.
- The passphrase string.
- The password string.
- The passwd string.
- The paswd string.
These patterns are searched for in the data collected by all modules selected in the Modules field, in the following locations (these values were selected in the Expressions field):
- XML tag name.
- Key name in the key=value pair.
If necessary, the user can disable, edit or delete this rule.
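The sketch below is an added example, not the product's own code: it applies the "Password" rule's injections only to XML tag names and to key names in key=value pairs, and compares that with an unrestricted search to show why scoping the search location cuts false positives. Case-insensitive substring matching, the key=value parsing regex and the sample data are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Injections of the "Password" rule as listed above.
INJECTIONS = [r"pin(?:[_-]?code)?", "passphrase", "password", "passwd", "paswd"]
# Assumption: plain strings are matched literally, as substrings, ignoring case.
PATTERNS = [re.compile(INJECTIONS[0], re.I)] + [
    re.compile(re.escape(s), re.I) for s in INJECTIONS[1:]
]
# Assumption: a simple key=value grammar (keys are word-like, values end at & ; or space).
KV = re.compile(r"([A-Za-z0-9_.-]+)\s*=\s*([^\s&;]*)")

# Constructed sample data, not taken from a real scan.
SAMPLE_XML = """<config>
  <user_password>example-value</user_password>
  <hint>Enter your password to continue</hint>
  <pin_code>0000</pin_code>
</config>"""
SAMPLE_KV = "theme=dark&passwd=example-value&note=spinning"


def name_matches(name):
    """True if any injection of the rule occurs in the given name."""
    return any(p.search(name) for p in PATTERNS)


def xml_tag_hits(xml_text):
    """Expression 'XML tag name': inspect tag names only, never element text."""
    root = ET.fromstring(xml_text)
    return sorted({el.tag for el in root.iter() if name_matches(el.tag)})


def key_name_hits(text):
    """Expression 'Key name in the key=value pair': inspect keys only."""
    return sorted({key for key, _ in KV.findall(text) if name_matches(key)})


def naive_hits(text):
    """Unrestricted search over the whole text, for comparison."""
    return sorted({m.group(0).lower() for p in PATTERNS for m in p.finditer(text)})


if __name__ == "__main__":
    print("XML tag names :", xml_tag_hits(SAMPLE_XML))
    print("key names     :", key_name_hits(SAMPLE_KV))
    print("unrestricted  :", naive_hits(SAMPLE_KV))
```

The unrestricted search reports "pin" because of the value "spinning", while the key-name search reports only passwd. Under the substring assumption, the unanchored pin pattern would also match a key name such as "shipping", so a custom injection is worth checking against benign names before it is saved.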
To make it easier to work with the rules, you can select a filter and apply it to the displayed rules by clicking the Filter button in the upper left corner.
In the field that appears, you can select one or more values from the drop-down lists to filter by Modules and Expressions. Click the Clear Filter button on the right to remove the selected values from the filter. Click the Filter button again to hide the filtering field.
Adding / Editing Analysis Rule
You can edit the analysis rules on the Rules tab. To edit a rule, select it in the Rules tab on the left side. On the Details tab on the right side, the following rule parameters can be changed:
- Name — The name of the rule.
- Description of the analysis rule (optional parameter).
- Injections — In this field you can specify a string or a regular expression to search for sensitive information. To add a new regular expression, click the button next to the “Injections” label, enter the new string or regular expression in the Injection value field that appears and click the Save button on the right. All previously defined regular expressions for this rule are listed in the window below. To delete a regular expression, click the icon to the right of the regular expression.
- Expressions — Enabled and disabled search locations are marked with different status icons. To change the status from "enabled" to "disabled" and vice versa, simply click the status icon. Its status will change and a successful change notification will be displayed.
- Modules where this rule will be applied. Any module can be selected and added to the rule. Enabling and disabling the module can be done similarly to the Expressions field.
- Click the Save button on the right to save all changes to the regular expression.
To add a new analysis rule, click the Add rule button at the top right. In the Add new rule window that appears, enter the name and description of the rule and click the Add button at the bottom right. The added rule will be displayed in the list and can be edited further.
Deleting Analysis Rule
You can delete the analysis rules on the Rules tab. To delete a rule, click the Remove rule button in the lower right corner. In the Removing rule window that appears, confirm or cancel the rule removal. There are nine preset rules in the system that cannot be deleted. The user can only delete other rules.