Distributed web application firewall
First Claim
1. A method for protecting web applications, the method comprising:
at a first web application firewall (WAF):
receiving a first HTTP request from over a network, the first HTTP request being destined for a first web server that is associated with a first web application that is running on the first web server, the first web application being categorized in a first class;
analyzing the first HTTP request based on at least one rule applied by a handler;
generating a second rule based on the analyzing, wherein said generating involves:
in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, and in response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a gray list URL; and
transmitting the second rule, over the network, to a global server unit; and
at a second web application firewall (WAF):
receiving the second rule from over the network from the global server unit;
receiving a second HTTP request from over a network, the second HTTP request being destined for a second web server that is associated with a second application that is running on the second web server and categorized in the first class; and
analyzing the second HTTP request based on the second rule, the second rule being communicated from the global server unit to the second WAF responsive to the global server unit identifying the first web application and the second web application as being members of the first class and the second web application running on the second web server.
Abstract
A method for protecting a Web application running on a first local Web Server bases from hacker attacks, said Web Server being connectable to at least one client, the method comprising the following steps:
- providing a plurality of preset rules on said Server, which correspond to specific characteristics of HTTP requests;
- receiving an HTTP request on said server from the client, said HTTP request comprising a plurality of characteristics;
- analyzing said characteristics of said received HTTP request in accordance with said rules provided on said server;
- rejecting said HTTP request, if said rules identify said HTTP request as a harmful request;
- accepting said HTTP request, if said rules identify said HTTP request as a trustable request;
- classifying said HTTP request as a doubtful request, if said rules identify said request neither as a harmful request nor as a trustable request;
- evaluating the characteristics of said doubtful local request;
- generating a learned rule on the basis of the edge base evaluation.
19 Claims
1. A method for protecting web applications, the method comprising:
at a first web application firewall (WAF):
receiving a first HTTP request from over a network, the first HTTP request being destined for a first web server that is associated with a first web application that is running on the first web server, the first web application being categorized in a first class;
analyzing the first HTTP request based on at least one rule applied by a handler;
generating a second rule based on the analyzing, wherein said generating involves:
in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, and in response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a gray list URL; and
transmitting the second rule, over the network, to a global server unit; and
at a second web application firewall (WAF):
receiving the second rule from over the network from the global server unit;
receiving a second HTTP request from over a network, the second HTTP request being destined for a second web server that is associated with a second application that is running on the second web server and categorized in the first class; and
analyzing the second HTTP request based on the second rule, the second rule being communicated from the global server unit to the second WAF responsive to the global server unit identifying the first web application and the second web application as being members of the first class and the second web application running on the second web server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system to protect web applications, the system comprising:
a first web application firewall (WAF) executing on a first processor to receive a first HTTP request from over a network, the first HTTP request is destined for a first web server that is associated with a first web application that is to run on the first web server, the first web application is categorized in a first class, the first WAF to analyze the first HTTP request based on at least one rule applied by a handler, generate a second rule based on the analysis, and transmit the second rule, over the network, to a global server unit, wherein said generating involves:
in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, and in response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a graylist URL; and
a second web application firewall (WAF) executing on a second processor to receive the second rule from over the network from the global server unit, receive a second HTTP request from over a network, the second HTTP request is destined for a second web server that is associated with a second application that is to run on the second web server and categorized in the first class, the second WAF to analyze the second HTTP request based on the second rule, the second rule is communicated from the global server unit to the second WAF responsive to an identification by the global server unit of the first web application and the second web application as members of the first class and the second web application running on the second web server.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computer program comprising computer program code stored on a non-transitory computer readable medium, the computer program code for performing a method of protecting web applications, the method comprising:
at a first web application firewall (WAF):
receiving a first HTTP request from over a network, the first HTTP request being destined for a first web server that is associated with a first web application that is running on the first web server, the first web application being categorized in a first class;
analyzing the first HTTP request based on at least one rule applied by a handler;
generating a second rule based on the analyzing, wherein said generating involves:
in response to determining that a referrer URL included in the first HTTP request is not present in a whitelist or a blacklist, incrementing a count corresponding to the referrer URL, wherein the count keeps track of HTTP requests that were received within a given time window that included the referrer URL, and in response to determining that the count corresponding to the referrer URL is above a threshold, generating the second rule, wherein the second rule redirects HTTP requests that include the referrer URL to a graylist URL;
transmitting the second rule, over the network, to a global server unit; and
at a second web application firewall (WAF):
receiving the second rule from over the network from the global server unit;
receiving a second HTTP request from over a network, the second HTTP request being destined for a second web server that is associated with a second application that is running on the second web server and categorized in the first class; and
analyzing the second HTTP request based on the second rule, the second rule being communicated from the global server unit to the second WAF responsive to the global server unit identifying the first web application and the second web application as being members of the first class and the second web application running on the second web server.
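The referrer-counting rule generation of claims 1, 10 and 19, and its relay through the global server unit to a second WAF of the same application class, as an added illustration that is not the patent's own code (the page contains none); the class names, the threshold and window values, the graylist URL and the sample request are all assumptions:

```python
from collections import defaultdict, deque

class GlobalServerUnit:
    """Relays each learned rule to every registered WAF protecting an app of the same class."""
    def __init__(self):
        self.wafs = []
    def register(self, waf):
        self.wafs.append(waf)
    def publish(self, rule, app_class):
        for waf in self.wafs:
            if waf.app_class == app_class and rule not in waf.rules:
                waf.rules.append(rule)

class WAF:
    def __init__(self, app_class, gsu, whitelist=(), blacklist=(),
                 threshold=3, window=60, graylist_url="https://gray.example/hold"):
        self.app_class, self.gsu = app_class, gsu
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.threshold, self.window, self.graylist_url = threshold, window, graylist_url
        self.counts = defaultdict(deque)  # referrer URL -> request timestamps in the window
        self.rules = []                   # learned rules: (referrer URL, redirect target)
        gsu.register(self)

    def handle(self, request, now):
        """Return 'allow', 'block' or 'redirect:<url>' for one request (dict of headers)."""
        ref = request.get("Referer")
        for referrer, target in self.rules:   # learned or received rules apply first
            if ref == referrer:
                return f"redirect:{target}"
        if ref in self.blacklist:
            return "block"
        if ref is None or ref in self.whitelist:
            return "allow"
        q = self.counts[ref]                  # unknown referrer: count in sliding window
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:           # too many: learn a graylist redirect rule
            rule = (ref, self.graylist_url)
            self.rules.append(rule)
            self.gsu.publish(rule, self.app_class)
            return f"redirect:{self.graylist_url}"
        return "allow"

def demo():
    gsu = GlobalServerUnit()
    waf1, waf2, waf3 = WAF("shop", gsu), WAF("shop", gsu), WAF("blog", gsu)
    req = {"Referer": "https://unknown.example/campaign"}  # constructed sample request
    first = [waf1.handle(req, t) for t in range(5)]       # first WAF learns the rule
    return first, waf2.handle(req, 10), waf3.handle(req, 10)
```

The second "shop" WAF redirects the very first request it sees with that referrer because the rule arrived from the global server unit, while the "blog" WAF, being in another class, never receives it.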
Specification