Learning data

3.1.1. Applications learned

Applications learned is shown as a 3-level expandable table. Group, URL path and details.

Applications learned

Expandable: Click + to expand.

Application group (level 1)

Applications are divided into groups based on path characteristics. The group name reflects the characteristics of the group. The most Expands 2 levels.

common grouping criteria is the file extension. But also the appear- ance of special characters like '$' or '.' in the path is used as grouping criteria.

Applications URL paths (level 2)

When a group is expanded the URL paths in that group is listed. Each URL path is an application learned. Note that this list also contains "simple" applications, applications that only takes global parameters as input, and therefore potentially can be very long.

Application details (level 3)

When an application URL path is expanded the details learned about that specific application is shown. Number of unique URL Paths in the group.

Paths

Applies to: Group level (1).

Number of parameters the application takes as input.

If a blue number in parentheses is shown at the left of the number this number indicates how many of the parameters learned that are approved based on the Learner thresholds which are configurable.

Parameters that does not exceed one or more threshold values are colored blue while trusted parameters name are black.

Applies to: URL path level (2).

Name of input validation class mapped to a parameter.

Class

If the parameter is not trusted yet, the class name is blue. Applies to: Detail level (3).

Number of unique IP-addresses requesting the resource.

Source

Applies to: Group (1), URL path (2) and Detail level (3). Number of unique timestamps in requests for the resource.

Time

Applies to: Group (1), URL path (2) and Detail level (3).

Time difference between the first and last observed request for the re- source.

 Time (delta time)

Applies to: Group (1), URL path (2) and Detail level (3).

3.1.1.1. Deleting applications or corresponding parameters

To delete a learned application or a corresponding parameter expand to the level desired and click the red X.

3.1.2. Global parameters learned

The Global parameters learned section shows all parameters observed on a number of paths that exceeds the Learner setting Global parameters Path duplication threshold.

Note that the list also includes observed parameter names which are still pending approval based on the Learner threshold settings. The number of approved, or trusted, observations is indicated with black number while a blue number shows the number of non-approved observations.

Group, URL path and details.

Global parameters

Expandable: Click + to expand.

Parameter name (level 1) Name of the parameter Expands 1 level.

Applications URL paths (level 2)

When Global parameter is expanded a list of URL paths which are observed taking the parameter as input is shown.

Name of input validation class mapped to a parameter.

Class

Applies to: Parameter name level (1).

Number of unique URL Paths observed using the parameter.

Paths

Applies to: Parameter name level (1).

Number of unique URl Paths using the parameter but where the para- meter name is not approved yet - where threshold values is not reached yet.

Applies to: Parameter name level (1).

Number of unique URl Paths using the parameter where the parameter name is approved - where threshold values is reached.

Trusted

Applies to: Parameter name level (1).

3.1.3. Static content learned

This section shows all URL Paths to static resources learned. URL Paths are grouped by their extension.

Extension and URL Paths learned.

Static content learned

Expandable: Click + to expand.

Extension (level 1)

The static content policy is based on allowing extension and URL Path based on characters in the URl path.

Expands 1 level.

To be included in the static content policy, static resources must therefore have a file extension. A case where natural URLs are pointing to static content is handled by the Learner by building Global URL policies.

Static content URL paths (level 2)

When an extension is expanded the URL paths in that extension group is listed.

Number of unique URL Paths in the extension group.

Paths

Applies to: Extension level (1).

Number of unique IP-addresses requesting the resource.

Source

Applies to: Extension (1) and URL path level (2).

Number of unique timestamps in requests for the resource.

Time

Applies to: Extension (1) and URL path level (2).

Time difference between the first and last observed request for the re- source.

 Time (delta time)

Applies to: Extension (1) and URL path level (2).

3.1.3.1. Deleting static content extensions

To delete a static content extension (a group) click the red X in the list.

3.1.4. Tools

This contains tools for tidying the learning data set.

Delete learned parameter names using simple wildcard matching.

Delete querys by name wildcard

Input field

Valid input

A string or a simple wildcard.

Use the following characters to specify wildcards:

? = one ocurrence of any character.

Input example

http://* - matches all querys (parameter names) beginning with

http:// Default value

<none>

Preview displays parameter names matching the wildcard below the input field.

Delete performs deletion of parameters matching wildcard. Delete learned parameter names using matching occurrence data.

Delete querys by data

Input field

Source

Number of IP addresses requesting the resource. Valid input

number in range 0 -

Input example

10 - Querys requested by 10 or less IP addresses.

Default value

<none>

Time

Number of unique timestamps in requests for the resource. Valid input

number in range 0 -

Input example

10 - Querys requested in a maximum of 10 intervals of 1 second.

Default value

<none>

 Time (delta time)

Time difference between the first and last recorded request for the re- source.

Valid input

Time interval specified in seconds.

number in range 0 -

Input example

86400 - Querys with a recorded difference between first and last re-

Default value

<none>

Preview displays parameter names matching search criteria below the input fields.

Delete performs deletion of parameters matching search criteria.

3.1.5. Lower button bar

The lower button bar contains the following buttons.

To see the effect of deleting selected learning data in the resulting policy section click this button. Wait a few seconds and reload the page.

Re-analyze data

Button

Use with caution!

Reset learn data

Button When clicking this button and accepting the confirm pop-up window. All learning data for that proxy will be deleted!

If learning is enabled the learning and data sampling process will start from scratch.

In document Administration Manual. Web Security Manager 4.2 (Page 150-154)