• Security -> Application Security: Anomaly Detection: Brute Force Attack Prevention
    • Login Page
    • IP Address Whitelist (IP Address/Subnet Mask)
    • Session-based Brute Force Protection (Blocking Settings – Input Violations/Brute Force: Maximum login attempts are exceeded)
    • Login Attempts from the Same Client (5)
    • Re-enable Login After (600) seconds – 10 minutes
    • Dynamic Brute Force Protection (uses statistical analysis)
    • Operation Mode (Off/Alarm/Alarm and Block)
    • Detection Criteria (Failed Login Attempts) – Global
      • Minimum FLA (20) per second
      • FLA increased by (500) %
      • FLA Rate reached (100) per second
    • Suspicious Criteria (Per IP Address)
      • FLA increased by (500) %
      • Rate reached (20) per second
    • Prevention Policy (first method found from the list is used)
      • Source IP-Based Client-Side Integrity Defense (JavaScript is used to determine whether the client is a legitimate browser as opposed to a script posing as one)
      • URL-Based Client-Side Integrity Defense (JavaScript is used)
      • Source IP-Based Rate Limiting
      • URL-Based Rate Limiting
      • Prevention Duration (Unlimited by default)
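As an added example (not from these notes or from F5's own code), a small Python model of how the global and per-IP Dynamic Brute Force detection criteria listed above could be evaluated over a constructed failed-login log. The way the criteria combine (Minimum FLA as a gate, then either the percentage increase or the absolute rate fires) and the baseline values are assumptions for illustration only.

```python
from collections import Counter, defaultdict

# Thresholds copied from the Dynamic Brute Force Protection settings above.
GLOBAL = {"min_fla": 20, "increase_pct": 500, "rate": 100}   # per second
PER_IP = {"increase_pct": 500, "rate": 20}                    # per second


def fla_per_second(events):
    """events: iterable of (timestamp_sec, client_ip, login_succeeded).
    Returns {second: Counter(ip -> failed login attempts in that second)}."""
    buckets = defaultdict(Counter)
    for ts, ip, ok in events:
        if not ok:
            buckets[int(ts)][ip] += 1
    return buckets


def evaluate(events, baseline_global, baseline_ip):
    """Flag each second in which the global or per-IP criteria are met.
    baseline_global / baseline_ip: historical failed logins per second for
    all clients / for one client (assumed inputs; ASM derives these itself).
    Combination logic is an assumption: the Minimum FLA acts as a gate, then
    either 'increased by %' or 'rate reached' triggers."""
    alerts = []
    base_g, base_ip = max(baseline_global, 1), max(baseline_ip, 1)  # avoid /0
    for sec, per_ip in sorted(fla_per_second(events).items()):
        total = sum(per_ip.values())
        if total >= GLOBAL["min_fla"]:
            increase = (total - base_g) / base_g * 100
            if increase >= GLOBAL["increase_pct"] or total >= GLOBAL["rate"]:
                alerts.append((sec, "global", None, total))
        for ip, n in per_ip.items():
            increase = (n - base_ip) / base_ip * 100
            if increase >= PER_IP["increase_pct"] or n >= PER_IP["rate"]:
                alerts.append((sec, "per-ip", ip, n))
    return alerts


def sample_events():
    """Constructed login log: (second, client_ip, succeeded). Addresses are
    from the documentation range 198.51.100.0/24, not real clients."""
    ev = [(0, "198.51.100.10", False), (0, "198.51.100.10", False),
          (0, "198.51.100.11", False), (0, "198.51.100.12", True)]
    ev += [(1, "198.51.100.7", False)] * 25                        # one source
    ev += [(2, f"198.51.100.{i}", False) for i in range(20, 42)]  # 22 sources
    return ev


if __name__ == "__main__":
    for alert in evaluate(sample_events(), baseline_global=4, baseline_ip=1):
        print(alert)
```

Second 1 trips both the global and the per-IP criteria, while second 2 (22 failures spread over 22 clients, a 450% rise over a baseline of 4) passes the Minimum FLA gate but stays under both global thresholds, which is why the per-IP criteria and the global criteria are evaluated separately.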
  • Security -> Application Security: Anomaly Detection: Web Scraping
    • Prerequisites:
      • DNS server must be listed under DNS lookup server list
      • Client browsers need to have JavaScript enabled, and support cookies for Anomaly Detection to work
      • Consider disabling response caching. If enabled, system does not protect cached content
      • ASM does not apply web scraping detection to legitimate search engine traffic. If the web app has its own search engine, it should be added to the system under Security > Options > Application Security > Advanced Configuration > Search Engines
    • Methods/Options
      • Bot Detection
        • Determine whether web client is human or a web robot
        • Uses Capture Rapid Surfing defaults
        • Off/Alarm/Alarm and Block
      • Session Opening
        • Too many sessions originating from specific IP
        • The system can detect session opening anomalies only if clients have JavaScript enabled
        • Off/Alarm/Alarm and Block
          • Detection Criteria (Sessions opened per second)
            • increased by (500) %
            • reached (50)
            • Minimum sessions-opened-per-second threshold for detection (25)
            • Prevention Duration (1800) – 30 minutes
      • Session Transaction Anomaly
        • Suspicious amounts of transactions within a particular session
        • Off/Alarm/Alarm and Block
          • Detection Criteria (Session transactions)
            • above normal by (500) %
            • reached (400)
            • Minimum session transactions threshold for detection (200)
            • Prevention Duration (1800) – 30 minutes
      • Fingerprinting usage (unchecked by default)
        • If the system fails to detect session opening anomalies by IP address, ASM cookies, and persistent device identification, it detects browsers and bots by collecting browser attributes instead
          • Detects whether the browser's user agent is forged (e.g. by a curl command)
        • Suspicious Client (unchecked by default) – detects scraper extensions installed in a browser
          • Off/Alarm and Block
      • Persistent Client Identification (unchecked by default)
        • Log and/or prevent attackers from circumventing web scraping detection by resetting sessions and sending requests
      • IP Address Whitelist (to prevent legitimate users and internal/external scanners from triggering these alarms/blocks)
        • IP Address/Subnet Mask