• Programming Language: e.g. python 3.6
• Runtime: e.g. CPython 3.6

• Library versions: e.g.

  • boto3:1.7.74
  • botocore:1.10.74
  • etc…
• Kernel version: e.g. Linux 3.13.0-92-generic x86_64 GNU/Linux
• OS Version: e.g. Ubuntu 14.04.5 LTS
• Application Security version
• Configuration & Custom Tags (set in library config file): ex: log_level:INFO, app_name: my app, etc.
• Process ID and Parent Process ID: Used to identify sub-processes running within the same server.

• Total Transactions: Count of all requests seen by the library.
• Reported Transactions: Count of all requests with events reported to cloud.
• Dropped Messages: Count of messages discarded by the library due to a connection issue.
• Rejected Messages: Count of messages discarded when rejected by the cloud backend.
• Exceptions: count of internal library exceptions processing request data.
• Performance Data: Aggregate and sampled timing data on the Application Security library performance. Used to monitor the performance of our code to track typical performance data in our customers’ environments.
• Network interface MAC Addresses: Used to identify apps running on the same host.
• Instance ID, Container ID, Instance ARN, Region: Identification info to distinguish instances vs containers vs lambda for billing.
• Active ruleset and AV versions: Current release version of the running Malicious Payload ruleset and AV definitions.
• Policy version: Active version of policy.

Unique transaction ID generated by:

• library
• HTTP Method
• URL Path
• URL QueryString
• HTTP Protocol
• HTTP Host Header
• HTTP X-Forward-For Header
• Remote IP Address

• AWS Request ID
• Function Name
• Function Version
• Invoked Function ARN
• Amazon Trace ID (if available)
• TargetGroup ARN (for ALB invocation)
• Request ID (for API Gateway invocation)
• API Stage (for API Gateway invocation)

• Timestamp
• Blocked: true/false
• Custom event tags

• Rule ID
• Payload Sample: Portion of HTTP stream containing identified payload. Note, this may contain some additional HTTP headers not normally sent like Cookies.
• Payload Position: Byte offset of malicious bytes within the payload sample.

Malicious Payload

• Function Used: Language function used to open file (ex: open, os.open, etc.)
• Current Working Directory
• Target File: The file that was attempted to open.
• Matched Rule: Rule that was matched by this open attempt.
• Open Mode: Read or Write
• Stack Trace: Traceback leading to execution.

Illegal File Access

• SQL Query: Query text flagged. Literal values are stripped out before being sent.
• Algorithm Detected: Why is this query flagged. (ex: Always True, Always False, Bad Statement, etc.)
• SQL Dialect: (ex: postgres, mysql, etc.)
• Stack Trace: Traceback leading to execution.

SQL Injection

• Redirect Location: Target of the redirect
• Rule Matched: Matching rule that matches Location above
• Stack Trace: Traceback leading to execution

Open Redirect

• Command and Arguments: Command that was attempted to run.
• Function Used: Function used to execute command.
• Rule Matched: Matching rule that matches command above.
• Stack Trace: Traceback leading to execution.

Remote Command Execution

• Form Parameter Name: Form field name in HTTP form used for upload.
• File Name: File name supplied by source of file.
• Virus Name: Name of detected virus/malware.

Malicious File Upload