Indexed Prevention Elements

SARC → PA Indexed Prevention Elements

D1. Signatures

  • [S1] RCE AV (Remote Command Execution)
  • [S2] SQLi (SQL Injection)
  • [S3] XSS (Cross-site Scripting)
  • [S4] LFI (Local File Inclusion)
  • [S5] RFI (Remote File Inclusion)
  • [S6] Specific exploit signature
  • [S7] Generic exploit signature
  • [S8] Informational signature
  • [S9] Global signature – request level
  • [S10] Param-level signature
  • [S11] URL param-level signature
  • [S12] Signature normalization – lowercase, char ops, base64, M’C switching
  • [S13] Signature content-type checks: TXT, HTML, JSON, XML
  • [S14] CVE-based signatures
  • [S15] Informational/default signatures
  • [S16] CI trigger on signature overuse
  • [S17] Signature hunting – scanners, fuzzing, single-strike

D2. Anomaly

  • [A1] Source/Geo IP anomaly (E2)
  • [A2] Request Rate anomaly (RPS)
  • [A3] Failed Login anomaly (FLI)
  • [A4] Session Opening anomaly (SO)
  • [A5] Seasonality-based spikes
  • [A6] Increase-based anomalies (IP, Geo, URL, SID)
  • [A7] Signature increase from IPs
  • [A8] Historical anomaly (e.g., non-existent users, bad redirect ratio)
  • [A9] UA-based anomaly (known tools, outdated agents)
  • [A10] Too many RPS to login URL from Geo

D3. Restrictions

  • [R1] HTTP Method restrictions – global/specific
  • [R2] Param/Value size restrictions
  • [R3] Character set restrictions
  • [R4] Meta characters in headers/params/URLs
  • [R5] Empty/null request restrictions
  • [R6] RFC structure mismatch
  • [R7] Schema-based parsing and validation
  • [R8] rDNS queries
  • [R9] HTTP response scrubbing
  • [R10] Flow/evasion restrictions

D4. Client Interrogation

  • [CI1] HTTP Client Type Level (L1-L3)
  • [CI2] JS Capabilities – Cookie, Screen size, Location
  • [CI3] Mouse/Click-based behavioral profiling
  • [CI4] CAPTCHA (active/passive)
  • [CI5] UA enforcement (latest browsers only)
  • [CI6] SID (JS fingerprinting)
  • [CI7] Layer-7 bot detection
  • [CI8] CI-based rate limiting (E2 → CI → PA)

PA – Prevention Actions

  • [P1] Logging – local / remote
  • [P2] Blocking (HTML page, JS popup, RST, drop)
  • [P3] Rate Limiting – IP/site/URL/session/time
  • [P4] Access control – deny access to resource
  • [P5] Semi-blocking – Scrubbing/Stripping/Cloaking
  • [P6] Redirect / Honeypot
  • [P7] Retaliation (deception, keep-busy, soft block)
  • [P8] Ban enforcement (e.g., 4-hour ban)
  • [P9] Enforcement per entity: request, session, IP, DID, header, etc.