SARC → PA Indexed Prevention Elements
D1. Signatures
- [S1] RCE AV (Remote Command Execution)
- [S2] SQLi (SQL Injection)
- [S3] XSS (Cross-site Scripting)
- [S4] LFI (Local File Inclusion)
- [S5] RFI (Remote File Inclusion)
- [S6] Specific exploit signature
- [S7] Generic exploits signature
- [S8] Informational signature
- [S9] Global signature – request level
- [S10] Param-level signature
- [S11] URL param-level signature
- [S12] Signature normalization – lowercase, char ops, base64, M’C switching
- [S13] Signature content-type checks: TXT, HTML, JSON, XML
- [S14] CVE-based signatures
- [S15] Informational/default signatures
- [S16] CI trigger on signature overuse
- [S17] Signature hunting – scanners, fuzzing, single-strike
D2. Anomaly
- [A1] Source/Geo IP anomaly (E2)
- [A2] Request Rate anomaly (RPS)
- [A3] Failed Login anomaly (FLI)
- [A4] Session Opening anomaly (SO)
- [A5] Seasonality-based spikes
- [A6] Increase-based anomalies (IP, Geo, URL, SID)
- [A7] Signature increase from IPs
- [A8] Historical anomaly (e.g., non-existent users, bad redirect ratio)
- [A9] UA-based anomaly (known tools, outdated agents)
- [A10] Too many RPS to login URL from Geo
D3. Restrictions
- [R1] HTTP Method restrictions – global/specific
- [R2] Param/Value size restrictions
- [R3] Character set restrictions
- [R4] Meta characters in headers/params/URLs
- [R5] Empty/null request restrictions
- [R6] RFC structure mismatch
- [R7] Schema-based parsing and validation
- [R8] rDNS queries
- [R9] HTTP response scrubbing
- [R10] Flow/evasion restrictions
D4. Client Interrogation
- [CI1] HTTP Client Type Level (L1-L3)
- [CI2] JS Capabilities – Cookie, Screen size, Location
- [CI3] Mouse/Click-based behavioral profiling
- [CI4] CAPTCHA (active/passive)
- [CI5] UA enforcement (latest browsers only)
- [CI6] SID (JS fingerprinting)
- [CI7] Layer-7 bot detection
- [CI8] CI-based rate limiting (E2 → CI → PA)
PA – Prevention Actions
- [P1] Logging – local / remote
- [P2] Blocking (HTML page, JS popup, RST, drop)
- [P3] Rate Limiting – IP/site/URL/session/time
- [P4] Access control – deny access to resource
- [P5] Semi-blocking – Scrubbing/Stripping/Cloaking
- [P6] Redirect / Honeypot
- [P7] Retaliation (deception, keep-busy, soft block)
- [P8] Ban enforcement (e.g., 4-hour ban)
- [P9] Enforcement per entity: request, session, IP, DID, header, etc.