Flow Control Policies

The input controls at the top of this page are described here: Policies & Rules Entry Administration. Specific editing of a Session Flow Control entry is described below.

Overview

The Session Flow Control module blocks hostile activity based on defined sequences of session flow.

Threat actors usually behave quite differently than legitimate users. For speed and efficiency, they tend to deviate from normal patterns of activity. The Session Flow Control capabilities of Curiefense allow you to define the expected patterns of behavior, and block access attempts that deviate from them.

For example, when a legitimate user attempts to log into a web application, the initial access of the login page will generate a GET request. Subsequently, a POST request will arrive with the login credentials.

However, a hostile bot that's attempting a credential stuffing attack has no need to issue a GET, and often, will not bother to do so. Therefore, if a POST request arrives that was not preceded by a GET, this is anomalous behavior, and Curiefense can block it.

Flow Control Parameters

Value

Description

Name

A name for this flow control entry, for display within the interface.

Active

Whether or not this flow control entry is enforced.

TTL

The time period within which the traffic source must complete the Flow Control Sequence. In the example screenshot above, a POST request will be rejected if a GET was not received within the previous 60 seconds.

Count by

Defines the criteria by which Curiefense will associate requests with a single requestor. In other words, this is how Curiefense identifies requests as having originated from the same traffic source. By default, a single parameter is available; to add more, select New entry. Multiple parameters are evaluated with "AND"; requests must match all the parameters to be associated together.

Action

When the Flow Control Sequence is violated, this Action will be taken.

Notes

Comments for use within the interface.

Include

Includes all requests in the evaluation that contain one or more Tags on this list (unless they match an Exclude parameter). If this list is empty, all requests will be included.

Exclude

Excludes any request from evaluation if it contains a Tag on this list.

Flow Control Sequence

These parameters define the sequence of requests that will be enforced. The sequence consists of several sequence sections. They must be fulfilled in the order defined here.

By default, a new sequence contains two sections. Additional sections can be added by selecting the "Create new sequence section" button.

Parameters for each Sequence Section

A request will fulfill this Sequence Section if it matches all of these parameters:

  • The HTTP method specified in Method

  • The domain or host specified in Host

  • The path specified in Path

  • And the optional parameters, if any. Optional parameters can be added by selecting the "+" button; each parameter includes matching characteristics for a header, cookie, or argument.