How to create a

query-based

white list

Create a query-based white list: 4 simple steps

1. Create a new Query Group 2. Create a new IPS/IDS rule 3. Create a new Database

Firewall rule 4. Propagate the white list

Query Group

1 Create a new Query Group

Step 1: Log on to the GreenSQL management GUI.

Step 1a: Click on the Policies icon at the top of the management screen.

Step 1b: Click on the Query Groups policy option to proceed to the query groups configuration function.

Step 1c: Click on the Create New button in order to create a new Query Group.

Step 1d: Give the new Query Group a meaningful name, e.g., "White List".

Step 1e: Choose your database type, e.g., MySQL.

Step 1f: Choose the proxy that protects your database type.

Step 1g: Choose the appropriate color for the newly created Query Group.

Step 1h: Click the Create button to finalize the configuration.

Step 1i: Check that the White List Query Group was created and displays in the Query Groups section.

2 Create a new IPS/IDS rule

Step 2 (optional): Minimize the floating notification bar for a better view of the management GUI.

Step 2a: Click on Policy to create a new IPS/IDS (intruder prevention system/intruder detection system) rule.

Step 2b: Click on the Create New button.

Step 2c: Choose the Risk Based - IPS/IDS Rule Type.

Step 2d: Select the Database that the new rule will apply to.

Step 2e: Make sure that the Mode is set to Active Protection.

Step 2f: Make sure that the SQL Injection Detection box is checked.

Step 2g: Make sure that the Action is set to Block.

Step 2h: The Blocking action has a number of options; for this example, we will choose Close SQL Connection.

Step 2i: Make sure that the Logging option is set to Intrusion Events.

Step 2j: Scroll down and click the Create button to confirm rule creation.

Step 2k: Notice that our new Blocking rule, which defends our database against SQL injections, appears before the Allow Any rule.

3 Create a new Database Firewall rule

Step 3a: To create the White List rule, click on the Create New button.

Step 3b: Choose the Database Firewall Rule Type.

Step 3c: Select the Database that the new rule will apply to.

Step 3d: Choose Query Groups as the Firewall Type. Remember, we created the White List Query Group and now we want to use it.

Step 3e: Choose the White List Query Group we created earlier for this specific rule.

Step 3f: Select Allow as the Action, to allow White List queries to access the database.

Step 3g: Click Create to finalize rule creation.

Step 3h: Your policy should now contain three policy rules, as shown in the example above.

4 Propagate the white list query group

Step 4a: Now, we need to investigate if there are legitimate queries that were blocked by the SQL Injection rule. Click on the Logs icon.

Step 4b: Click on Intrusion Logs to look for legitimate blocked queries.

Step 4c: This example shows that there was an intrusion event. Click on the event to view the event details.

Step 4d: Scroll down in the event details to look for the Pattern field.

Step 4e: Review the pattern and note that this query is legitimate. Click on the pattern to add it to our White List Query Group.

Step 4f: Choose White List from the pop-up window and click Assign.

Step 4g: See that the new Query Group contains our white-listed pattern.

The white list is configured and operational.

That’s it!