1. Create a new query group called "White List" and configure it for the appropriate database and proxy. 2. Create a new IPS/IDS rule to block SQL injections and log intrusion events for the database. 3. Create a new database firewall rule that uses the "White List" query group and allows those queries to access the database.

1. How to create a
query-based
white list

2. Create a query-based white list:
4 simple steps
1. Create a new Query Group
2. Create a new IPS/IDS rule
3. Create a new Database
Firewall rule
4. Propagate the white list
Query Group

3. 1 Create a new
Query Group

4. Step 1: Log on to the GreenSQL management GUI.

5. Step 1a: Click on the Policies icon at the top of the management screen.

6. Step 1b: Click on the Query Groups policy option to proceed to the query
groups configuration function.

7. Step 1c: Click on the Create New button in order to create a new Query
Group.

8. Step 1d: Give the new Query Group a meaningful name, e.g., "White
List".

9. Step 1e: Choose your database type, e.g., MySQL.

10. Step 1f: Choose the proxy that protects your database type.

11. Step 1g: Choose the appropriate color for the newly created Query Group.

12. Step 1h: Click the Create button to finalize the configuration.

13. Step 1i: Check that the White List Query Group was created and displays
in the Query Groups section.

14. 2 Create a new
IPS/IDS rule

15. Step 2 (optional): Minimize the floating notification bar for a better view
of the management GUI.

16. Step 2a: Click on Policy to create a new IPS/IDS (intruder prevention
system/intruder detection system) rule.

17. Step 2b: Click on the Create New button.

18. Step 2c: Choose the Risk Based - IPS/IDS Rule Type.

19. Step 2d: Select the Database that the new rule will apply to.

20. Step 2e: Make sure that the Mode is set to Active Protection.

21. Step 2f: Make sure that the SQL Injection Detection box is checked.

22. Step 2g: Make sure that the Action is set to Block.

23. Step 2h: The Blocking action has a number of options; for this example,
we will choose Close SQL Connection.

24. Step 2i: Make sure that the Logging option is set to Intrusion Events.

25. Step 2j: Scroll down and click the Create button to confirm rule creation.

26. Step 2k: Notice that our new Blocking rule, which defends our database
against SQL injections, appears before the Allow Any rule.

27. 3 Create a new
Database
Firewall rule

28. Step 3a: To create the White List rule, click on the Create New button.

29. Step 3b: Choose the Database Firewall Rule Type.

30. Step 3c: Select the Database that the new rule will apply to.

31. Step 3d: Choose Query Groups as the Firewall Type. Remember, we
created the White List Query Group and now we want to use it.

32. Step 3e: Choose the White List Query Group we created earlier for this
specific rule.

33. Step 3f: Select Allow as the Action, to allow White List queries to access
the database.

34. Step 3g: Click Create to finalize rule creation.

35. Step 3h: Your policy should now contain three policy rules, as shown in
the example above.

36. 4 Propagate
the white list
query group

37. Step 4a: Now, we need to investigate if there are legitimate queries that
were blocked by the SQL Injection rule. Click on the Logs icon.

38. Step 4b: Click on Intrusion Logs to look for legitimate blocked queries.

39. Step 4c: This example shows that there was an intrusion event. Click on
the event to view the event details.

40. Step 4d: Scroll down in the event details to look for the Pattern field.

41. Step 4e: Review the pattern and note that this query is legitimate. Click
on the pattern to add it to our White List Query Group.

42. Step 4f: Choose White List from the pop-up window and click Assign.

43. Step 4g: See that the new Query Group contains our white-listed pattern.

44. That’s it!
The white list is
configured and
operational.