Hacker News | wlrm's comments

Our attack-type recognition is based on machine learning, which first produces lexemes and, secondly, syntax constructions (patterns) from existing attacks. For example, in the case of memcached injections (more details: https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-...) we can train the system to detect these attacks without regexps or new heuristic rules.


Ivan, co-founder of Wallarm, here.

There are a few different tasks for machine learning.

1. Traffic clustering (hierarchical clustering algorithms). We use ML to understand how your application works in terms of business logic. E.g. clustering a number of HTTP requests for /login as a cluster determined by (HTTP_header->HOST="yoursite.com" + HTTP_URL->"/login" + ...).

2. Data profiling inside clusters. We use statistical distribution algorithms to understand which data is normal for the fields POST->login and POST->password inside the cluster from p.1. It is not hardcoded data templates like "only digits" or something like this. Wallarm generates profiles dynamically.

3. Fuzzy search. For the data which is abnormal (from p.2), we determine whether it looks like XSS or SQLi or any other attack or not.
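
The three steps described in this comment (cluster requests by Host and path, learn a per-field profile of what the data normally looks like, then score new values against that profile), sketched as an added Python example. This is not Wallarm's code or algorithm: the character-class features, the anomaly score, the threshold and the training logins/passwords are all constructed placeholders chosen to illustrate the idea of a dynamically generated profile rather than a hardcoded "only digits" template.

```python
from collections import Counter, defaultdict

# Character classes used for profiling; a hypothetical feature set, not Wallarm's.
CLASSES = ("lower", "upper", "digit", "space", "punct")


def char_class(ch):
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return "punct"


def class_distribution(value):
    """Fraction of characters in each class (all zeros for an empty value)."""
    counts = Counter(char_class(c) for c in value)
    n = len(value) or 1
    return {cls: counts[cls] / n for cls in CLASSES}


def cluster_key(request):
    """Step 1: the cluster a request belongs to, keyed by Host header and URL path."""
    return (request["host"], request["path"])


def build_profiles(requests):
    """Step 2: per cluster and per field, learn the mean class distribution and max length."""
    acc = defaultdict(lambda: defaultdict(lambda: {"dist": Counter(), "n": 0, "max_len": 0}))
    for req in requests:
        fields = acc[cluster_key(req)]
        for name, value in req["fields"].items():
            prof = fields[name]
            for cls, frac in class_distribution(value).items():
                prof["dist"][cls] += frac
            prof["n"] += 1
            prof["max_len"] = max(prof["max_len"], len(value))
    return {
        key: {
            name: {"dist": {c: p["dist"][c] / p["n"] for c in CLASSES}, "max_len": p["max_len"]}
            for name, p in fields.items()
        }
        for key, fields in acc.items()
    }


def anomaly_score(profile, value):
    """Distance of a value from its field profile: total-variation distance between class
    distributions, +1 for every class never seen in training, + relative length excess."""
    obs = class_distribution(value)
    tv = 0.5 * sum(abs(obs[c] - profile["dist"][c]) for c in CLASSES)
    novel = sum(1 for c in CLASSES if profile["dist"][c] == 0 and obs[c] > 0)
    excess = max(0.0, len(value) / max(profile["max_len"], 1) - 1)
    return tv + novel + excess


THRESHOLD = 0.5  # hypothetical cut-off; a real deployment tunes this on its own traffic


def score_request(profiles, request):
    """Step 3: score each field of a request against its cluster profile.
    Returns {field: (score, is_abnormal)}; a field with no profile yet is (None, True)."""
    fields = profiles.get(cluster_key(request), {})
    out = {}
    for name, value in request["fields"].items():
        prof = fields.get(name)
        if prof is None:
            out[name] = (None, True)  # nothing learned yet for this cluster/field
        else:
            s = anomaly_score(prof, value)
            out[name] = (round(s, 3), s > THRESHOLD)
    return out


# Constructed training traffic for the (yoursite.com, /login) cluster.
TRAINING = [
    {"host": "yoursite.com", "path": "/login", "fields": {"login": l, "password": p}}
    for l, p in [("alice", "hunter2!"), ("bob42", "Tr0ub4dor&3"), ("carol_w", "correcthorse"),
                 ("dave.smith", "p@ssw0rd"), ("erin99", "S3cret!!"), ("frank", "letmein")]
]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    normal = {"host": "yoursite.com", "path": "/login", "fields": {"login": "georgia", "password": "0penSesame"}}
    odd = {"host": "yoursite.com", "path": "/login", "fields": {"login": "'union select password from users limit 1--a-"}}
    print(score_request(profiles, normal))
    print(score_request(profiles, odd))
```

The profile is learned entirely from observed values, so the same code yields a very different "normal" for a numeric field than for a free-text one; the SQL-looking login is flagged because it introduces a character class (whitespace) the field has never carried and is several times longer than anything seen, not because a regexp matched `union`.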


Just the easiest way to test your WAF right here and right now is:

hXXp://defended-site/?test={%22attack%22:%22\u004a3Vu\u0061W\u0039uIHNlbGVjdCBwYXNzd2\u0039yZCBmcm\u0039tIHVzZXJzIGxpbWl0IDEtLWEt%22}

Let's explain the payload processing in detail:

1. URL-decode: {"attack":"\u004a3Vu\u0061W\u0039uIHNlbGVjdCBwYXNzd2\u0039yZCBmcm\u0039tIHVzZXJzIGxpbWl0IDEtLWEt"}

2. JSON unicode chars decode: J3VuaW9uIHNlbGVjdCBwYXNzd29yZCBmcm9tIHVzZXJzIGxpbWl0IDEtLWEt

3. BASE64 decode: 'union select password from users limit 1--a-

Wallarm can process this w/o any manual tuning, out of the box.
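
The three decoding layers listed above (percent-decoding, JSON `\uXXXX` escapes, base64), written out as the kind of input normaliser a WAF has to run before it can inspect a parameter at all. This is an added Python example, not Wallarm's code: `unwrap`, `query_param` and `deepest_form` are hypothetical names, the request URL is constructed from the payload quoted in the comment with `defended-site` as a placeholder host, and the layer list is deliberately short (a real normaliser also handles HTML entities, double encoding, charset tricks and so on).

```python
import base64
import binascii
import json
import re
from urllib.parse import unquote, urlsplit

# Constructed request URL carrying the payload quoted in the comment (host is a placeholder).
SAMPLE_URL = (r"http://defended-site/?test={%22attack%22:%22\u004a3Vu\u0061W\u0039uIHNlbGVjdCBwYXNzd2"
              r"\u0039yZCBmcm\u0039tIHVzZXJzIGxpbWl0IDEtLWEt%22}")


def try_url_decode(text):
    """Layer 1: percent-decoding. unquote() rather than unquote_plus() so a '+' inside base64 survives."""
    decoded = unquote(text)
    return decoded if decoded != text else None


def try_json_decode(text):
    """Layer 2: parse JSON and return its string leaves; \\uXXXX escapes are resolved by the parser."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    leaves = []

    def walk(node):
        if isinstance(node, str):
            leaves.append(node)
        elif isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(obj)
    return leaves or None


def try_base64_decode(text):
    """Layer 3: strict base64 that must yield printable ASCII; short inputs are skipped to limit false hits."""
    if len(text) < 8 or len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


DECODERS = (("url", try_url_decode), ("json", try_json_decode), ("base64", try_base64_decode))


def unwrap(value, max_depth=6):
    """Peel nested encodings breadth-first. Returns [(layers_applied, text), ...] starting with
    the untouched input; max_depth bounds the work on deliberately deeply nested input."""
    seen = {value}
    frontier = [((), value)]
    results = []
    while frontier:
        chain, text = frontier.pop(0)
        results.append((chain, text))
        if len(chain) >= max_depth:
            continue
        for name, decoder in DECODERS:
            out = decoder(text)
            if out is None:
                continue
            for child in (out if isinstance(out, list) else [out]):
                if child not in seen:
                    seen.add(child)
                    frontier.append((chain + (name,), child))
    return results


def query_param(url, name):
    """Raw (still percent-encoded) value of one query parameter, or None if absent."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def deepest_form(url, param="test"):
    """The most deeply nested decoding of a parameter: (layers applied, final text)."""
    raw = query_param(url, param)
    if raw is None:
        return None
    return max(unwrap(raw), key=lambda item: len(item[0]))


if __name__ == "__main__":
    for chain, text in unwrap(query_param(SAMPLE_URL, "test")):
        print(" -> ".join(chain) or "raw", ":", text)
```

Running it prints one line per layer: the raw value, the URL-decoded JSON, the base64 string after the JSON parser has resolved the `\u004a`, `\u0061` and `\u0039` escapes, and finally the SQL fragment, which is the form any signature or profile has to be evaluated against. Each decoder only returns a result when it actually changed something, and the `seen` set plus `max_depth` keep an attacker from turning the normaliser into a CPU sink with self-referential or extremely deep nesting.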


Can you please give a piece of advice on how to prepare a response for an RFE in the case of an L1 visa? Some tricks or typical mistakes.

