Monarx Protect: RASP Addon

Monarx RASP delivers a variety of features including WAF, Virtual Patching, IP Blocking, and more.

Written by Joe Bruno
Updated yesterday

RASP (Beta)

Runtime Application Self-Protection (RASP) is a security technology embedded directly within an application’s runtime environment. Unlike perimeter defenses that inspect traffic from outside, RASP monitors and analyzes what the application actually does while it executes, which lets it detect and block malicious activity with high precision. Monarx’s RASP is delivered as a PHP extension, so it runs inside the PHP runtime itself and provides deep visibility into, and fine-grained control over, application execution.

RASP vs. WAF: Pros and Cons

A Web Application Firewall (WAF) sits in front of the application, typically as a reverse proxy or web-server module, and inspects incoming HTTP traffic to filter out malicious requests before they reach the application. While effective for broad-spectrum protection, a WAF lacks contextual awareness of the application’s internal behavior: it sees the request as it was sent, not what the application does with it, so it can often be bypassed through obfuscation, alternate encodings, or application-level decoding steps it cannot follow. By contrast, RASP runs within the application’s runtime, giving it direct insight into what each request actually does once processed.

RASP Pros:

  • Precise detection based on runtime behavior, reducing false positives.

  • Hard to bypass with obfuscated or encoded requests, because it inspects the actual arguments that reach runtime functions, after the application has decoded them.

  • Provides protection against novel attacks through behavioral analysis.

RASP Cons:

  • Limited to the runtime environment (e.g., PHP-specific in Monarx’s case).

  • Does not address network-layer attacks, such as DDoS or IP spoofing.

WAF Pros:

  • Broad coverage across all incoming traffic, regardless of application type.

  • Effective against network-level threats and common attack patterns.

WAF Cons:

  • Relies heavily on pattern matching, which can miss sophisticated attacks or generate false positives.

  • Lacks visibility into application logic or runtime execution.

For PHP-based applications, Monarx’s RASP offers a compelling alternative or complement to a WAF, providing deeper, context-aware security tailored to the application’s runtime.


Capabilities

Monarx’s RASP analyzes web requests and PHP program execution across the entire lifecycle, from request initialization to the invocation of specific native PHP functions such as shell_exec, file_put_contents, and others. By hooking these function calls, RASP does not have to speculate about a request’s intent: it runs as part of the PHP runtime and sees the exact arguments each sensitive function receives, after any decoding or assembly the application has performed. This leaves far less room for bypass than inspecting the raw request and allows malicious activity to be detected and blocked in real time with minimal guesswork.

RASP features are delivered by several modules, each designed to complement the others and add layers of protection. These modules can be independently enabled or disabled based on user needs.
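To make the contrast drawn in the RASP vs. WAF section and in the paragraph above concrete (request-pattern inspection versus a hook at the sensitive function), here is an added example in plain PHP. It is not Monarx code and does not use the Monarx extension; the functions waf_inspect, guarded_shell_exec and ping_host, the signature patterns and the request are all constructed for illustration. The point is that a payload the application base64-decodes before use carries no recognizable signature on the wire, but is fully visible at the shell_exec call site:

```php
<?php
// Added example (not Monarx code): contrasts a WAF-style check on the raw
// request with a RASP-style check at the point where shell_exec() is called.
// The request, the rules and the helper names are constructed for illustration.

// WAF-style inspection: pattern match against the raw request parameters.
function waf_inspect(array $params): bool
{
    // Simplified command-injection signature in the spirit of a CRS rule:
    // a shell metacharacter followed by a common command name.
    $signature = '/(?:;|\||&&|`|\$\()\s*(?:cat|id|whoami|curl|wget|sh)\b/i';
    foreach ($params as $value) {
        if (is_string($value) && preg_match($signature, $value)) {
            return false; // block the request
        }
    }
    return true; // allow the request
}

// RASP-style hook: a guard at the sensitive sink that sees the final
// command string after the application has decoded and assembled it.
function guarded_shell_exec(string $cmd): ?string
{
    $sinkSignature = '/(?:;|\||&&|`|\$\()/';
    if (preg_match($sinkSignature, $cmd)) {
        throw new RuntimeException('blocked shell_exec: ' . $cmd);
    }
    return shell_exec($cmd);
}

// Application code: decodes a parameter before using it in a command.
// The proper application-level fix would be escapeshellarg($host); the
// guard above is what catches the call when that fix is missing.
function ping_host(array $params): ?string
{
    $host = base64_decode($params['host'] ?? '', true);
    if ($host === false) {
        return null; // not valid base64, nothing to do
    }
    return guarded_shell_exec('ping -c 1 ' . $host);
}

// Constructed request: the injection is base64-encoded, so the raw
// parameter contains only base64 characters and no shell metacharacters.
$request = ['host' => base64_encode('127.0.0.1; id')];

$wafAllowed = waf_inspect($request);
echo 'WAF-style check allowed the request: ', var_export($wafAllowed, true), PHP_EOL;

try {
    ping_host($request);
    echo 'command ran', PHP_EOL;
} catch (RuntimeException $e) {
    echo 'runtime hook: ', $e->getMessage(), PHP_EOL;
}
```

waf_inspect returns true because the base64 text contains none of the metacharacters the signature looks for, while guarded_shell_exec rejects the call once the application has turned that text back into "ping -c 1 127.0.0.1; id". The raw request never changes; what changes is where the inspection happens.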

"WAF" Module

In modern vernacular, WAFs are often associated with a core set of security capabilities rather than their strict architectural definition. Common industry standards, such as ModSecurity and the OWASP Core Rule Set (CRS), continue to shape these expectations.

During request initialization, Monarx’s RASP inspects payloads for signals of common OWASP-defined attacks, terminating malicious requests early in the process. This feature provides a tailored, CRS-style capability set, optimized for Linux PHP runtime environments. It protects against a wide range of generic threats, including:

  • XSS (Cross-Site Scripting)

  • SQL Injection (SQLi)

  • NoSQL Injection (NoSQLi)

  • Remote Code Execution (RCE)

  • XML External Entity (XXE)

  • Command Injection Payloads

  • Prototype Pollution

  • Directory Traversal

  • Local File Inclusion (LFI)

  • PHP Object Injection

  • Arbitrary File Uploads

  • Server-Side Request Forgery (SSRF)

  • Sensitive File Access (DLP)

  • Server-Side Template Injection

  • And much more

Virtual Patching

While the WAF module offers broad, OWASP-compatible protection against common attack patterns that might be leveraged in zero-day exploits, it may still produce false positives, and it cannot address logic, access-control, or authorization vulnerabilities, which often carry no recognizable payload for a pattern-based rule to match.

The Virtual Patching module enhances this protection by providing specific, tailored defenses against known, high-impact vulnerabilities in various frameworks and core CMS platforms like WordPress, Joomla, Drupal, Laravel, and more. Examples include:

  • LiteSpeed Cache <= 6.3.0.1 – Unauthenticated Privilege Escalation

  • WooCommerce Payments <= 5.6.1 – Authentication Bypass and Privilege Escalation

  • GutenKit <= 2.1.0 – Unauthenticated Arbitrary File Upload

  • Email Subscribers by Icegram Express <= 5.7.20 – Unauthenticated SQL Injection via Hash

  • Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation

This module delivers extensive protection against XSS, SQLi, RCE, XXE, LFI, and other threats tied to known vulnerabilities actively exploited in the wild, including logical, access control, and privilege escalation issues.
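The following added example shows the shape of a virtual patch as a runtime rule, to illustrate why this module can cover authorization flaws the WAF module cannot. It is not Monarx code and does not describe any of the vulnerabilities listed above: the component name example-plugin, its version numbers, the route, the capability name and the request contexts are all hypothetical. The rule is gated on the installed version (so it retires itself once a fixed release is installed), matched on route and method, and then applies the authorization check the vulnerable code is assumed to have omitted:

```php
<?php
// Added example (not Monarx code): a virtual patch expressed as a runtime
// rule. Component name, version numbers, route and capability are all
// hypothetical; the point is the shape of the rule, not a real vulnerability.

// Each patch: which component/version range it covers, which route and
// methods it guards, and the authorization predicate that is missing in the
// vulnerable code. The predicate receives the request context.
$patches = [
    [
        'component'   => 'example-plugin',
        'fixed_in'    => '1.4.3',   // releases below this are assumed vulnerable
        'route'       => '/wp-json/example/v1/reset-password',
        'methods'     => ['POST'],
        'requires'    => fn(array $ctx): bool =>
            $ctx['user_id'] > 0 && in_array('manage_options', $ctx['caps'], true),
        'description' => 'missing capability check on password reset endpoint',
    ],
];

/**
 * Evaluates the patch list against one request context at request
 * initialisation, before the vulnerable handler runs.
 * Returns null to let the request proceed, or a reason string to block it.
 */
function apply_virtual_patches(array $patches, array $ctx): ?string
{
    foreach ($patches as $p) {
        $installed = $ctx['components'][$p['component']] ?? null;
        if ($installed === null) {
            continue; // component not present on this site
        }
        if (version_compare($installed, $p['fixed_in'], '>=')) {
            continue; // a fixed release is installed; the patch is no longer needed
        }
        if ($ctx['route'] !== $p['route'] || !in_array($ctx['method'], $p['methods'], true)) {
            continue; // rule does not apply to this endpoint
        }
        if (!($p['requires'])($ctx)) {
            return sprintf('virtual patch %s < %s: %s',
                $p['component'], $p['fixed_in'], $p['description']);
        }
    }
    return null;
}

// Constructed request contexts. The body carries nothing a payload signature
// would match; the only thing wrong is who is allowed to send it.
$base = [
    'components' => ['example-plugin' => '1.4.1'],
    'route'      => '/wp-json/example/v1/reset-password',
    'method'     => 'POST',
    'body'       => ['user' => 'admin', 'new_password' => 'Winter2025!'],
];

$anonymous = $base + ['user_id' => 0, 'caps' => []];                 // unauthenticated caller
$admin     = $base + ['user_id' => 1, 'caps' => ['manage_options']]; // privileged caller
$upgraded  = ['components' => ['example-plugin' => '1.4.3']] + $anonymous; // fixed release installed

foreach (['anonymous' => $anonymous, 'admin' => $admin, 'upgraded' => $upgraded] as $label => $ctx) {
    $verdict = apply_virtual_patches($patches, $ctx);
    echo $label, ': ', $verdict ?? 'allowed', PHP_EOL;
}
```

Only the anonymous request against the vulnerable version is blocked; the privileged caller passes the predicate, and the site running 1.4.3 is skipped by the version gate. This is the property the WAF module cannot provide: the decision depends on the caller’s identity and the installed software, not on anything in the request payload.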

Anti-Malware

Building on Monarx’s Core AntiVirus (AV) product, RASP extends runtime protection to combat a variety of threats, including:

  • Malicious file uploads

  • Compromised or malicious WordPress themes and plugins

  • Actions performed by known malicious admin users

  • Known APT and C2 malware payloads

  • Known malicious software tools

  • Dynamic webshell protection (including fileless webshells)

  • Defenses against legitimate tools that can be abused by malicious actors (e.g., legitimate file managers)

Application Hardening

This feature strengthens PHP applications by enforcing security best practices, including:

  • Blocking logins with weak or compromised passwords

  • Preventing access to sensitive framework-specific files, such as wp-config.php and .env

  • Restricting probing for known vulnerable components in specific frameworks

  • Tracking and flagging suspicious framework-specific activities for further investigation

Bot Protection

In cybersecurity, “bots” refer to automated software programs or scripts designed to execute specific tasks over the internet, often at speeds and scales far beyond human capability. While some bots, like search engine crawlers, serve legitimate purposes, malicious bots pose significant risks—spamming, launching Denial of Service (DoS) attacks, delivering malware, or probing for vulnerabilities. Even benign bots, such as aggressive data scrapers, may be undesirable. Monarx’s RASP helps customers identify and manage these threats, though its scope can sometimes cause confusion. Here’s how it works.

Behavioral Analysis:
Malicious bots often exhibit distinct patterns that threaten system security, such as:

  • Spamming: Flooding email, comments, or forms with unwanted content

  • Scraping: Extracting data, such as AI-driven bots harvesting website information

  • Brute-Force Attacks: Targeting login pages (e.g., WordPress) to crack credentials

  • Vulnerability Exploitation: Probing for weaknesses in applications or servers

  • Malware Delivery: Distributing payloads to compromise systems

These behaviors are typically tied to a source IP address (e.g., “185.X.XX.XX”). However, equating an IP with a bot can be misleading. Bots are software running on servers, and their traffic may shift across multiple IPs over time. Conversely, legitimate human traffic might share an IP with a bot in shared network environments. Blocking large IP ranges risks disrupting legitimate users, a pitfall described by Cloudflare in its post “The unintended consequences of blocking IP addresses”. Even blocking a single IP based purely on activity can affect many users because of technologies like CGNAT, where a single public IPv4 address serves dozens, hundreds, or thousands of subscribers at once.

Moreover, these behaviors aren’t exclusive to bots—humans or manual scripts can perform similar actions. Monarx’s RASP mitigates threats like malware payloads, vulnerability exploits, and brute-force attacks regardless of origin (bot, script, or human), grouping them by behavior (e.g., “Exploits,” “WAF”) in the UI for actionable insights.

Self-Identification via User-Agent Strings:
Many bots—benign, malicious, or otherwise—announce their identity via user-agent strings in HTTP requests (e.g., Googlebot). In Monarx’s “Bots” category, we highlight automated programs that self-identify as known malicious bots (e.g., Zeus), flagging them proactively regardless of behavior. When “bots” appears in Monarx, it specifically refers to programs identifying as such via their user-agent strings.

Beyond Bots: A Layered Approach
While the “Bots” category focuses on self-identified malicious or undesirable bots, Monarx’s RASP goes further. The UI breaks down events into complementary categories—WAF, IP Blocking, Exploits (Anti-Malware), and Application Hardening—each tackling overlapping threats. For example:

  • IP Blocking: Selectively blocks IPs with consistent malicious activity (from bots, scripts, or humans), tracked in “IP Blocking” charts.

  • Exploits & WAF: Captures behavioral threats like malware or vulnerability exploitation, regardless of source.

This overlap is intentional—cybersecurity threats don’t fit neatly into silos. Monarx prioritizes mitigating impact over categorizing origins.

Why “Bots” Matters
The “Bots” category isn’t about catching every automated program: it is a focused lens on self-identified malicious or undesirable bots posing clear risks. Meanwhile, RASP’s broader capabilities ensure protection against the full spectrum of threats. Within this category, RASP restricts requests whose user-agent strings identify them as:

  • AI bots

  • Known malicious bots

  • Overly aggressive vendor bots (scrapers)

SEO bots are not restricted.

IP Blocking

Layer 7 (application-layer) IP blocking is tailored to mitigate threat actors targeting web-based applications. Monarx selectively blocks traffic from specific IP addresses when consistent malicious activity is detected, whether from bots, manual programs, or humans. This can mitigate certain DoS attacks.

In a web application context, a Denial of Service (DoS) attack seeks to disrupt normal functioning, making the service unavailable to legitimate users by overwhelming the application, server, or infrastructure. DoS attacks vary:

  • Logic-Based DoS (Application Vulnerabilities): Exploits flaws like unhandled exceptions or resource-intensive operations (e.g., malformed requests crashing an app or overloading a database). Mitigated via Virtual Patching rules that block malicious inputs.

  • Traffic-Based DoS: Floods the system with excessive requests, exhausting resources like bandwidth or CPU (e.g., thousands of HTTP requests or fake login attempts).

Monarx does not mitigate Distributed DoS (DDoS) attacks. However, it can address certain logic-based DoS attacks via Virtual Patching and some traffic-based DoS attacks via IP blocking. For comprehensive DDoS protection, a purpose-built edge service placed in front of the site via DNS, such as Cloudflare, is recommended.
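The following added example illustrates the two points made in the Bot Protection and IP Blocking sections: blocking an address only after consistent malicious activity, and being careful with addresses that appear to carry many users (CGNAT, corporate NAT). It is not Monarx code and does not reflect Monarx’s actual thresholds or heuristics; the log format, the thresholds, the “many distinct user agents on one address” heuristic and the IP addresses are all constructed for illustration:

```php
<?php
// Added example (not Monarx code): Layer 7 IP blocking driven by repeated
// malicious events within a sliding window, with a guard for addresses that
// look shared (CGNAT, corporate NAT), where a hard block would hit many
// legitimate users. Log format, thresholds and addresses are constructed.

const BLOCK_THRESHOLD    = 5;    // malicious events needed ...
const WINDOW_SECONDS     = 600;  // ... within this sliding window
const SHARED_UA_DISTINCT = 6;    // this many distinct user agents on one IP => treat as shared

// Constructed event log: [unix time, client IP, event category, user agent].
// Category 'ok' is benign traffic; any other category is a detection.
$events = [
    [1000, '203.0.113.10', 'waf',     'python-requests/2.31'],
    [1010, '203.0.113.10', 'waf',     'python-requests/2.31'],
    [1020, '203.0.113.10', 'exploit', 'python-requests/2.31'],
    [1030, '203.0.113.10', 'waf',     'python-requests/2.31'],
    [1040, '203.0.113.10', 'exploit', 'python-requests/2.31'],
    [1000, '198.51.100.7', 'ok',      'Mozilla/5.0 (Windows NT 10.0)'],
    [1005, '198.51.100.7', 'waf',     'Mozilla/5.0 (Android 14)'],
    [1010, '198.51.100.7', 'ok',      'Mozilla/5.0 (iPhone)'],
    [1015, '198.51.100.7', 'waf',     'Mozilla/5.0 (Macintosh)'],
    [1020, '198.51.100.7', 'exploit', 'Mozilla/5.0 (X11; Linux)'],
    [1025, '198.51.100.7', 'ok',      'Mozilla/5.0 (iPad)'],
    [1030, '198.51.100.7', 'waf',     'Mozilla/5.0 (Windows NT 10.0; Win64)'],
    [1035, '198.51.100.7', 'waf',     'Mozilla/5.0 (Android 13)'],
    [2000, '192.0.2.44',   'waf',     'curl/8.4.0'],
    [9000, '192.0.2.44',   'waf',     'curl/8.4.0'],
];

/**
 * Returns [ip => 'block' | 'flag-shared' | 'allow'].
 * 'flag-shared' means the threshold was crossed, but the address carries
 * traffic from many different clients, so it is surfaced for review
 * instead of being hard-blocked.
 */
function decide(array $events): array
{
    $byIp = [];
    foreach ($events as [$ts, $ip, $cat, $ua]) {
        $byIp[$ip][] = [$ts, $cat, $ua];
    }

    $decisions = [];
    foreach ($byIp as $ip => $rows) {
        usort($rows, fn($a, $b) => $a[0] <=> $b[0]);
        $window  = [];   // timestamps of malicious events inside the current window
        $agents  = [];   // distinct user agents seen from this address
        $crossed = false;
        foreach ($rows as [$ts, $cat, $ua]) {
            $agents[$ua] = true;
            if ($cat === 'ok') {
                continue;
            }
            $window[] = $ts;
            // Drop malicious events that fell out of the window relative to this one.
            while ($ts - $window[0] > WINDOW_SECONDS) {
                array_shift($window);
            }
            if (count($window) >= BLOCK_THRESHOLD) {
                $crossed = true;
            }
        }
        if (!$crossed) {
            $decisions[$ip] = 'allow';
        } elseif (count($agents) >= SHARED_UA_DISTINCT) {
            $decisions[$ip] = 'flag-shared';
        } else {
            $decisions[$ip] = 'block';
        }
    }
    return $decisions;
}

foreach (decide($events) as $ip => $verdict) {
    printf("%-15s %s\n", $ip, $verdict);
}
```

On this constructed log, 203.0.113.10 crosses the threshold with a single automated client and is blocked; 198.51.100.7 also crosses it, but the mix of eight different browsers behind one address is the signature of a shared egress, so it is flagged rather than blocked; 192.0.2.44 has two events seven thousand seconds apart and is left alone. The user-agent heuristic is deliberately crude; it stands in for whatever shared-address signals a real system would use.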


Limitations

Monarx’s RASP activates whenever PHP is invoked, typically within web frameworks like Drupal, Joomla, Laravel, WordPress, or CLI applications. It does not engage in these scenarios:

  • Higher-Level Caching: If a cache (e.g., Varnish or a CDN) serves a response before PHP is invoked, RASP remains dormant.

  • Non-PHP Content: When the web server delivers static content (e.g., directory listings or default pages) without invoking PHP, RASP is not triggered.

Designed exclusively for PHP environments on Linux, RASP mirrors capabilities of tools like ModSecurity while tailoring its ruleset to PHP-specific threats. It offers minimal to no protection for:

  • Windows-specific exploits

  • Windows-based security applications or appliances

  • Java, Ruby, Python, etc., vulnerabilities

Other limitations include:

  • Excluded Vulnerability Classes: Certain attacks, like HTTP request smuggling, fall outside RASP’s runtime scope.

  • Managed Ruleset: The ruleset is fully managed by Monarx—users cannot customize or toggle individual rules.

  • Runtime Dependency: Protection applies only when PHP executes. RASP offers no coverage for network-layer (Layer 3/4) threats, and its IP Blocking module acts only on requests that reach PHP, not on traffic stopped or served before that point.

Requirements

Monarx’s RASP is delivered as an add-on to the Monarx PHP Zend extension, Monarx Protect. To enable it, ensure:

  • PHP Version: Compatible with PHP 5.3 through 8.4

  • Monarx Agent: Version > 4.2.60, installed and correctly configured

  • Monarx Protect: Version > 5.1.85, installed and correctly configured

Proper setup is essential for effective operation. Monarx is generally compatible with existing WAF solutions.

Support

Monitoring:
RASP activity can be monitored through the Monarx Web Application UI or accessed programmatically via Monarx APIs.

Handling False Positives:

  1. Critical Emergency: If immediate action is needed, disable RASP at the agent level. Go to the Server Agents module in the Monarx Web UI, locate the impacted agent, click the green gear in the top right (“Configure RASP Features”), and disable RASP via the toggle in the side view.

  2. Submit a False Positive Report: Visit Monarx to file a report or reach out to us via Intercom or Slack.
