stamparm / maltrail

Malicious traffic detection system
MIT License

Maltrail not reading all events #19109

Status: Closed (closed by slowpokeeh 1 year ago)

slowpokeeh commented 1 year ago

Dear Maltrail-Team,

I have the following infrastructure: Ubuntu server with custom website (apache), maltrail server and maltrail sensor.

I did the following: I wrote a Python script that fires SQL injections against my custom website (from another client). I have a sleep timer in my Python script that fires an SQL injection every 100 ms. All of those SQL injections are a bit different from each other. By doing that I have around 6400 requests towards the website.

After my script is done, Maltrail only shows around 400 events and only around 10 detections. I tried analyzing a pcap file that I recorded with Wireshark, but the number of events and detections stays around that number.

When I used Burp Intruder (free version, 4 seconds per request), a lot more detections and events showed up. So I thought there might be some performance problem. Or does Maltrail somehow summarize requests?

By the way, I tried the same setup with "sqlmap" as the custom user agent; it also showed only a few detections.

Could you help me with my issue - or is this intended?

Best regards and thanks a lot

slowpokeeh commented 1 year ago

Apache access log (count of all requests with User-Agent sqlmap from the IP): [screenshot]

Maltrail server (please note, the events show the number 2870, but I executed my script several times with different user agents etc.): [screenshot]

Thanks again!

MikhailKasimov commented 1 year ago

Hello!

I think some investigation is needed here.

Can you please upload the pcap files you have, with the respective results? Perhaps your test scripts will be asked for later as well, but let's begin with the pcap files.

Thnx!

stamparm commented 1 year ago

@slowpokeeh there was indeed a bug in the visual representation of the number of events in the row rendering:

[screenshot]

With the latest commit (html/js/main.js got changed), that row rendering should be fixed.

As for the total count, which you say is 6000 while sqlmap counted only 2000: in Maltrail there is a deliberate dropping of events in case of a mass attack. The main reason is to prevent UI hogging. Imagine being scanned by some heavy application and the UI having to chew through all of that junk (while, in the case of Maltrail, the data chewing is done on the JS/client side).

slowpokeeh commented 1 year ago

@stamparm and @MikhailKasimov thank you for your quick response!

@stamparm The dropping of events in case of a mass attack is totally rational and very good of course, but I wanted to use Maltrail to benchmark Maltrail vs. some self-coded machine learning experiment regarding SQLi.

Is there any "easy" way to disable that behaviour in a config file? Or would lots of code editing and self-compiling be needed to achieve that?

Thank you again, you are doing absolutely great work!

stamparm commented 1 year ago

1) Currently there is no such config option.
2) After a second thought, maybe in your case some of the payloads were not recognized as SQLi. Maltrail has a pretty good detection mechanism for SQLi, with minimal false positives. You should be aware that Maltrail is made to recognize threats, not events (as e.g. Suricata does).
3) That being said, the best advice I could give you is to use Maltrail in parallel with some existing IDS (e.g. Suricata/Snort), so it could synergistically help you in the detection of threats.
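To make the two numbers being compared in this thread concrete (requests with the sqlmap User-Agent counted in the Apache access log, versus events a detector reports once it deliberately stops emitting for a noisy source), here is an added example that is not part of the issue and not Maltrail's code. It parses constructed Apache combined-format log lines, counts requests per source IP by User-Agent prefix, flags SQLi-looking query strings with a small heuristic regex (an illustrative stand-in, not Maltrail's detection logic), and applies a hypothetical per-source event cap so that the emitted event count is lower than the request count, which is the effect described in the comments above. The log lines, the `per_source_cap` parameter and the regex are all assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not taken from the issue).
ACCESS_LOG = """\
10.0.0.7 - - [12/May/2023:10:00:00 +0000] "GET /item.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.7 - - [12/May/2023:10:00:00 +0000] "GET /item.php?id=1%20UNION%20SELECT%20null,version()-- HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.7 - - [12/May/2023:10:00:01 +0000] "GET /item.php?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.7 - - [12/May/2023:10:00:01 +0000] "GET /item.php?id=1%3B%20DROP%20TABLE%20users HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.7 - - [12/May/2023:10:00:02 +0000] "GET /item.php?id=2 HTTP/1.1" 200 512 "-" "sqlmap/1.7"
10.0.0.9 - - [12/May/2023:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2023:10:00:03 +0000] "GET /item.php?id=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative SQLi heuristic (assumption for this example, not Maltrail's detector).
SQLI_RE = re.compile(
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"    # ' OR 1=1 style tautologies
    r"|\bunion\b\s+(all\s+)?select\b"         # UNION SELECT
    r"|\b(sleep|benchmark|waitfor)\s*\("      # time-based probes
    r"|;\s*(drop|insert|update|delete)\b",    # stacked queries
    re.IGNORECASE,
)


def parse_access_log(text):
    """Return one dict per well-formed combined-format line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def count_requests(entries, user_agent_prefix):
    """Requests per source IP whose User-Agent starts with the prefix (the access-log check from the thread)."""
    counts = Counter()
    for e in entries:
        if e["ua"].startswith(user_agent_prefix):
            counts[e["ip"]] += 1
    return counts


def looks_like_sqli(uri):
    """Apply the heuristic to the URL-decoded query string only, so path segments are not inspected."""
    query = uri.partition("?")[2]
    return bool(SQLI_RE.search(unquote_plus(query)))


def detect(entries, per_source_cap):
    """Emit one event per SQLi-looking request until a source has produced per_source_cap events,
    then drop further events from that source (hypothetical mass-attack cap). Returns (events, dropped)."""
    events, emitted, dropped = [], Counter(), Counter()
    for e in entries:
        if not looks_like_sqli(e["uri"]):
            continue
        if emitted[e["ip"]] >= per_source_cap:
            dropped[e["ip"]] += 1
            continue
        emitted[e["ip"]] += 1
        events.append((e["ip"], e["ua"], unquote_plus(e["uri"])))
    return events, dropped


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    print("sqlmap requests per IP:", dict(count_requests(entries, "sqlmap")))
    events, dropped = detect(entries, per_source_cap=2)
    for ev in events:
        print("event:", ev)
    print("dropped after cap:", dict(dropped))
```

With the constructed input, the access log shows 5 sqlmap requests from 10.0.0.7, but only 4 of them carry an SQLi-looking payload, and with a cap of 2 events per source only 2 of those are emitted: a benchmark that compares "requests sent" with "events shown" mixes three different quantities, which is why the thread's advice is to measure detections against an event-oriented IDS as well.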

slowpokeeh commented 1 year ago

Thank you a lot!

Btw: The bug is now fixed and the events get counted correctly.