zecure / shadowd_ui

The Shadow Daemon user interface
GNU General Public License v2.0

List attacks on Analysis menu #46

Status: Closed (figassis closed this 3 years ago)

figassis commented 4 years ago

I can see attack count on profiles and home page, but I can't analyze them individually. It'd be great to list them in the analysis menu or add a filter in the requests/parameters list for the request classification.

zit-hb commented 4 years ago

I am not sure what you mean, could you elaborate please? At the moment every request that contained something malicious is considered an attack. Do you mean to group multiple requests by IP address and time? That would be a handy feature. I was mostly interested in the vulnerability details of the attacks so far but for sysops it would be handy to have a more cleaned up view of attacks without many details.

figassis commented 4 years ago

Yes, so basically the issue is in the profiles list I see XXX / 3, meaning I think XXX requests and 3 attacks. But I can't look at those 3 attacks so I can learn from them. For example, they might give insight on security improvements I can make to the applications themselves, so diving into them can be useful.

zit-hb commented 4 years ago

Ah, no, the left number is the requests that were recorded in the learning mode. It is not "learning" at this point, it just records all requests that come in. This mode is not intended to be on for a long time if you are on a production system. I usually also delete the requests that were recorded in the learning mode after I have generated some rules with them. There is no point in keeping them.

If you run Shadow Daemon in the normal mode every logged request is an attack. If you click on the gears you can also filter the results. For example, try this: https://demo.shadowd.zecure.org/parameters?parameter_filter%5BincludeThreat%5D=1&parameter_filter%5BexcludeNoWhitelistRule%5D=1&parameter_filter%5BexcludeBrokenWhitelistRule%5D=1&parameter_filter%5BexcludePaths%5D%5B0%5D=POST%7Curl&parameter_filter%5BexcludePaths%5D%5B1%5D=POST%7Ccomment
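As an added illustration (editor's code, not part of this issue thread or the shadowd_ui project), the demo filter URL above can be unpacked programmatically. The query string uses PHP/Symfony-style bracketed keys (`parameter_filter[excludePaths][0]`), which the snippet below folds into nested dicts and lists before summarizing which filters are set. Reading `POST|url` as "input source, then parameter name" is the editor's interpretation of the path format and is not stated on this page; the `build_filter_url` helper and the `example.invalid` host are likewise assumptions for the demonstration, not an API the UI documents.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed copy of the demo URL quoted in the comment above.
DEMO_URL = (
    "https://demo.shadowd.zecure.org/parameters?"
    "parameter_filter%5BincludeThreat%5D=1&"
    "parameter_filter%5BexcludeNoWhitelistRule%5D=1&"
    "parameter_filter%5BexcludeBrokenWhitelistRule%5D=1&"
    "parameter_filter%5BexcludePaths%5D%5B0%5D=POST%7Curl&"
    "parameter_filter%5BexcludePaths%5D%5B1%5D=POST%7Ccomment"
)

# head[part][part]... with no stray brackets anywhere.
_KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")


def split_key(key):
    """'a[b][0]' -> ['a', 'b', '0']; rejects malformed bracket keys."""
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError(f"malformed bracket key: {key!r}")
    return [m.group(1)] + re.findall(r"\[([^\[\]]*)\]", m.group(2))


def _listify(node):
    """Turn dicts whose keys are all integers into ordered lists."""
    if not isinstance(node, dict):
        return node
    node = {k: _listify(v) for k, v in node.items()}
    if node and all(k.isdigit() for k in node):
        return [node[k] for k in sorted(node, key=int)]
    return node


def parse_nested_query(query):
    """Fold PHP/Symfony-style bracketed query keys into nested structures."""
    root = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        parts = split_key(key)
        node = root
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                # e.g. a=1&a[b]=2: a scalar cannot also be a container
                raise ValueError(f"key {key!r} conflicts with scalar at {part!r}")
            node = child
        node[parts[-1]] = value
    return _listify(root)


def decode_parameter_filter(url):
    """Summarize the parameter_filter block of a shadowd_ui /parameters URL."""
    pf = parse_nested_query(urlsplit(url).query).get("parameter_filter", {})
    # Boolean filters are sent as "1"; list-valued entries are skipped here.
    flags = sorted(k for k, v in pf.items() if v == "1")
    raw_paths = pf.get("excludePaths", [])
    if isinstance(raw_paths, str):  # single unindexed value
        raw_paths = [raw_paths]
    excluded = []
    for entry in raw_paths:
        # Assumption: "<source>|<parameter name>", e.g. "POST|url".
        source, sep, name = entry.partition("|")
        if not sep:
            raise ValueError(f"unexpected excludePaths entry: {entry!r}")
        excluded.append((source, name))
    return {"flags": flags, "excludePaths": excluded}


def build_filter_url(base, flags, exclude_paths):
    """Inverse of decode_parameter_filter (hypothetical helper, not a UI API)."""
    params = [(f"parameter_filter[{flag}]", "1") for flag in flags]
    for i, (source, name) in enumerate(exclude_paths):
        params.append((f"parameter_filter[excludePaths][{i}]", f"{source}|{name}"))
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    print(decode_parameter_filter(DEMO_URL))
```

Running the block prints the three boolean filters and the two excluded parameter paths from the demo URL; `build_filter_url` lets you construct the same kind of link for your own instance instead of clicking through the gears menu each time.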

figassis commented 4 years ago

Ah, got it :-)