Closed: figassis closed this 3 years ago
I am not sure what you mean, could you elaborate please? At the moment every request that contained something malicious is considered an attack. Do you mean to group multiple requests by IP address and time? That would be a handy feature. I was mostly interested in the vulnerability details of the attacks so far but for sysops it would be handy to have a more cleaned up view of attacks without many details.
Yes, so basically the issue is in the profiles list I see XXX / 3, meaning I think XXX requests and 3 attacks. But I can't look at those 3 attacks so I can learn from them. For example, they might give insight on security improvements I can make to the applications themselves, so diving into them can be useful.
Ah, no, the left number is the number of requests that were recorded in the learning mode. It is not "learning" at this point, it just records all requests that come in. This mode is not intended to be on for a long time if you are on a production system. I usually also delete the requests that were recorded in the learning mode after I have generated some rules with them. There is no point in keeping them.
If you run Shadow Daemon in the normal mode every logged request is an attack. If you click on the gears you can also filter the results. For example, try this: https://demo.shadowd.zecure.org/parameters?parameter_filter%5BincludeThreat%5D=1&parameter_filter%5BexcludeNoWhitelistRule%5D=1&parameter_filter%5BexcludeBrokenWhitelistRule%5D=1&parameter_filter%5BexcludePaths%5D%5B0%5D=POST%7Curl&parameter_filter%5BexcludePaths%5D%5B1%5D=POST%7Ccomment
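The demo link above packs the filter settings into bracket-style query keys (`parameter_filter[includeThreat]=1`, `parameter_filter[excludePaths][0]=POST|url`), which is hard to read once percent-encoded. The following is an added example, not code from the Shadow Daemon project: it parses such a URL into a nested structure so you can see which filters are active, and rebuilds a correctly encoded URL from that structure. It assumes only the bracket-key convention visible in the link; the filter names come from the link itself.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# The demo filter URL from the comment above (with "&parameter_filter" intact).
DEMO_URL = (
    "https://demo.shadowd.zecure.org/parameters"
    "?parameter_filter%5BincludeThreat%5D=1"
    "&parameter_filter%5BexcludeNoWhitelistRule%5D=1"
    "&parameter_filter%5BexcludeBrokenWhitelistRule%5D=1"
    "&parameter_filter%5BexcludePaths%5D%5B0%5D=POST%7Curl"
    "&parameter_filter%5BexcludePaths%5D%5B1%5D=POST%7Ccomment"
)

# A key is a bare name followed by zero or more [segment] parts.
_KEY = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")


def _listify(node):
    """Turn dicts whose keys are all digit strings into ordered lists."""
    if not isinstance(node, dict):
        return node
    if node and all(k.isdigit() for k in node):
        return [_listify(node[k]) for k in sorted(node, key=int)]
    return {k: _listify(v) for k, v in node.items()}


def parse_bracket_query(url):
    """Expand bracket-style query keys into nested dicts/lists."""
    tree = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = _KEY.match(key)
        if not m:
            raise ValueError(f"malformed query key: {key!r}")
        parts = [m.group(1)] + re.findall(r"\[([^\[\]]*)\]", m.group(2))
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return _listify(tree)


def build_filter_url(base, filters):
    """Inverse of parse_bracket_query: flatten and percent-encode ([ -> %5B, | -> %7C)."""
    pairs = []

    def walk(prefix, value):
        if isinstance(value, dict):
            for k, v in value.items():
                walk(f"{prefix}[{k}]", v)
        elif isinstance(value, list):
            for i, v in enumerate(value):
                walk(f"{prefix}[{i}]", v)
        else:
            pairs.append((prefix, str(value)))

    for k, v in filters.items():
        walk(k, v)
    return base + "?" + urlencode(pairs)
```

Parsing the demo link yields `excludePaths == ["POST|url", "POST|comment"]`, i.e. the comment and url parameters of POST requests are hidden and only parameters flagged as threats without a (working) whitelist rule are shown.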
Ah, got it :-)
I can see attack count on profiles and home page, but I can't analyze them individually. It'd be great to list them in the analysis menu or add a filter in the requests/parameters list for the request classification.