In this article I would like to show and explain my personal use cases for the Wallarm search engine. The cool thing about it is human-readable search with intuitive commands.
Just look at this search command before we start:
> attacks incidents vulns today RCE 502
For a security engineer looking at it, it's easy to understand what this search means: all the malicious requests (attacks), the verified vulnerabilities (vulns) and the malicious requests targeted at exactly those vulnerabilities (incidents), for today, with HTTP response status code 502. You can simply exclude, for example, 404 responses by adding !404 to the search line.
Let's see how easy it is to find all the attacks this year from one IP address and from some subnets given in different notation formats.
Wallarm search. More than 100 source IP addresses in one attack
My last example will be about the super capability of Wallarm to identify anomalies in requests and responses. To take advantage of it, use the a: keyword identifier, which can have the following values:
Unlike signature-based WAFs, Wallarm can understand the difference between payloads within the same attack type. This gives it the ability to identify cases where the payloads in one attack differ from each other.
It's a super useful feature for identifying false positives, because very few false-positive events have anomalies of these types. Finally, my recipe for identifying false positives is:
> attacks !a:stamps !500+ ip:>10
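To make the grammar of these search lines concrete, here is a toy parser that turns the tokens used in the queries above (event kinds, today, an attack type, a status code, a leading ! for exclusion, a:NAME, NNN+ and ip:>N) into a filter and runs it over a handful of constructed events. This is an added example, not Wallarm's own search implementation; the exact meanings of ip:>N (more than N source IP addresses in one attack), a:NAME (the attack carries that anomaly flag) and 500+ (status code 500 or higher), as well as the rule that event-kind tokens are OR-ed while everything else is AND-ed, are assumptions made for the example.

```python
"""Toy parser for Wallarm-style search lines (added illustration, not Wallarm code).
Assumed semantics: `ip:>N` = more than N source IPs in the attack, `a:NAME` =
attack has anomaly NAME, `NNN+` = status code >= NNN, `!tok` = exclude tok."""
import re
from datetime import date
from typing import Callable, Dict, List

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

TODAY = date(2021, 1, 15)  # fixed "today" so the example is deterministic

# Constructed sample events; src_ips is the number of distinct source IPs
# seen in that attack (an assumed field, not a real Wallarm attribute name).
EVENTS: List[Event] = [
    {"id": 1, "kind": "attack",   "attack_type": "RCE",  "status": 502, "date": TODAY,              "src_ips": 120, "anomalies": set()},
    {"id": 2, "kind": "attack",   "attack_type": "RCE",  "status": 404, "date": TODAY,              "src_ips": 1,   "anomalies": {"stamps"}},
    {"id": 3, "kind": "incident", "attack_type": "RCE",  "status": 502, "date": TODAY,              "src_ips": 3,   "anomalies": set()},
    {"id": 4, "kind": "vuln",     "attack_type": "SQLi", "status": 200, "date": TODAY,              "src_ips": 1,   "anomalies": set()},
    {"id": 5, "kind": "attack",   "attack_type": "SQLi", "status": 503, "date": TODAY,              "src_ips": 40,  "anomalies": set()},
    {"id": 6, "kind": "attack",   "attack_type": "XSS",  "status": 200, "date": TODAY,              "src_ips": 25,  "anomalies": set()},
    {"id": 7, "kind": "attack",   "attack_type": "RCE",  "status": 200, "date": date(2021, 1, 14), "src_ips": 2,   "anomalies": set()},
]

KINDS = {"attacks": "attack", "incidents": "incident", "vulns": "vuln"}
CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def parse_token(tok: str) -> Predicate:
    """Translate one (already un-negated) search token into a predicate."""
    if tok == "today":
        return lambda e: e["date"] == TODAY
    if m := re.fullmatch(r"(\d{3})(\+?)", tok):          # 502 or 500+
        code, plus = int(m.group(1)), m.group(2)
        return (lambda e: e["status"] >= code) if plus else (lambda e: e["status"] == code)
    if m := re.fullmatch(r"ip:([<>=])(\d+)", tok):       # ip:>10
        op, n = CMP[m.group(1)], int(m.group(2))
        return lambda e: op(e["src_ips"], n)
    if m := re.fullmatch(r"a:(\w+)", tok):               # a:stamps
        name = m.group(1)
        return lambda e: name in e["anomalies"]
    if re.fullmatch(r"[A-Za-z]+", tok):                  # RCE, SQLi, ...
        return lambda e: e["attack_type"].lower() == tok.lower()
    raise ValueError(f"unrecognised search token: {tok!r}")


def compile_query(line: str) -> Predicate:
    """Event-kind tokens are OR-ed together; every other token is AND-ed."""
    kinds, preds = set(), []
    for raw in line.split():
        if raw in KINDS:
            kinds.add(KINDS[raw])
            continue
        negate = raw.startswith("!")
        pred = parse_token(raw[1:] if negate else raw)
        preds.append((lambda e, p=pred: not p(e)) if negate else pred)

    def matches(e: Event) -> bool:
        if kinds and e["kind"] not in kinds:
            return False
        return all(p(e) for p in preds)

    return matches


def search(line: str, events: List[Event] = EVENTS) -> List[int]:
    """Return the ids of the sample events that match a search line."""
    query = compile_query(line)
    return [e["id"] for e in events if query(e)]


if __name__ == "__main__":
    for line in ("attacks incidents vulns today RCE 502",
                 "attacks incidents vulns RCE !404",
                 "attacks !a:stamps !500+ ip:>10"):
        print(f"{line!r:45} -> {search(line)}")
```

Running the false-positive recipe from the article over the sample set keeps only event 6: event 1 is dropped by !500+, event 2 by !a:stamps, event 7 by ip:>10, and the incident and vuln entries by the attacks kind filter.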
To drill down into the power of the Wallarm search engine, look at the documentation here: <https://docs.wallarm.com/en/interface/search.html>