The power of Wallarm search engine

2017-04-07T18:52:02
ID WALLARMLAB:C7E2DCDC513EDB5BD351770678A716A3
Type wallarmlab
Reporter Ivan Novikov
Modified 2017-04-07T18:52:02

Description

In this article I would like to show and explain my personal use cases of the Wallarm search engine. The cool thing about it is human readable search with intuitive commands.

Just look at this search command before we start:

> attacks incidents vulns today RCE 502

For a security engineer looking at it, it’s easy to understand what this search means: all the malicious requests (attacks), the verified vulnerabilities (vulns), and the malicious requests targeted at exactly those vulnerabilities (incidents), with the HTTP response status code 502. You can simply exclude, for example, 404 responses by adding !404 to the search line.

Let’s see how easy it is to find all the attacks this year from one IP address and from some subnets written in different notations.

I have some of my own indicators that an attack could probably be a false positive. One of them is the number of source IP addresses in one attack. A high number means that a lot of sources (people) sent the same attack to the same application function (action). A situation like this can occur because of a false positive or because of an error, for example in the JavaScript. To find the attacks with more than one hundred source IP addresses, just add ip:>100 to the search line.

Wallarm search: more than 100 source IP addresses in one attack

My last example is about Wallarm’s super capability to identify anomalies in requests and responses. To take advantage of it, use the a: keyword identifier, which can have the following values:

  • a:size — abnormal lengths of the responses were detected in one attack
  • a:statuscode — abnormal status codes were detected in one attack
  • a:time — abnormal response times were detected in one attack
  • a:stamps — the attack contains malicious requests with different payloads inside

Unlike signature-based WAFs, Wallarm can understand the difference between payloads within the same attack type. This lets it identify cases where the payloads in one attack differ from each other.

It’s a super useful feature for identifying false positives, because very few false positive events have anomalies of these types. Finally, my recipe to identify false positives is:

> attacks !a:stamps !500+ ip:>10
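To make the syntax above concrete, here is an added toy evaluator (written for this post, not Wallarm’s own code) that applies the search lines quoted above to a few constructed events. Its grammar is my reading of the examples: the event classes attacks/incidents/vulns are ORed, every other token is ANDed, a leading ! negates a token, 500+ is assumed to mean status 500 and above, and ip:>N and a:name are assumed to filter on the source-IP count and the anomaly flags of an attack.

```python
import re
from datetime import date, timedelta

# Assumption: this grammar is my reading of the examples in the post, not
# Wallarm's real query parser.
TYPES = {"attacks", "incidents", "vulns"}   # event classes, ORed together
TODAY = date.today()

# Constructed sample events, one per attack the UI would list.
EVENTS = [
    {"id": 1, "type": "attacks", "attack": "RCE", "status": 502, "ips": 3,
     "anomalies": {"stamps"}, "day": TODAY},
    {"id": 2, "type": "attacks", "attack": "SQLI", "status": 404, "ips": 150,
     "anomalies": set(), "day": TODAY},
    {"id": 3, "type": "incidents", "attack": "RCE", "status": 500, "ips": 1,
     "anomalies": {"size", "time"}, "day": TODAY},
    {"id": 4, "type": "attacks", "attack": "XSS", "status": 200, "ips": 40,
     "anomalies": set(), "day": TODAY - timedelta(days=90)},
]

def term_matches(term, ev):
    """Evaluate one (un-negated) search token against one event."""
    if term == "today":
        return ev["day"] == TODAY
    m = re.fullmatch(r"ip:>(\d+)", term)          # ip:>100 -> source-IP count
    if m:
        return ev["ips"] > int(m.group(1))
    m = re.fullmatch(r"a:(\w+)", term)            # a:stamps -> anomaly flag
    if m:
        return m.group(1) in ev["anomalies"]
    m = re.fullmatch(r"(\d{3})(\+?)", term)       # 502, or 500+ (>= 500)
    if m:
        code = int(m.group(1))
        return ev["status"] >= code if m.group(2) else ev["status"] == code
    return ev["attack"].lower() == term.lower()   # otherwise: attack type

def search(line, events=EVENTS):
    """Return the ids of events matching a search line, in input order."""
    tokens = line.split()
    types = {t for t in tokens if t in TYPES} or TYPES   # no class given: all
    filters = [t for t in tokens if t not in TYPES]      # ANDed; '!' negates
    hits = []
    for ev in events:
        if ev["type"] not in types:
            continue
        if all(term_matches(t.lstrip("!"), ev) != t.startswith("!") for t in filters):
            hits.append(ev["id"])
    return hits
```

Running search("attacks !a:stamps !500+ ip:>10") over the sample events keeps only events 2 and 4, the ones with many sources but no payload anomaly and no 5xx responses, which is exactly what the recipe above is meant to surface.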

To drill down into the power of Wallarm search engine look at the documentation here: <https://docs.wallarm.com/en/interface/search.html>


The power of Wallarm search engine was originally published in Wallarm on Medium, where people are continuing the conversation by highlighting and responding to this story.