Notifications
The malicious HTTP traffic detected by Seer Box can be sent dynamically to multiple tools that collect and process such data, such as SIEMs and data analysis software, so you can monitor the state of your systems from multiple perspectives and intervene more promptly and accurately in the event of an attack.
Seer Box allows individual malicious transaction logs to be sent to multiple destinations, each configured with its own listening address, port and protocol (TCP or UDP), as well as the specific format it expects.
The different destinations can be configured and managed from the Seer Box web interface or via its REST API.
Types and formats
Generic
The Generic type collects all formats that can be used for different categories of notifications, such as the JSON format.
Format: JSON
{
  "alert_id": "00.2-1-0.xxxxxxxx.xxxxxxxx.xxxxxxxx",
  "id": "xxxxxxxx",
  "network": "XXX.XXX.XXX.XXX/XX",
  "response_size": 0,
  "rq_cookie": [
    [
      "key",
      "value"
    ]
  ],
  "rq_authorization": "xxxxxxxxxxx",
  "last_hop_port": 54402,
  "rq_referer": "http://xxxxxxxxx.xxx/",
  "method": "POST",
  "request_body": "hash_of_the_body",
  "as_number": "000000",
  "path": "/vulnerable",
  "rp_headers": null,
  "last_hop": "XXX.XXX.XXX.XXX",
  "attack_name": "SQL Injection",
  "timestamp": 1708961062000000,
  "continent": "xx",
  "status_code": 500,
  "client_address": "XXX.XXX.XXX.XXX",
  "country": "xx",
  "parameters": [
    [
      "key",
      "value"
    ]
  ],
  "as_organization": "xxxxxxxxxxxx",
  "response_body": null,
  "attack_code": "2-1-0",
  "protocol_version": "HTTP/2.0",
  "rq_host": "xxxxxxxx.xxx",
  "latitude": "XX.XXXX",
  "rq_headers": {
    "Content-Type": "application/json",
    "Cookie": "key=value",
    "Host": "xxxxxxxx.xxx",
    "Referer": "http://xxxxxxxxx.xxx/",
    "User-Agent": "malicious-user-agent",
    "X-Forwarded-For": "XXX.XXX.XXX.XXX"
  },
  "server_port": 443,
  "server_address": "XXX.XXX.XXX.XXX",
  "state": "xxxxxxxxx",
  "city": "xxxxxxxx",
  "pattern": "malicious_pattern",
  "longitude": "XXX.XXX",
  "attack_category": "Injection",
  "rq_user_agent": "malicious-user-agent",
  "request_size": 2132
}
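As an added example (not Seer Box code), the following Python receiver side consumes JSON alert rows of the shape shown above and builds a small triage summary: it validates the fields a rule depends on, converts the timestamp, counts alerts per client and attack category, and flags clients that cross a threshold. It assumes two things the page does not state: rows arrive newline-delimited (one JSON object per "log row"), and `timestamp` is Unix time in microseconds, inferred from the magnitude of the sample value. The sample rows, the client addresses and the `iter_lines`/`loopback_demo` helpers are constructed for the example.

```python
"""Ingest Seer Box JSON alert rows and build a per-client triage summary.

Added example, not Seer Box code. Two assumptions the page does not state:
rows are newline-delimited (one JSON object per line, matching the 'log row'
wording), and `timestamp` is Unix time in microseconds, inferred from the
magnitude of the sample value 1708961062000000.
"""
import json
import socket
from collections import Counter
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("alert_id", "attack_category", "attack_name",
                   "client_address", "path", "timestamp")


def parse_alert(row: str) -> dict:
    """Parse one JSON row, check the fields a triage rule relies on, add an ISO-8601 time."""
    alert = json.loads(row)
    missing = [f for f in REQUIRED_FIELDS if f not in alert]
    if missing:
        raise ValueError(f"alert is missing fields: {missing}")
    us = int(alert["timestamp"])                       # microseconds (assumption, see docstring)
    when = datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc)
    alert["time_utc"] = (when + timedelta(microseconds=us % 1_000_000)).isoformat()
    return alert


def summarize(rows):
    """Count alerts per (client_address, attack_category); malformed rows are counted, not dropped silently."""
    counts, malformed = Counter(), 0
    for row in rows:
        row = row.strip()
        if not row:
            continue
        try:
            alert = parse_alert(row)
        except ValueError:                              # json.JSONDecodeError is a ValueError
            malformed += 1
            continue
        counts[(alert["client_address"], alert["attack_category"])] += 1
    return counts, malformed


def clients_over(counts, threshold):
    """Client addresses whose alert total across all categories reaches the threshold."""
    totals = Counter()
    for (client, _category), n in counts.items():
        totals[client] += n
    return {client for client, n in totals.items() if n >= threshold}


def iter_lines(sock):
    """Yield newline-delimited rows from a connected TCP socket, handling rows split across recv() calls."""
    buf = b""
    while chunk := sock.recv(4096):
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            yield line.decode("utf-8", errors="replace")
    if buf:
        yield buf.decode("utf-8", errors="replace")


def _row(**overrides):
    """Build a constructed sample row using a subset of the keys from the page's JSON example."""
    base = {"alert_id": "00.2-1-0.xxxxxxxx.xxxxxxxx.xxxxxxxx", "attack_category": "Injection",
            "attack_name": "SQL Injection", "method": "POST", "path": "/vulnerable",
            "status_code": 500, "timestamp": 1708961062000000, "client_address": "203.0.113.7"}
    base.update(overrides)
    return json.dumps(base)


# Constructed sample input: three valid rows, one malformed row, one blank line.
SAMPLE_ROWS = [
    _row(),
    _row(timestamp=1708961065000000, path="/login"),
    _row(timestamp=1708961070000000, client_address="198.51.100.9"),
    "this is not json",
    "",
]


def loopback_demo():
    """Push SAMPLE_ROWS through a socketpair, as a TCP destination would receive them; return the summary."""
    sender, receiver = socket.socketpair()
    sender.sendall(("\n".join(SAMPLE_ROWS) + "\n").encode())
    sender.close()
    try:
        return summarize(iter_lines(receiver))
    finally:
        receiver.close()


if __name__ == "__main__":
    counts, malformed = loopback_demo()
    for (client, category), n in counts.most_common():
        print(f"{client:16} {category:12} {n}")
    print(f"malformed rows: {malformed}; noisy clients: {clients_over(counts, 2)}")
```

For a UDP destination the framing step is unnecessary, since each datagram carries one row; `summarize` can be fed the decoded datagrams directly. Counting malformed rows rather than discarding them quietly matters in practice: a sudden rise in that counter is usually the first sign that the format configured on the destination no longer matches what the collector expects.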
SIEM
The SIEM type encapsulates the different formats accepted by commercial and open source SIEMs, such as the CEF format and the LEEF format.
Format: CEF
CEF:1|Pluribus One|Seer Box|23.4.1|Injection|SQL Injection|5|alertId=01.3-3-2.xxxxxxxx.xxxxxxxx.xxxxxxxx attackPattern=malicious_pattern dhost=xxxxxxxx.xxx dpt=54402 dst=XXX.XXX.XXX.XXX httpRespCode=500 in=443 lastHop=XXX.XXX.XXX.XXX out=0 request=/vulnerable requestApplication=malicious-user-agent requestContext=http://xxxxxxxx.xxx/ requestMethod=POST rt=Feb 26 2024 15:35:30 src=XXX.XXX.XXX.XXX
Format: LEEF
LEEF:2|Pluribus One|Seer Box|23.4.1|SQL Injection|Injection||alertId=01.3-3-2.xxxxxxxx.xxxxxxxx.xxxxxxxx attackPattern=malicious_pattern dhost=xxxxxxxx.xxx dpt=54402 dst=XXX.XXX.XXX.XXX httpRespCode=500 in=443 lastHop=XXX.XXX.XXX.XXX out=0 request=/vulnerable requestApplication=malicious-user-agent requestContext=http://xxxxxxxx.xxx/ requestMethod=POST rt=Feb 26 2024 15:35:30 src=XXX.XXX.XXX.XXX
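As an added example (not Seer Box or SIEM vendor code), the following Python parser handles both the CEF and the LEEF rows shown above and normalizes them into one record, which is what a collector needs before it can write a rule that fires regardless of which format a destination was configured with. It follows the shape of the page's sample rows: seven pipe-separated header fields, then `key=value` extension pairs separated by spaces whose values may themselves contain spaces (`rt=Feb 26 2024 15:35:30`). Assumptions not stated on the page: the LEEF delimiter field is ignored and extensions are split on whitespace, escaped `\|` and `\=` are unescaped, and the `rt` value carries no timezone.

```python
"""Parse Seer Box CEF and LEEF rows into header fields plus an extension dict.

Added example, not Seer Box or SIEM vendor code. It follows the shape of the
sample rows on this page: seven pipe-separated header fields, then key=value
extension pairs separated by spaces whose values may contain spaces
(rt=Feb 26 2024 15:35:30). Assumptions: the LEEF delimiter field is ignored
and extensions are split on whitespace; the rt timestamp has no timezone.
"""
import re
from datetime import datetime

# Sample rows as shown on this page (the LEEF row carries the same extension as the CEF row).
CEF_SAMPLE = ("CEF:1|Pluribus One|Seer Box|23.4.1|Injection|SQL Injection|5|"
              "alertId=01.3-3-2.xxxxxxxx.xxxxxxxx.xxxxxxxx attackPattern=malicious_pattern "
              "dhost=xxxxxxxx.xxx dpt=54402 dst=XXX.XXX.XXX.XXX httpRespCode=500 in=443 "
              "lastHop=XXX.XXX.XXX.XXX out=0 request=/vulnerable "
              "requestApplication=malicious-user-agent requestContext=http://xxxxxxxx.xxx/ "
              "requestMethod=POST rt=Feb 26 2024 15:35:30 src=XXX.XXX.XXX.XXX")
LEEF_SAMPLE = ("LEEF:2|Pluribus One|Seer Box|23.4.1|SQL Injection|Injection||"
               + CEF_SAMPLE.split("|", 7)[7])

# Header field names after the leading "CEF:<version>" / "LEEF:<version>" field.
CEF_HEADER = ("vendor", "product", "product_version", "signature_id", "name", "severity")
LEEF_HEADER = ("vendor", "product", "product_version", "event_id", "category", "delimiter")

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")                     # a pipe not preceded by a backslash
_EXT_PAIR = re.compile(r"(?:^|\s+)(\w+)=(.*?)(?=\s+\w+=|$)")  # value runs until the next key=


def parse_row(row: str) -> dict:
    """Split one CEF or LEEF row into {'header': {...}, 'extension': {...}}."""
    parts = _HEADER_SPLIT.split(row.rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 header fields followed by an extension")
    fmt, _, version = parts[0].partition(":")
    if fmt == "CEF":
        names = CEF_HEADER
    elif fmt == "LEEF":
        names = LEEF_HEADER
    else:
        raise ValueError(f"unknown row format {parts[0]!r}")
    header = {n: v.replace("\\|", "|") for n, v in zip(names, parts[1:7])}
    header["format"], header["version"] = fmt, version
    extension = {k: v.replace("\\=", "=") for k, v in _EXT_PAIR.findall(parts[7])}
    return {"header": header, "extension": extension}


def parse_rt(value: str) -> datetime:
    """Parse the rt extension ('Feb 26 2024 15:35:30'); no timezone is given, so the result is naive."""
    return datetime.strptime(value, "%b %d %Y %H:%M:%S")


def normalize(parsed: dict) -> dict:
    """Map a parsed CEF or LEEF row onto one format-independent record for rule writing."""
    h, e = parsed["header"], parsed["extension"]
    cef = h["format"] == "CEF"
    return {
        "alert_id": e.get("alertId"),
        "attack": h["name"] if cef else h["event_id"],          # CEF name / LEEF event id
        "category": h["signature_id"] if cef else h["category"],
        "client": e.get("src"),
        "last_hop": e.get("lastHop"),
        "server": e.get("dst"),
        "host": e.get("dhost"),
        "method": e.get("requestMethod"),
        "path": e.get("request"),
        "status": int(e["httpRespCode"]) if "httpRespCode" in e else None,
        "time": parse_rt(e["rt"]) if "rt" in e else None,
    }


if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF_SAMPLE):
        rec = normalize(parse_row(sample))
        print(f"{parse_row(sample)['header']['format']:4} {rec['client']} {rec['category']}/{rec['attack']} {rec['method']} {rec['path']} -> {rec['status']}")
```

The two sample rows normalize to the same record, which is the property to check when switching a destination from one SIEM format to another: a rule keyed on `category` and `client` keeps working either way.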
Add a notification
Adding a notification is allowed only for users in the admins group or users who belong to a group with permissions related to notification management (Handle notifications).
From Seer Box web interface
- Access the Settings - Notifications section: this page lists the destinations already added. Clicking on an item displays its details.
- Click on the Create notification button in the upper right corner of the page.
- Enter the data:
  - Enabled - a switch to enable or disable the notification.
  - Name - the name of the notification. It must be different from existing ones.
  - Destination address - destination IP address.
  - Destination port - destination port.
  - Protocol - protocol used for sending the notification.
  - Notification type - destination type. The type categorizes the formats defined in the next field.
  - Notification format - notification format. It specifies the structure of the log row sent to the destination.
- Click on the Save button in the upper right corner of the page.
The new notification destination will appear on the summary page.
Edit a notification
Editing a notification is allowed only for users in the admins group or users who belong to a group with permissions related to notification management (Handle notifications).
From Seer Box web interface
- Access the Settings - Notifications section: this page lists the destinations already added. Clicking on an item displays its details.
- Click on the Edit button with a pencil icon at the right end of the notification you want to edit.
- Edit the chosen fields.
- Click on the Save button in the upper right corner of the page.
Delete a notification
Deleting a notification is allowed only for users in the admins group or users who belong to a group with permissions related to notification management (Handle notifications).
Deleting a notification is irreversible: once done, the item can only be restored by creating it again.
If you want to disable a destination without deleting its configuration, edit the item and turn off the Enabled switch.
From Seer Box web interface
- Access the Settings - Notifications section: this page lists the destinations already added. Clicking on an item displays its details.
- Select one or more destinations to delete by clicking the checkbox at the left end of each item.
- As soon as at least one item is selected, the Delete button with a trash can icon appears in the upper right corner of the destinations list.
- Clicking this button displays a modal summarizing the operation. Click the Confirm button to confirm.