
Other settings

General

Several categories of general settings are accessible from the General section.

From Seer Box web interface

  1. Open the Settings - General section.

Retention

The Retention settings control how long HTTP traffic, alerts, rules, metrics and audit log data are kept before they are removed.

| Field | Type | Description |
| --- | --- | --- |
| Audit logs removed after | Integer | Number of days after which audit logs older than this value are permanently deleted. |
| Deleted rules removed after | Integer | Number of days after which binned rules older than this value are permanently deleted. |
| Alerts ignored after | Integer | Number of days after which alerts older than this value are automatically ignored. |
| Handled or ignored alerts removed after | Integer | Number of days after which handled or ignored alerts older than this value are permanently deleted. |
| Hourly trends deleted after | Integer | Number of days after which metrics and trends older than this value are permanently removed. |
| HTTP traffic deleted after | Integer | Number of days after which HTTP traffic older than this value is permanently deleted. Stored HTTP traffic has a large impact on the amount of disk space required by the system. |
| Unseen unrelated hosts deleted after | Integer | Number of days after which unseen unrelated Hosts (not associated with a Domain Group) are deleted. |

Mailer

The Mailer is the component responsible for automatically sending the emails that contain scheduled reports. Configure it with your own mail server and credentials before scheduling reports.

| Field | Type | Description |
| --- | --- | --- |
| Server host | String | The outgoing mail server hostname. |
| Server port | Integer | The outgoing mail server port. Typically, port 465 (TLS or SSL) or port 587 (unencrypted connection) is used. |
| Secure connection (SSL) | Boolean | If enabled, SSL encryption is used when sending. |
| Username | String | Username for the outgoing mail server. |
| Password | String | Password for the outgoing mail server. |

Detection

The Detection section lets you enable or disable each of the detection modules available on Seer Box.

From Seer Box web interface

  1. Open the Settings - Detection section.

General

| Field | Type | Description |
| --- | --- | --- |
| Exclude status code from detection | Status codes list | Prevents detection on requests whose response has one of the listed status codes. |
| Whitelist | IP addresses/network list | Prevents detection on requests whose source IP matches one of the listed addresses or networks. |

Detection modules

Detection modules are grouped by attack category following the OWASP Top 10.

Broken access control

https://owasp.org/Top10/A01_2021-Broken_Access_Control/

Drupal Probing

Drupal Probing is a module designed to detect and thwart attempts to fingerprint web applications that utilize the Drupal content management system (CMS).

Path Traversal

Path Traversal is a module that identifies and prevents unauthorized attempts to access directories outside the one the application is meant to serve.

WordPress Probing

WordPress Probing is a module that identifies attempts to fingerprint web applications that utilize the WordPress CMS.

Identification and authentication failures

https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/

Botnet

The Botnet module identifies attack attempts originating from known botnets.

Brute Force

The Brute Force module detects repeated unauthorized access attempts against resources or sections that use brute-force techniques.

Fake Bot

The Fake Bot module identifies User-Agent spoofing by clients that try to impersonate legitimate bots.

Malicious Scanner

The Malicious Scanner module detects application scanning by malicious automated clients.

Injection

https://owasp.org/Top10/A03_2021-Injection/

Code Injection

This module identifies attempts to inject malicious code into HTTP requests.

Command Injection

This module detects attempts to inject system commands into HTTP requests.

Cross Site Scripting (XSS)

This module identifies attempts to inject malicious JavaScript code into HTTP requests.

JNDI Injection

This module detects attempts to exploit vulnerabilities in the Java Naming and Directory Interface (JNDI) by injecting malicious code into HTTP requests.

SQL Injection

This module identifies attempts to inject malicious SQL queries into HTTP requests.

XML External Entity (XXE)

This module detects attempts to exploit vulnerabilities in XML parsers by injecting malicious XML into HTTP requests.

Network rules

The Network rules section provides access to the settings for network rules: their expiration behaviour and their automatic creation.

From Seer Box web interface

  1. Open the Settings - Network rules section.

General

| Field | Type | Description |
| --- | --- | --- |
| Expire strategy | String | Specifies whether a network rule is disabled or deleted when it reaches its expiration date. |

Automation

The Automation settings control the automatic creation of network rules in response to alerts detected by Seer Box.

| Field | Type | Description |
| --- | --- | --- |
| Enable | Boolean | When enabled, network rules are created automatically when new malicious traffic is detected. |
| Update firewall after rule creation | Boolean | If enabled, the configured firewall is updated with the newly created rules. |
| Default duration | Integer | The duration assigned to automatically generated network rules. |
| Whitelist | IP addresses/network list | List of IP addresses or networks for which blocking rules are never generated automatically. |
| Enable only for Domain Groups | Domain groups list | List of Domain Groups for which blocking rules are automatically generated. If empty, Seer Box automatically generates rules for all Domain Groups. |
| Enable only for Hosts | Hosts list | List of Hosts for which blocking rules are automatically generated. If empty, Seer Box automatically generates rules for all Hosts. |
| Enable only for attack types | Attack types list | List of attack types for which blocking rules are automatically generated. If empty, Seer Box automatically generates rules for all attack types. |
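As an added example (not Seer Box's own code), the following Python models how the Automation settings above, together with the Expire strategy from the General table, decide whether an alert turns into a blocking rule and what happens to that rule once it expires. The class and field names, the assumption that Default duration is expressed in days, and the sample alerts are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class AutomationSettings:
    """Hypothetical model of the Automation and Expire strategy fields; not Seer Box code."""
    enable: bool = True
    default_duration_days: int = 7                           # assumption: duration in days
    whitelist: list = field(default_factory=list)            # IPs or CIDR networks
    only_domain_groups: list = field(default_factory=list)   # empty list = all
    only_hosts: list = field(default_factory=list)
    only_attack_types: list = field(default_factory=list)
    expire_strategy: str = "disable"                         # or "delete"

def is_whitelisted(ip, whitelist):
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in whitelist)

def rule_for_alert(alert, cfg):
    """Return a blocking rule for the alert, or None when the settings suppress it."""
    if not cfg.enable or is_whitelisted(alert["source_ip"], cfg.whitelist):
        return None
    for key, allowed in (("domain_group", cfg.only_domain_groups),
                         ("host", cfg.only_hosts),
                         ("attack_type", cfg.only_attack_types)):
        if allowed and alert[key] not in allowed:   # an empty list means "all"
            return None
    return {"block": alert["source_ip"], "enabled": True, "reason": alert["attack_type"],
            "expires_at": alert["seen_at"] + timedelta(days=cfg.default_duration_days)}

def apply_expiry(rules, now, cfg):
    """Expire strategy: 'disable' keeps an expired rule but switches it off; 'delete' drops it."""
    kept = [r for r in rules if r["expires_at"] > now]
    if cfg.expire_strategy == "disable":
        kept += [{**r, "enabled": False} for r in rules if r["expires_at"] <= now]
    return kept

# Constructed sample alerts (not real traffic); 10.0.0.5 falls inside the whitelist below.
SEEN = datetime(2024, 1, 1)
SAMPLE_ALERTS = [
    {"source_ip": "203.0.113.7", "host": "shop.example", "domain_group": "web", "attack_type": "SQL Injection", "seen_at": SEEN},
    {"source_ip": "10.0.0.5", "host": "shop.example", "domain_group": "web", "attack_type": "SQL Injection", "seen_at": SEEN},
    {"source_ip": "198.51.100.9", "host": "admin.example", "domain_group": "web", "attack_type": "Brute Force", "seen_at": SEEN},
]
SAMPLE_SETTINGS = AutomationSettings(whitelist=["10.0.0.0/8"], only_attack_types=["SQL Injection"])

def auto_rules(cfg=SAMPLE_SETTINGS):
    return [r for r in (rule_for_alert(a, cfg) for a in SAMPLE_ALERTS) if r]
```

Only the first sample alert produces a rule: the second source is whitelisted and the third attack type is outside the "Enable only for attack types" list.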