Other settings
General
Several categories of general settings are accessible from the General section.
From Seer Box web interface
- Access to
Settings - Generalsection.
Retention
The Retention settings control how long HTTP traffic, alerts, rules, metrics, and audit logs data are retained.
| Field | Type | Description |
|---|---|---|
| Audit logs removed after | Integer | Number of days after which audit logs older than this value are permanently deleted. |
| Deleted rules removed after | Integer | Number of days after which binned rules older than this value are permanently deleted. |
| Alerts ignored after | Integer | Number of days after which alerts older than this value are automatically ignored. |
| Handled or ignored alerts removed after | Integer | Number of days after which managed or ignored alerts older than this value are permanently deleted. |
| Hourly trends deleted after | Integer | Number of days after which metrics and trends older than this value are permanently removed. |
| Http traffic deleted after | Integer | Number of days after which HTTP traffic older than this value is permanently deleted. Stored HTTP traffic have a large impact on the amount of disk space required by the system. |
| Unseen unrelated hosts deleted after | Integer | Number of days after which unseen unrelated Hosts (not associated with a Domain Group) will be deleted. |
Mailer
The Mailer is the component responsible for automatically sending emails containing the scheduled reports. You need to configure this component in order to set up your own mail server and credentials.
| Field | Type | Description |
|---|---|---|
| Server host | String | The outgoing mail server hostname. |
| Server port | Integer | The outgoing mail server port. Tipically, port 465 (TLS or SSL) or port 587 (unencrypted connection) is used. |
| Secure connection (SSL) | Boolean | If enabled, it uses SSL encryption for sending. |
| Username | String | User username for the outgoing mail server. |
| Password | String | User password for the outgoing mail server. |
Detection
The Detection section allows you to enable or disable the individual detection modules available on Seer Box.
From Seer Box web interface
- Access to
Settings - Detectionsection.
General
| Field | Type | Description |
|---|---|---|
| Exclude status code from detection | Status codes list | It allows to prevent detection on requests with a specific response code. |
| Whitelist | IP addresses/network list | It allows to prevent detection on requests with a specific IP as source. |
Detection modules
Modules related to the different attack categories are categorized based on OWASP Top 10.
Broken access control
https://owasp.org/Top10/A01_2021-Broken_Access_Control/
Drupal Probing
Drupal Probing is a module designed to detect and thwart attempts to fingerprint web applications that utilize the Drupal content management system (CMS).
Path Traversal
Path Traversal is a module that identifies and prevents unauthorized access attempts to directories external to the current one.
Wordpress Probing
Wordpress Probing is a module that identifies attempts to fingerprint web applications that utilize the Wordpress CMS.
Identification and authentication failures
https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
Botnet
The Botnet module identifies attempts of attack from known botnets.
Brute Force
The Brute Force module detects repeated attempts of unauthorized access to resources or sections using brute force techniques.
Fake Bot
The Fake Bot module identifies attempts of User-Agent spoofing by clients trying to impersonate legitimate bots.
Malicious Scanner
The Malicious Scanner module detects attempts of application scanning by malicious automated clients.
Injection
https://owasp.org/Top10/A03_2021-Injection/
Code Injection
This module identifies attempts to inject malicious code into HTTP requests.
Command Injection
This module detects attempts to inject system commands into HTTP requests.
Cross Site Scripting (XSS)
This module identifies attempts to inject malicious JavaScript code into HTTP requests.
JNDI Injection
This module detects attempts to exploit vulnerabilities in the Java Naming and Directory Interface (JNDI) by injecting malicious code into HTTP requests.
SQL Injection
This module identifies attempts to inject malicious SQL queries into HTTP requests.
XML External Entity (XXE)
This module detects attempts to exploit vulnerabilities in XML parsers by injecting malicious XML into HTTP requests.
Network rules
The Network rules section provides access to settings related to network rules, their duration and automation.
From Seer Box web interface
- Access to
Settings - Network rulessection.
General
| Field | Type | Description |
|---|---|---|
| Expire strategy | String | It specifies whether a network rule should be disabled or deleted when it reaches its expiration date. |
Automation
The Automation settings allow you to manage the automatic creation of network rules in response to alerts detected by Seer Box.
| Field | Type | Description |
|---|---|---|
| Enable | Boolean | When enabled, it allows to automatically create network rules when new malicious traffic arrives. |
| Update firewall after rule creation | Boolean | If enabled, updates the configured firewall with the newly created rules. |
| Default duration | Integer | The duration set for automatically generated network rules. |
| Whitelist | IP addresses/network list | List of IP addresses or address networks for which blocking rules are not automatically generated. |
| Enable only for Domain Groups | Domain groups list | List of Domain Groups for which blocking rules are automatically generated. If empty, Seer Box will automatically generate rule for all Domain Groups. |
| Enable only for Hosts | Hosts list | List of Hosts for which blocking rules are automatically generated. If empty, Seer Box will automatically generate rule for all Hosts. |
| Enable only for attack types | Attack types list | List of attack types for which blocking rules are automatically generated. If empty, Seer Box will automatically generate rule for all the attack types. |