Alerts

Seer Box analyzes incoming traffic and identifies potential attacks by generating alerts.

An alert is created when a specific pattern of malicious behaviour is detected across multiple target fields, effectively grouping multiple HTTP transactions within a single alert. This grouping provides several advantages:

  1. More effective rules: this approach simplifies the identification of techniques and strategies used by attackers, enabling the creation of more precise response rules.
  2. Simplified visualization: users can focus on a single report that represents a set of related malicious activities instead of having to manage and analyze each suspicious transaction. This reduces the risk of overlooking important details.
  3. Plain attack view: the complete attack view allows for identification of repeated attack attempts on different target fields, even if they are from the same attacker. This enables better assessment of the impact of the attacks.

Main concepts

Attack type

The attack type associated with each alert. For better classification, each specific type is mapped to a category of the OWASP Top 10. More details on the individual types and their detection modules can be found in the Detection section.

Request host

As mentioned earlier, each alert groups multiple malicious HTTP transactions: one of the keys to such grouping is the Host header of the request. Each alert will consequently be associated with only one host.

Attack pattern

The attack pattern is a two-element field:

  1. The pattern, which is the main and common characteristic of different transactions that identifies the attack attempt. Depending on the type of attack, the pattern can be a portion of a payload, an IP address, or even more generally a portion of a string. It is also used as a key for grouping, so each alert will be related to a single pattern.

  2. A list of targets, i.e., fields in the HTTP request targeted by the attack (e.g., the uri path, the value of a uri parameter key, the Referer header, etc.). An alert can be associated with multiple targets, thus allowing a complete view of the attack on the specific web application by correlating different targets that are victims of the same pattern.

Payload

The payload identifies the value of the target field that is the victim of the attack. It's possible to have multiple payloads on the same target.

Alert specifications

The alert specifications define the context specifications related to the attack pattern: this is the set of fields that identify the portion of the application subject to the attack attempt. This set depends on the specific target, as described in the table below:

Target               | Alert specifications
Host                 | -
Uri path             | Host
Uri parameter key    | Host - Uri path
Uri parameter value  | Host - Uri path - Uri parameter key
Request header       | Host - Uri path
Request body         | Host - Uri path
Response header      | Host - Uri path
Response body        | Host - Uri path
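To make the grouping model concrete, here is an added example (not Seer Box code) that models how flagged HTTP transactions are grouped into alerts, with attack type, Host header and pattern as the grouping key, targets and their payloads accumulated inside each alert, and the context specifications derived per target from the table above. The Transaction and Alert classes, the field names and the sample transactions are all constructed for illustration.

```python
"""Added example, not Seer Box code: a small model of how flagged HTTP
transactions are grouped into alerts (attack type + Host header + pattern as
the key, targets and payloads accumulated inside), with the alert
specifications derived per target from the table above. Field names, the
Transaction/Alert classes and the sample transactions are all constructed."""
from dataclasses import dataclass, field

# Context fields that make up the alert specifications for each target,
# following the table in this section (tuple order is the key layout).
ALERT_SPECS = {
    "host": (),
    "uri_path": ("host",),
    "uri_parameter_key": ("host", "uri_path"),
    "uri_parameter_value": ("host", "uri_path", "uri_parameter_key"),
    "request_header": ("host", "uri_path"),
    "request_body": ("host", "uri_path"),
    "response_header": ("host", "uri_path"),
    "response_body": ("host", "uri_path"),
}


@dataclass
class Transaction:
    """One HTTP transaction already flagged by a detection module (constructed)."""
    host: str
    uri_path: str
    attack_type: str
    pattern: str        # common characteristic shared with other transactions
    target: str         # which request/response field carried the attack
    payload: str        # value of the target field
    client_ip: str
    uri_parameter_key: str = ""   # only meaningful for parameter targets


@dataclass
class Alert:
    """One alert: a single attack type, Host and pattern, many targets."""
    attack_type: str
    host: str
    pattern: str
    targets: dict = field(default_factory=dict)       # target -> set of payloads
    specifications: set = field(default_factory=set)  # (target, context) pairs
    clients: set = field(default_factory=set)         # sources a network rule would cover
    transactions: list = field(default_factory=list)


def context_for(tx):
    """Alert specifications for one transaction: the (field, value) pairs that
    locate the attacked part of the application, per the target's table row."""
    return tuple((name, getattr(tx, name)) for name in ALERT_SPECS[tx.target])


def group_alerts(transactions):
    """Group transactions into alerts keyed by attack type, Host and pattern."""
    alerts = {}
    for tx in transactions:
        key = (tx.attack_type, tx.host, tx.pattern)
        alert = alerts.setdefault(key, Alert(tx.attack_type, tx.host, tx.pattern))
        alert.targets.setdefault(tx.target, set()).add(tx.payload)
        alert.specifications.add((tx.target, context_for(tx)))
        alert.clients.add(tx.client_ip)
        alert.transactions.append(tx)
    return list(alerts.values())


# Constructed sample: three transactions share host and pattern (one alert with
# two targets), the fourth hits a different host (a second alert).
SAMPLE_TRANSACTIONS = [
    Transaction("shop.example", "/search", "SQL injection", "' OR 1=1",
                "uri_parameter_value", "' OR 1=1 --", "198.51.100.7",
                uri_parameter_key="q"),
    Transaction("shop.example", "/search", "SQL injection", "' OR 1=1",
                "uri_parameter_value", "' OR 1=1 #", "198.51.100.7",
                uri_parameter_key="q"),
    Transaction("shop.example", "/login", "SQL injection", "' OR 1=1",
                "request_body", "user=' OR 1=1", "203.0.113.9"),
    Transaction("api.example", "/v1/items", "SQL injection", "' OR 1=1",
                "uri_path", "/v1/items' OR 1=1", "203.0.113.9"),
]

if __name__ == "__main__":
    for alert in group_alerts(SAMPLE_TRANSACTIONS):
        print(f"{alert.attack_type} on {alert.host}, pattern {alert.pattern!r}: "
              f"{len(alert.transactions)} transactions, targets {sorted(alert.targets)}, "
              f"{len(alert.specifications)} context specifications, "
              f"clients {sorted(alert.clients)}")
```

Running the sample yields two alerts: the shop.example alert carries two targets (the `q` parameter value on /search and the request body on /login), two context specifications and two client addresses, which is exactly the information the default Application, Network and Legitimate rulesets described later in this page are built from; the api.example transaction lands in its own alert because the Host differs.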

Alert management

A Seer Box alert indicates an attempted attack and can be addressed in various ways based on the operator's analysis and risk assessment, as well as the available and configured protection devices.

Seer Box enables the creation of network and application rules from an alert, as well as the ability to flag it as legitimate or ignore it.

Only users in the admins group or users belonging to a group with Explore alerts permission associated with one or more domain groups are allowed to view and delete alerts. If the user belongs to the latter group, they will only be able to view alerts associated with the configured domain groups.

Users in the admins group or in a group with Handle rules permission associated with the domain group to which the alert belongs can manage alerts by creating one or more rules.

From Seer Box web interface

  1. Access the Alerts page: in this section you can view the list of alerts reported by Seer Box.

  2. To inspect the individual alert simply click on the Inspect button on the right end of the item.

The detail page displays information related to the alert, including tables with context specifications and malicious HTTP transactions.

From the upper right corner you can perform several actions:

  • Advanced protection: this action opens a wizard for managing the alert, creating application rules, network rules, or legitimate rules associated with it.
  • Other actions - Create default Application ruleset: this action creates the minimum set of unoptimized application rules necessary to cover all context specifications reported in the alert.
  • Other actions - Create default Network ruleset: this action creates the minimum set of network rules that block the clients responsible for the alert.
  • Other actions - Create default Legitimate signature: this action creates the minimum set of legitimate elements associated with all context specifications flagged in the alert.
  • Other actions - Delete: this action ignores the alert.

Advanced protection

From Seer Box web interface

  1. From the alert detail page click on the Advanced protection button. A wizard will be displayed at the top of the page.

  2. From the Strategy field, you will be able to choose what kind of strategy you want to apply for managing the alert. Read the Creation Wizard section for more details:

Info: You can create any number of Application, Network or Legitimate Rules you need to manage the alert!

  3. After the wizard has been completed, the interface will show a summary of the rules created. To add an additional rule click on the Add rule button. Otherwise, simply click Save in the top right corner of the page to complete the process. The alert will then be removed from the summary list, and the new rules will be visible on the relevant pages.

Alert Export

From the Alert page, it is possible to export alert information in CSV format, choosing the fields to be included and generating a CSV file with the following characteristics:

  • Separator: the pipe (|) symbol;

  • Delimiter: the newline character \r\n;

  • Escape: the double quote (") symbol.

  1. From the Alert page click on the Actions button, then select Export CSV.

  2. Select fields in the modal and click on Export.

The same process can be used to export HTTP traffic from the HTTP Traffic section, selecting different fields in the HTTP request and response and exporting it using the same CSV file format.
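The export format above (pipe separator, \r\n record delimiter, double-quote escape) is not the default dialect of most CSV tooling, so an exported alert or HTTP-traffic file must be read with the matching settings or fields that themselves contain a pipe or a quote are split or truncated. The following is an added example, not Seer Box code, that writes and reads that layout with Python's standard csv module; the sample alert rows are constructed, and the assumption that a quote inside a field is escaped by doubling it (RFC 4180 style) is ours.

```python
"""Added example, not Seer Box code: write and read the CSV export layout
described above (pipe separator, \\r\\n record delimiter, double-quote
escape) with the standard csv module. Sample rows are constructed; escaping
a quote by doubling it is an assumption (standard RFC 4180 behaviour)."""
import csv
import io

# Dialect parameters matching the documented export characteristics.
EXPORT_DIALECT = dict(
    delimiter="|",              # separator
    lineterminator="\r\n",      # record delimiter
    quotechar='"',              # escape character
    doublequote=True,           # a quote inside a field is written as ""
    quoting=csv.QUOTE_MINIMAL,  # quote only fields that need it
)


def write_export(rows, fields):
    """Serialise dict rows to export text, header first, keeping only `fields`
    (mirrors choosing the fields to include in the export modal)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore",
                            **EXPORT_DIALECT)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_export(text):
    """Parse export text back into a list of dicts keyed by the header row.
    newline="" keeps \\r\\n intact so quoted multi-line values survive."""
    reader = csv.DictReader(io.StringIO(text, newline=""), **EXPORT_DIALECT)
    return list(reader)


# Constructed sample rows; the first payload contains both a pipe and quotes,
# which is exactly the case a naive split("|") would break.
EXPORT_FIELDS = ["id", "attack_type", "host", "pattern", "payload"]
SAMPLE_ALERTS = [
    {"id": "1", "attack_type": "SQL injection", "host": "shop.example",
     "pattern": "' OR 1=1", "payload": 'q=1" OR "a"|"a'},
    {"id": "2", "attack_type": "Path traversal", "host": "shop.example",
     "pattern": "../", "payload": "../../app.conf"},
]


def naive_split_is_wrong(text):
    """Show why the dialect matters: splitting records on '|' miscounts the
    columns of the row whose payload contains a pipe."""
    records = text.rstrip("\r\n").split("\r\n")
    return any(len(rec.split("|")) != len(EXPORT_FIELDS) for rec in records)


if __name__ == "__main__":
    text = write_export(SAMPLE_ALERTS, EXPORT_FIELDS)
    print(text)
    for row in parse_export(text):
        print(row["id"], row["attack_type"], repr(row["payload"]))
    print("naive split breaks:", naive_split_is_wrong(text))
```

The same functions apply to an HTTP Traffic export, since the page states it uses the same file format; only the header row (the selected request and response fields) changes.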