Alerts

Seer Box analyzes incoming traffic and identifies potential attacks by generating alerts.

An alert is created when a specific pattern of malicious behaviour is detected across multiple target fields, effectively grouping multiple HTTP transactions within a single alert. This grouping provides several advantages:

  1. More effective rules: this approach simplifies the identification of techniques and strategies used by attackers, enabling the creation of more precise response rules.
  2. Simplified visualization: users can focus on a single report that represents a set of related malicious activities instead of having to manage and analyze each suspicious transaction. This reduces the risk of overlooking important details.
  3. Plain attack view: the complete attack view allows for identification of repeated attack attempts on different target fields, even if they are from the same attacker. This enables better assessment of the impact of the attacks.

Main concepts

Attack type

The attack type associated with each alert. For better classification, each specific type is mapped to a category of the OWASP Top 10. More details on the individual types and their detection modules can be found in the Detection section.

Request host

As mentioned earlier, each alert groups multiple malicious HTTP transactions: one of the keys to such grouping is the Host header of the request. Each alert will consequently be associated with only one host.

Attack pattern

The attack pattern is a two-element field:

  1. The pattern, which is the main and common characteristic of different transactions that identifies the attack attempt. Depending on the type of attack, the pattern can be a portion of a payload, an IP address, or even more generally a portion of a string. It is also used as a key for grouping, so each alert will be related to a single pattern.

  2. A list of targets, i.e., fields in the HTTP request targeted by the attack (e.g., the URI path, the value of a URI parameter key, the Referer header, etc.). An alert can be associated with multiple targets, thus allowing a complete view of the attack on the specific web application, correlating different targets that are victims of the same pattern.

Payload

The payload identifies the value of the target field that is the victim of the attack. It's possible to have multiple payloads on the same target.

Alert specifications

The alert specifications define the context specifications related to the attack pattern: this is the set of fields that identify the portion of the application subject to the attack attempt. This set depends on the specific target, as described in the table below:

Target              | Alert specifications
--------------------|------------------------------------
Host                | -
Uri path            | Host
Uri parameter key   | Host - Uri path
Uri parameter value | Host - Uri path - Uri parameter key
Request header      | Host - Uri path
Request body        | Host - Uri path
Response header     | Host - Uri path
Response body       | Host - Uri path
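The grouping described in the Request host, Attack pattern and Alert specifications sections can be made concrete with a small model. The following is an added example, not Seer Box code: it keys alerts on (host, pattern), attaches every targeted field with its context specification as transcribed from the table above, and collects the payloads seen per specification. Field names, the Transaction and Alert classes and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Alert specification fields per target, transcribed from the table above
# (internal field names are this example's own naming).
SPEC_FIELDS = {
    "host": (),
    "uri_path": ("host",),
    "uri_param_key": ("host", "uri_path"),
    "uri_param_value": ("host", "uri_path", "uri_param_key"),
    "request_header": ("host", "uri_path"),
    "request_body": ("host", "uri_path"),
    "response_header": ("host", "uri_path"),
    "response_body": ("host", "uri_path"),
}


@dataclass
class Transaction:
    """One HTTP transaction in which a detection module found `pattern`."""
    host: str
    uri_path: str
    target: str                    # one of the SPEC_FIELDS keys
    payload: str                   # full value of the targeted field
    pattern: str                   # the malicious pattern detected in it
    uri_param_key: Optional[str] = None


@dataclass
class Alert:
    """Alert = one host + one pattern; targets map to {context spec: payloads}."""
    host: str
    pattern: str
    targets: dict = field(default_factory=dict)


def context_spec(tx: Transaction) -> tuple:
    """Context specification of a transaction: the table's fields for its target."""
    return tuple((name, getattr(tx, name)) for name in SPEC_FIELDS[tx.target])


def group_alerts(transactions) -> list:
    """Group transactions into alerts keyed on (host, pattern)."""
    alerts = {}
    for tx in transactions:
        alert = alerts.setdefault((tx.host, tx.pattern),
                                  Alert(host=tx.host, pattern=tx.pattern))
        spec_payloads = alert.targets.setdefault(tx.target, {})
        # Several payloads may hit the same target under the same specification.
        spec_payloads.setdefault(context_spec(tx), set()).add(tx.payload)
    return list(alerts.values())


def find_alert(alerts, host: str, pattern: str) -> Optional[Alert]:
    return next((a for a in alerts if a.host == host and a.pattern == pattern), None)


# Constructed sample: the same pattern seen on two parameters and a header of
# one host, plus once on the URI path of another host.
SAMPLE_TRANSACTIONS = [
    Transaction("app.example.com", "/login", "uri_param_value",
                "pattern-A trailing", "pattern-A", uri_param_key="user"),
    Transaction("app.example.com", "/search", "uri_param_value",
                "x pattern-A", "pattern-A", uri_param_key="q"),
    Transaction("app.example.com", "/login", "request_header",
                "pattern-A", "pattern-A"),
    Transaction("api.example.com", "/v1", "uri_path",
                "/v1/pattern-A", "pattern-A"),
]

if __name__ == "__main__":
    for alert in group_alerts(SAMPLE_TRANSACTIONS):
        print(alert.host, alert.pattern)
        for target, specs in alert.targets.items():
            for spec, payloads in specs.items():
                print("  ", target, dict(spec), sorted(payloads))
```

Running it yields two alerts: the app.example.com alert carries two targets, with the uri_param_value target split into two context specifications (one per path and parameter key), which is exactly the "complete attack view" the Attack pattern section describes.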

Alert management

A Seer Box alert indicates an attempted attack and can be addressed in various ways based on the operator's analysis and risk assessment, as well as the available and configured protection devices.

Seer Box enables the creation of network and application rules from an alert, as well as the ability to flag it as legitimate or ignore it.

Only users in the admins group, or users belonging to a group with the Explore alerts permission associated with one or more domain groups, are allowed to view and delete alerts. Users in the latter group will only be able to view alerts associated with the configured domain groups.

Users in the admins group, or in a group with the Handle rules permission associated with the domain group to which the alert belongs, can manage alerts by creating one or more rules.

From Seer Box web interface

  1. Access the Alerts page: in this section you can view the list of alerts reported by Seer Box.

  2. To inspect an individual alert, click on the Inspect button at the right end of the item.

The detail page displays information related to the alert, including tables with context specifications and malicious HTTP transactions.

From the upper right corner you can perform several actions:

  • Advanced protection: this action opens a wizard for managing the alert, creating application rules, network rules, or reporting legitimate items associated with it.
  • Other actions - Create default Application ruleset: this action creates the minimum set of unoptimized application rules necessary to cover all context specifications reported in the alert.
  • Other actions - Create default Network ruleset: this action creates the minimum set of network rules that block the clients responsible for the alert.
  • Other actions - Create default Legitimate signature: this action creates the minimum set of legitimate elements associated with all context specifications flagged in the alert.
  • Other actions - Delete: this action ignores the alert.

Advanced protection

From Seer Box web interface

  1. From the alert detail page click on the Advanced protection button. A wizard will be displayed at the top of the page.

  2. From the Strategy field, you will be able to choose what kind of strategy you want to apply for managing the alert.

Application rule

  1. Select Application rule to create an application rule. Click on Next to continue.

  2. Select the Target on which to apply the rule. In case the target is only one, it will be selected manually. Click on Next to continue.

  3. Based on the selected target, it will be possible to configure the different context specifications (as shown within the table in the Alert specifications section), adapting them to the characteristics needed for the rule to be generated. Click on Next to continue.

  4. Select the rule type to be created, the string and the matching strategy:

    Rule type                     | Matching string                                          | Matching strategy
    ------------------------------|----------------------------------------------------------|------------------------------------------------------------------------------
    Block values - Negative rule  | The pattern or one of the payloads associated with the alert | Block if the string matches the entire target value or alternatively a subset of it
    Allow values - Positive rule  | User-defined specific value                              | Block if the string does NOT match the entire target value
    Allow charsets - Positive rule | Set of alphabetic and/or numeric characters and/or symbols | Block if the target value does NOT match the defined sets

    For some target types, only the negative rule will be available. Click on Next to continue.

  5. Configure the action to be associated with the rule, and the execution priority over the others. Click on Add rule to confirm.
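The three matching strategies of step 4 and the priority ordering of step 5 can be expressed as small predicates. This is an added example, not Seer Box's rule engine: each rule builder returns a predicate that is true when the rule blocks the value, and the evaluator assumes (an assumption of this example) that a lower priority number is executed first and that the first blocking rule decides the action.

```python
import string
from typing import Callable

# A predicate returns True when the rule BLOCKS the target value.
Predicate = Callable[[str], bool]


def block_values(matching_string: str, whole: bool = True) -> Predicate:
    """Block values (negative rule): block if the string matches the entire
    target value (whole=True) or any subset of it (whole=False)."""
    if whole:
        return lambda value: value == matching_string
    return lambda value: matching_string in value


def allow_values(expected: str) -> Predicate:
    """Allow values (positive rule): block if the value is NOT exactly the
    user-defined string."""
    return lambda value: value != expected


def allow_charsets(alphabetic: bool = True, numeric: bool = True,
                   symbols: str = "") -> Predicate:
    """Allow charsets (positive rule): block if any character of the value
    falls outside the permitted alphabetic/numeric/symbol sets."""
    allowed = set(symbols)
    if alphabetic:
        allowed.update(string.ascii_letters)
    if numeric:
        allowed.update(string.digits)
    return lambda value: any(ch not in allowed for ch in value)


def evaluate(rules, value: str) -> str:
    """Apply (priority, action, predicate) rules, lowest priority number first
    (assumed ordering); return the action of the first blocking rule, else "pass"."""
    for _priority, action, predicate in sorted(rules, key=lambda r: r[0]):
        if predicate(value):
            return action
    return "pass"


# Constructed ruleset for a username parameter: a negative rule on a known
# pattern takes precedence, and a positive charset rule catches everything
# else that is not alphanumeric, underscore or hyphen.
RULES = [
    (10, "block", block_values("pattern-A", whole=False)),
    (20, "log", allow_charsets(alphabetic=True, numeric=True, symbols="_-")),
]

if __name__ == "__main__":
    for candidate in ["alice_01", "pattern-A-extra", "alice;x"]:
        print(candidate, "->", evaluate(RULES, candidate))
```

The positive rules are the ones that keep working against payloads the alert never showed: the charset rule in the sample set flags "alice;x" even though no negative rule knows that string, which is why the wizard offers them alongside the negative rule built from the alert's pattern or payloads.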

Network rule

  1. Select Network rule to create a network rule. Click on Next to continue.

  2. In the Blacklist field select the IP addresses responsible for the alert that you want to block.

  3. Configure the action to be associated with the rule and the duration of its activation (the rule will be disabled or deleted when it expires as set in the dedicated section). Click on Add rule to confirm.

Legitimate signature

  1. Select Legitimate signature to flag an element as legitimate. Click on Next to continue.

  2. Based on the selected target, you can configure the context specifications (as shown within the table in the Alert specifications section) to tailor them to the characteristics needed by the legitimate element. Click on Next to continue.

  3. Select the pattern or payload to label as legitimate for the identified target. Click on Add legitimate to confirm.

To add additional alert handling strategies click on the Add signature button. Otherwise, simply click Save in the top right corner of the page to save the changes. The alert will then disappear from the summary list, and the new rule will be visible on the Protection - Rules page.

Alert Export

From the Alert page, it is possible to export alert information in CSV format, choosing the fields to be included and generating a CSV file with the following characteristics:

  • Separator: the pipe (|) symbol;

  • Record delimiter: the newline sequence \r\n;

  • Escape: the double quote (") symbol.

  1. From the Alert page click on the Actions button, then select Export CSV.

  2. Select fields in the modal and click on Export.

The same process can be used to export HTTP traffic from the HTTP Traffic section, selecting different fields in the HTTP request and response and exporting it using the same CSV file format.
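Because the export uses a pipe separator rather than a comma, a generic CSV reader with default settings will not split the fields correctly. The following added example (not part of Seer Box) reads and writes the format described above with Python's csv module configured for the pipe separator, the double-quote escape and the \r\n record delimiter; the sample export and its column names are constructed, including a field that contains both a quote and a pipe to show how escaping is handled.

```python
import csv
import io

# Dialect matching the export characteristics listed above.
SEERBOX_CSV = dict(delimiter="|", quotechar='"', doublequote=True,
                   lineterminator="\r\n", quoting=csv.QUOTE_MINIMAL)

# Constructed sample export (column names are illustrative, not Seer Box's):
# the first pattern field is quoted because it contains a quote and a pipe.
SAMPLE_EXPORT = (
    "id|attack_type|host|pattern\r\n"
    '1|SQL Injection|app.example.com|"quoted ""x""|y"\r\n'
    "2|Path Traversal|api.example.com|plain\r\n"
)


def parse_alert_csv(text: str) -> list:
    """Parse an export into a list of dicts keyed by the header row."""
    # newline="" keeps \r\n intact so the csv module handles the records.
    reader = csv.DictReader(io.StringIO(text, newline=""), **SEERBOX_CSV)
    return list(reader)


def write_alert_csv(rows: list, fields: list) -> str:
    """Serialize rows back to the same format, quoting only where needed."""
    buf = io.StringIO(newline="")
    writer = csv.DictWriter(buf, fieldnames=fields, **SEERBOX_CSV)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def roundtrip(text: str) -> bool:
    """True if parsing, re-writing and re-parsing gives the same rows."""
    rows = parse_alert_csv(text)
    fields = list(rows[0].keys()) if rows else []
    return parse_alert_csv(write_alert_csv(rows, fields)) == rows


if __name__ == "__main__":
    for row in parse_alert_csv(SAMPLE_EXPORT):
        print(row)
    print("roundtrip ok:", roundtrip(SAMPLE_EXPORT))
```

The same dialect applies to exports from the HTTP Traffic section; only the selected fields differ.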