NAME

eris::log::context::attacks::url - Inspects URL's for common attack patterns

VERSION

version 0.006

SYNOPSIS

This context matches any field ending in '_url' and inspects the URL for common attack patterns. This is not sophisticated, but leverages the reconnaisance stage of an attack in which attackers try unsophisticated things to look for weak spots in your infrastructure.

It was built on the "least work for most reward" principle. This context is prone to false positives and false negatives, but works fast enough to be inlined into the log processing pipeline.

ATTRIBUTES

priority

Defaults to 100, running after most other contexts so things can end up in the right fields.

field

Defaults to '_exists_', meaning it's looking for the presence of certain keys in the eris::log context.

matcher

Defaults to matching the fields ending with '_url' or fields exact matching 'resource' or 'referer'

METHODS

contextualize_message

Takes an eris::log instance, parses the fields 'resource' and 'referer' for attack patterns.

Provides 3 top level keys to the context:

attack_score

The higher the number, the more likely an attack has been detected. Takes the HTTP response code into account if available.

attack_triggers

This is the count of distinct tokens detected in the URL leading us to believe this is an attack.

attacks

This is a HashRef containing all the tokens and attack signatures tripped.

Tags messages with 'security' if an attack string is detected.

SEE ALSO

eris::log::contextualizer, eris::role::context

AUTHOR

Brad Lhotsky <brad@divisionbyzero.net>

COPYRIGHT AND LICENSE

This software is Copyright (c) 2015 by Brad Lhotsky.

This is free software, licensed under:

The (three-clause) BSD License