eris::log::context::attacks::url - Inspects URL's for common attack patterns
version 0.006
This context matches any field ending in '_url' and inspects the URL for common attack patterns. This is not sophisticated, but leverages the reconnaisance stage of an attack in which attackers try unsophisticated things to look for weak spots in your infrastructure.
It was built on the "least work for most reward" principle. This context is prone to false positives and false negatives, but works fast enough to be inlined into the log processing pipeline.
Defaults to 100, running after most other contexts so things can end up in the right fields.
Defaults to '_exists_', meaning it's looking for the presence of certain keys in the eris::log context.
Defaults to matching the fields ending with '_url' or fields exact matching 'resource' or 'referer'
Takes an eris::log instance, parses the fields 'resource' and 'referer' for attack patterns.
Provides 3 top level keys to the context:
The higher the number, the more likely an attack has been detected. Takes the HTTP response code into account if available.
This is the count of distinct tokens detected in the URL leading us to believe this is an attack.
This is a HashRef containing all the tokens and attack signatures tripped.
Tags messages with 'security' if an attack string is detected.
eris::log::contextualizer, eris::role::context
Brad Lhotsky <brad@divisionbyzero.net>
This software is Copyright (c) 2015 by Brad Lhotsky.
This is free software, licensed under:
The (three-clause) BSD License
To install eris, copy and paste the appropriate command in to your terminal.
cpanm
cpanm eris
CPAN shell
perl -MCPAN -e shell install eris
For more information on module installation, please visit the detailed CPAN module installation guide.