Using search

You can search for virtually any attribute of attacks, incidents, and vulnerabilities.

Wallarm is equipped with a query language similar to human language, which makes submitting queries intuitive. Queries can be refined using special modifiers, which are described below.

When values of different parameters are specified, the result must meet all of these conditions (the conditions are combined with AND). When several values of the same parameter are specified, the result may meet any one of them (the values are combined with OR).

To search within a single application, specify in the search string pool:<application name>, where <application name> is set on the Applications tab.

Examples of search requests:

  • attacks xss: to search for all XSS attacks.
  • attacks today: to search for all attacks that happened today.
  • vulns sqli: to search for SQL injection vulnerabilities.
  • vulns 01/02/2016-10/03/2016: to search for vulnerabilities within a certain period of time.
  • xss 14/01/2016: to search for all vulnerabilities, suspicions, attacks, and incidents of cross-site scripting on 14 January 2017.
  • p:xss 14/01/2016: to search for all vulnerabilities, suspicions, attacks, and incidents of all types within the xss HTTP request parameter (i.e. http://localhost/?xss=attack-here) as of 14 January 2017.
  • attacks 2-9/2016: to search for all attacks from February to September 2017.
  • rce /catalog/import.php: to search for all RCE attacks, incidents, and vulnerabilities on the /catalog/import.php script for the last day.

In addition to the search string, you can retrieve data using filters. See Using filters.

The search string parameters are duplicated in the filters, and vice versa.

Save as a filter

Any search query or combination of filters can be saved using the Save as template button and quickly accessed later.

Search attributes

  • Type of object
  • Type of attack or vulnerability
  • Aim of attack or vulnerability
  • Severity level
  • Vulnerability identifier
  • Vulnerability status
  • Time
  • IP address
  • Server response status
  • Server response size
  • HTTP request method
  • Domain
  • Path
  • Parameter

Search by object type

Specify in the search string:

  • attack, attacks: to search only for attacks that are not aimed at known vulnerabilities.
  • incident, incidents: to search only for incidents (attacks that exploit a known vulnerability).
  • vuln, vulns, vulnerability, vulnerabilities: to search only for vulnerabilities.

Search by attack type or vulnerability type

Specify in the search string:

  • csrf: to search for attacks/vulnerabilities of the cross-site request forgery (Cross Site Request Forgery) type.
  • xss: to search for attacks/vulnerabilities of the cross-site scripting (Cross Site Scripting) type.
  • sqli: to search for attacks/vulnerabilities of the SQL injection type.
  • rce: to search for attacks/vulnerabilities of the server-side code execution type (OS Commanding, including Path Traversal, PHP injection, and shell injection).
  • dirbust: to search for forced browsing attacks.
  • info: to search for attacks/vulnerabilities of the information disclosure type.

An attack or vulnerability name can be specified in both uppercase and lowercase letters: "SQLI", "sqli", and "SQLi" are equally correct.

Search by the attack target or the vulnerability target

Specify in the search string:

  • client: to search for client data attacks/vulnerabilities.
  • database: to search for database attacks/vulnerabilities.
  • server: to search for app server attacks/vulnerabilities.

Search by risk level

Specify in the search string:

  • low: low risk level.
  • medium: medium risk level.
  • high: high risk level.

Search by vulnerability identifier

To search for a certain vulnerability, specify its identifier. It can be specified in two ways:

  • either fully: WLRM-ABCD-X0123
  • or in abbreviated form: X0123

Search by vulnerability status

Specify the vulnerability status in the search string. A vulnerability can have one of three statuses:

  • open: a currently relevant vulnerability;
  • closed: a fixed vulnerability;
  • falsepositive: a false positive.

By default, only open vulnerabilities are searched.

Search by event time

Specify a time range in the search string. If no time interval is specified, the search covers events that occurred during the last 24 hours. Use the date format DD/MM/YYYY (for example, 14/01/2014). If the year is not specified, the current year is used. Thus, 14.01 is the same as 14.01.2017.

String aliases can also be used:

  • yesterday: always equals to yesterday's date.
  • today: always equals to today's date.

You can also specify the following intervals for the search:

  • "10/01-14/01" is the same as "10-14/01", "10-14/01/2014", and "10/01/2014 00:00 - 14/01/2014 23:59"
  • by time (seconds are disregarded): 10/01/2014 11:11, 11:30-12:22, 10/01/2014 11:12 - 14/01/2014 12:14
  • relative to a certain moment in time: >10/01/14

Search by IP address or address range

To search by IP address or address range, use ip: prefix.

You can search according to the following criteria:

  • Subnets: 192.168/16, 192.168.0.1/24
  • Ranges: 192.168.0.1-200, 192.168.1-10, 192.168.1-10.*

You can also search by the total number of IP addresses related to an event (attacks and incidents only).

Examples:

  • xss ip:100+ will search for all incidents and attacks of the cross-site scripting type and will return nothing if fewer than 100 different IP addresses were registered as attackers for this attack type.
  • xss p:id ip:100+ will search for all attacks and incidents of the XSS type related to the id parameter (?id=aaa) and will display a result only if the number of different IP addresses exceeds 100.

Search by server response status

To search by server response status, specify statuscode: prefix.

Response status can be specified as:

  • a number from 100 to 999.
  • an N-M range, where N and M are numbers from 100 to 999.
  • N+ and N- ranges, where N is a number from 100 to 999.

Search by server response size

To search by the server response size, use s: or size: prefix.

You can search for any integer value. Values above 999 can be specified without a prefix. The N-M, N+ and N- ranges can also be specified; here too, values above 999 do not need a prefix.
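As an added illustration (not Wallarm's own code), the following Python matches the ip: forms from the previous section and the statuscode:/size: range forms from this one against a few constructed events. Treating an omitted or * octet as a wildcard, and padding short subnet forms with zero octets, are assumptions about the syntax.

```python
import ipaddress

def num_range(spec):
    """Parse the N, N-M, N+ and N- forms of statuscode:/size: into an inclusive (low, high)."""
    if spec.endswith("+"):
        return int(spec[:-1]), float("inf")        # N and above
    if spec.endswith("-"):
        return 0, int(spec[:-1])                   # N and below
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)

def in_num_range(spec, value):
    low, high = num_range(spec)
    return low <= value <= high

def ip_matches(spec, ip):
    """Match one IPv4 address against the ip: forms on this page: subnets
    (192.168/16, 192.168.0.1/24) and per-octet ranges (192.168.0.1-200,
    192.168.1-10, 192.168.1-10.*). Assumption: omitted or * octets match anything."""
    if "/" in spec:
        base, bits = spec.split("/", 1)
        octets = base.split(".")
        octets += ["0"] * (4 - len(octets))        # 192.168/16 -> 192.168.0.0/16
        net = ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)
        return ipaddress.ip_address(ip) in net
    patterns = spec.split(".")
    patterns += ["*"] * (4 - len(patterns))        # 192.168.1-10 -> 192.168.1-10.*
    for pattern, octet in zip(patterns, ip.split(".")):
        if pattern != "*" and not in_num_range(pattern, int(octet)):
            return False
    return True

# Constructed sample events, not real Wallarm data.
EVENTS = [
    {"ip": "192.168.0.17", "statuscode": 200, "size": 1240},
    {"ip": "192.168.0.250", "statuscode": 500, "size": 310},
    {"ip": "10.0.3.9", "statuscode": 403, "size": 5120},
]

def filter_events(events, ip=None, statuscode=None, size=None):
    """Keep events that satisfy every condition given: conditions on
    different parameters are combined with AND, as the page states."""
    return [e for e in events
            if (ip is None or ip_matches(ip, e["ip"]))
            and (statuscode is None or in_num_range(statuscode, e["statuscode"]))
            and (size is None or in_num_range(size, e["size"]))]
```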

Search by HTTP request method

To search by HTTP request method, specify method: prefix.

For GET, POST, PUT, DELETE, and OPTIONS written in upper case, the method can be specified without a prefix. For all other values, the prefix is required.

Search by domain

To search by domain, use d: or domain: prefix.

A string that may be a domain of the second or higher level can be specified without a prefix. Any string can be specified with a prefix.

You can use masks within a domain: the * symbol matches any number of characters, and the ? symbol matches any single character.

Search by path

To search by path, use u: or url: prefix.

Strings that start with / are processed without a prefix. Any string can be specified with a prefix.

Search by parameter

To search by parameter, use the p:, param:, or parameter: prefix, or the = suffix.

For example, to find attacks aimed at the xss parameter rather than XSS attacks (for instance, an SQL injection attack whose payload is in the xss GET parameter), specify attacks p:xss in the search string.

A string that does not start with / and ends with = is treated as a parameter (the trailing = character is not included in the value). Any string can be specified with a prefix.

Search for anomalies in attacks

To search for anomalies in attacks, use a: or anomaly: prefix.

To refine anomaly search, use the following parameters:

  • size
  • statuscode
  • time
  • stamps
  • impression
  • vector

Example:

attacks sqli a:size will search for all SQL injection attacks that have response size anomalies in their requests.
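The prefix and no-prefix rules from the sections above, as an added example that is not Wallarm's own code: classify() maps each token of a search string to a field, and parse_query() groups the values so that one field's values are alternatives while different fields are combined. The field names and the "unknown" bucket are assumptions, and date forms containing a space are not handled.

```python
import re

# Keyword tables transcribed from the sections above.
OBJECTS = {"attack": "attacks", "attacks": "attacks", "incident": "incidents",
           "incidents": "incidents", "vuln": "vulns", "vulns": "vulns",
           "vulnerability": "vulns", "vulnerabilities": "vulns"}
ATTACK_TYPES = {"csrf", "xss", "sqli", "rce", "dirbust", "info"}
TARGETS, RISK = {"client", "database", "server"}, {"low", "medium", "high"}
STATUSES, ALIASES = {"open", "closed", "falsepositive"}, {"today", "yesterday"}
METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}        # upper-case only
PREFIXES = {"pool": "pool", "ip": "ip", "statuscode": "statuscode", "s": "size",
            "size": "size", "method": "method", "d": "domain", "domain": "domain",
            "u": "url", "url": "url", "p": "param", "param": "param",
            "parameter": "param", "a": "anomaly", "anomaly": "anomaly"}
# Date/time tokens: optional < or >, then digits joined by / . : - (e.g. 14/01,
# 10-14/01/2014, >10/01/14, 2-9/2016). Forms containing a space are not handled.
TIME_RE = re.compile(r"[<>]?\d{1,2}[/.:-][\d/.:-]*")
VULN_ID_RE = re.compile(r"(WLRM-[A-Z0-9]{4}-)?[A-Z]\d{4}")
DOMAIN_RE = re.compile(r"[\w*?-]+(\.[\w*?-]+)+")          # allows * and ? masks

def classify(token):
    """Map one whitespace-separated token to a (field, value) pair."""
    name, sep, rest = token.partition(":")
    if sep and name.lower() in PREFIXES:            # an explicit prefix wins
        return PREFIXES[name.lower()], rest
    low = token.lower()
    if low in OBJECTS:      return "object", OBJECTS[low]
    if low in ATTACK_TYPES: return "type", low       # SQLI, sqli, SQLi all work
    if low in TARGETS:      return "target", low
    if low in RISK:         return "risk", low
    if low in STATUSES:     return "status", low
    if low in ALIASES or TIME_RE.fullmatch(token): return "time", low
    if token in METHODS:    return "method", token   # lower-case needs method:
    if VULN_ID_RE.fullmatch(token): return "vuln_id", token
    if token.startswith("/"): return "url", token
    if token.endswith("="):   return "param", token[:-1]   # trailing = dropped
    if token.isdigit() and int(token) > 999: return "size", token
    if DOMAIN_RE.fullmatch(token): return "domain", token
    return "unknown", token                          # needs an explicit prefix

def parse_query(query):
    """Group values by field: values of one field are alternatives (OR),
    different fields must all hold (AND), as the page states."""
    parsed = {}
    for token in query.split():
        field, value = classify(token)
        parsed.setdefault(field, []).append(value)
    return parsed
```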

See also
