Rules defining attack counters

Rules overview

The rules Define forced browsing attacks counter and Define brute-force attacks counter add tags to specific requests. The postanalytics module uses these tags to detect forced browsing (dirbust) and brute-force attacks, respectively.

Applying the rule to real traffic

To apply the rule to real traffic, you need to set a threshold to trigger the rule:

  • Number of 404 responses for the rule Define forced browsing attacks counter
  • Number of requests for the rule Define brute-force attacks counter

Thresholds are configured via triggers. Examples of triggers are available at this link.

Creating and applying the rule

To create and apply the rule:

  1. Create the rule Define forced browsing attacks counter or Define brute-force attacks counter in the Profile & Rules section of the Wallarm Console. The rule consists of the following components:

    • Condition describes the requests to which the brute-force or forced browsing tag is added.
    • Counter name defines the name of the tag which will be added to the request. The name should correspond to the following format:
      • d:<name> for the rule Define forced browsing attacks counter
      • b:<name> for the rule Define brute-force attacks counter
  2. Create a trigger with a threshold for the rule to fire. Examples of triggers are available at this link.

Rule examples

  • Add a forced browsing attack tag d:api_fr_user_passwords to requests sent to the path api/frontend/user/passwords of the protected resource

  • Add a brute-force attack tag b:api_fr_user_login to requests sent to the path api/frontend/user/login of the protected resource

Examples of rules for brute force and dirbust counters
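
The counting behaviour described on this page, sketched as an added Python example; it is not Wallarm's code and does not reproduce the postanalytics module. Grouping by source IP, the sliding time window, exact-path matching, the "count exceeds threshold" comparison and the threshold values are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

COUNTER_RE = re.compile(r"^[db]:\w+$")  # documented format: d:<name> or b:<name>

# The two rule examples from this page: path condition -> counter tag.
RULES = {
    "/api/frontend/user/passwords": "d:api_fr_user_passwords",
    "/api/frontend/user/login": "b:api_fr_user_login",
}
# Constructed trigger values (assumption): tag -> (threshold, window in seconds).
TRIGGERS = {"d:api_fr_user_passwords": (3, 30), "b:api_fr_user_login": (5, 30)}

def counted_tag(path, status):
    """Return the tag whose counter this request increments, or None."""
    tag = RULES.get(path)
    if tag is None:
        return None
    if not COUNTER_RE.match(tag):
        raise ValueError(f"counter name must be d:<name> or b:<name>: {tag!r}")
    # Forced browsing counters count 404 responses; brute-force counters count requests.
    if tag.startswith("d:") and status != 404:
        return None
    return tag

def detect(requests):
    """requests: time-ordered (ts, src_ip, path, status). Returns {(tag, src_ip)} over threshold."""
    seen, alerts = defaultdict(deque), set()
    for ts, ip, path, status in requests:
        tag = counted_tag(path, status)
        if tag is None:
            continue
        limit, window = TRIGGERS[tag]
        q = seen[(tag, ip)]
        q.append(ts)
        while ts - q[0] >= window:  # drop events that fell out of the window
            q.popleft()
        if len(q) > limit:  # assumption: fire when the count exceeds the threshold
            alerts.add((tag, ip))
    return alerts

# Constructed sample traffic (documentation IP ranges), not real logs.
SAMPLE = sorted(
    [(t, "203.0.113.5", "/api/frontend/user/login", 401) for t in range(6)]
    + [(t, "198.51.100.7", "/api/frontend/user/login", 200) for t in (1, 40)]
    + [(t, "203.0.113.9", "/api/frontend/user/passwords", 404) for t in (2, 3, 4, 5)]
    + [(6, "203.0.113.9", "/api/frontend/user/passwords", 200)]
)
```

Calling detect(SAMPLE) flags the source with six login requests in the window and the source with four 404 responses on the passwords path, while the client with two widely spaced logins stays under the threshold.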