
Proxy Drop Alert on IP Destinations #778

Merged
merged 12 commits into from Nov 6, 2018

Conversation

Projects
None yet
2 participants
@claudijd
Member

claudijd commented Oct 11, 2018

This alert would fire in cases where we have an attacker who's attempting to get out through the proxy on an IP specific destination, which is presumably suspicious.
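The detection described above, as an added illustration that is not the project's own alert code: it assumes a simplified squid-style proxy log with a TCP_DENIED action and constructed sample lines, flags denied requests whose destination is an IP literal (IPv4 or bracketed IPv6) instead of a hostname, and groups the hits per client for alerting.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from the project): "timestamp client action dest_host:port method".
SAMPLE_LOGS = """\
1539200001 10.1.2.3 TCP_DENIED 203.0.113.7:443 CONNECT
1539200002 10.1.2.3 TCP_MISS example.com:443 CONNECT
1539200003 10.1.2.9 TCP_DENIED 198.51.100.20:8080 CONNECT
1539200004 10.1.2.3 TCP_DENIED 203.0.113.8:443 CONNECT
1539200005 10.1.2.4 TCP_DENIED [2001:db8::1]:443 CONNECT
1539200006 10.1.2.4 TCP_DENIED internal.example.com:80 GET
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")

def is_ip_literal(host):
    """True if the destination is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def split_host_port(dest):
    if dest.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host, _, port = dest[1:].partition("]:")
        return host, port
    host, sep, port = dest.rpartition(":")
    return (host, port) if sep else (dest, "")

def proxy_drop_ip_events(log_text):
    """Return (client, dest_host) pairs for denied requests to IP-literal destinations."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, client, action, dest, _ = m.groups()
        host, _ = split_host_port(dest)
        if action == "TCP_DENIED" and is_ip_literal(host):
            hits.append((client, host))
    return hits

def aggregate_by_client(hits, threshold=2):
    """Group hits by source client; return clients at or above the threshold."""
    counts = defaultdict(list)
    for client, host in hits:
        counts[client].append(host)
    return {c: hs for c, hs in counts.items() if len(hs) >= threshold}
```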

@claudijd claudijd changed the title from Quick initial commit of proxy drop ip destinations to Proxy Drop Alert on IP Destinations Oct 11, 2018

@claudijd claudijd requested a review from pwnbus Oct 11, 2018

claudijd added some commits Oct 12, 2018

def onAggregation(self, aggreg):
    # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
    # aggreg['value']: value of the aggregation field, ex: toto@example.com
    # aggreg['events']: list of events in the aggregation
    pass


@claudijd

claudijd Oct 12, 2018

Member

@pwnbus opinions on stripping this from new alerts? Feels more like template documentation, which serves as clutter in finished alerts.


@pwnbus

pwnbus Oct 29, 2018

Collaborator

If you want to strip any of the general comments, I'm all for it.


@claudijd

claudijd Oct 30, 2018

Member

ok, will do

pwnbus added some commits Oct 25, 2018

Resolved review thread on alerts/proxy_drop_ip.py

@pwnbus pwnbus added this to the Release v1.34 milestone Oct 31, 2018

@claudijd


Member

claudijd commented Nov 5, 2018

I have reviewed 7 days of history on this, and this doesn't seem like a false positive concern.

@pwnbus

pwnbus approved these changes Nov 5, 2018

@pwnbus pwnbus merged commit d71ae0c into master Nov 6, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@pwnbus pwnbus deleted the proxy_drop_ip branch Nov 6, 2018
