Run an attack script to see how Contrast captures attack data while protecting your applications.
The following guide is written for customers using Nikto Web Scanner, an open-source web server scanner. While the Nikto scan is running, your Contrast agent will identify the attack and alert you in the UI.
Note: The attack script will also work on an out-of-the-box application, such as WebGoat, which allows you to observe how Contrast works in your environment.
Complete all of the following steps to prepare to run the attack script.
1. Download Nikto and run ./nikto.pl. You should see the default help message as a result.
2. Run perl -v to verify that Perl is available.
With an application setup with Contrast Protect, and Nikto downloaded and verified, complete the following steps to run the attack script and observe the results.
Note: Verify that the IP address of the machine that’s running Nikto isn’t blacklisted.
./nikto.pl -useragent "MyAgent (Demo/1.0)" -h http://www.your-site.com
Note: If your web application has its files under a certain directory, use the -r option to prepend a directory.
The Attacks page contains the record of all attacks seen by applications that have Contrast Protect enabled. These attacks include both monitored attacks as well as blocked attacks.
Attacks are groups of attack events coming from a single IP address over a sustained period of time. An attack can consist of events that target multiple applications and servers as well as multiple attack types, such as SQL Injection, Command Injection or specific CVEs. An attack ends once Contrast agents no longer see attack events for a period of time. If Contrast sees new attack events from the same IP address after an attack is closed, a new attack is created.
Go to the Attacks tab in the Attacks page to view all attacks that have occurred in your organization. Contrast organizes the components of each attack into the following columns.
Source IP: The IP address from which the attack is originating.
Status: The current status of the attack.
An attack status is determined by the highest severity status of the attack events within the attack. If any event has an "Exploited" status, the attack status will be "Exploited." If there are no "Exploited" events, the status will be the next highest severity event's status. The severity order, starting with the highest, is: Exploited, Suspicious, Blocked (P), Blocked, Probed (P), Probed.
Application: Any applications that saw attack events from the IP address while the attack was active.
Server: Any server that saw attack events from the IP address while the attack was active.
Rule: Any attack type identified from the IP address while the attack was active.
Start: The timestamp of the first attack event seen from the IP address during the attack timeframe.
End: The timestamp of the last attack event seen from the IP address during the attack timeframe.
Events: The number of attack events that comprise the attack.
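The grouping and status rules above (events from one IP within a sustained window form one attack; the attack's status is the highest-severity event status) can be modelled directly. The following is an added illustration, not Contrast's code; the 10-minute idle window, the event fields and the sample events are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Severity order from the page, highest first (lower index = more severe).
SEVERITY_ORDER = ["Exploited", "Suspicious", "Blocked (P)", "Blocked", "Probed (P)", "Probed"]

@dataclass
class AttackEvent:
    source_ip: str
    time: datetime
    status: str       # one of SEVERITY_ORDER
    application: str
    rule: str         # attack type, e.g. "sql-injection"

@dataclass
class Attack:
    source_ip: str
    events: list = field(default_factory=list)

    def status(self):
        # Attack status = the highest-severity event status within the attack.
        return min((e.status for e in self.events), key=SEVERITY_ORDER.index)

    def summary(self):
        # The remaining Attacks-grid columns: start, end, event count, apps, rules.
        return {"start": self.events[0].time, "end": self.events[-1].time,
                "events": len(self.events),
                "applications": sorted({e.application for e in self.events}),
                "rules": sorted({e.rule for e in self.events})}

def group_attacks(events, idle=timedelta(minutes=10)):
    """Group events per source IP. A gap longer than `idle` closes the attack and
    later events from that IP open a new one (10 min is an assumed value)."""
    attacks, open_by_ip = [], {}
    for e in sorted(events, key=lambda ev: ev.time):   # events kept in time order
        current = open_by_ip.get(e.source_ip)
        if current is None or e.time - current.events[-1].time > idle:
            current = Attack(e.source_ip)
            attacks.append(current)
            open_by_ip[e.source_ip] = current
        current.events.append(e)
    return attacks

T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [  # constructed sample events, not real Contrast data
    AttackEvent("203.0.113.5", T0, "Probed", "webgoat", "sql-injection"),
    AttackEvent("203.0.113.5", T0 + timedelta(minutes=2), "Blocked", "webgoat", "cmd-injection"),
    AttackEvent("203.0.113.5", T0 + timedelta(minutes=5), "Exploited", "petstore", "sql-injection"),
    AttackEvent("203.0.113.5", T0 + timedelta(minutes=40), "Probed (P)", "webgoat", "path-traversal"),
    AttackEvent("198.51.100.9", T0 + timedelta(minutes=1), "Blocked (P)", "webgoat", "xss"),
]
```

With the sample data, the first IP produces two separate attacks because its fourth event arrives after the idle gap, and the first of those is marked Exploited even though most of its events were only probes or blocks.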
Click on the Source IP to view more details on the attack. In the Overview tab, view each attack event in the grid. Click on each row to expand your view for more details. Under Attack Duration, click the See Timeline link to view the exact time sequence of each event. Use the dropdown menus and search field to find specific events.
In the Notes tab, view more details including the Rate of Events, Severity and Attacker.
In the Attacks page, use the row dropdown menu to blacklist an IP address, suppress the attack, or export the attack details into a CSV or XML-formatted spreadsheet. Tag or suppress multiple attacks by checking the boxes in the grid rows, and selecting the appropriate icons in the batch action menu above the grid.
Note: If you choose to blacklist an IP address, you must enter a name for the new policy and select a timeframe for expiration in the dialog that appears.
In an attack Overview tab, use the row dropdown menu to add an exclusion, create a virtual patch, blacklist an IP address, add a Protect Rule or suppress the event. Tag or suppress multiple attack events by checking the boxes in the grid rows, and selecting the appropriate icons in the batch action menu above the grid.
You can also perform each of these actions by clicking on the event, and selecting the appropriate icon in the expanded description.
The Monitor page allows you to view and triage attacks that are currently happening, and look back to see attacks that occurred within a specific timeframe. The dashboard gives you the full picture of the attackers that attempted to exploit your applications, the type of attack events detected and which applications were involved.
The Monitor overview divides attack event data into three categories: Attackers, Attack Events and Target Applications. Use the dropdown menus at the top of the page to customize your view by time span and environment. Use the search field to find attacks by the attacker's IP information or source name, affected applications, or specific Assess or Protect rules. You can also check the box to Show probed if you want to include information for attack events that resulted in a Probed status.
The Active Attacks badge at the top of the page communicates the current attack status of your organization. This keeps you apprised of any changes that may occur as you delve into details of other attacks.
In the Attackers column, you can see a list of attackers and the number of associated attack events reported within your selected timeframe. Click on the total number of attackers at the top of the column to see the data in the Attacks grid.
If an attacker is identified by a source name, hover over the name to see a list of the IP addresses labeled with this name. If an attacker is unknown (not identified by a source name), the silhouette icon to the left of their IP address includes a question mark. If an attacker successfully exploited an application, it's shown in red. Click on an attacker to go to the relevant Attack Details page.
Note: If the data reported for an attack event matches more than one source name, Contrast applies the name that you updated most recently.
The Attack Events column displays a list of the types of attacks detected, along with the total number of attack events per type. The bar below each attack type shows a breakdown of the attack events by result, such as Exploited (red) or Blocked (green).
In the Target Applications column, Contrast shows each application that has been targeted by an attack. The bar below each application shows a breakdown of the attack events by result, such as Exploited (red) or Blocked (green). Click on the total number of applications to see the data in the Attacks grid. Click on an application to see a filtered view in the Attack Events grid.
Click on an attacker's IP address or source name to see details about an attack. This takes you to the Attack Details page with a summary of information including the attack type, its duration, and affected applications and servers. Contrast shows the total number of events that make up the attack. Click on one to see more details about the individual event.
From this page, you can add the attacker to an IP blacklist, export all the individual events that comprise the attack, or suppress an attack (and its events) altogether. You can also take actions on events as you triage, such as creating virtual patches, configuring Protect rules or adding exclusions.