Run an attack script to see how Contrast captures attack data while protecting your applications.
The following guide is written for customers using Nikto Web Scanner, an open-source web server scanner. While the Nikto scan is running, your Contrast agent will identify the attack and alert you in the UI.
Note: The attack script will also work on an out-of-the-box application, such as WebGoat, which allows you to observe how Contrast works in your environment.
Complete all of the following steps to prepare to run the attack script.
./nikto.pl. You should see the default help message as a result.
perl -vto verify.
With an application setup with Contrast Protect, and Nikto downloaded and verified, complete the following steps to run the attack script and observe the results.
Note: Verify that the IP address of the machine that’s running Nikto isn’t blacklisted.
./nikto.pl -useragent “MyAgent (Demo/1.0)” -h http://www.your-site.com
Note: If your web application has its files under a certain directory, use the
-roption to prepend a directory.
The Attacks page contains the record of all attacks seen by applications that have Contrast Protect enabled. These attacks include both monitored attacks as well as blocked attacks.
Attacks are groups of attack events coming from a single IP address over a sustained period of time. An attack can be comprised of events that target multiple applications and servers as well as multiple attack types, such as SQL Injection, Command Injection or specific CVEs. An attack ends once Contrast agents no longer see attack events for a period of time. If Contrast sees new attack events from the same IP address after an attack is closed, a new attack is created.
Go to the Attacks tab in the Attacks page to view all attacks that have occurred in your organization. Contrast organizes the components of each attack into the following columns.
Source IP: The IP address from which the attack is originating.
Status: The current status of the attack.
An attack status is determined by the status of the attack events within the attack. The status is as "Probed" if all events have a "Probed" status, "Blocked" if all events have either a "Blocked" or "Probed" status, and "Exploited" if any event has an "Exploited" status.
Application: Any applications that saw attack events from the IP address while the attack was active.
Server: Any server that saw attack events from the IP address while the attack was active.
Rule: Any attack type identified from the IP address while the attack was active.
Start: The timestamp of the first attack event seen from the IP address during the attack timeframe.
End: The timestamp of the last attack event seen from the IP address during the attack timeframe.
Events: The number of attack events that comprise the attack.
Click on the Source IP to view more details on the attack. In the Overview tab, view each attack event in the grid; click on each row to expand your view for more details. Under Attack Duration, click the See Timeline link to view the exact time sequence of each event. Use the dropdown menus and search field to find specific events.
In the Notes tab, view more details including the Rate of Events, Severity and Attacker.
In the Attacks page, use the row dropdown menu to blacklist an IP address, suppress the attack, or export the attack details into a CSV or XML-formatted spreadsheet. Tag or suppress multiple attacks by checking the boxes in the grid rows, and selecting the appropriate icons in the batch action menu above the grid.
Note: If you choose to blacklist an IP address, you must enter a name for the new policy and select a timeframe for expiration in the dialog that appears.
In an attack Overview tab, use the row dropdown menu to add an exclusion, create a virtual patch, blacklist an IP address, add a Protect Rule or suppress the event. Tag or suppress multiple attack events by checking the boxes in the grid rows, and selecting the appropriate icons in the batch action menu above the grid.
You can also perform each of these actions by clicking on the event, and selecting the appropriate icon in the expanded description.
The Attack Monitor features an operational dashboard where you can monitor and triage attacks that are currently happening or look back to see attacks within a specific timeframe. You can also configure which environment to display or eliminate ineffective attack events to help you focus on what needs attention right away. Contrast tells the story of all the attackers that attempted to exploit your applications, the type of attack events performed and which applications were involved.
The badge to the right of the Attacks section communicates the current attack status. This keeps you apprised of any changes that may occur as you delve into details of other attacks. Any attacks that are currently happening also display a timeline on the left that shows the activity of all the attack events for the last five minutes. You can click into this activity for a larger view and additional information.
Several controls at the top of the page allow you to customize your view based on time scale, environment and filtering by a specific rule, attacker IP or application you want to quickly find. You can also see breakdowns of what has been exploited, blocked and probed.
You can interact with this page to understand relationships between what's presented. For example, you can click on an attacker and Contrast will highlight the targeted applications and the rules that attacker applied. You can also select multiple attackers, rules or applications by holding down the shift key.
For further analysis, click on a specific rule title or application title for a filtered view of all the attack events based on your selection.
Click on on an attacker IP brings up details about that attack. This takes you to the Attack Details page with some summary information including the attack type, its duration, and affected applications and servers. From this page, you can add the attacker to an IP blacklist, export all the individual events that comprise the attack, or suppress an attack (and its events) altogether. Contrast will show the total number of events that make up that particular attack with the ability to expand into the details of each event. You can take other actions on events as you triage, such as creating virtual patches, configuring protect rules, or adding exclusions.