Web Tap Documentation

PREVIOUS - 2.1 Alert Summary      UP - 2. The Management Interface      NEXT - 2.3 HTTP Request Details

2.2 Alert Details

The alert details page displays extended information about a specific alert and can be accessed by clicking on that alert in the alert summary page.

2.2.1 Metadata

• Client – Specifies the client that generated this alert. The client is a single IP address and (optionally) its fully-qualified domain name (FQDN).
• Domain – The domain associated with this alert. All suspicious HTTP requests in this alert went to a server in this domain
• Servers – A list of the addresses and (optionally) names of servers that received suspicious traffic as part of this alert. The lookup info links will fetch specific information about the particular servers (see Host Information Lookup section).
• Time – The most recent time that Web Tap generated an alert entry in response to suspicious activity.
• Status – Information about the viewed, pending, and priority status of this alert.
• Groups – The list of groups that this alert is a member of.

2.2.2 Host Information Lookup

This “lookup info” option next to host names in the alert metadata section will look up whois information for the specified host from the ARIN database at whois.arin.net as well as routing/AS information from riswhois.ripe.net. The geographic information associated with the routing entry is likely to be more accurate than the ARIN entry. Some IP addresses don’t have detailed ARIN entries, and others may only be registered with the information of a top-level service provider, and do not have information about the actual owner of the IP address. Routing information, however, is much more reliable and will almost always have the correct autonomous system that is responsible for routing traffic to the IP address. The geographic information for the AS is more likely to be accurate than that associated with the ARIN entry. For more information, see http://www.arin.net/whois/ and http://www.ripe.net/ris/tools/riswhois.html.

Note: host information lookup requires Web Tap to have an Internet connection.

2.2.3 Actions

The following actions are possible from the alert detail page:

• Fixed – Sets the alert’s status to fixed
• Ignore – Sets the alert’s status to ignored
• Ignore All – Sets the alert’s status to ignored and adds a filter so that new entries for the same alert (same client and domain) do not reset the status to pending; the alert will remain ignored permanently, even if new malicious activity occurs between the same client and domain.
• Add (Move) to [group] – Will add the alert to the specified group. If the move check box is selected, Web Tap will first remove the alert from its current group(s).
• Trust Domain(s) – Creates a filter for each selected domain that sets the status of all current and new alerts from any client to each domain to be ignored. If only a sub-domain is trusted, then the entire alert may still remain pending; all domains associated with an alert must be trusted in order for its status to go from pending to ignored.
• Trust Servers(s) – Creates a filter for each selected server that sets the status of all current and new alerts from any client to each server to be ignored. If only a subset of the servers in the current alert is trusted, its overall status will still remain pending. All servers associated with an alert must be trusted in order for the alert’s status to change to ignored.

2.2.4 Types

This section lists the type of suspicious activity that Web Tap detected in order to raise the alert. More detailed information about the meaning of each alert type, including common false positives and mitigation strategies, can be found in the Alert Types section.

2.2.5 Trusting User-Agents and Header fields

In addition to a description of the activity, buttons may be present for trusting unrecognized user-agents and header fields. Web Tap will generate an unrecognized user-agent alert when it sees an HTTP request with a value in the user-agent field that has not yet been trusted. The user-agent field identifies the client application and version, and it will often contain a value other than that of a trusted application in the case of malware activity.

Selecting one or more user-agent or header values and clicking on the “Trust User-Agent(s)” or “Trust Header Value(s)” button will remove all of the alert entries for the specified user-agents or headers from all current alerts and set the values as trusted so that Web Tap does not generate any alerts for those values in the future. If an alert no longer has any entries, Web Tap will remove the alert.

2.2.6 Recent HTTP and Alert Activity

This section of the alert details page contains information about the alert entries and recent HTTP request associated with those entries. This allows you to examine the actual network traffic in order to determine the cause of an alert. Clicking on an HTTP request will take you to the HTTP Request Details page, where you can look at the original content of the HTTP request as it appeared on the network.

The first column of the Recent HTTP and Alert Activity summary table, Time, indicates the time at which the HTTP request occurred, or the time when Web Tap identified suspicious activity for an alert entry. The next column, Server, contains the name of the server that received the HTTP request. Server will also contain the IP address for alert entries.

Next, you can see the Method associated with the alert (e.g. GET, POST, HEAD, etc.). GET and POST are the two most popular methods. They are used to retrieve or send a page from a web server, respectively. POST requests have a body, whereas GET requests do not. However, it is still possible to leak large amounts of data in the URL of a GET request. For information about request methods, see the HTTP specification at http://www.w3.org/Protocols/rfc2616/rfc2616.html.

The Size column contains the number of extra bytes in the request. These bytes include data after a ‘?’ character in the URL, as well as data in the body of a post request. This number gives you a general idea of how much data could be leaving your network in the particular request. The actual number of bytes counted by Web Tap may be slightly different than this number to account for variable bytes in other parts of the HTTP request.

Finally, the URL column contains the full expanded URL that was requested in the HTTP request, or the alert type of the row is an alert entry. For more detailed information about types, see the Alert Types section. For HTTP requests, the URL has “http://” and the host name, even though actually HTTP request usually only contains the path. Web Tap also omits script parameters following a ‘?’ in the URL for brevity.

PREVIOUS - 2.1 Alert Summary      UP - 2. The Management Interface      NEXT - 2.3 HTTP Request Details