
Detection

Updated Jun 20, 2021

Can Non-Datacenter Traffic be tagged as an anomaly?

By default, Signal Sciences tags datacenter IP addresses as an anomaly. Tagging non-datacenter IP addresses as an anomaly can be achieved with a custom rule.

What does the Backdoor tag identify?

Our backdoor tag generally matches known backdoor filenames, many of which have traditionally been PHP files (admin.php, r57.php, etc.). For many users, when these paths return a 200 or a larger response than expected, it may indicate that their system has been compromised or that they are unknowingly hosting a backdoor file.

How are JSON API payloads inspected and redacted?

Signal Sciences will automatically parse all JSON key/value pairs and treat them as any other request parameter, so attack and anomaly detection, custom signals and redactions will all work properly in the context of these requests.

For example, the following sample requests show how redactions work within the context of a request.

Initial Request

POST /request HTTP/1.1
Content-Length: 72
Content-Type: application/json
Host: api.test.org

{"user":"user@api.test.org","password":"<script>alert(1)</script>mypassword","zip":94089}

Sent to Signal Sciences

POST /request HTTP/1.1
Host: api.test.org

password=

Initial Request

POST /request HTTP/1.1
Content-Length: 72
Content-Type: application/json
Host: api.test.org

{"user":"user@api.test.org","password":"mypassword","zip":"<script>alert(1)</script>94089"}

Sent to Signal Sciences

POST /request HTTP/1.1
Host: api.test.org

zip=<script>alert(1)</script>
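The following is an added illustration of the parse-then-redact flow shown in the two samples above; it is example code written for this page, not Signal Sciences' own implementation. It assumes a constructed list of sensitive keys, a deliberately narrow constructed detection pattern, that only parameters matching that pattern are forwarded, and that nested JSON keys are named with dotted paths; it also forwards the whole matching value rather than only the matched fragment.

```python
import json
import re

# Constructed for this example: keys whose values are never forwarded (the
# page shows the password value replaced by an empty string).
SENSITIVE_KEYS = {"password", "passwd", "pwd"}

# Constructed, deliberately narrow detection pattern for the demo; the real
# Signal Sciences detection logic is not described on the page.
ATTACK_PATTERN = re.compile(r"<\s*script\b", re.IGNORECASE)


def flatten_json(obj, prefix=""):
    """Yield (key, value) string pairs for every scalar in a parsed JSON document.

    Nested keys are joined with '.' and list indices with '[i]'; that naming is
    an assumption of this example, not documented Signal Sciences behaviour.
    """
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten_json(v, f"{prefix}.{k}" if prefix else str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten_json(v, f"{prefix}[{i}]")
    else:
        # Scalars (str, int, float, bool, null) become parameter values.
        yield prefix, "" if obj is None else str(obj)

def inspect_json_body(body, sensitive=SENSITIVE_KEYS):
    """Return the parameters that would be forwarded, as (key, value) pairs.

    Only parameters whose value matches ATTACK_PATTERN are kept, and the value
    of a sensitive key is redacted to the empty string, as in the two samples.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []  # not JSON: nothing to treat as key/value pairs
    forwarded = []
    for key, value in flatten_json(doc):
        if not ATTACK_PATTERN.search(value):
            continue
        leaf = key.rsplit(".", 1)[-1].split("[", 1)[0]  # last path component
        forwarded.append((key, "" if leaf.lower() in sensitive else value))
    return forwarded

def as_form_body(params):
    """Encode forwarded pairs the way the page's 'Sent to' samples show them."""
    return "&".join(f"{k}={v}" for k, v in params)
```

Running `as_form_body(inspect_json_body(...))` on the first sample body yields `password=` and on the second yields the zip parameter with its script payload intact, matching the two "Sent to Signal Sciences" outputs.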