Respond
Response events are configured as described in the Detect section.
By default, response events are sent to the console. A typical event looks as follows:
```json
{
  "action": [
    {
      "Time": 1715956535,
      "RequestID": "f916b220-3c2c-493d-9ff4-a543bc39816c",
      "Behavior": "error",
      "Delay": "2m",
      "Duration": "1h",
      "SourceIP": "172.25.0.1",
      "Useragent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
      "Session": "c32272b9-99d8-4687-b57e-a606952ae870"
    }
  ]
}
```
When a decoy is triggered, all relevant 'response' actions are triggered. Irrelevant actions are ignored (for example, an action that is supposed to match on the 'session' when no session is set). These events are also sent to the configmanager, which updates the `/data/blocklist/throttlelist.json` file (for the 'throttle' behavior) and the `/data/blocklist/blocklist.json` file (for all other behaviors). The fields are described below:
| Field | Description | Why it is useful |
|---|---|---|
| `Time` | The UTC time at which the alert is triggered, in timestamp format. | A log should always have a timestamp, for correlation. |
| `RequestID` | The value of the `x-request-id` header added by Envoy to each received request. | May be useful for correlation with other Envoy logs or with application logs. |
| `Behavior` | The type of response which will be executed by the proxy. | Useful to know what to expect. If a user complains about a system slow-down or about an unreachable system, the reason might be that a 'throttle' or 'drop' behavior is at play. |
| `Delay` | The time which will be spent before the Behavior is executed. | Useful to understand why a response is not active: it may just not be active yet. |
| `Duration` | For how long the response will be in place. Once the duration is exceeded, the corresponding response action will be cleaned from the `blocklist.json` or `throttlelist.json` file by the configmanager. If the duration is set to 'forever', the only way to remove the response is to manually edit the corresponding JSON file. | |
| `SourceIP` | The source IP, as resolved by Envoy. Contrary to the 'alert', it contains only the IP address, not the port. If this is set, this IP address will be considered in subsequent requests for defining a match. | Useful to debug complaints from users about possible false positives. If the Useragent and/or Session parameters are set, then the matching will be done against the combination of those. |
| `Useragent` | The source user agent, as resolved by Envoy. If this is set, this user agent will be considered in subsequent requests for defining a match. | Useful to debug complaints from users about possible false positives. If the IP address and/or Session parameters are set, then the matching will be done against the combination of those. |
| `Session` | The session token, as resolved by Envoy, retrieved based on the configuration of the `config-default.json` file. If this is set, this session value will be considered in subsequent requests for defining a match. | Useful to debug complaints from users about possible false positives. If the IP address and/or Useragent parameters are set, then the matching will be done against the combination of those. |
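As an added illustration (not the project's own code), the following Python helper parses a response event of the shape shown above, computes when the response becomes active and when the configmanager may clean it up, and checks whether a later request matches the combination of selectors that are set. The request keys `ip`, `user_agent` and `session`, and the reading that Duration counts from the end of Delay, are assumptions.

```python
import json
import re
from typing import Optional, Tuple

# Constructed sample event: the same shape as the event shown on this page.
SAMPLE_EVENT = json.loads("""
{
  "action": [
    {
      "Time": 1715956535,
      "RequestID": "f916b220-3c2c-493d-9ff4-a543bc39816c",
      "Behavior": "error",
      "Delay": "2m",
      "Duration": "1h",
      "SourceIP": "172.25.0.1",
      "Useragent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
      "Session": "c32272b9-99d8-4687-b57e-a606952ae870"
    }
  ]
}
""")

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value: str) -> Optional[int]:
    """Convert a duration such as '2m' or '1h30m' to seconds.
    Returns None for 'forever', which never expires automatically."""
    if value == "forever":
        return None
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([smh])", value))


def active_window(action: dict) -> Tuple[int, Optional[int]]:
    """Assumption: the response starts at Time + Delay and, unless Duration
    is 'forever', ends Duration seconds after it starts (end is None for 'forever')."""
    start = action["Time"] + (parse_duration(action["Delay"]) or 0)
    duration = parse_duration(action["Duration"])
    return start, None if duration is None else start + duration


def matches(action: dict, request: dict, now: int) -> bool:
    """A request matches when the response is active and every selector set in
    the action (SourceIP, Useragent, Session) equals the request's value; an
    action that selects on a value the request lacks does not match."""
    start, end = active_window(action)
    if now < start or (end is not None and now >= end):
        return False
    selectors = {"SourceIP": "ip", "Useragent": "user_agent", "Session": "session"}
    return all(action[f] == request.get(k) for f, k in selectors.items() if action.get(f))
```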