Attacker Profile Page

You can click on an attacker's given name to navigate to that Attacker's Profile page.

Figure 87: Attacker Profile


The Attacker Profile page displays any information that pertains to a particular attacker. At the top of the page you will see the Attacker Card, which contains a short overview of the profile. This card contains the attacker's assigned name, last IP used, the first and last date the attacker was active, and the Public ID of the attacker, for use with the Support Processor in unblocking that profile. On the right side of the card there is a threat gauge that indicates the current threat of that attacker, where green, yellow, and red indicate low, medium, and high threat, respectively. The severity icons are displayed as follows:

Available on the right side of the Attacker Profile page is a quick Actions box, where you can rapidly perform various profile-related functions such as blocking the attacker, warning the user, editing the profile, and deleting the profile.

Note: Deleting the profile will essentially erase all information gathered on that attacker, and will effectively remove all blocks or other responses on that profile.

Underneath the attacker card and quick actions box is a series of tabs, where all of the attacker's specific activity information resides. The Incidents tab contains a list of all incidents triggered by that attacker. The Incident name, complexity, count, first and last time triggered are all available for each item in the list. Additionally you can click the Details icon (the eye) to view more information about any particular incident.

Responses tab – The Responses tab contains information relating to all of the active and inactive responses issued to that attacker. Each entry contains the actual name of the response issued, the configuration (if any) used when issuing the response, the time the response was created, the delay set (if any), the time the response expires (if at all), and the time the response was finally deactivated (if it has been deactivated).

If the response is active, you can click the Deactivate Response icon (the stop sign under Actions) to deactivate the response instantly. Alternatively, you can click the Deactivate Selected button or, to deactivate all responses, click the Deactivate All button.

Figure 88: Responses tab - Deactivate


It is in this tab that you can manually activate Counter Responses on the current attacker. The available counter responses are:

Consecutive requests might be grouped together and are viewable through the Sessions tab. Each entry in this tab contains the Remote Address used during the session (the IP), the Browser and Operating System used during the session, the number of Requests made and Pages returned during that session, the number of Errors generated by the server in response to requests in that session, as well as the First and Last Active times. You can also click on the Details icon (the eye) to view more information about any particular session.

Locations tab – The Locations tab contains a list of all locations used by the attacker. For each location, you are able to see the Remote Address (IP) associated with that location, the City, Region, and Country associated with the location (if they can be found), and the First and Last Active times for the location. Depending on the location, you might also be able to load a map showing that location (if it can be determined) by clicking on the Map icon. You can also click on the Details icon (the eye) to view more information on any particular location, including all other attackers that were found to be using the same location, and other Incidents, Sessions, or Environments used in conjunction with that location.

If WebApp Secure can determine the attacker was using a specific Browser and Operating System combination, an entry in the Environments tab will be added. Each entry contains the Browser and Operating System used, along with the full User Agent string and First and Last active dates. If you want to find other attackers that used the same Environment, click on the magnifying glass icon. This will bring you to a page where you can see other Attackers that used this Environment, Incidents produced with this Environment, Sessions found that were using this Environment, and Locations that used this Environment.