How to highlight a Pen-Tester's IP?

AntonioSousa
DynaMight Guru

I have had several cases where pen-testing has disrupted monitoring, creating problems that have to be diagnosed and traced back to the user. I have compiled a series of ways of dealing with these issues, including Request Attributes for client IP, MDAs that track those users, maintenance windows, and other tricks. I had the idea to convert some of this data into Problems, but then again, I want to reduce them, not make some more. I have also been considering using custom annotations to highlight these cases in the UI, but have not yet implemented anything.

I believe a lot of you have dealt with this issue. What type of tricks do you have to deal with allowed pen-testers?

Antonio Sousa
6 REPLIES

chris_v
Dynatrace Champion

Sounds like I do most of that; the only thing I'll add is this: I use web request naming (a global rule) to rename all requests with the tester's IP (a server-side request attribute) as, in my case, "Nessus Scan", and then mute that request.

So the testing does not interfere with any real users' data going to the normally named web requests, and being muted doesn't raise problems.

An added benefit is not filling Dynatrace's database with high-cardinality data that's full of random characters, invalid paths, etc.

@chris_v,

This is an excellent suggestion! I only have one issue here: you might block other valid requests in the /24 subnet. How do you deal with this?

Antonio Sousa

In this use case the permitted testing is run internally, so we can use the full unmasked private IPs; we're only masking public IPs.

The request attribute rule currently has 4 data source rules, each a unique IP.

@AntonPineiro suggests some header info; that may be a usable option, depending on whether the testing tools make themselves known that way. Nessus/Tenable, from what I've seen, often - but not always - includes an identifiable mark in the requests made (e.g. it'll be in the URL and/or user agent). And of course, if you can control the requests being made, you can ensure a header is added for identification.

@chris_v,

In my case they are masquerading as real browsers, because of browser rules being implemented, but it's another good idea.

Antonio Sousa

👏👏👏👏👏👏👏👏👏

The true delight is in the finding out rather than in the knowing.

AntonPineiro
DynaMight Guru

Hi,

A combination of specific HTTP headers and request attributes. That is, what you see in the documentation.

Best regards

❤️ Emacs ❤️ Vim ❤️ Bash ❤️ Perl
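The three identification strategies discussed in this thread (an exact-IP request attribute that feeds a global naming rule and a mute, a scanner mark in the user agent or URL, and an agreed HTTP header for testers who masquerade as real browsers), put together as detection logic over constructed sample requests. This is an added example, not Dynatrace configuration and not code from any poster; the tester IPs, the `x-pentest-id` header and its token, the `nessus` marker pattern and the sample traffic are all assumptions. It also reproduces the /24 concern raised above: a subnet rule is kept separate so the false positive it causes can be seen.

```python
"""Tag allowed pen-test traffic so it can be renamed and muted.

Constructed example mirroring the thread's approach in plain Python.
Nothing here is Dynatrace configuration; all names and values are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Exact tester IPs, one per data source rule (assumed values).
TESTER_IPS = frozenset({"10.20.30.41", "10.20.30.42", "10.20.30.43", "10.20.30.44"})

# Agreed identification header for testers whose tool mimics a browser.
# Hypothetical header name and token; the token is the shared secret.
PENTEST_HEADER = "x-pentest-id"
PENTEST_TOKEN = "engagement-42"

# Mark some scanners leave in the user agent or URL (often, not always).
SCANNER_MARK = re.compile(r"nessus", re.IGNORECASE)

# Bucket name the global naming rule collapses tester requests into.
RENAMED = "Nessus Scan"


@dataclass(frozen=True)
class Request:
    client_ip: str
    path: str
    user_agent: str
    headers: dict  # lower-cased header names -> values


def identify_tester(req: Request, tester_net: Optional[str] = None) -> Optional[str]:
    """Return the reason a request is attributed to the pen-tester, or None.

    Checks run from most to least specific. tester_net (e.g. "10.20.30.0/24")
    is an optional subnet rule, kept separate to show the over-matching it causes.
    """
    if req.headers.get(PENTEST_HEADER) == PENTEST_TOKEN:
        return "header"
    if req.client_ip in TESTER_IPS:
        return "ip"
    if SCANNER_MARK.search(req.user_agent) or SCANNER_MARK.search(req.path):
        return "scanner-mark"
    if tester_net and ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(tester_net):
        return "subnet"
    return None


def name_request(req: Request, tester_net: Optional[str] = None) -> dict:
    """Emulate the naming rule: tester traffic goes to one muted bucket,
    everything else keeps its own name and stays unmuted."""
    reason = identify_tester(req, tester_net)
    if reason is None:
        return {"name": req.path, "muted": False, "reason": None}
    return {"name": RENAMED, "muted": True, "reason": reason}


# Constructed sample traffic: tester by IP, tester by scanner mark,
# tester by header (browser-like UA), and a real user in the same /24.
SAMPLE = [
    Request("10.20.30.41", "/login", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", {}),
    Request("198.51.100.7", "/cgi-bin/../../etc/passwd", "Mozilla/4.0 (compatible; Nessus)", {}),
    Request("10.20.30.99", "/api/orders", "Mozilla/5.0 Firefox/121",
            {PENTEST_HEADER: PENTEST_TOKEN}),
    Request("10.20.30.77", "/api/orders", "Mozilla/5.0 Firefox/121", {}),
]


def summarize(requests=SAMPLE, tester_net: Optional[str] = None) -> list:
    """Classify every request; returns one naming decision per request."""
    return [name_request(r, tester_net) for r in requests]


if __name__ == "__main__":
    for r, out in zip(SAMPLE, summarize()):
        print(f"{r.client_ip:15} {r.path:28} -> {out}")
    print("with a /24 rule the real user 10.20.30.77 is swallowed as well:")
    print(summarize(tester_net="10.20.30.0/24")[3])
```

The header check is only safe if the token cannot be guessed or replayed from the outside: anyone who can send `x-pentest-id` with the right value gets their traffic renamed and muted, which is exactly what a real attacker would want. Use a per-engagement secret, strip the header at the edge for untrusted sources, and rotate it when the engagement ends.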
