Attack Details
In Attack Details, you can view detailed attack behaviors, including attack time, source and destination IP addresses, path, etc. You can also further view detailed information of attack behaviors or mark some attack behaviors as “False positives”.
After expanding the search settings, you can filter the attack details list by attack type, working mode, matching action, and risk level. You can also enter an IP address to run a fuzzy search for attack behaviors involving that IP.
Attack information | Description |
---|---|
Latest attack time | The time the attack behavior occurred |
Source IP | The source IP of the attack behavior. If the real IP field is configured, this is the IP address passed in the real IP field |
Destination IP | The destination IP of the attack behavior, generally the IP that the domain name's CNAME protection domain name resolves to |
Request path | The request path of the attack behavior, without parameters |
Region | The regional attribution information of the source IP of the attack behavior |
Attack count | The trigger count of the attack behavior |
Working mode | The working mode of the corresponding domain name |
Matching action | The action of the rule matched by this attack behavior. This item depends only on the rule and is not affected by the working mode |
Operation | Includes two functions: details and false positives |
Details | Detailed information about the attack behavior: ● Domain name: The domain name of the attack request ● Request method: The request method of the attack request: GET, POST, HEAD, etc. ● Request protocol: The request protocol of the attack request: http or https ● Request port: The port requested by the attack request: 80, 443, etc. ● Attack time: The time the attack request was processed ● Target IP: The IP requested by the attack request ● Client IP: The source IP of the attack request, which may be the IP address of a third-party proxy ● Client port: The source port of the attack request ● Region: The regional attribution information of the IP that initiated the attack request ● Attack type: The attack type that was determined: CC attack, injection attack, etc. ● Risk level: The severity of the attack: high, medium, or low risk ● Working mode: The domain name’s working mode: blocking mode or warning mode ● Match action: The action of the rule matched by the attack request: intercepted or released ● Request path: The path of the attack request, including parameters ● Request content: The body of the attack request ● Request header (UA): The User-Agent field of the attack request ● Referer: The Referer field of the attack request ● Proxy IP (XFF): The real IP field of the attack request; empty if not set ● Risk items: The characters in the attack request that triggered the rule ● Request ID: The string that uniquely identifies this attack request |
False positive | After you click this button, similar requests no longer trigger rules, that is, they are not judged as attacks. CC attacks cannot be marked as false positives. For details, see False Positive Details |
!> Note:
After clicking [False Positive], the following will occur:
1. Similar attacks in the future will not be displayed, i.e., they will not be judged as attacks. False positives are matched on the characteristics of the attack, and matching requests are passed through. If you want to whitelist a commonly used IP, add it to the whitelist instead.
2. Our security engineers regularly count and analyze false positives to continuously update and improve the rule system.