FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to highlight a Pen-Tester's IP?

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru

‎04 Jul 2023 11:35 PM - last edited on ‎05 Jul 2023 08:11 AM by Community Team

I have had several cases where pen-testing has disrupted monitoring, creating problems that have to be diagnosed and traced back to the user. I have compiled a series of ways of dealing with these issues, including Request Attributes for client IP, MDAs that track those users, maintenance windows, and other tricks. I had the idea to convert some of this data into Problems, but then again, I want to reduce them, not make some more. I have also been considering using custom annotations to highlight these cases in the UI, but have not yet implemented anything.

I believe a lot of you have dealt with this issue. What type of tricks do you have to deal with allowed pen-testers?

Antonio Sousa
0 Kudos
Reply
6 REPLIES 6

Go to solution
chris_v
Dynatrace Champion
Dynatrace Champion

‎05 Jul 2023 06:42 AM

Sounds like I do most of that, the only thing I'll add is.  I use web request naming (a global rule) to rename all requests with the testers IP (a server side request attribute), as (in my case) "Nessus Scan", and then mute that request.

So the testing does not interfere with any real users data going to the normally named web requests, and being muted doesn't raise problems.

added benefit of not filling Dynatraces database with high cardinality data that's full of random characters and invalid paths etc.

Reply

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru
In response to chris_v

‎05 Jul 2023 07:34 PM

@chris_v,

This is an excellent suggestion! I only have one issue here, and that is that you might block other valid requests in the /24 subnet. How do you deal with this?

Antonio Sousa
0 Kudos
Reply

Go to solution
chris_v
Dynatrace Champion
Dynatrace Champion
In response to AntonioSousa

‎06 Jul 2023 01:04 AM

In this use case the permitted testing is run internally, so we can use the full unmasked private IPs, we're only masking public IPs.

The request attribute rule currently has 4 data source rules each a unique IP.

@AntonPineiro suggests some header info. that may be a usable option depending if the testing tools make themselves known that way. Nessus/Tenable from what I've seen often - but not always - includes an identifiable mark in the requests made (e.g. it'll be in the URL and/or user agent). and of course if you can control the requests being made, you can ensure a header is added for identification.

Reply

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru
In response to chris_v

‎06 Jul 2023 08:49 AM

@chris_v,

In my case they are masquerading as real browsers, because of browser rules being implemented, but it's another good idea.

Antonio Sousa
0 Kudos
Reply

Go to solution
DanielS
DynaMight Guru
DynaMight Guru
In response to chris_v

‎06 Jul 2023 01:44 AM

👏👏👏👏👏👏👏👏👏

The true delight is in the finding out rather than in the knowing.
0 Kudos
Reply

Go to solution
AntonPineiro
DynaMight Guru
DynaMight Guru

‎05 Jul 2023 07:49 AM

Hi,

Combination of specific HTTP headers and request attributes. It means, what you see in the documentation.

Best regards

❤️ Emacs ❤️ Vim ❤️ Bash ❤️ Perl
Reply
Ask a question

Featured Posts