Understanding Attack Types

Learn to identify and interpret different types of security threats in your logs.

Common Attack Patterns

SQL Injection Attacks

What you'll see in logs:

URI: /login.php?id=1' OR '1'='1
Rule ID: 942100
Group: coreruleset

What it means: Attackers place SQL syntax in form fields or URL parameters in the hope that the application pastes it straight into a database query. In the example, the id value 1' OR '1'='1 closes the quoted value early and adds a condition that is always true, so a lookup meant to return one record can return every record. Rule 942100 is the Core Rule Set's libinjection-based SQL injection check. Successful injection can lead to data theft, unauthorized access, or database corruption.

Why it's dangerous:

  • Can expose sensitive customer data
  • May allow unauthorized admin access
  • Could corrupt or delete your database
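To see what the logged payload does once it reaches a query, here is an added example (not code from this page or from the product it documents) in Python, using an in-memory SQLite table as a stand-in for the site's database. The table, its rows and the function names are constructed for the illustration. lookup_vulnerable builds the query by string concatenation, the way a vulnerable login page would; lookup_safe binds the same value as a parameter.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a site's users table (example rows, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "subscriber"), (2, "bob", "editor"), (3, "root", "admin")],
    )
    return conn


def build_vulnerable_sql(user_id):
    # The request parameter is pasted into the SQL text, so a quote inside the
    # value ends the string literal and everything after it becomes SQL syntax.
    return "SELECT id, name, role FROM users WHERE id = '" + user_id + "'"


def lookup_vulnerable(conn, user_id):
    return conn.execute(build_vulnerable_sql(user_id)).fetchall()


def lookup_safe(conn, user_id):
    # Parameterised: the driver passes the value as data, so it is only ever
    # compared against id and can never change the structure of the query.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo():
    conn = make_db()
    payload = "1' OR '1'='1"  # the id value from the logged URI /login.php?id=1' OR '1'='1
    return {
        "sql_seen_by_db": build_vulnerable_sql(payload),
        "normal": lookup_vulnerable(conn, "1"),
        "injected_vulnerable": lookup_vulnerable(conn, payload),
        "injected_safe": lookup_safe(conn, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the vulnerable lookup the single-record query turns into WHERE id = '1' OR '1'='1' and returns all three rows, admin included; the parameterised lookup compares the whole payload against the id column and returns nothing. This is why the WAF rule treats that fragment as an attack even when it arrives in a field that "only" takes a number.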

Cross-Site Scripting (XSS)

What you'll see in logs:

URI: /search?q=<script>alert('xss')</script>
Rule ID: 941100
Group: coreruleset

What it means: Attackers put script into a parameter (here the search term) that the page echoes back unescaped, so the browser of anyone who views the resulting page runs the attacker's JavaScript. The alert('xss') in the example is the standard probe for whether input is reflected; a real payload would steal session cookies, hijack the logged-in session, or redirect visitors to malicious sites. Rule 941100 is the Core Rule Set's libinjection-based XSS check.

Why it's dangerous:

  • Can steal user login credentials
  • May hijack user sessions
  • Could redirect users to malicious websites

File Inclusion Attacks

What you'll see in logs:

URI: /page.php?file=../../../etc/passwd
Rule ID: 930100
Group: coreruleset

What it means: Attackers supply a path such as ../../../etc/passwd to a parameter the application uses to open or include a file, climbing out of the intended directory to read files elsewhere on the server (path traversal, the usual first step of local file inclusion). /etc/passwd is a probe chosen because it exists on every Linux host; the real targets are configuration files holding database credentials and keys. Rule 930100 belongs to the Core Rule Set's local file inclusion rule group.

Why it's dangerous:

  • Can expose server configuration files
  • May reveal sensitive system information
  • Could lead to complete server compromise

Brute Force Attacks

What you'll see in logs:

URI: /wp-admin/admin-ajax.php
Rule ID: 912001
Group: wordpress
Multiple entries from same IP within minutes

What it means: Automated tools try thousands of username/password combinations to break into your admin area. Unlike the patterns above, no single entry here is suspicious on its own: the signal is the volume of blocks from one source address over a short period, so read the per-IP count and timing rather than any one request.

Why it's dangerous:

  • Can lead to unauthorized admin access
  • May lock out legitimate users
  • Often precedes more serious attacks

Bot and Scanner Traffic

What you'll see in logs:

URI: /admin/config.php
Rule ID: 913100
Group: coreruleset
User-Agent: sqlmap/1.0

What it means: Automated tools scan your website looking for vulnerabilities, outdated software, or security weaknesses. In the example the User-Agent gives it away: sqlmap is an automated SQL injection tool that announces itself by default, and rule 913100 fires on User-Agent strings of known security scanners. A scanner that spoofs a browser User-Agent will not trip this rule; it is caught instead by the individual attack rules above when its payloads arrive.

Why it's concerning:

  • Identifies vulnerabilities for future attacks
  • Consumes server resources
  • Often followed by targeted attacks
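The five patterns above can be sorted mechanically from the fields shown in each entry. The following is an added example (not code from this page or its product) in Python that parses a dump of entries in the page's own "Key: Value" layout, maps each rule ID to an attack family using the Core Rule Set numbering for the IDs listed here, overrides the family when the User-Agent names a scanner, and flags the brute-force shape ("multiple entries from same IP within minutes") with a sliding time window. The sample entries are constructed; the "Time" and "Source IP" field names, the scanner marker list and the window and threshold values are assumptions, not something the page specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attack family by the first three digits of the rule ID (Core Rule Set numbering
# for the IDs shown on this page). 912001 in the "wordpress" group is mapped to
# brute force because that is how the page presents it.
FAMILY_BY_PREFIX = {
    "942": "SQL injection",
    "941": "Cross-site scripting",
    "930": "Local file inclusion",
    "913": "Scanner",
    "912": "Brute force",
}

# Constructed list of substrings that identify self-announcing scanners.
SCANNER_UA_MARKERS = ("sqlmap", "nikto", "nmap", "wpscan")

# Constructed sample entries in the "Key: Value" layout used on this page.
# "Time" and "Source IP" are assumed field names; the page does not show them.
SAMPLE_LOG = """\
Time: 2024-05-01 10:00:01
Source IP: 198.51.100.7
URI: /login.php?id=1' OR '1'='1
Rule ID: 942100
Group: coreruleset

Time: 2024-05-01 10:00:09
Source IP: 203.0.113.5
URI: /search?q=<script>alert('xss')</script>
Rule ID: 941100
Group: coreruleset

Time: 2024-05-01 10:01:15
Source IP: 203.0.113.5
URI: /page.php?file=../../../etc/passwd
Rule ID: 930100
Group: coreruleset

Time: 2024-05-01 10:02:00
Source IP: 192.0.2.44
URI: /admin/config.php
Rule ID: 913100
Group: coreruleset
User-Agent: sqlmap/1.0
"""

# Six admin-ajax.php blocks from one IP, 20 seconds apart: the brute-force shape.
_start = datetime(2024, 5, 1, 10, 5, 0)
SAMPLE_LOG += "\n".join(
    f"\nTime: {_start + timedelta(seconds=20 * i):%Y-%m-%d %H:%M:%S}\n"
    "Source IP: 198.51.100.7\nURI: /wp-admin/admin-ajax.php\n"
    "Rule ID: 912001\nGroup: wordpress"
    for i in range(6)
)


def parse_entries(text):
    """Split a dump into blank-line separated entries of 'Key: Value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; URIs may contain more
            if sep:
                entry[key.strip()] = value.strip()
        if "Rule ID" in entry:
            entry["Time"] = datetime.strptime(entry["Time"], "%Y-%m-%d %H:%M:%S")
            entries.append(entry)
    return entries


def classify(entry):
    """Attack family for one entry: rule-ID prefix, overridden by a scanner User-Agent."""
    family = FAMILY_BY_PREFIX.get(entry["Rule ID"][:3], "Unclassified")
    ua = entry.get("User-Agent", "").lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        family = "Scanner"
    return family


def find_bursts(entries, window=timedelta(minutes=5), threshold=5):
    """{(ip, uri): hits} for sources that hit one URI >= threshold times inside window."""
    times_by_key = defaultdict(list)
    for entry in entries:
        times_by_key[(entry["Source IP"], entry["URI"])].append(entry["Time"])
    bursts = {}
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                bursts[key] = max(hits, bursts.get(key, 0))
    return bursts


def summarize(text):
    entries = parse_entries(text)
    by_family = defaultdict(int)
    for entry in entries:
        by_family[classify(entry)] += 1
    return {"entries": len(entries), "by_family": dict(by_family), "bursts": find_bursts(entries)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run on the sample, the summary counts one entry each for SQL injection, XSS, file inclusion and scanner traffic, six brute-force entries, and reports a single burst: 198.51.100.7 hitting /wp-admin/admin-ajax.php six times inside the window. The same IP's single SQL injection block on /login.php is not part of that burst, which is the distinction the brute-force section above is drawing.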

Attack Severity Levels

High Severity

  • SQL Injection attempts
  • Remote code execution
  • File upload attacks
  • Authentication bypass

Medium Severity

  • Cross-site scripting (XSS)
  • Local file inclusion
  • Brute force attempts
  • Scanner activity

Low Severity

  • Suspicious user agents
  • Malformed requests
  • Protocol violations
  • Rate limit violations

Geographic Attack Patterns

High-Risk Regions

Common sources of automated attacks:

  • Countries with lax cybersecurity enforcement
  • Regions with high concentrations of compromised computers
  • Areas known for hosting malicious infrastructure

Treat the country of origin as context, not as evidence on its own: attack traffic is routinely relayed through VPNs, cloud hosting and compromised machines anywhere in the world, and blocking whole regions can cut off legitimate visitors while the attacker simply changes exit point.

Attack Timing

  • Business Hours: Targeted, hands-on attacks often take place during your local business hours
  • Off Hours: Automated attacks run around the clock, so a steady volume overnight is usually bots rather than a person
  • Weekends: Many attacks increase when IT staff is unavailable

Response Priorities

Immediate Action Required

  • Multiple high-severity attacks from the same source
  • Signs of a successful bypass: a source blocked here that also appears in your web server access log reaching the same page with a 200 response
  • Attacks targeting known vulnerabilities in your software

Monitor Closely

  • Persistent scanning from specific IPs
  • New attack patterns not seen before
  • Attacks targeting new pages or functionality

Normal Activity

  • Occasional low-severity blocks
  • Known scanner bots (blocked successfully)
  • Geographically distributed attacks (not coordinated)
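The severity table and the three response tiers above can be applied to a batch of blocks in one pass, including the bypass check, which needs the web server's access log rather than the WAF log. The following is an added example (not code from this page or its product) in Python. It takes block events already reduced to source IP, path and attack family, scores severity from the page's table, correlates blocked (IP, path) pairs against constructed access-log lines in the common combined format to find a source that later got a 2xx from a page it was blocked on, and assigns immediate / monitor / normal per the lists above. The events, the access log, the thresholds, the "known vulnerable" path prefix and the baseline of previously seen families and pages are all constructed assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict

# Severity per this page's "Attack Severity Levels" table.
SEVERITY = {
    "SQL injection": "high", "Remote code execution": "high",
    "File upload": "high", "Authentication bypass": "high",
    "Cross-site scripting": "medium", "Local file inclusion": "medium",
    "Brute force": "medium", "Scanner": "medium",
    "Suspicious user agent": "low", "Malformed request": "low",
    "Protocol violation": "low", "Rate limit": "low",
}

HIGH_HITS_PER_SOURCE = 3  # assumed cut-off for "multiple high-severity attacks from the same source"
SCAN_HITS_PER_SOURCE = 3  # assumed cut-off for "persistent scanning from specific IPs"
# Constructed: path prefixes you know run unpatched code ("known vulnerabilities in your software").
VULNERABLE_PREFIXES = ("/wp-content/plugins/example-plugin/",)
# Constructed baseline of what this site has already seen, for the "new pattern" / "new page" checks.
BASELINE_FAMILIES = {"SQL injection", "Cross-site scripting", "Local file inclusion",
                     "Brute force", "Scanner", "Suspicious user agent"}
BASELINE_PATHS = {"/login.php", "/search", "/page.php", "/admin/config.php", "/wp-admin/admin-ajax.php"}

# Constructed WAF block events, already reduced to source IP, path and attack family.
BLOCKED = [
    {"ip": "198.51.100.7", "uri": "/login.php", "family": "SQL injection"},
    {"ip": "198.51.100.7", "uri": "/login.php", "family": "SQL injection"},
    {"ip": "198.51.100.7", "uri": "/login.php", "family": "SQL injection"},
    {"ip": "203.0.113.5", "uri": "/search", "family": "Cross-site scripting"},
    {"ip": "203.0.113.5", "uri": "/page.php", "family": "Local file inclusion"},
    {"ip": "192.0.2.44", "uri": "/admin/config.php", "family": "Scanner"},
    {"ip": "192.0.2.44", "uri": "/admin/config.php", "family": "Scanner"},
    {"ip": "192.0.2.44", "uri": "/admin/config.php", "family": "Scanner"},
    {"ip": "203.0.113.9", "uri": "/wp-content/plugins/example-plugin/ajax.php", "family": "Remote code execution"},
    {"ip": "198.51.100.200", "uri": "/contact", "family": "Cross-site scripting"},
    {"ip": "203.0.113.77", "uri": "/login.php", "family": "Suspicious user agent"},
]

# Constructed web-server access log (combined format). The 200 from 203.0.113.5 to
# /page.php is a POST whose body the access log does not record, which is exactly
# why it needs a manual look rather than being dismissed.
ACCESS_LOG = """\
198.51.100.7 - - [01/May/2024:10:00:01 +0000] "GET /login.php?id=1'%20OR%20'1'='1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2024:10:01:15 +0000] "GET /page.php?file=../../../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2024:10:01:40 +0000] "POST /page.php HTTP/1.1" 200 1827 "-" "Mozilla/5.0"
192.0.2.44 - - [01/May/2024:10:02:00 +0000] "GET /admin/config.php HTTP/1.1" 403 199 "-" "sqlmap/1.0"
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')


def parse_access_log(text):
    """(ip, path, status) per line; the query string is dropped so paths match WAF entries."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            hits.append((m["ip"], m["target"].split("?", 1)[0], int(m["status"])))
    return hits


def find_possible_bypasses(blocked, access_hits):
    """Sources that were blocked on a path and also got a 2xx from that same path."""
    blocked_keys = {(e["ip"], e["uri"]) for e in blocked}
    return sorted({(ip, path) for ip, path, status in access_hits
                   if (ip, path) in blocked_keys and 200 <= status < 300})


def triage(blocked, access_log_text):
    """{ip: (priority, reasons)} using the page's immediate / monitor / normal rules."""
    reasons = defaultdict(list)
    high = Counter(e["ip"] for e in blocked if SEVERITY.get(e["family"]) == "high")
    for ip, n in high.items():
        if n >= HIGH_HITS_PER_SOURCE:
            reasons[ip].append(("immediate", f"{n} high-severity blocks from one source"))
    for ip, path in find_possible_bypasses(blocked, parse_access_log(access_log_text)):
        reasons[ip].append(("immediate", f"2xx on {path} after blocks on that path: review the full request"))
    for e in blocked:
        if e["uri"].startswith(VULNERABLE_PREFIXES):
            reasons[e["ip"]].append(("immediate", f"targets known-vulnerable path {e['uri']}"))
        if e["family"] not in BASELINE_FAMILIES:
            reasons[e["ip"]].append(("monitor", f"new attack pattern: {e['family']}"))
        elif e["uri"] not in BASELINE_PATHS:
            reasons[e["ip"]].append(("monitor", f"attack on previously unseen page {e['uri']}"))
    scans = Counter(e["ip"] for e in blocked if e["family"] == "Scanner")
    for ip, n in scans.items():
        if n >= SCAN_HITS_PER_SOURCE:
            reasons[ip].append(("monitor", f"persistent scanning: {n} scanner blocks"))
    rank = {"immediate": 2, "monitor": 1, "normal": 0}
    result = {}
    for ip in dict.fromkeys(e["ip"] for e in blocked):  # first-seen order, no duplicates
        levels = [level for level, _ in reasons.get(ip, [])]
        result[ip] = (max(levels, key=rank.get, default="normal"),
                      [text for _, text in reasons.get(ip, [])])
    return result


if __name__ == "__main__":
    for ip, (level, why) in triage(BLOCKED, ACCESS_LOG).items():
        print(f"{level:9} {ip:15} {'; '.join(why) or 'occasional low-severity block'}")
```

On the constructed data, 198.51.100.7 is immediate for three high-severity blocks, 203.0.113.5 is immediate because the access log shows it reaching /page.php with a 200 after being blocked there, 192.0.2.44 is monitor for persistent scanning, and the single low-severity block from 203.0.113.77 falls under normal activity. The bypass check only produces a lead: a 200 to the same page from the same source is worth opening the full request for, not proof that the WAF was beaten.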

Need Help?

  • 💬 Live Chat: Get help interpreting attack patterns
  • 📧 Email Support: Send suspicious log entries for analysis
  • 📞 Security Hotline: Emergency response for active attacks