< Back to rules search
NGINX HTTP requests from security scanner
Set up the nginx integration.
Detect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent.
Inspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an
Triage and response
- Determine if this IP is making authenticated requests to the application.
- If the IP is making authenticated requests to the application:
- Investigate the HTTP logs and determine if the user is attacking your application.
The HTTP headers in the query are from darkqusar’s gist