Mozilla Security Consecutive Request Set Frequency
For events matching the message matcher, identify clients that request the same set of request paths in the same order over and over, and generate violation notices or TSV output for clients that exceed set_threshold consecutive occurrences of the same ordered set within the ticker interval.
The acceptable_variance configuration parameter sets the upper bound on the number of unique paths that will be tracked per client. Once a client has requested >= this many unique paths, it is considered varied enough and is no longer tracked for the remainder of the interval.
1. Sample Configuration
filename = "moz_security_pathsetfreq.lua"
message_matcher = "Logger == 'input.nginx'"
ticker_interval = 60
preserve_data = false
id_field = "Fields[remote_addr]" -- field to use as the identifier
-- id_field_capture = ",? *([^,]+)$" -- optional e.g. extract the last entry in a comma delimited list
request_field = "Fields[request]" -- field containing HTTP request
-- request_field_capture = "%S+%s+(%S+)" -- optional, e.g., extract second string in field
-- send_iprepd = false -- optional, if true plugin will generate iprepd violation messages
-- violation_type = "fxa:client_pathsetfreq" -- required in violations mode, iprepd violation type
set_threshold = 50 -- consecutive repeats to generate violation/tsv output
acceptable_variance = 5 -- >= unique request paths to ignore client for interval
-- no_single_set = true -- if true, disable tracking set with single path (e.g., repeated)
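The rules above (ordered path sets, set_threshold, acceptable_variance, no_single_set, and the two optional captures) modelled in Python so they can be exercised on constructed log lines. This is an added example, not the plugin's Lua source: the set boundary (a set is closed when its first path is requested again), the TSV row layout, and the tab-separated "remote_addr<TAB>request" input lines are assumptions made for the illustration.

```python
"""Added model of the consecutive request-set detector; not the plugin's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Python equivalents of the two Lua captures shown in the sample configuration.
REQUEST_CAPTURE = re.compile(r"\S+\s+(\S+)")   # "%S+%s+(%S+)": path of "GET /p HTTP/1.1"
ID_CAPTURE = re.compile(r",? *([^,]+)$")       # ",? *([^,]+)$": last entry of a comma list

Violation = Tuple[str, Tuple[str, ...], int]   # (client id, ordered path set, repeats)


@dataclass
class ClientState:
    unique: set = field(default_factory=set)
    current: List[str] = field(default_factory=list)  # ordered set being built
    last: Optional[List[str]] = None                  # most recently completed set
    repeats: int = 0                                  # consecutive equal completed sets
    ignored: bool = False                             # reached acceptable_variance
    reported: bool = False                            # violation already emitted


class PathSetFreq:
    """Per-client tracker; one instance covers one ticker_interval."""

    def __init__(self, set_threshold: int, acceptable_variance: int, no_single_set: bool = False):
        self.set_threshold = set_threshold
        self.acceptable_variance = acceptable_variance
        self.no_single_set = no_single_set
        self.clients: Dict[str, ClientState] = {}
        self.violations: List[Violation] = []

    def observe(self, client_id: str, path: str) -> Optional[Violation]:
        st = self.clients.setdefault(client_id, ClientState())
        if st.ignored:
            return None
        st.unique.add(path)
        if len(st.unique) >= self.acceptable_variance:
            # Varied enough: stop tracking this client for the rest of the interval.
            st.ignored = True
            st.current, st.last, st.repeats = [], None, 0
            return None
        if not st.current or path != st.current[0]:
            st.current.append(path)
            return None
        # Assumed set boundary: the first path of the set came round again, so the
        # set just built is complete and a new one starts with this request.
        completed, st.current = st.current, [path]
        if self.no_single_set and len(completed) == 1:
            st.last, st.repeats = completed, 0      # plain hammering of one path is ignored
            return None
        st.repeats = st.repeats + 1 if completed == st.last else 1
        st.last = completed
        if st.repeats >= self.set_threshold and not st.reported:
            st.reported = True
            violation = (client_id, tuple(completed), st.repeats)
            self.violations.append(violation)
            return violation
        return None

    def tick(self) -> List[str]:
        """End of ticker_interval: TSV rows (assumed layout) for flagged clients, then reset."""
        rows = ["%s\t%d\t%s" % (cid, n, ",".join(paths)) for cid, paths, n in self.violations]
        self.clients.clear()
        self.violations.clear()
        return rows


def process_log(lines: List[str], tracker: PathSetFreq) -> List[Violation]:
    """Feed constructed 'remote_addr<TAB>request' lines through the captures and tracker."""
    found = []
    for line in lines:
        raw_id, request = line.split("\t", 1)
        cid = ID_CAPTURE.search(raw_id).group(1)          # id_field_capture
        path = REQUEST_CAPTURE.match(request).group(1)    # request_field_capture
        v = tracker.observe(cid, path)
        if v:
            found.append(v)
    return found


# Constructed input: a scripted client cycling three paths, a browsing client behind a
# proxy (comma-separated address list, last entry wins), and a health check hammering one path.
SAMPLE_LOG = (
    ["198.51.100.9\tGET %s HTTP/1.1" % p for p in ["/login", "/api/token", "/account"] * 4]
    + ["203.0.113.7, 10.0.0.1\tGET %s HTTP/1.1" % p
       for p in ["/", "/docs", "/blog", "/about", "/pricing", "/"] * 2]
    + ["192.0.2.4\tGET /health HTTP/1.1"] * 10
)

if __name__ == "__main__":
    t = PathSetFreq(set_threshold=3, acceptable_variance=5, no_single_set=True)
    for v in process_log(SAMPLE_LOG, t):
        print("violation", v)
    print("\n".join(t.tick()))
```

With these settings only the scripted client is flagged: the third consecutive completion of /login, /api/token, /account trips set_threshold on its tenth request, the proxied client is dropped from tracking as soon as it reaches five unique paths, and the health check never counts because no_single_set suppresses one-path sets. Run the same health-check lines with no_single_set=False and it is flagged on its fourth request, which is the case the option exists for.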
source code: moz_security_pathsetfreq.lua