ml-scan-web-log

Detect anomaly web access. src_ip, status, method, path, query, user_agent fields are required.

ml-scan-web-log [features=FEATURES]

features=FEATURES: Specify 't' to output all features.

Output Fields

Field	Type	Name	Description
verdict	String	Verdict	attack or benign
tags	String	Tags	Characteristics of request. e.g. #not_found, #static
is_not_found	Integer	Is not found	1 if resource not found, 0 otherwise. e.g. status 404
is_error	Integer	Is error	1 if error occurred, 0 otherwise. e.g. statue 500
is_cloud_asn	Integer	Is cloud ASN	1 if src_ip is belongs to cloud service provider, 0 otherwise.
is_hosting_asn	Integer	Is hosting ASN	1 if src_ip is belongs to hosting provider, 0 otherwise.
is_asm_asn	Integer	Is ASM ASN	1 if src_ip is belongs to attack surface management provider, 0 otherwise.
is_broadband_asn	Integer	Is broadband ASN	1 if src_ip is belongs to broadband service provider, 0 otherwise. e.g. Korea Telecom
is_service_asn	Integer	Is service ASN	1 if src_ip is belongs to web service provider, 0 otherwise. e.g. facebook
is_good_asn	Integer	Is good ASN	1 if src_ip is belongs to broadband, web service, or attack surface management provider, 0 otherwise.
is_bad_asn	Integer	Is bad ASN	1 if src_ip belongs to cloud or hosting provider. 0 otherwise.
is_static	Integer	Is static resource	1 if resource is static, 0 otherwise. e.g. image, stylesheet, javascript
is_scanning	Integer	Is scanning	1 if request has known scanning pattern, 0 otherwise.
is_exploit	Integer	Is exploit	1 if request has known exploit pattern, 0 otherwise.
is_index	Integer	Is index page	1 if resource is root page, 0 otherwise.
is_hidden_file	Integer	Is hidden file	1 if resource starts with /., 0 otherwise.
is_traversal	Integer	Is path traversal	1 if path contains "../" sequences, 0 otherwise.
is_php	Integer	Is php resource	1 if resource is PHP, 0 otherwise.
chrome_ver	Integer	Chrome version	e.g. 131
edge_ver	Integer	Edge version	e.g. 131
safari_ver	Integer	Safari version	e.g. 537
is_browser	Integer	Is browser	1 if user_agent is common web browser, 0 otherwise. e.g. Chrome, MSEdge, Firefox, Safari, Opera
is_asm	Integer	Is ASM agent	1 if user_agent is known attack surface management crawler, 0 otherwise.
is_seo	Integer	Is SEO agent	1 if user_agent is known search engine optimization crawler, 0 otherwise.
is_go	Integer	Is Go agent	1 if user_agent is programmed by Go language, 0 otherwise.
is_java	Integer	Is Java agent	1 if user_agent is programmed by Java language, 0 otherwise.
is_python	Integer	Is Python agent	1 if user_agent is programmed by Python language, 0 otherwise.
is_custom_bot	Integer	Is custom agent	1 if user_agent is programmed bot, 0 otherwise.
is_shell	Integer	Is shell agent	1 if user_agent is shell program, 0 otherwise. e.g. curl, wget
is_social	Integer	Is social agent	1 if user_agent is social agent, 0 otherwise. e.g. facebook crawler
is_search_engine	Integer	Is search engine	1 if user_agent is search engine crawler, 0 otherwise. e.g. google, bing
is_scanner	Integer	Is scanner	1 if user_agent is known scanner, 0 otherwise. e.g. zgrab, masscan
is_vpn_client	Integer		1 or 0
is_unknown	Integer	Is unknown agent	1 if user_agent is not classified as browser or bot, 0 otherwise.
is_good_agent	Integer	Is good agent	1 if user_agent is one of the following: search engine crawler, social crawler, search engine optimization crawler, or vpn client, 0 otherwise.
is_good_req	Integer	Is good request	1 if request is good request, 0 otherwise. e.g. get static resource is classified as good request.
is_bad_req	Integer	Is bad request	1 if request is bad request, 0 otherwise. e.g. hidden file access is classified as bad request.
is_special_query	Integer	Is special querystring	1 if querystring contains special characters, 0 otherwise.