Skip to content

Exporting Malicious Hits to MinIO

MinIO is a high-performance, S3-compatible object storage system. It is commonly used for data archiving, backups, and application data storage where full control and scalability are required. You can set up Wallarm to send files with the information about detected hits to a MinIO S3-compatible bucket. Information will be sent in the files of JSON format each 10 minutes.

Data format

Every 10 minutes, Wallarm exports data on detected hits to a MinIO S3-compatible bucket. A hit is a serialized malicious request that includes the original request and metadata added by the Wallarm node.

Files are saved in JSON format using the naming convention hitlogs-{timestamp}.json.

Data fields for each hit:

  • time - date and time of hit detection in the Unix Timestamp format

  • request_id

  • ip - attacker's IP

  • Hit source type: datacenter, tor, remote_country

  • application_id

  • domain

  • method

  • uri

  • protocol

  • status_code

  • attack_type

  • block_status

  • payload

  • point

  • tags

Setting up integration

To set up a MinIO S3-compatible bucket integration:

  1. Create a MinIO S3-compatible bucket for Wallarm using either MinIO Console or MinIO Client (mc).

  2. Proceed to Wallarm Console UI → IntegrationsMinIO block or click the Add integration button and choose MinIO.

  3. Enter an integration name.

  4. Specify the MinIO API endpoint.

  5. Specify the created MinIO S3-compatible bucket name.

  6. Specify the data for Wallarm request authentication:

    • Access key
    • Secret key

  7. Make sure in the Regular notifications section, hits in the last 10 minutes are selected to be sent. If not chosen, data will not be sent to the bucket.

  8. Click Test integration to check configuration correctness, availability of the target system, and the notification format.

  9. Click Add integration.

MinIO integration

To review the data in your bucket, open the bucket in the MinIO Console and use Object Browser:

Hitlogs in MinIO bucket

Below is an example JSON file with hits detected in the last 10 minutes:

[
{
    "time":"1687241470",
    "request_id":"d2a900a6efac7a7c893a00903205071a",
    "ip":"127.0.0.1",
    "datacenter":"unknown",
    "tor":"none",
    "remote_country":null,
    "application_id":[
        -1
    ],
    "domain":"localhost",
    "method":"GET",
    "uri":"/etc/passwd",
    "protocol":"none",
    "status_code":499,
    "attack_type":"ptrav",
    "block_status":"monitored",
    "payload":[
        "/etc/passwd"
    ],
    "point":[
        "uri"
    ],
    "tags":{
        "lom_id":7,
        "libproton_version":"4.4.11",
        "brute_counter":"c188cd2baa2cefb3f3688cb4008a649e",
        "wallarm_mode":"monitoring",
        "final_wallarm_mode":"monitoring"
    }
},
{
    "time":"1687241475",
    "request_id":"b457fccec9c66cdb07eab7228b34eca6",
    "ip":"127.0.0.1",
    "datacenter":"unknown",
    "tor":"none",
    "remote_country":null,
    "application_id":[
        -1
    ],
    "domain":"localhost",
    "method":"GET",
    "uri":"/etc/passwd",
    "protocol":"none",
    "status_code":499,
    "attack_type":"ptrav",
    "block_status":"monitored",
    "payload":[
        "/etc/passwd"
    ],
    "point":[
        "uri"
    ],
    "tags":{
        "lom_id":7,
        "libproton_version":"4.4.11",
        "brute_counter":"c188cd2baa2cefb3f3688cb4008a649e",
        "wallarm_mode":"monitoring",
        "final_wallarm_mode":"monitoring"
    }
}
]

Wallarm Cloud IP addresses

To provide Wallarm Cloud access to your system, you may need a list of its public IP addresses:

35.235.66.155
34.102.90.100
34.94.156.115
35.235.115.105
34.94.85.217
34.94.51.234
34.102.59.122
34.94.238.72
35.235.100.79
34.102.45.38
34.94.241.21
34.102.90.100
34.94.203.193
34.94.238.221
34.94.9.23

34.141.230.156
34.91.138.113
34.90.114.134
35.204.127.78
34.90.24.155

Disabling and deleting an integration

You can delete or temporarily disable the integration. While deleting stops sending notificatioins and completely deletes all configuration, disabling just stops sending notifications which you can at any moment re-enable with the same settings.

If for the integration the System related events are selected to trigger notifications, Wallarm will notify about both of these actions.

System unavailability and incorrect integration parameters

Notifications to the system are sent via requests. If the system is unavailable or integration parameters are configured incorrectly, the error code is returned in the response to the request.

If the system responds to Wallarm request with any code other than 2xx, Wallarm resends the request with the interval until the 2xx code is received:

  • The first cycle intervals: 1, 3, 5, 10, 10 seconds

  • The second cycle intervals: 0, 1, 3, 5, 30 seconds

  • The third cycle intervals: 1, 1, 3, 5, 10, 30 minutes

If the percentage of unsuccessful requests reaches 60% in 12 hours, the integration is automatically disabled. If you receive system notifications, you will get a message about automatically disabled integration.