✨add default/recommanded duration for decoy respond

TarradeMarc · TarradeMarc · commit ae09b2095d62 · 2025-06-05T09:27:13.000+02:00
diff --git a/controlpanel/cad/src/app/components/alert-action-table/alert-action-table.component.html b/controlpanel/cad/src/app/components/alert-action-table/alert-action-table.component.html
@@ -1,11 +1,51 @@
+<app-tooltip [showTooltip]="showTooltip"
+[title]="tooltipTitle"
+[text]="tooltipText"
+[link]="tooltipLink"
+[topPosition]="topPosition"
+[leftPosition]="leftPosition"
+(tooltipHover)="onHoverInfo()"
+(tooltipLeave)="onLeaveInfo()">
+</app-tooltip>
 <table class="action-table">
     <thead>
         <tr>
-            <th id="source">Source</th>
-            <th id="behavior">Behavior</th>
-            <th id="delay">Delay</th>
-            <th id="duration">Duration</th>
-            <th id="property">Property</th>
+            <th id="source">
+                Source
+                <img class="info-icon" src="info.svg"
+                (mouseenter)="onHoverInfo('source', 'Defines what to look for in subsequent request(s)', 'https://github.com/SAP/cloud-active-defense/wiki/Detect#source', $event)"
+                (mouseout)="onLeaveInfo()"
+                />
+            </th>
+            
+            <th id="behavior">
+                Behavior
+                <img class="info-icon" src="info.svg"
+                (mouseenter)="onHoverInfo('behavior', 'What will happen to requests matching with what is specified in the source field', 'https://github.com/SAP/cloud-active-defense/wiki/Detect#behavior', $event)"
+                (mouseout)="onLeaveInfo()"
+                />
+            </th>
+            <th id="delay">
+                Delay
+                <img class="info-icon" src="info.svg"
+                (mouseenter)="onHoverInfo('delay', 'The number of seconds / minutes / hours to wait before applying the response. \'n\' is for \'now\' (no delay)', 'https://github.com/SAP/cloud-active-defense/wiki/Detect#delay', $event)"
+                (mouseout)="onLeaveInfo()"
+                />
+            </th>
+            <th id="duration">
+                Duration
+                <img class="info-icon" src="info.svg"
+                (mouseenter)="onHoverInfo('duration', 'The number of seconds / minutes / hours the response will be applied before expiring. \'d\' is for the default/recommanded maximum value of time and \'f\' is for \'forever\' (infinite duration)', 'https://github.com/SAP/cloud-active-defense/wiki/Detect#duration', $event)"
+                (mouseout)="onLeaveInfo()"
+                />
+            </th>
+            <th id="property">
+                Property
+                <img class="info-icon" src="info.svg"
+                (mouseenter)="onHoverInfo('property', 'How many seconds to throttle the request. Can only be in seconds and can be a range of seconds when using \'-\' (e.g. 20-60)', 'https://github.com/SAP/cloud-active-defense/wiki/Detect#property', $event)"
+                (mouseout)="onLeaveInfo()"
+                />
+            </th>
             <th class="end-action"></th>
         </tr>
         <tr class="tr-separator"><td class="row-separator" colspan="6"><hr class="head-separator"/></td></tr>
@@ -34,11 +74,12 @@
             </td>
             <td>
                 <div class="table-form-inputception">
-                    <input class="input-action-table inner-input" type="text" name="duration" id="duration" [(ngModel)]="action.duration" (input)="onItemChange()" [disabled]="action.durationExtension == 'forever' || !isEdit" appOnlyNumbers>
+                    <input class="input-action-table inner-input" type="text" name="duration" id="duration" [(ngModel)]="action.formDuration" (input)="onItemChange()" [disabled]="action.durationExtension == 'forever' || !isEdit" appOnlyNumbers>
                     <select class="inner-select" name="durationExtension" id="durationExtension" [(ngModel)]="action.durationExtension" (change)="onDurationExtensionChange(action.durationExtension, i); onItemChange()" [disabled]="!isEdit">
                         <option value="s">s</option>
                         <option value="m">m</option>
                         <option value="h">h</option>
+                        <option value="default">d</option>
                         <option value="forever">f</option>
                     </select>
                 </div>
diff --git a/controlpanel/cad/src/app/components/alert-action-table/alert-action-table.component.scss b/controlpanel/cad/src/app/components/alert-action-table/alert-action-table.component.scss
@@ -15,6 +15,12 @@
         th {
             text-align: start;
             padding: 0.2rem 0.5rem;
+            .info-icon {
+                height: 14px;
+                align-self: flex-start;
+                margin-top: -5px;
+                cursor: default;
+            }
         }
         .end-action {
             box-sizing: content-box;
diff --git a/controlpanel/cad/src/app/components/alert-action-table/alert-action-table.component.ts b/controlpanel/cad/src/app/components/alert-action-table/alert-action-table.component.ts
@@ -5,15 +5,17 @@ import { DelayType, DurationType, RespondType } from '../../models/decoy';
 import { FormsModule } from '@angular/forms';
 import { OnlyNumbersDirective } from '../../directives/only-numbers.directive';
 import { OnlyValidRespondPropertyDirective } from '../../directives/only-valid-respond-property.directive';
+import { TooltipComponent } from '../tooltip/tooltip.component';
 
 export interface FormRespond extends RespondType {
   delayExtension: 's' | 'm' | 'h' | 'now',
-  durationExtension: 's' | 'm' | 'h' | 'forever'
+  durationExtension: 's' | 'm' | 'h' | 'forever' | 'default',
+  formDuration?: DurationType | number | undefined
 }
 
 @Component({
     selector: 'app-alert-action-table',
-    imports: [CommonModule, SourceSelectComponent, FormsModule, OnlyNumbersDirective, OnlyValidRespondPropertyDirective],
+    imports: [CommonModule, SourceSelectComponent, FormsModule, OnlyNumbersDirective, OnlyValidRespondPropertyDirective, TooltipComponent],
     templateUrl: './alert-action-table.component.html',
     styleUrl: './alert-action-table.component.scss'
 })
@@ -22,6 +24,37 @@ export class AlertActionTableComponent {
   @Output() actionArrayChange = new EventEmitter<FormRespond[]>();
   @Input() isEdit = true;
 
+  //#region Tooltip
+  tooltipTitle = '';
+  showTooltip = false;
+  tooltipText = '';
+  tooltipLink = '';
+  topPosition: any;
+  leftPosition: any;
+  tooltipTimeout:any;
+
+  onHoverInfo(tooltipTitle?: string, tooltipText?: string, tooltipLink?: string, e?: MouseEvent) {
+    clearTimeout(this.tooltipTimeout);
+    this.showTooltip = true;
+    if (tooltipTitle) this.tooltipTitle = tooltipTitle;
+    if (tooltipText) this.tooltipText = tooltipText;
+    if (tooltipLink) this.tooltipLink = tooltipLink;
+    if (e) {
+      this.topPosition = e.clientY ?? this.topPosition;
+      this.leftPosition = e.clientX ?? this.leftPosition;
+    }
+  }
+  onLeaveInfo() {
+    this.tooltipTimeout = setTimeout(() => {
+      this.showTooltip = false;
+      this.tooltipText = '';
+      this.topPosition = null;
+      this.leftPosition = null;
+    }, 100)
+  }
+//#endregion
+
+
   onClickAddAction() {
     this.actionArray.push({ source: '', behavior: 'error', delayExtension: 's', durationExtension: 's' });
     this.actionArrayChange.emit(this.actionArray);
@@ -46,9 +79,27 @@ export class AlertActionTableComponent {
     if (newExtension == 'now') this.actionArray[index].delay = 'now';
     else if (this.actionArray[index].delay == 'now') this.actionArray[index].delay = undefined;
   }
-  onDurationExtensionChange(newExtension: 's' | 'm' | 'h' | 'forever', index: number) {
-    if (newExtension == 'forever') this.actionArray[index].duration = 'forever';
-    else if (this.actionArray[index].duration == 'forever') this.actionArray[index].duration = undefined;
+  onDurationExtensionChange(newExtension: 's' | 'm' | 'h' | 'default' | 'forever', index: number) {
+    if (newExtension == 'default') {
+      if (this.actionArray[index].source.includes('userAgent')) {
+        this.actionArray[index].durationExtension = 'h';
+        this.actionArray[index].formDuration = 720;
+      }
+      else if (this.actionArray[index].source.includes('ip')) {
+        this.actionArray[index].durationExtension = 'h';
+        this.actionArray[index].formDuration = 48;
+      }
+      else if (this.actionArray[index].source.includes('session')) {
+        this.actionArray[index].durationExtension = 'h';
+        this.actionArray[index].formDuration = 24;
+      }
+      else {
+        this.actionArray[index].durationExtension = 'h';
+        this.actionArray[index].formDuration = 720;
+      }
+    }
+    if (newExtension == 'forever') this.actionArray[index].formDuration = 'forever';
+    else if (this.actionArray[index].formDuration == 'forever') this.actionArray[index].formDuration = undefined;
   }
 
   sourceToArray(source: string) {
diff --git a/controlpanel/cad/src/app/pages/add-decoy/alert-action/alert-action.component.ts b/controlpanel/cad/src/app/pages/add-decoy/alert-action/alert-action.component.ts
@@ -135,20 +135,20 @@ export class AlertActionComponent implements OnInit, ValidateDecoyFormDeactivate
     if (!newActions) return;
     if (!this.decoy.detect) this.decoy.detect = { seek : { in: 'header' }};
     if (!this.decoy.detect.alert) this.decoy.detect.alert = { severity: this.alertForm.get('severity')?.value };
-    this.decoy.detect.respond = newActions.map(({ delayExtension, delay, durationExtension, duration, ...rest }) => {
+    this.decoy.detect.respond = newActions.map(({ delayExtension, delay, durationExtension, formDuration, ...rest }) => {
       let newDelay = '';
       let newDuration = '';
       let newRespond: RespondType = rest;
       if (delayExtension !== 'now' && delayExtension !== undefined && delay !== undefined) {
         newDelay = delay + delayExtension;
       } else newDelay = 'now'
-      if (durationExtension !== 'forever' && durationExtension !== undefined && duration !== undefined) {
-        newDuration = duration + durationExtension;
+      if (durationExtension !== 'forever' && durationExtension !== undefined && formDuration !== undefined) {
+        newDuration = formDuration + durationExtension;
       } else newDuration = 'forever'
       if (delay !== undefined) {
         newRespond.delay = newDelay as DelayType;
       }
-      if (duration !== undefined) {
+      if (formDuration !== undefined) {
         newRespond.duration = newDuration as DurationType;
       }
       return newRespond;
diff --git a/proxy/wasm/alert/alert.go b/proxy/wasm/alert/alert.go
@@ -156,6 +156,14 @@ func SetAlertAction(alerts []AlertParam, config config_parser.ConfigType, header
         }
         if respondItem.Duration != "" {
           updateBlocklistItem["Duration"] = respondItem.Duration
+        } else {
+          if (strings.Contains(respondItem.Source, "userAgent")) {
+            updateBlocklistItem["Duration"] = "720h"
+          } else if (strings.Contains(respondItem.Source, "ip")) {
+            updateBlocklistItem["Duration"] = "48h"
+          } else if (strings.Contains(respondItem.Source, "session")) {
+            updateBlocklistItem["Duration"] = "24h"
+          }
         }
         updateBlocklistItem["Time"] = strconv.Itoa(int(time.Now().Unix()))
         if updateBlocklistItem["Behavior"] == "throttle" {
diff --git a/proxy/wasm/cloud-active-defense.wasm b/proxy/wasm/cloud-active-defense.wasm
