Merge pull request #1274 from wallarm/feature/docs-2434-tcp-traffic-m…

…irror-analysis add the docs on tcp traffic mirror analysis
wallarm · Aug 22, 2024 · 895b0fe · 895b0fe
2 parents 4b005d7 + 84f1691
commit 895b0fe
Show file tree

Hide file tree

Showing 53 changed files with 761 additions and 58 deletions.
diff --git a/docs/4.10/installation/api-gateways/layer7-api-gateway.md b/docs/4.10/installation/api-gateways/layer7-api-gateway.md
@@ -17,7 +17,7 @@ Among all supported [Wallarm deployment options](../supported-deployment-options
 
 ## Limitations
 
-The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#advantages-and-limitations).
+The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#limitations).
 
 ## Requirements
 

diff --git a/docs/4.10/installation/cloud-platforms/aws/ami.md b/docs/4.10/installation/cloud-platforms/aws/ami.md
@@ -22,7 +22,7 @@
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../../oob/overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [inline-docs]:                      ../../inline/overview.md
 [oob-docs]:                         ../../oob/overview.md

diff --git a/docs/4.10/installation/cloud-platforms/gcp/machine-image.md b/docs/4.10/installation/cloud-platforms/gcp/machine-image.md
@@ -18,7 +18,7 @@
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../../oob/overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [inline-docs]:                      ../../inline/overview.md
 [oob-docs]:                         ../../oob/overview.md

diff --git a/docs/4.10/installation/nginx/all-in-one.md b/docs/4.10/installation/nginx/all-in-one.md
@@ -25,7 +25,7 @@
 [platform]:                         ../supported-deployment-options.md
 [inline-docs]:                      ../inline/overview.md
 [oob-docs]:                         ../oob/overview.md
-[oob-advantages-limitations]:       ../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../oob/overview.md#limitations
 [web-server-mirroring-examples]:    ../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring
 [img-grouped-nodes]:                ../../images/user-guides/nodes/grouped-nodes.png
 [wallarm-token-types]:              ../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation

diff --git a/docs/4.10/installation/oob/ebpf/deployment.md b/docs/4.10/installation/oob/ebpf/deployment.md
@@ -198,12 +198,14 @@ To test that the Wallarm eBPF operates correctly:
 
 ## Limitations
 
-* The solution does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow.
+* Due to its out-of-band (OOB) operation, which analyzes traffic independently from actual flow, the solution has several inherent limitations:
 
-    Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../..//user-guides/events/analyze-attack.md).
+    * It does not instantly block malicious requests. Wallarm only observes attacks and provides you with the [details in Wallarm Console](../../../user-guides/events/analyze-attack.md).
+    * [Rate limiting](../../../user-guides/rules/rate-limiting.md) is not supported as it is impossible to limit load on target servers.
+    * [Filtering by IP addresses](../../../user-guides/ip-lists/overview.md) is not supported.
 * As server response bodies are not mirrored:
 
-    * Vulnerability detection based on [passive detection](../../../about-wallarm/detecting-vulnerabilities.md#passive-detection) is not supported
-    * Displaying API endpoint [response structure in API Discovery](../../../api-discovery/exploring.md#endpoint-details) is not supported
+    * Vulnerability detection based on [passive detection](../../../about-wallarm/detecting-vulnerabilities.md#passive-detection) is not supported.
+    * Displaying API endpoint [response structure in API Discovery](../../../api-discovery/exploring.md#endpoint-details) is not supported.
 
 * While the solution is in beta, not all Kubernetes resources can be mirrored effectively. Therefore, we recommend enabling traffic mirroring specifically for NGINX Ingress controllers, Kong Ingress controllers, or regular NGINX servers in Kubernetes.
diff --git a/docs/4.10/installation/oob/overview.md b/docs/4.10/installation/oob/overview.md
@@ -18,29 +18,29 @@ The diagram below provides a visual representation of the general traffic flow i
 
 ![OOB scheme](../../images/waf-installation/oob/wallarm-oob-deployment-scheme.png)
 
-## Advantages and limitations
+## Advantages
 
 The OOB approach to the Wallarm deployment offers several advantages over other deployment methods, such as in-line deployments:
 
 * It does not introduce latency or other performance issues that can occur when the security solution operates in-line with the primary data path. 
 * It provides flexibility and ease of deployment, as the solution can be added or removed from the network without affecting the primary data path.
 
-Despite the OOB deployment approach safety, it has some limitations:
+## Limitations
 
-* Wallarm does not instantly block malicious requests since traffic analysis proceeds irrespective of actual traffic flow.
+Despite the OOB deployment approach safety, it has some limitations. The table below details the limitations associated with various deployment options:
 
-    Wallarm only observes attacks and provides you with the [details in Wallarm Console](../..//user-guides/events/analyze-attack.md).
-* Vulnerability discovery using the [passive detection](../../about-wallarm/detecting-vulnerabilities.md#passive-detection) method does not function properly. The solution determines if an API is vulnerable or not based on server responses to malicious requests that are typical for the vulnerabilities it tests.
-* The [Wallarm API Discovery](../../api-discovery/overview.md) does not explore API inventory based on your traffic as server responses required for the module operation are not mirrored.
-
-    An exception is the [eBPF](ebpf/deployment.md) solution, which conducts API inventory discovery by analyzing response codes.
-* The [protection against forced browsing](../../admin-en/configuration-guides/protecting-against-bruteforce.md) is not available since it requires response code analysis which is currently not feasible.
-    
-    An exception is the [eBPF](ebpf/deployment.md) solution, which analyzes response codes, making it suitable for this purpose.
+| Feature | [eBPF](ebpf/deployment.md) | | [Web server mirror](web-server-mirroring/overview.md) |
+| --- | --- | --- | --- | 
+| Instant blocking of malicious requests | - | - |
+| Vulnerability discovery using the [passive detection](../../about-wallarm/detecting-vulnerabilities.md#passive-detection) | - | - |
+| [API Discovery](../../api-discovery/overview.md) | + (excludes response structure) | - |
+| [Protection against forced browsing](../../admin-en/configuration-guides/protecting-against-bruteforce.md) | + | - |
+| [Rate limiting](../../user-guides/rules/rate-limiting.md) | - | - |
+| [IP lists](../../user-guides/ip-lists/overview.md) | - | - |
 
 ## Supported deployment options
 
 Wallarm offers the following Out-of-Band (OOB) deployment options:
 
-* Many available Wallarm artifacts can be used to [deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc.](web-server-mirroring/overview.md) These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions.
 * [eBPF-based solution](ebpf/deployment.md)
+* Many available Wallarm artifacts can be used to [deploy Wallarm for analyzing traffic mirrored by services like NGINX, Envoy, Istio, etc.](web-server-mirroring/overview.md) These services typically offer built-in features for traffic mirroring, and Wallarm artifacts are well-suited for analyzing traffic mirrored by such solutions.
diff --git a/docs/4.10/installation/oob/web-server-mirroring/aws-ami.md b/docs/4.10/installation/oob/web-server-mirroring/aws-ami.md
@@ -27,7 +27,7 @@ search:
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [wallarm-api-via-proxy]:            ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md
 [img-grouped-nodes]:                ../../../images/user-guides/nodes/grouped-nodes.png

diff --git a/docs/4.10/installation/oob/web-server-mirroring/docker-image.md b/docs/4.10/installation/oob/web-server-mirroring/docker-image.md
@@ -23,7 +23,7 @@ search:
 [api-token]:                        ../../../user-guides/settings/api-tokens.md
 [wallarm-token-types]:              ../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation
 [platform]:                         ../../supported-deployment-options.md
-[oob-advantages-limitations]:       ../overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../overview.md#limitations
 [web-server-mirroring-examples]:    overview.md#configuration-examples-for-traffic-mirroring
 [memory-instr]:                     ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [ip-lists-docs]:                    ../../../user-guides/ip-lists/overview.md

diff --git a/docs/4.10/installation/oob/web-server-mirroring/gcp-machine-image.md b/docs/4.10/installation/oob/web-server-mirroring/gcp-machine-image.md
@@ -22,7 +22,7 @@ search:
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [wallarm-api-via-proxy]:            ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md
 [img-grouped-nodes]:                ../../../images/user-guides/nodes/grouped-nodes.png

diff --git a/docs/4.10/installation/oob/web-server-mirroring/linux/all-in-one.md b/docs/4.10/installation/oob/web-server-mirroring/linux/all-in-one.md
@@ -31,7 +31,7 @@ search:
 [img-grouped-nodes]:                ../../../../images/user-guides/nodes/grouped-nodes.png
 [wallarm-token-types]:              ../../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation
 [ip-lists-docs]:                    ../../../../user-guides/ip-lists/overview.md
-[oob-advantages-limitations]:       ../../../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../../../oob/overview.md#limitations
 [web-server-mirroring-examples]:    ../../../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring
 [download-aio-step]:                #step-3-download-all-in-one-wallarm-installer
 [enable-traffic-analysis-step]:     #step-5-enable-wallarm-node-to-analyze-traffic

diff --git a/docs/4.10/installation/packages/aws-ami.md b/docs/4.10/installation/packages/aws-ami.md
@@ -27,7 +27,7 @@ search:
 [allocate-memory-docs]:             ../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../oob/overview.md#limitations
 [wallarm-mode]:                     ../../admin-en/configure-wallarm-mode.md
 [inline-docs]:                      ../inline/overview.md
 [oob-docs]:                         ../oob/overview.md

diff --git a/docs/4.10/installation/packages/gcp-machine-image.md b/docs/4.10/installation/packages/gcp-machine-image.md
@@ -22,7 +22,7 @@ search:
 [allocate-memory-docs]:             ../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../oob/overview.md#limitations
 [wallarm-mode]:                     ../../admin-en/configure-wallarm-mode.md
 [inline-docs]:                      ../inline/overview.md
 [oob-docs]:                         ../oob/overview.md

diff --git a/docs/5.0/installation/nginx/all-in-one.md b/docs/5.0/installation/nginx/all-in-one.md
@@ -24,7 +24,7 @@
 [api-token]:                        ../../user-guides/settings/api-tokens.md
 [platform]:                         ../supported-deployment-options.md
 [oob-docs]:                         ../oob/overview.md
-[oob-advantages-limitations]:       ../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../oob/overview.md#limitations
 [web-server-mirroring-examples]:    ../oob/web-server-mirroring/overview.md#configuration-examples-for-traffic-mirroring
 [img-grouped-nodes]:                ../../images/user-guides/nodes/grouped-nodes.png
 [wallarm-token-types]:              ../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation

diff --git a/docs/5.0/installation/oob/tcp-traffic-mirror/configuration.md b/docs/5.0/installation/oob/tcp-traffic-mirror/configuration.md
@@ -0,0 +1 @@
+--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md"
diff --git a/docs/5.0/installation/oob/tcp-traffic-mirror/deployment.md b/docs/5.0/installation/oob/tcp-traffic-mirror/deployment.md
@@ -0,0 +1 @@
+--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md"
diff --git a/docs/5.0/installation/oob/web-server-mirroring/aws-ami.md b/docs/5.0/installation/oob/web-server-mirroring/aws-ami.md
@@ -27,7 +27,7 @@ search:
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [wallarm-api-via-proxy]:            ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md
 [img-grouped-nodes]:                ../../../images/user-guides/nodes/grouped-nodes.png

diff --git a/docs/5.0/installation/oob/web-server-mirroring/docker-image.md b/docs/5.0/installation/oob/web-server-mirroring/docker-image.md
@@ -23,7 +23,7 @@ search:
 [api-token]:                        ../../../user-guides/settings/api-tokens.md
 [wallarm-token-types]:              ../../../user-guides/nodes/nodes.md#api-and-node-tokens-for-node-creation
 [platform]:                         ../../supported-deployment-options.md
-[oob-advantages-limitations]:       ../overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../overview.md#limitations
 [web-server-mirroring-examples]:    overview.md#configuration-examples-for-traffic-mirroring
 [memory-instr]:                     ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [ip-lists-docs]:                    ../../../user-guides/ip-lists/overview.md

diff --git a/docs/5.0/installation/oob/web-server-mirroring/gcp-machine-image.md b/docs/5.0/installation/oob/web-server-mirroring/gcp-machine-image.md
@@ -22,7 +22,7 @@ search:
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [wallarm-api-via-proxy]:            ../../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md
 [img-grouped-nodes]:                ../../../images/user-guides/nodes/grouped-nodes.png

diff --git a/docs/5.0/installation/packages/aws-ami.md b/docs/5.0/installation/packages/aws-ami.md
@@ -27,7 +27,7 @@ search:
 [allocate-memory-docs]:             ../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../oob/overview.md#limitations
 [wallarm-mode]:                     ../../admin-en/configure-wallarm-mode.md
 [oob-docs]:                         ../oob/overview.md
 [wallarm-api-via-proxy]:            ../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md

diff --git a/docs/5.0/installation/packages/gcp-machine-image.md b/docs/5.0/installation/packages/gcp-machine-image.md
@@ -22,7 +22,7 @@ search:
 [allocate-memory-docs]:             ../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../oob/overview.md#limitations
 [wallarm-mode]:                     ../../admin-en/configure-wallarm-mode.md
 [oob-docs]:                         ../oob/overview.md
 [wallarm-api-via-proxy]:            ../../admin-en/configuration-guides/access-to-wallarm-api-via-proxy.md

diff --git a/docs/5.0/installation/supported-deployment-options.md b/docs/5.0/installation/supported-deployment-options.md
@@ -474,6 +474,12 @@ Wallarm supports many deployment options enabling you to seamlessly integrate th
             <p>Out-of-band deployment on Kubernetes using the eBPF technology</p>
         </a>
 
+        <a class="do-card" href="../../installation/oob/tcp-traffic-mirror/deployment/">
+            <img class="non-zoomable" src="../../images/platform-icons/tcp-mirror-analysis.svg" />
+            <h3>TCP Traffic Mirror Analysis</h3>
+            <p>Out-of-band deployment for TCP traffic mirror analysis</p>
+        </a>
+
         <div id="mirroring-by-web-servers" class="do-card">
             <img class="non-zoomable" src="../../images/platform-icons/web-server-mirroring.svg" />
             <h3>Mirroring by NGINX, Envoy and similar</h3>

diff --git a/docs/ar/installation/oob/tcp-traffic-mirror/configuration.md b/docs/ar/installation/oob/tcp-traffic-mirror/configuration.md
@@ -0,0 +1 @@
+--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md"
diff --git a/docs/ar/installation/oob/tcp-traffic-mirror/deployment.md b/docs/ar/installation/oob/tcp-traffic-mirror/deployment.md
@@ -0,0 +1 @@
+--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md"
diff --git a/docs/ja/installation/oob/tcp-traffic-mirror/configuration.md b/docs/ja/installation/oob/tcp-traffic-mirror/configuration.md
@@ -0,0 +1 @@
+--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md"
diff --git a/docs/ja/installation/oob/tcp-traffic-mirror/deployment.md b/docs/ja/installation/oob/tcp-traffic-mirror/deployment.md
@@ -0,0 +1 @@
+--8<-- "latest/installation/oob/tcp-traffic-mirror/deployment.md"
diff --git a/docs/latest/admin-en/configure-logging.md b/docs/latest/admin-en/configure-logging.md
@@ -14,6 +14,7 @@ Log files are located within the `/opt/wallarm/var/log/wallarm` directory. Here
 * `appstructure-out.log` (only in the Docker containers): the log of the [API Discovery](../api-discovery/overview.md) module activity.
 * `tarantool-out.log`: the log of the postanalytics module operations.
 * `wcli-out.log`: logs of most Wallarm services, including brute force detection, attack export to the Cloud, and the status of node synchronization with the Cloud, etc.
+* `go-node.log`: TCP traffic reassembling logs (only for the [TCP traffic mirror analysis deployment](../installation/oob/tcp-traffic-mirror/configuration.md)).
 
 ##  Configuring Extended Logging for the NGINX‑Based Filter Node
 

diff --git a/docs/latest/installation/api-gateways/layer7-api-gateway.md b/docs/latest/installation/api-gateways/layer7-api-gateway.md
@@ -17,7 +17,7 @@ Among all supported [Wallarm deployment options](../supported-deployment-options
 
 ## Limitations
 
-The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#advantages-and-limitations).
+The Layer7 API Gateways integration supports only the out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided [link](../oob/overview.md#limitations).
 
 ## Requirements
 

diff --git a/docs/latest/installation/cloud-platforms/aws/ami.md b/docs/latest/installation/cloud-platforms/aws/ami.md
@@ -22,7 +22,7 @@
 [allocate-memory-docs]:             ../../../admin-en/configuration-guides/allocate-resources-for-node.md
 [limiting-request-processing]:      ../../../user-guides/rules/configure-overlimit-res-detection.md
 [logs-docs]:                        ../../../admin-en/configure-logging.md
-[oob-advantages-limitations]:       ../../oob/overview.md#advantages-and-limitations
+[oob-advantages-limitations]:       ../../oob/overview.md#limitations
 [wallarm-mode]:                     ../../../admin-en/configure-wallarm-mode.md
 [inline-docs]:                      ../../inline/overview.md
 [oob-docs]:                         ../../oob/overview.md
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		--8<-- "latest/installation/oob/tcp-traffic-mirror/configuration.md"