Subject: Re: IDS: access.log monitoring?
From: Randy Taylor (gnucharm.net)
Date: Tue Nov 21 2000 - 06:19:50 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
At 10:59 AM 11/20/00 +0100, Mike Blomgren wrote:

>Does anyone have experience from actively monitoring access.log, or the
>likes, for Webuser anomalies? I.e. if the webserver starts returning many
>'404 Unauthorized' messages, you might expect someone is trying to search
>site for vulnerable (non-existent) CGI's.
>
>This type of host based monitoring would be particularly interesting on
>webservers running ssl/https, since a network based IDS might have some
>trouble decrypting the requests... ;o)
>
>What else should one look for, other than 404's?

An interesting thing to look for is sustained browsing activity from one
IP address over a relatively short period of time. Something like Teleport Pro
will stand out like a sore thumb, but the human equivalent usually doesn't.
If someone drills down into your site(s), exploring many links, it can be
a precursor indicator of an attack. Information-gathering through non-malicious
means such as this is a good way to stage a preliminary assessment of
a target while staying "buried in the noise".

This can be extended to multiple IP addresses that are either related by
number (such as 192.168.1.x ), or by blocks (such as multiple Class C's
assigned to one ISP), or by geographic location.

A third analysis method is to associate otherwise unrelated but sustained
activity from multiple sources separated by either short periods of time,
or that are roughly concurrent. This can be an indicator of potential attackers
working together to assess a target.

Yes, I have witnessed successful attacks against sites that began using
these methods. I didn't discover the web activity until the post-mortem,
however. :(

Best regards,

Randy

-----
Assume it's razor wire and dress appropriately.
-- Harvey, Lord Randomfactor
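The three heuristics in the reply above (a single source drilling through many links in a short time, sources that cluster into the same address block, and otherwise unrelated sources that are active at roughly the same time), together with the 404 counting from the original question, can all be run over an ordinary Common Log Format access.log. The script below is an added example, not code from the list or its participants; the log lines, window sizes and thresholds are constructed for illustration and would need tuning against a real site's baseline.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access.log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2000:06:00:01 -0600] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [21/Nov/2000:06:00:02 -0600] "GET /about.html HTTP/1.0" 200 2210
10.0.0.5 - - [21/Nov/2000:06:00:03 -0600] "GET /products/ HTTP/1.0" 200 5120
10.0.0.5 - - [21/Nov/2000:06:00:04 -0600] "GET /products/a.html HTTP/1.0" 200 800
10.0.0.5 - - [21/Nov/2000:06:00:05 -0600] "GET /products/b.html HTTP/1.0" 200 812
10.0.0.5 - - [21/Nov/2000:06:00:06 -0600] "GET /contact.html HTTP/1.0" 200 300
192.168.1.10 - - [21/Nov/2000:06:00:10 -0600] "GET /cgi-bin/foo HTTP/1.0" 404 210
192.168.1.10 - - [21/Nov/2000:06:00:11 -0600] "GET /cgi-bin/bar HTTP/1.0" 404 210
192.168.1.11 - - [21/Nov/2000:06:00:12 -0600] "GET /cgi-bin/baz HTTP/1.0" 404 210
192.168.1.12 - - [21/Nov/2000:06:00:13 -0600] "GET /scripts/ HTTP/1.0" 404 210
172.16.0.9 - - [21/Nov/2000:06:45:00 -0600] "GET /index.html HTTP/1.0" 200 1043
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Parse CLF lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def status_counts_by_ip(entries, status=404):
    """Per-source count of a given status code (the original question's 404 check)."""
    counts = defaultdict(int)
    for e in entries:
        if e["status"] == status:
            counts[e["ip"]] += 1
    return dict(counts)


def sustained_sources(entries, window=timedelta(minutes=1), min_paths=5):
    """Heuristic 1: sources fetching >= min_paths distinct paths inside one window.

    Returns {ip: most distinct paths seen in any single window}.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's requests
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            paths = {e["path"] for e in evs[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = max(flagged.get(ip, 0), len(paths))
    return flagged


def sources_by_block(entries, prefix=24):
    """Heuristic 2: group sources into address blocks (/24 by default, IPv4 assumed)."""
    blocks = defaultdict(set)
    for e in entries:
        net = ipaddress.ip_network(f'{e["ip"]}/{prefix}', strict=False)
        blocks[str(net)].add(e["ip"])
    return {b: sorted(ips) for b, ips in blocks.items()}


def concurrent_sources(entries, window=timedelta(minutes=5), min_sources=2):
    """Heuristic 3: sources that were active while >= min_sources - 1 others were.

    Returns the sorted list of IPs that shared a window with enough other sources.
    """
    evs = sorted(entries, key=lambda e: e["ts"])
    result = set()
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        ips = {e["ip"] for e in evs[start:end + 1]}
        if len(ips) >= min_sources:
            result |= ips
    return sorted(result)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("404s by source:", status_counts_by_ip(log))
    print("sustained browsing:", sustained_sources(log))
    print("sources by /24:", sources_by_block(log))
    print("concurrent sources:", concurrent_sources(log))
```

On the constructed sample, 10.0.0.5 trips the sustained-browsing check (six distinct pages inside a minute) without producing a single 404, which is exactly the quiet reconnaissance the reply describes; the three 192.168.1.x hosts show up both as a /24 cluster and as concurrent with 10.0.0.5, while 172.16.0.9 forty-five minutes later is left alone. Thresholds here are arbitrary; set them from a few weeks of the site's own traffic so that search-engine crawlers and heavy legitimate users are not flagged every hour.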