Question

What is the best way to survey and detect bad user behavior or attacks like denial of service or exploits on my web app?

I know server statistics (like Awstats) are very useful for that kind of purpose, especially to see 3XX, 4XX and 5XX errors (here's an Awstats example page), which are often bots or ill-intentioned users that try well-known bad or malformed URLs.

Are there other (and better) ways to analyze and detect that kind of attack attempt?

Note: I'm speaking about URL-based attacks, not attacks on server components (like the database or TCP/IP).


Solution

Log everything. Then examine the logs by hand, and find things that are uninteresting and write a parser that discards those log entries. Once you've done that, rinse and repeat until you're left with just the interesting things. Now that you have only interesting log entries to read, decide which ones are dangerous and which ones are harmless but annoying, and fix as appropriate.

OTHER TIPS

If you have the budget, go with a Web Application Firewall (WAF). These are built specifically for recognizing and blocking application-layer attacks. There are also some cheap WAFs, even an open-source one or two.

Note however that you should still practice secure coding etc; a WAF is great for defense in depth, and temporary virtual patching.

I usually write my own log analyzer, which tries to follow the events that usually happen when the navigation is done by something NOT human. Like:
Direct access to pages with unknown URLs or parameters
Feedback forms loaded, filled in and posted in less than, say, 10 seconds
Wrong referrer sequences
HTML or "critical" character sequences in posted fields
And so on...

First you have to say what is or is not a potential exploit; sometimes a URL may be a valid request and sometimes it may be an XSS attack. A lot of traffic may be a DDoS or it may be the result of being mentioned in a Slashdot article.

Next, you can view logs for various types of attack, such as DDoS, which you'll want to check using IP tools (as a lot of DDoS attacks are made on non-web ports, such as SYN floods).

Then you want to install mod_security and set up some rules for it (you can find a lot of pre-defined rulesets on the web). This reads the request and parses it for common or known attacks (such as URLs that contain SQL- or HTML-type text).
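The three log-based suggestions above (the accepted answer's "discard what you know is harmless, then classify the rest", the hand-written analyzer's checks for unknown URLs, too-fast form posts, wrong referrers and "critical" characters, and this answer's flood check) can be combined in one small analyzer. The code below is an added example written for this page, not code from any of the answerers; it assumes Apache/nginx combined log format, a constructed allowlist of routes, a constructed list of suspicious character sequences, and thresholds (10 seconds per form, 20 requests per minute) chosen for the demo. The sample log lines are constructed inline so it runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; each named group is one field of the line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Routes the application really serves (assumption: a small demo site).
KNOWN_ROUTES = {"/", "/about", "/contact", "/static/app.css"}
FORM_ROUTE = "/contact"
# Character sequences that rarely occur in legitimate parameters (constructed list).
CRITICAL_RE = re.compile(r"<script|%3cscript|\.\./|%2e%2e/|'\s*or\s|union\s+select", re.IGNORECASE)
MIN_FORM_SECONDS = 10          # a human needs at least this long to fill in the form
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20           # requests per window from one IP before we call it a flood


def parse_line(line):
    """Split one combined-format line into fields; returns None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["route"] = e["path"].split("?", 1)[0]
    return e


def is_uninteresting(e):
    """The 'discard what you already know is harmless' filter: clean hits on known routes."""
    return e["route"] in KNOWN_ROUTES and e["status"] < 400 and not CRITICAL_RE.search(e["path"])


def analyze(lines):
    """Return (kind, ip, detail) findings for everything that is not uninteresting."""
    findings = []
    last_form_get = {}            # ip -> time of that client's latest GET of the form
    per_ip = defaultdict(list)    # ip -> request times, for the flood check
    for line in lines:
        e = parse_line(line)
        if e is None:
            findings.append(("unparseable", None, line.strip()))
            continue
        per_ip[e["ip"]].append(e["ts"])
        # Sequence checks run on every line: a bot's form POST looks clean on its own.
        if e["method"] == "GET" and e["route"] == FORM_ROUTE:
            last_form_get[e["ip"]] = e["ts"]
        elif e["method"] == "POST" and e["route"] == FORM_ROUTE:
            got = last_form_get.get(e["ip"])
            if got is None or e["ts"] - got < timedelta(seconds=MIN_FORM_SECONDS):
                findings.append(("fast_form_post", e["ip"], e["path"]))
            if not e["referer"].endswith(FORM_ROUTE):
                findings.append(("bad_referer", e["ip"], e["referer"]))
        if is_uninteresting(e):
            continue
        if CRITICAL_RE.search(e["path"]):
            findings.append(("critical_chars", e["ip"], e["path"]))
        elif e["route"] not in KNOWN_ROUTES:
            findings.append(("unknown_path", e["ip"], e["path"]))
        else:
            findings.append(("error_on_known_route", e["ip"], f'{e["status"]} {e["path"]}'))
    # Flood check: any IP with more than BURST_THRESHOLD requests inside one sliding window.
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                findings.append(("burst", ip, f"{end - start + 1} requests in {BURST_WINDOW.seconds}s"))
                break
    return findings


def sample_lines():
    """Constructed log lines: two humans, one scanner, one form bot and one flooding client."""
    def line(ip, t, method, path, status, ref="-"):
        return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {path} HTTP/1.1" '
                f'{status} 512 "{ref}" "Mozilla/5.0"')
    t0 = datetime(2023, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    s = timedelta(seconds=1)
    lines = [
        line("10.0.0.5", t0, "GET", "/", 200),
        line("10.0.0.5", t0 + 1 * s, "GET", "/static/app.css", 200),
        line("10.0.0.5", t0 + 2 * s, "GET", "/contact", 200),
        line("10.0.0.5", t0 + 47 * s, "POST", "/contact", 302, "http://www.example.com/contact"),
        line("10.0.0.9", t0 + 60 * s, "GET", "/contact", 200),
        line("10.0.0.9", t0 + 63 * s, "POST", "/contact", 302, "http://www.example.com/contact"),
        line("10.0.0.9", t0 + 64 * s, "GET", "/wp-login.php", 404),
        line("10.0.0.7", t0 + 70 * s, "GET", "/about?q=%3Cscript%3Ealert(1)%3C/script%3E", 200),
        line("10.0.0.7", t0 + 71 * s, "GET", "/about", 500),
        "this line is not in combined format",
    ]
    lines += [line("10.0.0.13", t0 + 300 * s + i * s, "GET", "/", 200) for i in range(25)]
    return lines


if __name__ == "__main__":
    for kind, ip, detail in analyze(sample_lines()):
        print(f"{kind:22} {ip or '-':12} {detail}")
```

Run against a real access log by replacing `sample_lines()` with `open("access.log")`; the "rinse and repeat" step from the accepted answer is then just growing `KNOWN_ROUTES` and `is_uninteresting` until only findings worth reading remain. The burst check only sees HTTP-level floods, which matches the caveat above that SYN floods and other non-web-port attacks need IP-level tools.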

More for the network as a whole, but SATAN is very good

http://www.porcupine.org/satan/

SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow