views:

220

answers:

5

What is the best way to survey and detect bad user behavior or attacks like denial of service or exploits on my web app?

I know server statistics (like Awstats) are very useful for that kind of purpose, especially to see 3XX, 4XX and 5XX errors (here's an Awstats example page), which are often bots or ill-intentioned users trying well-known bad or malformed URLs.

Are there other (and better) ways to analyze and detect that kind of attack attempt?

Note: I'm speaking about URL-based attacks, not attacks on server components (like the database or TCP/IP).

+2  A: 

Log everything. Then examine the logs by hand, and find things that are uninteresting and write a parser that discards those log entries. Once you've done that, rinse and repeat until you're left with just the interesting things. Now that you have only interesting log entries to read, decide which ones are dangerous and which ones are harmless but annoying, and fix as appropriate.

Jeff Hubbard
That's indeed a good approach... It's time-consuming but perhaps the only way.
paulgreg
The good part about it is that you only have to go through the pain one time, and then it's reusable indefinitely.
Jeff Hubbard
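The iterative "discard what is uninteresting, read what survives" approach this answer describes, as an added Python example that is not part of the original answer. The log lines are constructed Apache combined-format samples, and the allowlist (`KNOWN_PATHS`, the favicon rule) is a hypothetical first pass of the kind you would grow over several rounds; whatever is not explicitly discarded is kept for a human to read.

```python
import re
from collections import Counter

# Constructed sample of Apache "combined" log lines (not from any real server).
# Includes one malformed line to show that unparseable input is kept, not dropped.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:55:37 +0200] "GET /static/style.css HTTP/1.1" 304 0 "http://example.org/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:13:56:01 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2009:13:56:02 +0200] "GET /../../etc/passwd HTTP/1.1" 400 300 "-" "ZmEu"
203.0.113.9 - - [10/Oct/2009:13:57:10 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:58:44 +0200] "POST /login HTTP/1.1" 500 1024 "http://example.org/login" "Mozilla/5.0"
not a log line
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist built after reading the logs by hand once:
# paths the application really serves, plus a static-asset prefix.
KNOWN_PATHS = {"/", "/index.html", "/login", "/products"}


def parse_line(line):
    """Return a dict of fields for a well-formed combined-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_uninteresting(e):
    """Predicates for traffic already examined and judged harmless.
    Each round of review adds more of these; everything else survives."""
    path = e["path"].split("?", 1)[0]  # compare without the query string
    if e["status"] in (200, 304) and (path in KNOWN_PATHS or path.startswith("/static/")):
        return True
    if e["status"] == 404 and path == "/favicon.ico":  # harmless but noisy
        return True
    return False


def triage(log_text):
    """Discard known-uninteresting entries; return the rest for a human to read."""
    interesting = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            # A line the parser cannot read is interesting by definition.
            interesting.append({"raw": line, "ip": "?", "status": None})
            continue
        if not is_uninteresting(e):
            interesting.append(e)
    return interesting


def by_client(entries):
    """Count surviving entries per client IP, which makes scanners stand out."""
    return Counter(e["ip"] for e in entries)


if __name__ == "__main__":
    survivors = triage(SAMPLE_LOG)
    for e in survivors:
        print(e.get("ip"), e.get("status"), e.get("path", e.get("raw")))
    print(by_client(survivors))
```

Run it once, read what comes out, add a predicate for anything that turns out to be harmless, and run it again; the allowlist is the reusable part the answer refers to.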
A: 

More network as a whole, but SATAN is very good.

http://www.porcupine.org/satan/

SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.

Paul Whelan
+1  A: 
Axeman
+1  A: 

First you have to say what is or is not a potential exploit; sometimes a URL may be a valid request and sometimes it may be an XSS attack. A lot of traffic may be a DDoS, or it may be the result of being mentioned in a Slashdot article.

Next, you can view logs for various types of attack - such as DDoS, which you'll want to check using IP tools (as a lot of DDoS attacks are made on non-web ports, such as SYN floods).

Then you want to install mod_security and set up some rules for it (you can find a lot of pre-defined rulesets on the web). This reads the request and parses it for common or known attacks (such as URLs that contain SQL- or HTML-type text).

gbjbaanb
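What a request-inspecting rule set of the mod_security kind actually does to a URL, as an added Python example that is not mod_security's code or its rule language: percent-decode the request (repeatedly, so double-encoded payloads are seen), then match it against a small list of hypothetical signatures for SQL, HTML and path-traversal text. The sample URLs are constructed. The last one is a benign search for "union station" that trips the SQL rule, which is the ambiguity the answer's first paragraph warns about: a signature tells you what a URL looks like, not what it is.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical rule set: (rule id, compiled pattern). Real rulesets are far larger
# and score rules rather than treating every hit as equal.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.{0,50}\bselect\b", re.I)),
    ("sqli-quote-logic", re.compile(r"'\s*(?:or|and)\s+['\d]", re.I)),
    ("xss-tag", re.compile(r"<\s*(?:script|img|iframe|svg)\b", re.I)),
    ("xss-event", re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
]


def decode_url(url, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    %253C -> %3C -> < is matched as '<'. One round alone misses double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def scan_url(url, max_rounds=3):
    """Return the ids of all rules the decoded URL matches, in rule order."""
    text = decode_url(url, max_rounds)
    return [rule_id for rule_id, pattern in RULES if pattern.search(text)]


def scan_requests(urls):
    """Map each URL to its matched rule ids; empty list means no signature fired."""
    return {url: scan_url(url) for url in urls}


# Constructed sample requests (not taken from any real log).
SAMPLE_URLS = [
    "/products?id=5",
    "/products?id=5%20UNION%20SELECT%20password%20FROM%20users",
    "/search?q=%253Cscript%253Ealert(1)%253C/script%253E",   # double-encoded
    "/login?user=admin'%20OR%20'1'%3D'1",
    "/page?x=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
    "/download?file=..%2F..%2Fetc%2Fpasswd",
    "/search?q=union+station+select+dates",                 # benign, still flagged
]

if __name__ == "__main__":
    for url, hits in scan_requests(SAMPLE_URLS).items():
        print(f"{hits or ['-']!s:40} {url}")
```

The `max_rounds=1` case in the test shows the evasion that a decode-once matcher misses; the benign search hit shows why a rule engine's output is something to review and tune, not to block on blindly.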
+1  A: 

If you have the budget, go with a Web Application Firewall (WAF). These are built specifically for recognizing and blocking application-layer attacks. There are also some cheap WAFs, even an open-source one or two.

Note however that you should still practice secure coding etc; a WAF is great for defense in depth, and temporary virtual patching.

AviD