tags:

views:

220

answers:

5
+1  Q: 

What's the best way to detect web applications attacks ?

What is the best way to survey and detect bad users behavior or attacks like deny of services or exploits on my web app ?

I know server's statistics (like Awstats) are very useful for that kind of purpose, specially to see 3XX, 4XX and 5XX errors (here's an Awstats example page) which are often bots or bad intentioned users that try well-known bad or malformed URLs.

Is there others (and betters) ways to analyze and detect that kind of attack tentative ?

Note : I'm speaking about URL based attacks, not attacks on server's component (like database or TCP/IP).

+2  A: 

Log everything. Then examine the logs by hand, and find things that are uninteresting and write a parser that discards those log entries. Once you've done that, rinse and repeat until you're left with just the interesting things. Now that you have only interesting log entries to read, decide which ones are dangerous and which ones are harmless but annoying, and fix as appropriate.

Jeff Hubbard  2008-09-26 09:30:02
That's indeed a good approach... It's time consuming but peharps the only way.
paulgreg  2008-09-26 09:34:36
The good part about it is that you only have to go through the pain one time, and then it's reusable indefinitely.
Jeff Hubbard  2008-09-26 09:37:24
A: 

More network as a whole but SATAN is very good

http://www.porcupine.org/satan/

SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.

Paul Whelan  2008-09-26 09:31:52
+1  A: 
Axeman  2008-09-26 09:36:55
+1  A: 

First you have to say what is or is not a potential exploit, sometimes a url may be a valid request and sometimes it may be a XSS attack. A lot of traffic may be a DDoS or it may be a result of being mentioned on a slashdot article.

Next, you can view logs for various types of attack - such as DDoS, which you'll want to check using IP tools (as a lot of DDoS attacks are made on non-web ports, such as SYN floods).

Then you want to install mod_security and set up some rules for it (you can find a lot of pre-defined rulesets on the web). This reads the request and parses it for common or known attacks (such as urls that contain sql or html type text).

gbjbaanb  2008-09-26 09:44:23
+1  A: 

If you have the budget, go with a Web Application Firewall (WAF). These are built specifically for recognizing and blocking application-layer attacks. There are also some cheap WAFs, even an open-source one or two.

Note however that you should still practice secure coding etc; a WAF is great for defense in depth, and temporary virtual patching.

AviD  2008-09-26 13:11:02

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security