What is the best way to survey and detect bad user behavior or attacks like denial of service or exploits on my web app?
I know server statistics (like Awstats) are very useful for that kind of purpose, especially to see 3XX, 4XX and 5XX errors (here's an Awstats example page), which are often bots or ill-intentioned users that try well-known bad or malformed URLs.
Are there other (and better) ways to analyze and detect that kind of attack attempt?
Note: I'm speaking about URL-based attacks, not attacks on server components (like the database or TCP/IP).
5 solutions
#1
3
Log everything. Then examine the logs by hand, and find things that are uninteresting and write a parser that discards those log entries. Once you've done that, rinse and repeat until you're left with just the interesting things. Now that you have only interesting log entries to read, decide which ones are dangerous and which ones are harmless but annoying, and fix as appropriate.
#2
2
If you have the budget, go with a Web Application Firewall (WAF). These are built specifically for recognizing and blocking application-layer attacks. There are also some cheap WAFs, even an open-source one or two.
Note however that you should still practice secure coding, etc.; a WAF is great for defense in depth and temporary virtual patching.
#3
1
I usually write my own log analyzer, which tries to follow the events that usually happen when the navigation is done by something NOT human. Like:
- Direct access to pages with unknown URLs or parameters
- Feedback forms loaded, compiled and posted in less than, say, 10 seconds
- Wrong referrer sequences
- HTML or "critical" character sequences in posted fields
- And so on...
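An added example (not code from any of the answers) that combines answer #1's approach of parsing out the uninteresting entries with answer #3's non-human-navigation heuristics, run over a constructed Apache combined-format log. KNOWN_PATHS, OWN_HOST, the BORING patterns and the 10-second threshold are assumptions for the demo; posted field contents are not in an access log, so the HTML-character check is applied to the request URL instead.

```python
import re
from datetime import datetime
# Constructed sample in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.css HTTP/1.1" 200 512 "http://example.test/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /contact HTTP/1.1" 200 1024 "http://example.test/index.html" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /contact HTTP/1.1" 302 0 "http://example.test/contact" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /contact?name=<script>alert(1)</script> HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:58:00 +0000] "POST /contact HTTP/1.1" 302 0 "http://evil.test/" "Mozilla/5.0"
"""
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
KNOWN_PATHS = {"/index.html", "/contact"}       # routes the app really serves (assumed)
BORING = [re.compile(r"^/static/")]             # known noise to discard (answer #1)
HTML_CHARS = re.compile(r"[<>]|%3c|%3e", re.I)  # "critical" sequences (answer #3)
OWN_HOST = "example.test"                       # referrers not from here are suspect
def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def analyze(log_text):
    """Return (ip, reason) findings in log order, after discarding boring entries."""
    findings, form_loaded = [], {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or any(p.search(rec["path"]) for p in BORING):
            continue                           # uninteresting: drop and move on
        path = rec["path"].split("?", 1)[0]
        if path not in KNOWN_PATHS and rec["status"] == 404:
            findings.append((rec["ip"], f"probe of unknown URL {path}"))
        if HTML_CHARS.search(rec["path"]):
            findings.append((rec["ip"], "HTML characters in request URL"))
        if rec["method"] == "GET" and path == "/contact":
            form_loaded[rec["ip"]] = rec["ts"]   # remember when the form was loaded
        elif rec["method"] == "POST" and path == "/contact":
            loaded = form_loaded.get(rec["ip"])
            if loaded and (rec["ts"] - loaded).total_seconds() < 10:
                findings.append((rec["ip"], "form posted <10s after load"))
            if OWN_HOST not in rec["ref"]:
                findings.append((rec["ip"], f"unexpected referrer {rec['ref']!r}"))
    return findings
```

Each pass over a real log will surface new "uninteresting" patterns to add to BORING, which is the rinse-and-repeat loop answer #1 describes.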
#4
1
First you have to say what is or is not a potential exploit; sometimes a URL may be a valid request and sometimes it may be an XSS attack. A lot of traffic may be a DDoS, or it may be the result of being mentioned in a Slashdot article.
Next, you can view logs for various types of attack, such as DDoS, which you'll want to check using IP tools (as a lot of DDoS attacks are made on non-web ports, such as SYN floods).
Then you want to install mod_security and set up some rules for it (you can find a lot of pre-defined rulesets on the web). This reads the request and parses it for common or known attacks (such as URLs that contain SQL or HTML type text).
#5
0
More for the network as a whole, but SATAN is very good:
http://www.porcupine.org/satan/
SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.