Solved

modsec for IIS & Apache : what exactly is my colleagues  doing

Posted on 2013-11-14
3
251 Views
Last Modified: 2013-11-16
I've seen my colleagues sieving out lines of text containing
code "403" from Apache logs & then match it against a list
(or database) of signatures, then code certain type of rules
into modsec.conf & I think they have to restart IIS for the
newly created rules to take effect.  They repeated do the
above action daily.

Q1:
What exactly is the purpose of the above manual tasks & 
is there any way (or any tool out there) to automate the
above tasks so that modsec / modsecurity will automatically
block malicious attacks : are they're building rules that
checks the content of http/https to block out new patterns
of attacks (such as URL scan, data injection ?? or what
types of attacks) ?

Q2:
Is there an equivalent for IIS esp automated building
of rules & automatically effect the rules.  What my
colleagues are doing are too tedious

Q3:
What are some of the free mailing lists that actively
discuss & provide support for modsecurity for IIS
& Apache?
0
Comment
Question by:sunhux
  • 2
3 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 39648223
A1 more of concern is that it denies legitimate requests. You might want to use it to observe violations and adjust rules before rolling into production
A2 if tools are python/perl/tcl scripts you can make IIS emit NCSA log and they are all set
A3 have you tried modsecurity website?
0
 

Author Comment

by:sunhux
ID: 39648252
Following up on

Q2:
Do you have any sample Perl script that could do this &
make IIS emit NCSA log?  What's NCSA?

Q3:
I've tried the url / link below but it never send me an email
to subscribe to the mailing list:
  https://lists.sourceforge.net/lists/listinfo/mod-security-users
Is it still active?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 39649228
Q2:
Get to administering IIS, it is on first page, 3rd selectable log format.
Q3:
Your mailserver is broken, that list gets ~10 mails/day.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Single domain/site being blocked.... but why and where? 10 68
PCAnywhere 2 121
Problem to go to Web page 2 119
optimal method deal ransomware in files folders 9 119
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question