Solved

modsec for IIS & Apache : what exactly is my colleagues  doing

Posted on 2013-11-14
3
254 Views
Last Modified: 2013-11-16
I've seen my colleagues sieving out lines of text containing
code "403" from Apache logs & then match it against a list
(or database) of signatures, then code certain type of rules
into modsec.conf & I think they have to restart IIS for the
newly created rules to take effect.  They repeated do the
above action daily.

Q1:
What exactly is the purpose of the above manual tasks & 
is there any way (or any tool out there) to automate the
above tasks so that modsec / modsecurity will automatically
block malicious attacks : are they're building rules that
checks the content of http/https to block out new patterns
of attacks (such as URL scan, data injection ?? or what
types of attacks) ?

Q2:
Is there an equivalent for IIS esp automated building
of rules & automatically effect the rules.  What my
colleagues are doing are too tedious

Q3:
What are some of the free mailing lists that actively
discuss & provide support for modsecurity for IIS
& Apache?
0
Comment
Question by:sunhux
  • 2
3 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 39648223
A1 more of concern is that it denies legitimate requests. You might want to use it to observe violations and adjust rules before rolling into production
A2 if tools are python/perl/tcl scripts you can make IIS emit NCSA log and they are all set
A3 have you tried modsecurity website?
0
 

Author Comment

by:sunhux
ID: 39648252
Following up on

Q2:
Do you have any sample Perl script that could do this &
make IIS emit NCSA log?  What's NCSA?

Q3:
I've tried the url / link below but it never send me an email
to subscribe to the mailing list:
  https://lists.sourceforge.net/lists/listinfo/mod-security-users
Is it still active?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 39649228
Q2:
Get to administering IIS, it is on first page, 3rd selectable log format.
Q3:
Your mailserver is broken, that list gets ~10 mails/day.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question