Solved

modsec for IIS & Apache : what exactly are my colleagues doing

Posted on 2013-11-14
Last Modified: 2013-11-16
I've seen my colleagues sieving out lines of text containing
code "403" from Apache logs & then matching them against a list
(or database) of signatures, then coding certain types of rules
into modsec.conf & I think they have to restart IIS for the
newly created rules to take effect.  They repeatedly do the
above action daily.

Q1:
What exactly is the purpose of the above manual tasks &
is there any way (or any tool out there) to automate the
above tasks so that modsec / modsecurity will automatically
block malicious attacks : are they building rules that
check the content of http/https to block out new patterns
of attacks (such as URL scan, data injection ?? or what
types of attacks) ?

Q2:
Is there an equivalent for IIS, esp. automated building
of rules & automatically effect the rules?  What my
colleagues are doing is too tedious.

Q3:
What are some of the free mailing lists that actively
discuss & provide support for modsecurity for IIS
& Apache?
Question by:sunhux

Accepted Solution

by:
gheist earned 500 total points
ID: 39648223
A1: More of a concern is that it denies legitimate requests. You might want to use it to observe violations and adjust rules before rolling into production.
A2: If the tools are Python/Perl/Tcl scripts, you can make IIS emit NCSA logs and they are all set.
A3: Have you tried the modsecurity website?
 

Author Comment

by:sunhux
ID: 39648252
Following up on

Q2:
Do you have any sample Perl script that could do this &
make IIS emit NCSA log?  What's NCSA?

Q3:
I've tried the URL / link below but it never sent me an email
to subscribe to the mailing list:
  https://lists.sourceforge.net/lists/listinfo/mod-security-users
Is it still active?

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 39649228
Q2:
Get to administering IIS, it is on first page, 3rd selectable log format.
Q3:
Your mailserver is broken, that list gets ~10 mails/day.
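As an added illustration of the workflow discussed in this thread (not code posted by any participant): a Python script that pulls the 403 entries out of NCSA Common Log Format lines, the format the answers say IIS can emit, and counts them per path and client so denied requests can be reviewed for false positives before rules go to production. The function names and sample log lines are constructed for this example.

```python
import re
from collections import Counter

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
# Trailing fields (referer and user agent in the combined format) are ignored.
NCSA_LINE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict of fields for one NCSA log line, or None if malformed."""
    m = NCSA_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    # A well-formed request is "METHOD URI PROTOCOL"; keep the raw text otherwise.
    rec["method"], rec["uri"] = (parts[0], parts[1]) if len(parts) == 3 else (None, rec["request"])
    rec["status"] = int(rec["status"])
    return rec

def summarize_denied(lines, status=403):
    """Count denied requests per (path, client) and report unparsable lines."""
    hits, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            skipped += 1
            continue
        if rec["status"] == status:
            path = rec["uri"].split("?", 1)[0]  # group by path, drop query string
            hits[(path, rec["host"])] += 1
    return hits, skipped

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [14/Nov/2013:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Nov/2013:09:12:05 +0000] "GET /search?q=O%27Brien HTTP/1.1" 403 312',
    '198.51.100.7 - - [14/Nov/2013:09:12:06 +0000] "GET /search?q=O%27Neil HTTP/1.1" 403 312',
    '192.0.2.10 - alice [14/Nov/2013:09:13:40 +0000] "POST /report/save HTTP/1.1" 403 298',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    hits, skipped = summarize_denied(SAMPLE)
    for (path, host), n in hits.most_common():
        print(f"{n:4d}  {host:15s}  {path}")
    print(f"skipped {skipped} unparsable line(s)")
```

A path that shows repeated 403s for ordinary input, such as the surname searches in the sample, is a candidate for rule adjustment rather than a new blocking rule.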

Question has a verified solution.