Re: [mod-security-users] statistics
From: Andras G. <an...@an...> - 2005-12-22 00:46:34
Hi,

Write a munin or MRTG plugin for this, and additionally you can set up email notification depending on the seriousness (number of tries, type of tries, etc.) of the action. I would say be careful with emailing because you can DoS yourself easily.

False positives should be detected by yourself by examining the error log and carefully adding rules. Your customers should be aware that such an IDS is in use and know what they can't do. Of course these rules mustn't stop the usefulness of PHP or CGI (Perl).

IMHO you should start with a simple script, then add functionality as needed. You can also pipe the log messages through a script which examines them (maybe makes an SQL insert, and your client may be surprised by the attack logging) and then logs them. This attack logging for customers is so good IMHO that I'll make a script for this in February on our new server. :)

One of our clients used some silly ../ like things in one of his HTML forms (action maybe), so I had to turn off the anti-directory-traversal rule. I almost rented a seat for him on the next Mars mission. (I develop PHP apps and never used and even never thought about using .. on the client side of the coding.)

Regards,
Andrej

Justin Grindea wrote:
> hi,
>
> I've asked here before and kept googling but can't find any piece of script
> that can parse the audit log(s) and provide a picture of what's going on.
>
> I'd like to know for example top attacking IPs, top attacked sites, top
> signatures used.
>
> Also I'm thinking about email notification of possible intrusions,
> anyone has a sane logic
> and possible script for notifications? Maybe email for one IP getting x
> errors in y seconds?
>
> Such a script could also help detect false positives, I'm always having
> troubles detecting them
> before my clients :(
>
> thanks,
> Justin
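The "simple script" sketched in the reply above, as an added example that is not part of this thread and not ModSecurity project code: it parses the Apache error_log lines that ModSecurity 1.x writes (the line shape is an assumption, and the log lines below are constructed for the example), prints Justin's three top-N views, and raises an alert when one IP trips x rules in y seconds, with a per-IP cooldown so a scanner cannot turn the notifier into the self-inflicted mail flood Andrej warns about. The thresholds and the tag names (`id`, `hostname`, `uri`) are illustrative; adjust them to what your version actually logs.

```python
"""Summarise ModSecurity 1.x-style error_log lines and raise throttled alerts.

Added example for the thread above; not code from the original post or the
ModSecurity project. The line format is an assumption about ModSecurity 1.x
output, and SAMPLE_LOG is constructed test data."""
import re
import sys
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed shape: apache timestamp, client IP, free-text message, then
# bracketed [key "value"] tags such as [id "1234"] [hostname "example.com"].
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] '
    r'mod_security: (?P<msg>.*?)(?= \[\w+ "|$)'
)
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: one noisy scanner, one quiet client, one non-ModSecurity line.
SAMPLE_LOG = [
    r'[Wed Dec 21 23:12:03 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "\.\./" at REQUEST_URI [id "1234"] [severity "CRITICAL"] [hostname "example.com"] [uri "/index.php"]',
    r'[Wed Dec 21 23:12:05 2005] [error] [client 198.51.100.7] mod_security: Access denied with code 403. Pattern match "union.*select" at ARGS [id "2222"] [severity "CRITICAL"] [hostname "shop.example.net"] [uri "/cart.php"]',
    r'[Wed Dec 21 23:12:07 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "\.\./" at REQUEST_URI [id "1234"] [severity "CRITICAL"] [hostname "example.com"] [uri "/admin/"]',
    r'[Wed Dec 21 23:12:10 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "\.\./" at REQUEST_URI [id "1234"] [severity "CRITICAL"] [hostname "example.com"] [uri "/images/"]',
    r'[Wed Dec 21 23:12:12 2005] [notice] Apache/2.0.55 (Unix) configured -- resuming normal operations',
    r'[Wed Dec 21 23:12:14 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "\.\./" at REQUEST_URI [id "1234"] [severity "CRITICAL"] [hostname "example.com"] [uri "/cgi-bin/"]',
    r'[Wed Dec 21 23:12:16 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "/etc/passwd" at REQUEST_URI [id "3000"] [severity "CRITICAL"] [hostname "example.com"] [uri "/view.php"]',
    r'[Wed Dec 21 23:12:20 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "\.\./" at REQUEST_URI [id "1234"] [severity "CRITICAL"] [hostname "example.com"] [uri "/download.php"]',
    r'[Wed Dec 21 23:12:40 2005] [error] [client 198.51.100.7] mod_security: Access denied with code 403. Pattern match "union.*select" at ARGS [id "2222"] [severity "CRITICAL"] [hostname "example.com"] [uri "/login.php"]',
]


def parse_line(line):
    """Return a dict for one ModSecurity event line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev.update(TAG_RE.findall(line))  # id, severity, hostname, uri, ...
    return ev


def summarize(events, n=5):
    """Top attacking IPs, top attacked hosts and top rules (by id, else message)."""
    return {
        "ips": Counter(e["ip"] for e in events).most_common(n),
        "hosts": Counter(e.get("hostname", "?") for e in events).most_common(n),
        "rules": Counter(e.get("id") or e["msg"] for e in events).most_common(n),
    }


class AlertThrottle:
    """Alert when one IP triggers >= `hits` events within `window` seconds, then
    stay silent for that IP for `cooldown` seconds so every further blocked
    request does not become another email."""

    def __init__(self, hits=5, window=60, cooldown=600):
        self.hits, self.window, self.cooldown = hits, window, cooldown
        self.recent = defaultdict(deque)  # ip -> event times inside the window
        self.last_alert = {}              # ip -> time of the last alert sent

    def feed(self, ev):
        """Return an alert string for this event, or None if nothing should go out."""
        ip, t = ev["ip"], ev["time"]
        q = self.recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > self.window:  # drop events outside window
            q.popleft()
        if len(q) < self.hits:
            return None
        last = self.last_alert.get(ip)
        if last is not None and (t - last).total_seconds() < self.cooldown:
            return None  # already alerted recently: suppress, do not DoS yourself
        self.last_alert[ip] = t
        return (f"{ip}: {len(q)} blocked requests in {self.window}s "
                f"(last rule {ev.get('id', '?')} on {ev.get('hostname', '?')}{ev.get('uri', '')})")


def analyze(lines, hits=5, window=60, cooldown=600):
    """Parse all lines; return (top-N summary, list of alert strings)."""
    events = [e for e in map(parse_line, lines) if e]
    throttle = AlertThrottle(hits, window, cooldown)
    alerts = [a for a in (throttle.feed(e) for e in events) if a]
    return summarize(events), alerts


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    summary, alerts = analyze(l.rstrip("\n") for l in source)
    for name in ("ips", "hosts", "rules"):
        print(f"top {name}: {summary[name]}")
    for a in alerts:          # hand these to sendmail, a DB insert, or munin
        print("ALERT", a)
```

Run it as `tail -f error_log | python modsec_stats.py` to watch live, or feed a whole day's log to get the top-N tables. The important design point is the two thresholds: the window catches the burst, the cooldown bounds how many messages one attacker can make you send, and both are per-IP so a quiet client never inherits a scanner's alert state.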