Hi all,

I just wanted to let the list know of a way to detect intrusions via IIS. It may work for other web servers, too.

We have just built a new rule to use the NT event log to detect (so far unknown) attacks... Well, effectively we detect intrusions after they happened. So the intruder most probably already got in. This will not save you from the intrusion, but at least you know you need to react.

For it to work, we assume the following:

1. IIS process tracking is activated (and hopefully works reliably enough ;))
2. The web site is accessed by anonymous users only
3. The server is a dedicated web server

If 2 or 3 are not the case, we can probably still use the same idea, but the filter needs to be more advanced.

It is important to know that anonymous requests are run in the security context of a specifically designated NT account. In most cases this is the IUSR_xxx account, where xxx is typically the machine name. This account can be configured in the IIS admin console, so you need to look up the details there.

What we now do is look at the event log in short intervals. When we detect a program start (security event log, source "Security", event id 592) AND the user is the IUSR_xxx account AND it is not a program we know IIS needs to run (e.g. perl.exe is run for PERL scripts; php.exe is for PHP scripts), then chances are very high that someone has successfully intruded our machine via IIS. So it would probably be a good idea to forward the event log record to an admin in charge (via email or whatever).

I hope this is helpful. As always, comments are very welcome. I would particularly like to know if that works with Apache under win32 ;)

Rainer Gerhards
Adiscon

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
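The rule described in the post (event id 592, anonymous IIS account, image not on the list of programs IIS is expected to launch), written out as a filter over constructed sample records. This is an added example, not Rainer's or Adiscon's code; the account name IUSR_WEBSRV01, the record field names and the sample image paths are all made up for the example, and the allowlist is the one the post mentions (perl.exe, php.exe).

```python
import ntpath

PROCESS_CREATED = 592  # NT Security log: "A new process has been created"

# Constructed sample records standing in for parsed Security log entries.
# Field names are this example's own; the values are invented.
SAMPLE_EVENTS = [
    {"event_id": 592, "user": "IUSR_WEBSRV01", "image": "C:\\Perl\\bin\\perl.exe"},
    {"event_id": 592, "user": "IUSR_WEBSRV01", "image": "C:\\PHP\\php.exe"},
    {"event_id": 592, "user": "IUSR_WEBSRV01", "image": "C:\\WINNT\\system32\\cmd.exe"},
    {"event_id": 592, "user": "Administrator", "image": "C:\\WINNT\\system32\\cmd.exe"},
    {"event_id": 528, "user": "IUSR_WEBSRV01", "image": ""},  # a logon, not a process start
    {"event_id": 592, "user": "iusr_websrv01", "image": "c:\\temp\\Unknown.EXE"},
]

# Programs IIS legitimately launches on this (hypothetical) dedicated web server.
KNOWN_IIS_HELPERS = {"perl.exe", "php.exe"}


def is_suspicious(event, anon_account, allowlist=KNOWN_IIS_HELPERS):
    """Apply the post's three conditions to one record.

    Account and file names are compared case-insensitively because NT treats
    both that way; only the image's base name is checked so the allowlist does
    not depend on the install path."""
    if event.get("event_id") != PROCESS_CREATED:
        return False
    if event.get("user", "").lower() != anon_account.lower():
        return False
    image = ntpath.basename(event.get("image", "")).lower()
    return image not in allowlist


def scan(events, anon_account, allowlist=KNOWN_IIS_HELPERS):
    """Return the records that should be forwarded to the admin in charge."""
    return [e for e in events if is_suspicious(e, anon_account, allowlist)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, "IUSR_WEBSRV01"):
        print("ALERT: %(user)s started %(image)s" % hit)
```

Only two of the six sample records are flagged: the cmd.exe start under IUSR_WEBSRV01 and the Unknown.EXE start under the differently cased account name; the allowlisted helpers, the Administrator's process start and the logon event pass through.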
This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 10:07:00 PST