Specific rules to detect / alert Web Apps Scan (nikto, w3af, skipfish, ...)


Js Opdebeeck

Feb 25, 2011, 11:47:21 AM2/25/11
to ossec...@googlegroups.com

Hello,


I try to recognise certain 'standard' patterns that can match web application scans, like:
- nikto (match 'Nikto')
- w3af (match 'w3af.sourceforge.net')
- Skipfish
- ...

But there are a lot of limitations.
- For apps like Skipfish it doesn't work (no clear pattern).


Method:
- Empty web server + logs + ossec
- Scan with a tool
- Check the logs and ossec
- Determine if specific or generic word or pattern exists
- Create the rule
- Scan again
- Check OSSEC (a new alert should arise).

Has someone already created some rules that can increase this kind of detection?

Kind regards


Js

Jeremy Lee

Feb 25, 2011, 11:56:06 AM2/25/11
to ossec...@googlegroups.com
Are you looking for specific keywords in the browser string?

OSSEC has some rules to detect SQL Injection/XSS/etc. attacks. But there is probably lots of room and flexibility for expanding the keyword detection. If you really want to find out, just "grep -i [whatever keyword] /var/ossec/rules/*" and see if your keyword shows up.

Another possibility is to use ModSecurity and then have OSSEC monitor the ModSec logs. OSSEC comes with prepackaged modsec rules in the apache_rules.xml file. Although you'll probably need to tweak the rules a bit to get them working to your liking.
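The keyword-matching step described in both posts, as an added example that is not from either poster or from OSSEC itself: it parses Apache combined-format access-log lines, checks each whole line case-insensitively for the two signatures named in the thread ('Nikto' and 'w3af.sourceforge.net'), the way an OSSEC <match> on the access-log message would, and returns one alert per hit with the client IP. The sample log lines are constructed for the example, and a Skipfish line is deliberately absent because, as the first post says, it has no clear pattern to match.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format:
# ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures from the thread, matched case-insensitively against the whole
# line (like an OSSEC <match> on the message, but without case sensitivity).
SCANNER_SIGNATURES = {
    "nikto": "nikto",
    "w3af": "w3af.sourceforge.net",
}


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split a combined-format line into fields; None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return an alert dict if the line carries a known scanner signature."""
    fields = parse_combined(line)
    if fields is None:
        return None  # not an access-log entry; nothing to match on
    lowered = line.lower()
    for tool, sig in SCANNER_SIGNATURES.items():
        if sig in lowered:
            return {"tool": tool, "ip": fields["ip"],
                    "agent": fields["agent"], "request": fields["request"]}
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line and keep only the alerts."""
    return [a for a in (classify(l) for l in lines) if a is not None]


# Constructed sample lines (not real traffic); RFC 5737 documentation IPs.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2011:11:40:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [25/Feb/2011:11:40:02 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:000001)"',
    '198.51.100.9 - - [25/Feb/2011:11:40:03 +0100] "GET /robots.txt HTTP/1.1" 200 30 "-" "w3af.sourceforge.net"',
    'garbage line that is not an access-log entry',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running it over the sample lines yields two alerts (nikto from 198.51.100.7, w3af from 198.51.100.9); the ordinary browser line and the unparsable line produce none.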