Detect System Attacks

This option group subsection contains basic Web attack monitoring criteria for detecting common attacks against any Web server that writes a W3C-format access log.
The global Web Attack Detection Settings area consists of the following:
  • Web Access Log File Path: This area configures the path of the Web access log that the rules in this policy subsection search for malicious request strings.
    Symantec Critical System Protection provides a default location for the Apache Web server HTTP access log. Symantec recommends that you verify which path is correct for your deployment, since other Web server packages may write their HTTP access log to a different path.
    The log format must follow W3C guidelines.
  • Whitelisted IP Addresses: This area configures the IP addresses whose requests this monitoring subsection ignores. Use it for sources such as automated vulnerability scanning systems on the enterprise network, which are known to generate Web attack traffic at regular intervals. Keep the list narrow: an attack launched from a whitelisted address is invisible to these rules.
  • Blacklisted IP Addresses: This area configures the IP addresses that should never be seen accessing the host system; any request from one of them is reported. If this area monitors an intranet Web host, the blacklist may cover every address outside the internal network range. It may also contain known bad IP addresses taken from any of the blacklists published on the Internet.
  • IIS HTTP Success Code: The IIS HTTP Success Code is the HTTP status code, logged with each request, that signifies that the host Web server processed the request successfully. A success code paired with a maliciously crafted URI string indicates that the attack may have succeeded and that the system may be compromised.
  • IIS HTTP Error Code: The IIS HTTP Error Code is the HTTP status code that signifies a bad HTTP request. A large number of these repeating in quick succession in the access log signifies that a Web vulnerability scan may be in progress.
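The following added example (not part of the product documentation or of Symantec's code) shows the kind of checks these settings drive, run over a constructed W3C-format access log of the kind IIS writes (a `#Fields:` directive followed by space-separated entries). The log content, the setting values, the malicious-URI patterns and the scan threshold are all assumptions for illustration; the product's actual rule set is not shown on this page.

```python
"""Added example: whitelist/blacklist, success-code and error-code checks
over a W3C-format access log. All values below are constructed."""
import re
from collections import Counter

# Settings mirroring the option group on this page (hypothetical values).
WHITELISTED_IPS = {"10.0.0.9"}      # e.g. the enterprise vulnerability scanner
BLACKLISTED_IPS = {"203.0.113.4"}   # e.g. a known-bad address from a public blacklist
SUCCESS_CODE = "200"                # IIS HTTP Success Code
ERROR_CODE = "404"                  # IIS HTTP Error Code
SCAN_THRESHOLD = 3                  # error-code hits from one IP before alerting (assumed)

# Illustrative malicious request strings; assumed, not the product's rule set.
MALICIOUS_URI = re.compile(
    r"(\.\./|%2e%2e|cmd\.exe|/etc/passwd|<script|union\s+select)", re.IGNORECASE
)

# Constructed sample log in W3C extended format (IIS escapes spaces as '+' in fields).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-15 00:00:01 10.0.0.5 GET /index.html - 200
2024-01-15 00:00:02 10.0.0.9 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 200
2024-01-15 00:00:03 198.51.100.7 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 200
2024-01-15 00:00:04 198.51.100.8 GET /admin.php - 404
2024-01-15 00:00:05 198.51.100.8 GET /phpmyadmin/ - 404
2024-01-15 00:00:06 198.51.100.8 GET /wp-login.php - 404
2024-01-15 00:00:07 203.0.113.4 GET /index.html - 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) carry no entries
        if fields is None:
            raise ValueError("log entry seen before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed entry: skip rather than guess at column positions
        yield dict(zip(fields, values))


def detect(text):
    """Return a list of (rule, client_ip, detail) events in log order."""
    events = []
    error_hits = Counter()
    for entry in parse_w3c(text):
        ip = entry["c-ip"]
        query = entry["cs-uri-query"]
        uri = entry["cs-uri-stem"] + ("?" + query if query != "-" else "")
        status = entry["sc-status"]

        if ip in WHITELISTED_IPS:
            continue  # whitelisted sources are ignored entirely by this subsection
        if ip in BLACKLISTED_IPS:
            events.append(("blacklisted_source", ip, uri))
        if MALICIOUS_URI.search(uri):
            # A success code next to a malicious URI is the "possible compromise" case.
            rule = "malicious_uri_succeeded" if status == SUCCESS_CODE else "malicious_uri_attempt"
            events.append((rule, ip, uri))
        if status == ERROR_CODE:
            error_hits[ip] += 1
            if error_hits[ip] == SCAN_THRESHOLD:  # fire once, when the threshold is reached
                events.append(("possible_scan", ip, f"{SCAN_THRESHOLD} x HTTP {ERROR_CODE}"))
    return events


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} {ip:14} {detail}")
```

The whitelisted scanner at 10.0.0.9 sends the same cmd.exe request as 198.51.100.7, but only the latter produces an event, which is exactly the blind spot the whitelist creates. Apache's default log formats do not carry a `#Fields:` directive, so pointing this parser at an Apache access log would require a different field mapping.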