System Attack Detection

This option group subsection contains basic Web attack monitoring criteria to thwart common attacks against any Web server that produces an access log.
The access log must follow the W3C log format guidelines. The majority of Web servers on Windows run Internet Information Services (IIS), so by default System Attack Detection is set up for IIS; you can, however, configure this area for any Web hosting application. Within this option group subsection, a global settings area sets several properties that the rest of the system attack monitor uses.
The global settings area consists of the following:
  • Alert only on Success Attack Attempt (Code 200): This setting configures all the attack detection rules to require a trailing status code of 200 when a suspicious string is found in the access log. Status code 200 means the request was successfully processed. This setting dramatically reduces the number of false positives and gives administrators only those events that the hosting system actually processed.
  • Web Access Log File Path: This setting configures the path of the Web access log that the rules in this policy subsection sift through to find malicious request strings. Symantec Critical System Protection provides a default IIS 7 location.
  • Whitelisted IP Addresses: This setting configures the IP addresses that are allowed, or otherwise ignored, by this monitoring subsection. These are typically the addresses of tools such as automated vulnerability scanning systems on enterprise networks, where you know that Web attack tests occur at regular intervals.
  • Blacklisted IP Addresses: This setting configures the IP addresses that are not allowed to access the host system. If this area monitors an intranet Web host, blacklisted IP addresses may be any addresses outside the internal network range. They may also be known bad IP addresses taken from any of the blacklists available on the Internet.
  • IIS HTTP Success Code: The trailing HTTP status code on a request that signifies the request was successfully processed on the host Web system. A success code paired with a maliciously crafted URI string indicates a possibly compromised system.
  • IIS HTTP Error Code: The HTTP status code that signifies a bad HTTP request. A high frequency of these codes repeating in the access log signifies that a Web vulnerability scan may be occurring.
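The following is an added example, not Symantec Critical System Protection's own code, showing how the global settings above combine when applied to W3C extended access log lines in the IIS default field order: whitelisted clients are ignored, blacklisted clients always alert, suspicious URIs alert only when paired with the success code, and repeated error codes from one client raise a scan alert. The IP addresses, log lines, threshold and suspicious-string patterns are all constructed assumptions.

```python
import re

# Global settings mirroring the option group above (all values are assumptions).
ALERT_ONLY_ON_SUCCESS = True
SUCCESS_CODE = "200"                # "IIS HTTP Success Code"
ERROR_CODE = "404"                  # "IIS HTTP Error Code"
ERROR_SCAN_THRESHOLD = 3            # repeated errors from one client -> scan alert
WHITELIST = {"192.0.2.50"}          # e.g. the enterprise vulnerability scanner
BLACKLIST = {"198.51.100.7"}        # known-bad / out-of-range addresses
# Constructed "suspicious string" patterns: directory traversal and script tags.
SUSPICIOUS = re.compile(r"\.\./|<script", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's own #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def detect(lines):
    """Apply the global settings to the log; return (alert, client_ip, detail) tuples."""
    alerts, error_counts = [], {}
    for rec in parse_w3c(lines):
        ip, status, uri = rec["c-ip"], rec["sc-status"], rec["cs-uri-stem"]
        if rec["cs-uri-query"] != "-":
            uri += "?" + rec["cs-uri-query"]
        if ip in WHITELIST:               # authorised scanner: ignore entirely
            continue
        if ip in BLACKLIST:               # blacklisted source: alert on any request
            alerts.append(("blacklisted_ip", ip, uri))
        if SUSPICIOUS.search(uri) and (status == SUCCESS_CODE or not ALERT_ONLY_ON_SUCCESS):
            alerts.append(("successful_attack_attempt", ip, uri))
        if status == ERROR_CODE:          # many errors from one client -> probable scan
            error_counts[ip] = error_counts.get(ip, 0) + 1
            if error_counts[ip] == ERROR_SCAN_THRESHOLD:
                alerts.append(("possible_vuln_scan", ip, f"{ERROR_CODE} x{ERROR_SCAN_THRESHOLD}"))
    return alerts

# Constructed W3C extended log using the IIS 7 default field order.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 12
2024-01-01 10:00:02 10.0.0.5 GET /../../config.txt - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 8
2024-01-01 10:00:03 10.0.0.5 GET /search.aspx q=<script>x</script> 80 - 203.0.113.9 Mozilla/5.0 404 0 0 3
2024-01-01 10:00:04 10.0.0.5 GET /../../config.txt - 80 - 192.0.2.50 Scanner/1.0 200 0 0 9
2024-01-01 10:00:05 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 curl/8.0 200 0 0 5
2024-01-01 10:00:06 10.0.0.5 GET /a.php - 80 - 203.0.113.9 Mozilla/5.0 404 0 0 2
2024-01-01 10:00:07 10.0.0.5 GET /b.php - 80 - 203.0.113.9 Mozilla/5.0 404 0 0 2""".splitlines()
```

Calling `detect(SAMPLE_LOG)` yields three alerts: the traversal request that returned 200, the blacklisted client's request, and the 404 burst from the same client; the 404 request carrying a script tag is deliberately suppressed by the success-only setting.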