Fingerprinting Port 80 Attacks

pg writes "I found an interesting article on www.cgisecurity.com that explains common fingerprints in web server, and web application attacks. It goes to describe how to detect most known, and unknown attacks. This may come in handy when trying to detect another internet worm."

Snort

[Frums]

Hmm, Snort has signatures written for all of these =)

Partial solution for log trash

[wytcld]

Here's how to get part way there (in this case for Nimda). In httpd.conf:

SetEnvIf Request_URI "cmd\.exe" ATTACK
SetEnvIf Request_URI "root\.exe" ATTACK
CustomLog /www/logs/access_log common env=!ATTACK
CustomLog /www/logs/attack_log common env=ATTACK

<Location />
Order Allow,Deny
Allow from all
Deny from env=ATTACK
ErrorDocument 403 "
</Location>

And then optionally for individual bad directories:

<Location /scripts/>
Deny from all
ErrorDocument 403 "
</Location>

At this point requests for cgi.exe are not being logged in access_log but only attack_log (leave out the attack_log line if you don't want even that much). They'll still show in error_log (but with a shorter error statement). The ErrorDocument line instructs Apache to send back nothing and just drop the connection - not as nasty as a tar pit, but at least you don't waste outgoing bandwidth, generally tighter than incoming for a Webserver. Also, Apache doesn't waste any time checking the file system on these requests, since the rules preclude that.