IDS mailing list archives

Re: HTTP LOG files Labeling

From: Christian Bockermann <chris () jwall org>
Date: Thu, 22 May 2008 01:38:36 +0200


Am 21.05.2008 um 21:13 schrieb Stefano Zanero:

wangweifrequent () gmail com wrote:
Are there some methods or tools or IDS that can be used toautomatically detect HTTP attacks?
If there were any, why would you be doing your research ? :)


Good point. :-)

@wang: You might have want to have a look at the paper "AnomalyDetection of Web-based Attacks" by Giovanni Vigna and ChristopherKruegel (as well as "A multi-model approach to the detection of web-based attacks" by them).They did log file analysis on access log data using statisticalmodels. This might work for you as a labeling approach.

BTW: If you are interested in more detailed data than provided byaccess log files you might want to have a look at ModSecurity or myWebTap application (http://www.jwall.org/web/tap/) for recordingcomplete user-input sent to web-applications.


Regards,
    Chris

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.

------------------------------------------------------------------------

Current thread:

HTTP LOG files Labeling wangweifrequent (May 20)
- RE: HTTP LOG files Labeling dai.morgan (May 21)
- <Possible follow-ups>
- Re: HTTP LOG files Labeling abhicc285 (May 21)
- Re: HTTP LOG files Labeling wangweifrequent (May 21)
  - Re: HTTP LOG files Labeling Stefano Zanero (May 21)
    - Re: HTTP LOG files Labeling Christian Bockermann (May 22)
    - Re: HTTP LOG files Labeling Stefano Zanero (May 22)
- Re: Re: HTTP LOG files Labeling wangweifrequent (May 22)
  - Re: HTTP LOG files Labeling Stefano Zanero (May 22)
    - Re: HTTP LOG files Labeling "Zow" Terry Brugger (May 23)