Dataset of intrusion detection for Apache logs (apache2)

Found on: the Honeynet Project, in Scan 31 and Scan 34.
PHPIDS has filter rules to detect attack patterns in web access log files.
How do I know that PHPIDS can actually detect the attacks (XSS, SQLi, and the others it claims to detect) in an Apache access log file, without just running it?
What dataset does PHPIDS use to confirm that its filter rules work?
I want that dataset so I can check whether my own detection program catches the attacks.
(By "dataset" I mean an Apache log file that contains many attack patterns, where the number of attacks in the file is known.)
If my program detects all the attack patterns in that dataset, it means my program works.
Is there a website where I can download a dataset of attacks on web access logs (Apache logs)?
I found some DARPA datasets. Do they include web access logs?

Yes, the DARPA 1999 IDS dataset has web access logs you can inspect. It contains Apache httpd access logs as well as error logs.

The VELOS dataset contains many different types of attacks that could be detected by your program, and it definitely includes web access attacks. The traffic is mainly in multiple pcap files and tcpdump text files. You can also check the DARPA datasets (1998-2000).
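As a rough illustration of what such a detector looks like, here is a minimal Python sketch that scans Apache access-log lines against a tiny, hypothetical signature list. The patterns below are illustrative only; real rule sets such as the PHPIDS filters are far larger and more carefully tuned.

```python
import re

# Tiny, hypothetical signature list -- real rule sets (e.g. the PHPIDS
# filters) are far larger and more carefully tuned.
SIGNATURES = {
    "sqli": re.compile(r"union(?:\s|\+|%20)+select|or\s+1=1|sleep\s*\(", re.I),
    "xss": re.compile(r"<script|%3cscript|onerror\s*=|javascript:", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

def scan_access_log(lines):
    """Yield (line_number, attack_type, raw_line) for suspicious lines."""
    for n, line in enumerate(lines, 1):
        for attack, pattern in SIGNATURES.items():
            if pattern.search(line):
                yield n, attack, line.rstrip()
                break

sample = [
    '10.0.0.1 - - [01/Jan/2024] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2024] "GET /index.php?id=1+UNION+SELECT+pass HTTP/1.1" 200 512',
    '10.0.0.3 - - [01/Jan/2024] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 99',
]
for lineno, attack, _ in scan_access_log(sample):
    print(lineno, attack)   # flags line 2 (sqli) and line 3 (xss)
```

Counting the matches against the known number of attacks in a labeled dataset gives exactly the detection-rate check the question asks about.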

Related

Permission of uploads folder and server files folder on dedicated server

I will be running a website on a dedicated server where users will be allowed to upload files (I am not checking those files for viruses).
Let's say the folders are laid out like so:
parent_folder -> website (folder which contains server files)
parent_folder -> uploads (folder which contains user uploads)
Question: will file permissions of 750 on the website folder and 770 on the uploads folder suffice?
(Note1: Owner - Root; Group - Apache; website is a social network)
(Note2: As Apache (www-data) will handle uploads, I believe 770 may be required in place of 740)
(Note3: As Apache (www-data) will only need to read files in website folder, therefore 750)
(Note4: Server will be maintained by a single user)
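For concreteness, the proposed layout and modes can be sketched in Python as follows. The paths are temporary stand-ins, and the chown to root:apache from Note1 is omitted because it needs root privileges.

```python
import os
import stat
import tempfile

# Stand-in for the real layout; in production parent_folder would sit under
# the web root and be chowned root:apache (omitted here, needs privileges).
parent = tempfile.mkdtemp()
website = os.path.join(parent, "website")   # server files, Apache only reads
uploads = os.path.join(parent, "uploads")   # user uploads, Apache must write
os.mkdir(website)
os.mkdir(uploads)

os.chmod(website, 0o750)  # owner rwx, group r-x, others none
os.chmod(uploads, 0o770)  # owner rwx, group rwx, others none

print(oct(stat.S_IMODE(os.stat(website).st_mode)))
print(oct(stat.S_IMODE(os.stat(uploads).st_mode)))
```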
I think whether it's good enough or not depends on what risk you are willing to take. For a basic protection, it may be good.
What you have to consider is what would happen if files were stolen, either by an unauthenticated attacker or, assuming some kind of access control where users can reach their own files, by a user accessing other users' files. How would it affect your website or business if this happened? Are you willing to take that risk? Who are the attackers you are trying to protect against? Opportunist script kiddies? Knowledgeable attackers specifically targeting your site? Nation-state-level attackers? You have to answer these questions first.
The drawback of this solution is that any application or operating system level breach will most likely give access to all uploaded files of all users. Should your application be vulnerable to things like local file inclusion, directory traversal, even SQL injection with certain databases or a lot more vulnerabilities, your files can be downloaded. Whether you want to protect them more depends on your use case.
More secure options include storing the files on a separate server (some kind of file repository), encrypting them with user-specific keys (though key management, and cryptography in general, is a huge topic in itself), implementing MIME-type identification with whitelists to only allow certain file types (a slightly different aspect), or even adding end-to-end encryption to protect against yourself (operations staff). You can go to great lengths to protect these files if you want to, but it gets very complex very quickly.

What can I do with generated error logs?

I'm currently working on a web application which generates daily error (and non error) logs.
The current system outputs a log per task to a text file, and outputs critical errors as well as "start" and "finish" type messages to an email account.
The current workflow is as follows: scour the email box for errors, then go and find the .txt file to look at the associated errors and find the cause.
There are around 30 txt files split across about 5 servers.
This system was set up before me, but I'm looking for any advice on how to deal with the situation.
I have control of the script forming the error logs so can do pretty much anything - but I'm lost where to start: I'd considered some kind of web facing dashboard tool, maybe output the files to RSS or something?
Are there any external or internal tools I should be using?
You could use SQL Server Reporting Services, or review this comparison table; some packages there support SQL Server, but they may be overwhelming for your task.
It's not really clear what your problem is or what you want to do, but if I understand correctly, your biggest problem is that some messages are logged to a log file but others are sent by email. Therefore, there is no single location that has all error messages in it and that makes analysis and troubleshooting difficult.
The best solution would be to use a logging framework that supports multiple logging destinations (file, DB, email) and severities. That would allow you to specify a configuration like "all errors are logged to a text file and critical ones are also sent by email", so you can ensure that you have everything in one place for general analysis but critical errors are also handled with priority.
You didn't mention what programming language you use, but assuming it's .NET-based then log4net and Enterprise Library are two common frameworks and there are many questions about them here on SO. Googling should give you a good idea of the pros and cons for your situation. If you're using a different language then you can look for the equivalent package: log4j (Java), logging (Python) etc.
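As a language-neutral sketch of that configuration ("all errors to a file, critical ones also by email"), here is Python's standard logging module with two handlers. The StringIO streams are stand-ins so the example is self-contained: in production the first handler would be a logging.FileHandler and the second a logging.handlers.SMTPHandler.

```python
import io
import logging

# StringIO streams stand in for the real destinations: in production the
# first handler would be a FileHandler and the second an SMTPHandler.
all_stream, mail_stream = io.StringIO(), io.StringIO()

log = logging.getLogger("tasks")
log.setLevel(logging.DEBUG)

everything = logging.StreamHandler(all_stream)   # every record -> "file"
email_only = logging.StreamHandler(mail_stream)  # critical only -> "email"
email_only.setLevel(logging.CRITICAL)

log.addHandler(everything)
log.addHandler(email_only)

log.error("task 17: export failed")
log.critical("task 17: database unreachable")

# The "file" holds both records; the "email" channel only the critical one.
print(all_stream.getvalue())
print(mail_stream.getvalue())
```

The same severity-plus-destination routing is what log4net and log4j appenders give you.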

Sharing files without letting the end users store them into their PC

We have PDF files that are only allowed to be viewed in the office. Some users copy those files to a flash drive and take them home, or send them to their email. What would be the best way to prevent this? Taking screenshots is still possible.
Network: 100 Mbps LAN
Concurrent users viewing files: around 50 at a time
If a user can read a file, he can copy it. You definitely need a piece of software to act as the go-between. There are a few software solutions out there that use DRM encryption to protect your PDF files. Some claim to prevent screen captures as well.
In your situation, you would probably want to have the DRM software check for a license certificate server on your network to ensure they are at the office before letting them open the file. This would allow them to still use take-home thumbdrives and laptops to get work done.
Try searching for "PDF DRM" and see what you find.

Writing log files using Java EE

I need to create application logs that capture users signing in and out, and their requests.
We're using Java EE, and I thought that creating a new log file each day (a new txt file per day) would be a good approach, but I see that people discourage doing that. The question is: why not do it that way, and what is the correct approach?
Also, is there some way to get the application directory?
log4j is one of the most popular logging libraries for Java EE applications; others include slf4j and logback.
log4j has many features, one of them being the ability to create daily log files.
To answer your question: creating daily log files does not cause any harm to your application.
Logging to text files and rolling them daily is quite a normal approach and discouraging it per se is not justified.
For some specific uses it may be improper, for example if you log sensitive data (passwords, card numbers, etc.). There may be also issues with some cluster configurations, but then you have to ask a more detailed question.
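As a sketch of the daily-rolling pattern itself, here it is using Python's standard TimedRotatingFileHandler; log4j 1.x's DailyRollingFileAppender implements the same idea in Java. The directory and logger names are illustrative.

```python
import logging
import logging.handlers
import os
import tempfile

# One log file per day, keeping 30 days of history; log4j 1.x's
# DailyRollingFileAppender implements the same pattern in Java.
logdir = tempfile.mkdtemp()
handler = logging.handlers.TimedRotatingFileHandler(
    os.path.join(logdir, "app.log"), when="midnight", backupCount=30
)
handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))

audit = logging.getLogger("audit")
audit.setLevel(logging.INFO)
audit.addHandler(handler)

audit.info("user alice signed in")
audit.info("user alice signed out")
handler.flush()
```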
Log4j works fine, but once you have many different applications logging to many different log files in different locations, you run into the problem of having to search many log files to find the trace of a certain transaction.
A colleague once recommended Graylog2, which makes viewing the log files a lot easier.
You might want to take a look at that as well, depending on how many log files you're planning to keep.
http://graylog2.org/about

asp.net windows forms - best place to persist application data

I have a Windows Forms application that needs to get a unique install ID for each install from my server, and then persist this ID so that, once registered, it is included in all communications back to the server. The application is in occasional contact with the server.
How can I persist this data on the client in a way that is not easily tampered with?
First, you should note that if the data is on the local file system and your application can read and write it, it will always be possible for a determined user to tamper with it... perhaps not easy, but possible nonetheless.
That said, there are a number of options you could consider, including (but not limited to):
- encrypting the data with a key defined in your assembly: pretty safe if the user has no programming skills, but an advanced user could disassemble your app to find the key. Obfuscation could make the key harder to extract, but not impossible to find.
- using isolated storage: I'm not sure whether the data is encrypted or not, but at least it's not easily found, hidden in a deep folder hierarchy. Not so safe if the user knows where to look, however.
- writing the data in a binary format, which makes it harder for a non-expert user to read or modify
- using a piece of native code to encrypt the data: similar to the first option, but a native DLL is harder to disassemble than a .NET assembly, so it takes more skill to find the key
Again, none of these approaches is bulletproof: as long as your program can access the data, an advanced user can always reverse engineer it and do the same.
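As a sketch of the first option, here is a tamper-evident (not tamper-proof) scheme that seals the install ID with an HMAC under a key embedded in the application. The key value, record format, and function names are all illustrative; as noted above, a determined user who extracts the key can still forge records.

```python
import hashlib
import hmac

# The key lives inside the application, so a determined user who
# disassembles the binary can still forge records; this only raises the bar.
APP_KEY = b"hypothetical-embedded-key"  # illustrative value

def seal(install_id):
    """Return 'id:tag' where tag is an HMAC-SHA256 over the id."""
    tag = hmac.new(APP_KEY, install_id.encode(), hashlib.sha256).hexdigest()
    return f"{install_id}:{tag}"

def verify(sealed):
    """Return the install id if the record is untampered, else None."""
    install_id, _, tag = sealed.rpartition(":")
    expected = hmac.new(APP_KEY, install_id.encode(), hashlib.sha256).hexdigest()
    return install_id if hmac.compare_digest(tag, expected) else None

record = seal("install-42")
print(verify(record))                                # install-42
print(verify("install-43:" + record.split(":")[1]))  # None (tampered)
```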
You could save the data in the Windows registry. Use the [HKCU\Software\YourAppName] key if it's a per-user setting, or [HKLM\Software\YourCompany] if it's a global setting. However, the data would need to be encrypted, because it's trivial to read the values in these keys.
