Starting with version 2.50 of EventSentry you can now determine whether events appear a specified number of times in a certain time period. We will use this feature to determine whether an intruder is trying to guess passwords of known user accounts.
An intranet site that is accessible from the Internet and requires authentication is an occasional target of dictionary attacks.
When a dictionary attack is detected, we want to stop the WWW service, wait 3 minutes to discourage the attacker, and then restart the WWW service. Optionally, we can also be notified by email when an attack is detected.
• In order for the sample batch script to work you will need to download and install the free NTToolkit from our web site. The NTToolkit contains the sleep.exe utility that you can use to pause processing for a specified time.
• Auditing needs to be enabled in order for the OS to generate audit failure events. Depending on your domain setup you will either have to create these filters on the web server directly or on the domain controllers.
Using the day & hour feature of filters, it is possible to restart the service only during certain times of the day. For example, you could take the automatic measure of restarting the service only in the evenings or on weekends.
1. Create a batch script to stop and restart the WWW service.
2. Add a process action to launch the custom batch script.
3. Create a threshold filter to detect the audit failures.
4. Create a regular filter to launch the process action and optionally an SMTP action.
1. Creating the batch script
Using Notepad (notepad.exe) or any other ASCII editor of your choice, start an empty file.
The contents of the file are shown below:
net stop inetsrv
sleep 180
net start inetsrv
rem line 2 calls sleep.exe from the NTToolkit; the value 180 assumes it takes the pause length in seconds (3 minutes)
It is important that sleep.exe can be found via the PATH variable; otherwise line 2 of the script needs to be adapted (for example by using the full path) so that sleep.exe can be found.
When finished, save the file, preferably in a new directory such as c:\batch, and give it a descriptive name, such as es_restart_service.cmd.
2. Adding a process action
Right-click the Notifications container and select Add Target. Then choose a name for the new action (e.g. "Restart WWW Service") and configure all required process options. In this scenario we only need to configure the file name option. An example is shown in the screenshot below:
You can optionally check the Start this process on the desktop checkbox, which runs the batch script visibly on the console. This might be beneficial for an administrator who is logged on to the server at the time.
3. Create a threshold filter to detect the audit failures
Threshold filters are similar to ordinary filters, except that you can take actions based on the number of events that appear in a certain time frame. In this case, we want to determine whether a certain number (20) of audit failure events were written to the event log within 20 minutes.
• Right-click any Filters container (local filters, global filters or group filters) and select Add Filter.
• Configure the general filter options. For audit failures the filter should be configured as shown in the screenshot below:
If the audit failures only apply to certain user accounts, then you can restrict the Filter Text field further by specifying user names in this field:
are one example. Please remember that wildcard support needs to be activated when using wildcards such as the * character. Wildcard support is activated in the global options.
• Configure the threshold options. According to our scenario we are looking for a minimum of 20 events in 20 minutes. Just like in the previous example, we are not interested in the actual events (so both the process events before/after checkboxes remain cleared) but only need to know when the threshold has been met. If you are interested in these events, you can check one or both of those checkboxes so that the events are actually forwarded to the action.
The correct configuration is shown in the screenshot below:
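The threshold check configured in this step, as an added example that is not part of the original article or EventSentry's own code: a sliding-window counter in Python run over constructed audit-failure lines, with an optional user-name restriction like the Filter Text idea above. The tab-separated line format, event ID 529 and the user names are constructed sample data, and resetting the window after a hit is an assumption made so that one burst fires once.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines (not real log output): timestamp, type, event id, user.
# 20 failures for jsmith 30 s apart (a burst), then 19 for admin 2 min apart (slow).
SAMPLE_LINES = [
    f"2024-01-01 10:{i // 2:02d}:{(i % 2) * 30:02d}\tFailure Audit\t529\tjsmith"
    for i in range(20)
] + [
    f"2024-01-01 11:{2 * i:02d}:00\tFailure Audit\t529\tadmin" for i in range(19)
]


def parse_line(line):
    """Split one constructed audit line into (timestamp, event id, user name)."""
    ts, _kind, event_id, user = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), user


def threshold_hits(lines, count=20, window_minutes=20, users=None):
    """Return the timestamps at which at least `count` matching audit failures
    fell within the last `window_minutes` (the article's 20 events in 20 minutes).
    `users` optionally restricts counting to those account names, mirroring a
    Filter Text restriction. After a hit the window is cleared (assumed re-arm)."""
    window = timedelta(minutes=window_minutes)
    wanted = {u.lower() for u in users} if users is not None else None
    recent = deque()  # timestamps of failures inside the current window
    hits = []
    for ts, _event_id, user in sorted(map(parse_line, lines)):
        if wanted is not None and user.lower() not in wanted:
            continue
        recent.append(ts)
        # drop failures older than the window relative to the newest one
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= count:
            hits.append(ts)
            recent.clear()
    return hits


if __name__ == "__main__":
    for hit in threshold_hits(SAMPLE_LINES):
        print("threshold met at", hit.isoformat())
```

With the defaults only the jsmith burst trips the threshold; the slow admin failures never accumulate 20 within any 20-minute window.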
4. Create a regular filter to launch the process action and optionally a SMTP action
As in the previous example, the threshold filter writes an event (this time with the Error severity) to the event log. We will use that event to trigger the launch of our process action and thus the batch file.
• Right-click any Filters container (local filters, global filters or group filters) and select Add Filter. We recommend that you choose the same container as in step 2.
• Configure the general filter options. For threshold events the filter should be configured as shown in the screenshot below:
Notice that the Restart WWW Service action is selected as the action for this filter. You could also add an SMTP action to the notification list here if you want to be notified by email when the process is launched.