Starting with EventSentry v4.2.3, web attacks can be detected with a set of regular expression rules that can be applied to any monitored log file, including IIS log files.
New EventSentry installations (not pre 4.2.x upgrades) automatically have these rules activated in all IIS Windows log file packages (except for 2008), users who upgraded from an earlier version of EventSentry can manually load these rules by following these steps:
- Open the management console
- Navigate to Packages -> Log Files -> [Log File Package]
- Expand the package and locate the desired log file
- Click on "Event Log Alerts", enable if necessary, make sure settings are set to Exclude
- Click the Load button
- Browse to the resources sub folder of the EventSentry installation directory (C:\Program Files (x86)\EventSentry\resources by default) and select either the es_ids_web.txt or es_ids_web_owa.txt file.
- You can use these regular expression with any log file from a web server, they are not restricted to IIS.
- The file es_ids_web_owa.txt is recommended for IIS servers running OWA to avoid false positives.
- To delete all rules from the list, simply double-click the minus - button