Installation
- Download the WebAnomaly intrusion detection system.
- Apply the following patch to the WebAnomaly code so that the system rewrites the Host HTTP header of each request according to its anomaly score. Install the system according to the documentation provided with the package.
- Install the Apache web server and the suPHP module. suPHP is the equivalent of suExec for PHP: it lets the web server execute different PHP pages under different user privileges. If your application does not use PHP you do not need this package.
- Apply the following patch to the libmysql library to enable runtime logging of the SQL queries.
- Install the MySQL database.
- Compile and install the SQLAnomaly component.
Configuration
- Create two different accounts on the web server ("smart" and "dumb" in our experiments) and the corresponding groups.
- Edit the webanomaly configuration file to add HTTP server pool entries for the "smart" and "dumb" hosts. For example:

    <weblock:http-server iface="eth0" addr="smart" http-port="80" type="normal"/>
    <weblock:http-server iface="eth0" addr="dumb" http-port="80" type="restricted"/>

- Configure two virtual hosts on the Apache web server and set up suPHP to execute the two virtual hosts under the two users created in the previous step. Because the Host header chosen by WebAnomaly is what selects the virtual host, Apache should accept requests only from the WebAnomaly host: a client that can reach Apache directly could supply "Host: smart" itself and bypass the restricted host. For example:
    NameVirtualHost *
    <VirtualHost *>
        ServerName smart
        ServerAdmin webmaster@localhost
        suPHP_Engine on
        suPHP_UserGroup smart smart
        DocumentRoot /var/www/smart/
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/smart/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            suPHP_AddHandler x-httpd-php
            suPHP_AddHandler x-httpd-php5
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>

    <VirtualHost *>
        ServerName dumb
        ServerAdmin webmaster@localhost
        suPHP_Engine on
        suPHP_UserGroup dumb dumb
        DocumentRoot /var/www/dumb/
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/dumb/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            suPHP_AddHandler x-httpd-php
            suPHP_AddHandler x-httpd-php5
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>
        ErrorLog /var/log/apache2/error.log
        LogLevel warn
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>

- Install the web application under the two virtual hosts (inside /var/www/smart and /var/www/dumb in our example).
- Configure the webanomaly models and perform the required training phase. Refer to the webanomaly documentation for the details of this process.
- Configure the MySQL database to grant the right permissions to the two users (usually the dumb user is not granted access to the sensitive tables).
- Run the SQLAnomaly component on the dynamically generated SQL query log.
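As an added example, not part of WebAnomaly, SQLAnomaly or the libmysql patch, the script below makes the last two steps concrete: it generates the MySQL GRANT statements for the smart and dumb accounts from a table list, and it audits the query log to confirm that queries executed under the dumb host never reference a sensitive table. The log line format ("user=... query=..."), the table names and the sample log contents are assumptions constructed for the example; the real format written by the patched libmysql is not described on this page, so adapt the log regex to it.

```python
"""
Audit helper for the smart/dumb privilege split (added example).

Assumptions, none of which come from the original page:
  * the patched libmysql writes one query per line, prefixed by the UNIX user
    the PHP page ran as, e.g. "user=dumb query=SELECT ..."
  * table names are plain identifiers, optionally backquoted
  * the table list and the sensitive subset below are invented for the demo
"""
import re

SENSITIVE_TABLES = {"users", "credit_cards"}                 # constructed
ALL_TABLES = {"users", "credit_cards", "products", "reviews"}  # constructed

# Keywords after which a table name appears (good enough for simple MySQL DML).
_TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+`?([A-Za-z_][A-Za-z0-9_]*)`?",
    re.IGNORECASE,
)
# Assumed log line layout: "user=<unix user> query=<sql>".
_LOG_LINE = re.compile(r"^user=(\w+)\s+query=(.*)$")


def referenced_tables(sql):
    """Return the lower-cased set of table names a query touches."""
    return {m.group(1).lower() for m in _TABLE_REF.finditer(sql)}


def grant_statements(db, host="localhost"):
    """GRANT statements for the two accounts: smart gets the whole schema,
    dumb gets DML only on the non-sensitive tables (least privilege)."""
    stmts = ["GRANT ALL PRIVILEGES ON `%s`.* TO 'smart'@'%s';" % (db, host)]
    for table in sorted(ALL_TABLES - SENSITIVE_TABLES):
        stmts.append(
            "GRANT SELECT, INSERT, UPDATE, DELETE ON `%s`.`%s` TO 'dumb'@'%s';"
            % (db, table, host)
        )
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


def audit_log(lines, restricted_user="dumb"):
    """Return (user, sql) pairs where the restricted user touched a sensitive
    table. An empty list means the privilege split held for this log."""
    violations = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        user, sql = m.groups()
        if user == restricted_user and referenced_tables(sql) & SENSITIVE_TABLES:
            violations.append((user, sql))
    return violations


# Constructed sample log; not captured from a real system.
SAMPLE_LOG = [
    "user=smart query=SELECT id, login FROM users WHERE login='bob'",
    "user=dumb  query=SELECT name, price FROM products WHERE id=3",
    "user=dumb  query=SELECT p.name FROM products p JOIN reviews r ON r.pid=p.id",
    "user=dumb  query=SELECT pan FROM `credit_cards` WHERE uid=3",
]

if __name__ == "__main__":
    for stmt in grant_statements("webapp"):
        print(stmt)
    for user, sql in audit_log(SAMPLE_LOG):
        print("VIOLATION by %s: %s" % (user, sql))
```

The regex-based table extraction is an approximation (it does not parse subqueries or aliases fully), so treat the audit as a sanity check on the configuration; the actual enforcement is the MySQL grant, which is why a query like the last sample line should fail at the database even if it appears in the log.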