On the free end you could install Snort on the server and add a rule for
detecting improper use of your app, but this is the same problem you had
before.  In order to write the rule you have to know at least at a general
level how the app could be misused, and if you knew that you would fix the
holes.  Snort has general rules that can detect attempted webserver exploits
but I imagine app specific stuff might be tricky to generalize.  You might
also set up alerts on bandwidth/db usage to detect when someone is mining
you.

As far as SQL Injection style attacks go, you can handle this by wrapping
your data access in a layer that detects improper parameters.  I haven't yet
examined how the Jakarta OJB handles attempted SQL Injection that gets
passed through the Query mechanism, but in general systems that rewrite the
SQL from a template (such as the normal JDBC mechanism) stop at least some
injection attacks by forcing a typecast - then you only have to worry about
string parameters.

Another approach I've seen used is to mask what server you are running to
send exploiters on a wild goose chase.  i.e. make Tomcat report that it's
IIS or something similar, and try to not make your struts actions look like
actions (*.do).  That at least makes more work for them.

The best approach to App security is of course to build it in from the
beginning, and not by patching it in later.

-Chip
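The bandwidth/db-usage alerting idea from the first paragraph, as an added example (not code from this thread, Snort, or any Struts project): a small Java class that reads Tomcat/Apache common-log-format lines and raises an alert when one client makes more requests, or pulls more bytes, than a threshold within a sliding window. The log lines, the `/customer.do?id=` URL pattern, and the thresholds are constructed for the demonstration.

```java
import java.time.Duration;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: per-client request and byte counting over a sliding window,
 * fed from common-log-format access log lines. Not code from the thread.
 */
public class HarvestDetector {

    // host ident authuser [date] "method path protocol" status bytes
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"\\S+ (\\S+) [^\"]*\" (\\d{3}) (\\d+|-)$");
    private static final DateTimeFormatter TS =
        DateTimeFormatter.ofPattern("dd/MMM/yyyy:HH:mm:ss Z", Locale.ENGLISH);

    private final Duration window;
    private final int maxRequests;
    private final long maxBytes;
    // Per client: queue of {epochSecond, bytes} inside the current window.
    private final Map<String, Deque<long[]>> perHost = new HashMap<>();
    private final Set<String> alerted = new HashSet<>();

    public HarvestDetector(Duration window, int maxRequests, long maxBytes) {
        this.window = window;
        this.maxRequests = maxRequests;
        this.maxBytes = maxBytes;
    }

    /** Feeds one log line; returns an alert string the first time a client crosses a threshold, else null. */
    public String feed(String line) {
        Matcher m = LINE.matcher(line);
        if (!m.matches()) return null;               // unparseable line: skip it
        String host = m.group(1);
        long t = OffsetDateTime.parse(m.group(2), TS).toEpochSecond();
        long bytes = "-".equals(m.group(5)) ? 0 : Long.parseLong(m.group(5));

        Deque<long[]> q = perHost.computeIfAbsent(host, h -> new ArrayDeque<>());
        q.addLast(new long[]{t, bytes});
        long cutoff = t - window.getSeconds();
        while (!q.isEmpty() && q.peekFirst()[0] < cutoff) q.pollFirst();   // drop old entries

        long total = 0;
        for (long[] e : q) total += e[1];
        if ((q.size() > maxRequests || total > maxBytes) && alerted.add(host)) {
            return String.format("ALERT %s: %d requests, %d bytes in last %ds (latest: %s)",
                host, q.size(), total, window.getSeconds(), m.group(3));
        }
        return null;
    }

    public static void main(String[] args) {
        // 60-second window, more than 20 requests or 5 MB from one client triggers an alert.
        HarvestDetector d = new HarvestDetector(Duration.ofSeconds(60), 20, 5_000_000L);
        List<String> lines = new ArrayList<>();
        // Constructed sample: one ordinary visitor, and one client walking every record id.
        lines.add("192.0.2.10 - - [10/Jun/2003:11:48:00 +0000] \"GET /index.do HTTP/1.1\" 200 2310");
        for (int i = 1; i <= 30; i++) {
            lines.add(String.format(Locale.ENGLISH,
                "10.0.0.5 - - [10/Jun/2003:11:48:%02d +0000] \"GET /customer.do?id=%d HTTP/1.1\" 200 1800",
                i, i));
        }
        for (String line : lines) {
            String alert = d.feed(line);
            if (alert != null) System.out.println(alert);   // fires on the 21st request from 10.0.0.5
        }
    }
}
```

Tailing the live access log into `feed()` gives the real-time alert the original question asks for without needing to know the specific hole in advance; the thresholds are what you tune to your own traffic.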
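The "wrap your data access in a layer that detects improper parameters" idea, as an added example in plain JDBC (not code from this thread, from Struts, or from Jakarta OJB): numeric parameters are forced through a typecast before any SQL is built, string parameters are still bound with `?` but also length- and charset-checked, and identifiers such as a sort column, which cannot be bound, must come from a whitelist. The `customer` table and its columns are hypothetical; `Set.of` needs Java 9 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: a data access wrapper that validates request parameters
 * before they reach JDBC. The table and column names are hypothetical.
 */
public class SafeCustomerDao {

    /** Columns a caller may sort by; identifiers cannot be bound with '?', so they are whitelisted. */
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name", "city");

    /** Names: letters, digits, space and a few punctuation marks, 1..64 characters. */
    private static final Pattern SAFE_NAME = Pattern.compile("^[\\p{L}\\p{N} .'-]{1,64}$");

    private final Connection conn;

    public SafeCustomerDao(Connection conn) {
        this.conn = conn;
    }

    /** The typecast: anything that is not a positive integer is rejected before any SQL exists. */
    static int requireId(String raw) {
        if (raw == null) throw new IllegalArgumentException("id missing");
        try {
            int id = Integer.parseInt(raw.trim());
            if (id <= 0) throw new IllegalArgumentException("id must be positive");
            return id;
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("id is not numeric");
        }
    }

    /** String parameters remain the risk: bound with '?', and additionally bounded in length and charset. */
    static String requireName(String raw) {
        if (raw == null || !SAFE_NAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("name rejected");
        }
        return raw;
    }

    static String requireSortColumn(String raw) {
        if (raw == null || !SORTABLE_COLUMNS.contains(raw)) {
            throw new IllegalArgumentException("unknown sort column");
        }
        return raw;
    }

    public String findNameById(String rawId) throws SQLException {
        int id = requireId(rawId);
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT name FROM customer WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public List<String> findCities(String rawName, String rawSort) throws SQLException {
        String name = requireName(rawName);
        String sort = requireSortColumn(rawSort);
        // The only text concatenated into the SQL is the whitelisted column name.
        String sql = "SELECT city FROM customer WHERE name = ? ORDER BY " + sort;
        List<String> cities = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) cities.add(rs.getString(1));
            }
        }
        return cities;
    }

    /** Exercises the validation layer on its own; no database connection needed. */
    public static void main(String[] args) {
        for (String raw : new String[]{"42", " 7 ", "1 OR 1=1", "-3", "abc"}) {
            try {
                System.out.println("id '" + raw + "' -> accepted as " + requireId(raw));
            } catch (IllegalArgumentException e) {
                System.out.println("id '" + raw + "' -> rejected: " + e.getMessage());
            }
        }
        for (String col : new String[]{"name", "not_a_column"}) {
            try {
                System.out.println("sort '" + col + "' -> " + requireSortColumn(col));
            } catch (IllegalArgumentException e) {
                System.out.println("sort '" + col + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejections thrown by the `require*` methods are also the natural place to log and count, which ties this layer back to the alerting question: a burst of rejected parameters from one client is itself a signal worth seeing in real time.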

-----Original Message-----
From: Denis Avdic [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 11:48 AM
To: Struts Users Mailing List
Subject: [OT] Application Security


Hello,

This is really off topic, but since everyone is working in similar
conditions I thought I'd ask you all a question.

How is everyone handling security in your applications?

More specifically, we have a site where someone violated our acceptable
use policy and basically tried to retrieve all our data through a
previously unseen hole.  Now, we patched it and we can definitely go on
and keep patching holes when we find them, but I would like to set up
something to prevent that from happening in the first place.  I am
talking about setting up an Intrusion detection system or something
similar, where I could be at least alerted in real time that something
funky is happening, and that I don't have to accidentally stumble across
the action in the log file.  How are you (if you are) handling this?
Are there open source tools to set this up?  Commercial?

TIA,

Denis


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
