Monitor errors and detect potential attacks on webservers.
Apache. Alerts for Apache webservers
- Apache Critical Error: Alert of critical errors on Apache such as seg faoult or php fatal error.
- Apache common errors: Alert of generic Apache errors.
- Apache Invoke dir as script: Alert of Apache error “Attempt to invoke directory as script”.
- Apache client denied by server conf: Attempted access to a restricted resource (or outside the DocumentRoot).
- Apache FQDN servername not resolved: Warn when the Apache server name is not associated to a FQDN.
- Apache bind to addr fail: Alert when the Apache server cannot use the defined listening port (this normally happens when the port is already in use by another service, it has no privileges, due to SELinux/AppArmor policies, etc).
- Apache favicon not found: Alert when the webserver does not have a favicon (icon displayed in the navigation bar when web site is visited).
- Apache too many 404 errors: Too many 404 errors (resources not found) have been generated in a defined time interval (normally adverts of a potential resource scanning or broken links in the web application).
- Apache mixing ports error: Apache configuration error in virtualhosting environments.
- Apache too many byte range requests: Alert when too many 206 petitions (Partial content) occur in a short interval of time (could mean bulk downloads or possible Apache Range Heaer Dos).
- Apache PHP fatal error: Alert when numerous PHP errors occur.
- Apache Shutdown: Alert when the Apache server shuts down.
- Apache Startup: Alert when the Apache server starts up.
IIS. Alerts for Microsoft IIS webservers.
- IIS Critical Error: Alert of generic errors on Microsoft ISS servers.
HTTP Attack. Alert of generic HTTP attacks.
- Malicious Http Methods: Alert of unusual use of HTTP methods such as PUT or WebDAV extensions (depending on the service, this behavior can sometimes be legitimate).
- Proxy Abuse: Alert when attempted use of webserver as a proxy to try to access external or internal resources (depending on the service, this behavior can sometimes be legitimate).
Suspicious User Agent. Alert of unusual activity on the webserver from uncommon browsers or tools used for task automation.