We host quite a few public websites and attempted hacks are regular on a lot of the sites. One of the things I was interested in doing was being able to block certain keywords from even being accepted in the URL. Because we use TMG to publish all our websites currently, you can configure the HTTP filter to block keywords on each publishing rule (cool!). Check this site out on how to do it – http://www.elmajdal.net/ISAServer/Keyword_Filtering_With_ISA_Server_2006.aspx

So I went to our splunk instance to do some searching to find some keywords which I could block, but also make sure the keywords didn’t appear in any legitimate traffic. Some of the keywords I found I could block pretty easily were as follows:

– union, having, select, blackhat, information_schema

You can also look at blocking certain user agent strings, for example “Havij”, which is a popular SQL injection tool, and also “sqlmap”.

There are some others as well but I consider those a bit of our IP so unfortunately I’m not going to share them all with you. However I encourage you to log all your traffic to splunk and do some keyword search of your own. I’m sure if you poked some security tools like Nessus at a website, you’d find a heap more.
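Before you put a keyword into the TMG HTTP filter, the step the post describes is checking your own logs to see where that keyword already shows up, because a word like "select" or "having" can easily appear in a perfectly legitimate path. The script below is an added example (not the author's Splunk search and not TMG's own code) that does that audit over a handful of constructed web-server access log lines in combined log format: it URL-decodes each request URL, matches the post's keyword list as whole words, case-insensitively, matches the two user-agent substrings, and returns the hits per keyword with the URLs that triggered them so you can eyeball the legitimate ones before blocking. The log lines, the log layout and the `audit`/`count_hits` function names are all assumptions for this example.

```python
import re
from urllib.parse import unquote_plus

# Keywords and user-agent substrings taken from the post.
KEYWORDS = ["union", "having", "select", "blackhat", "information_schema"]
BAD_USER_AGENTS = ["Havij", "sqlmap"]

# Combined log format: ip ident user [time] "METHOD url PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Whole-word, case-insensitive match: "select-size" still counts as the word "select",
# "selection" does not. Underscore is treated as a word character so that
# "information_schema" is one token.
KEYWORD_PATTERNS = {
    kw: re.compile(r"(?<![A-Za-z0-9_])" + re.escape(kw) + r"(?![A-Za-z0-9_])", re.IGNORECASE)
    for kw in KEYWORDS
}

# Constructed sample lines (assumption: not real traffic). Two of them are ordinary
# site paths that happen to contain a candidate keyword.
SAMPLE_LOG = """\
10.0.0.1 - - [19/Jul/2012:10:00:01 +1000] "GET /products/select-size?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [19/Jul/2012:10:00:02 +1000] "GET /blog/having-fun-with-splunk HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.3 - - [19/Jul/2012:10:00:03 +1000] "GET /item.aspx?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.4 - - [19/Jul/2012:10:00:04 +1000] "GET /item.aspx?id=1 HTTP/1.1" 200 1024 "-" "Havij"
10.0.0.5 - - [19/Jul/2012:10:00:05 +1000] "GET /item.aspx?id=1 HTTP/1.1" 200 1024 "-" "sqlmap/1.0"
10.0.0.6 - - [19/Jul/2012:10:00:06 +1000] "GET /item.aspx?id=1+and+(select+1+from+information_schema.tables) HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def audit(log_text):
    """Return (keyword_hits, ua_hits): each maps a candidate to the list of
    (client ip, status, decoded url) entries that matched it."""
    keyword_hits = {kw: [] for kw in KEYWORDS}
    ua_hits = {ua: [] for ua in BAD_USER_AGENTS}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode before matching so percent-encoded or plus-encoded forms of a
        # keyword are seen the same way as the plain text.
        url = unquote_plus(m.group("url"))
        entry = (m.group("ip"), m.group("status"), url)
        for kw, pattern in KEYWORD_PATTERNS.items():
            if pattern.search(url):
                keyword_hits[kw].append(entry)
        ua = m.group("ua").lower()
        for bad_ua in BAD_USER_AGENTS:
            if bad_ua.lower() in ua:
                ua_hits[bad_ua].append(entry)
    return keyword_hits, ua_hits


def count_hits(log_text):
    """Convenience view: number of matching requests per keyword and per user agent."""
    keyword_hits, ua_hits = audit(log_text)
    return ({kw: len(v) for kw, v in keyword_hits.items()},
            {ua: len(v) for ua, v in ua_hits.items()})


if __name__ == "__main__":
    keyword_hits, ua_hits = audit(SAMPLE_LOG)
    for kw, entries in keyword_hits.items():
        print(f"{kw}: {len(entries)} hit(s)")
        for ip, status, url in entries:
            print(f"    {ip} {status} {url}")
    for ua, entries in ua_hits.items():
        print(f"user-agent contains {ua!r}: {len(entries)} hit(s)")
```

Against the sample, "select" and "having" both light up on ordinary site paths as well as on the request that carries a query, which is exactly the kind of result the post warns you to look for before adding a keyword to the filter: you would either drop those two words, or confirm that nothing under your own site uses them, before blocking. The decoding step is the script's choice; whether your publishing rule matches against the raw or the decoded URL is something to confirm in the TMG documentation rather than assume.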

Happy splunking!

**19/07/2012 – added information_schema to list of keywords and user agent string blocking
