This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intrusion Prevention - More detail about attack patterns?

I'm looking at either a supplement or alternative to fail2ban that we have already running on a publicly exposed Apache server. I can see that under IPS setting on the Sophos UTM, there are attack patterns relevant to HTTP Servers/Apache:

We have been adding fail2ban jails to our Apache server in response to attacks that occur, but I'm wondering if these IPS attack patterns might offer a less reactive approach to the problem...

For example: We noticed a Russian IP sending thousands of HTTP GET/POST requests to the server, so we created a fail2ban jail to ban any IP that sends a certain number of requests over a 30 second period. This works, but seems patchwork.

Would the scenario described above be a relevant use-case for Sophos IPS? Is there a way I can see what patterns "Attacks against Servers > HTTP Servers > Apache" is tracking? Maybe this is concealed so that attackers can't work around them?

Thanks,

Ryan

This thread was automatically locked due to age.

0 Karlos over 7 years ago

Hi Ryan,

UPDATE: We do actually have a public facing guide of our IPS rules that you can refer to.

Thanks,
Karlos

Karlos
Community Support Engineer | Sophos Technical Support
Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link.
Cancel
Vote Up 0 Vote Down

Cancel