Title :
Web driven alert verification
Author :
Najafi, Ardalan ; Sepahi, Ahamd ; Jalili, Rasool
Author_Institution :
Dept. of Comput. Eng., Sharif Univ. of Technol., Tehran, Iran
Abstract :
A web attack is an attack against a web server carried over the HTTP protocol. Analyzing known web attacks shows that each has its own characteristic behavior, and traces of that behavior can be detected in the non-body parts of the HTTP exchange. Such information can be used to verify web alerts generated by Web Application Firewalls (WAFs) and Web Intrusion Detection Systems (Web IDSs). In this paper, we propose a method to verify the web alerts generated by these sensors. The goal of the alert verification component is to eliminate or tag alerts that do not represent successful attacks. Our approach is based on analyzing HTTP transaction metadata: the request method, request headers, status code, and response headers. To evaluate the method, we implemented an alert verification module, reconfigured ModSecurity, modified a subset of the OWASP ModSecurity Core Rule Set, and developed a knowledge base of web attack vectors. We show that our approach significantly reduces false and non-relevant alerts with quite low processing overhead, and thus improves the quality of the results.
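To make the metadata-driven verification step concrete, the following Python sketch is an added illustration, not the paper's implementation (the record above does not reproduce the authors' rules or knowledge base). It tags each sensor alert as successful, possible or failed using only the request method, request headers, status code and response headers of the correlated transaction. The attack classes, the status-code and Content-Type heuristics, the rule identifiers and the sample transactions are all constructed assumptions.

```python
"""Tag WAF / web-IDS alerts using only HTTP transaction metadata.

Added illustration, not the paper's code: the attack classes, the
status-code / header heuristics, rule identifiers and sample alerts
are constructed assumptions about what such a knowledge base could hold.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Transaction:
    """The non-body parts of one HTTP exchange."""
    method: str
    request_headers: Dict[str, str]
    status: int
    response_headers: Dict[str, str]


@dataclass
class Alert:
    """A sensor alert already correlated with its transaction."""
    rule_id: str       # hypothetical identifiers, not CRS rule numbers
    attack_class: str  # key into KNOWLEDGE_BASE
    tx: Transaction


# Hypothetical knowledge base of per-attack-class success indicators.
KNOWLEDGE_BASE = {
    # A traversal file read succeeds only when the server answers 200 with
    # a non-HTML body type (e.g. /etc/passwd served as text/plain).
    "path_traversal": {"success_status": {200},
                       "success_types": {"text/plain", "application/octet-stream"}},
    # SQLi: 200 may be a successful UNION/boolean query; 500 means the
    # injected syntax broke the query (interesting, but not a success).
    "sqli": {"success_status": {200}, "error_status": {500}},
    # Method tampering matters only if the server honoured the odd verb.
    "method_tamper": {"success_status": {200, 201, 204}},
}


def _content_type(tx: Transaction) -> str:
    """Media type of the response without parameters, lower-cased."""
    return tx.response_headers.get("Content-Type", "").split(";")[0].strip().lower()


def verify(alert: Alert) -> str:
    """Return 'successful', 'possible' or 'failed' for one alert."""
    kb = KNOWLEDGE_BASE.get(alert.attack_class, {})
    tx = alert.tx
    # 3xx/4xx: redirected (e.g. to a login page), rejected or not found.
    # Whatever the payload was, the application did not act on it.
    if 300 <= tx.status < 500:
        return "failed"
    if tx.status in kb.get("error_status", set()):
        return "possible"
    if tx.status in kb.get("success_status", set()):
        types = kb.get("success_types")
        if types is None or _content_type(tx) in types:
            return "successful"
        # 200 but an HTML page: could be an application-level error page.
        return "possible"
    return "possible"  # metadata alone cannot decide


def triage(alerts: List[Alert]) -> Tuple[List[Tuple[str, str]], int]:
    """Tag every alert and count how many can be dropped as failed."""
    tags = [(a.rule_id, verify(a)) for a in alerts]
    dropped = sum(1 for _, tag in tags if tag == "failed")
    return tags, dropped


# Constructed sample alerts (not captured data).
SAMPLE_ALERTS = [
    Alert("PT-01", "path_traversal",
          Transaction("GET", {"Host": "shop.example"}, 200,
                      {"Content-Type": "text/plain"})),
    Alert("PT-01", "path_traversal",
          Transaction("GET", {"Host": "shop.example"}, 404,
                      {"Content-Type": "text/html"})),
    Alert("SQLI-01", "sqli",
          Transaction("POST", {"Content-Type": "application/x-www-form-urlencoded"},
                      500, {"Content-Type": "text/html"})),
    Alert("SQLI-01", "sqli",
          Transaction("GET", {"Host": "shop.example"}, 302, {"Location": "/login"})),
    Alert("METH-01", "method_tamper",
          Transaction("TRACK", {"Host": "shop.example"}, 405, {"Allow": "GET, POST"})),
]


if __name__ == "__main__":
    results, n_dropped = triage(SAMPLE_ALERTS)
    for rule_id, tag in results:
        print(f"{rule_id}: {tag}")
    print(f"{n_dropped} of {len(results)} alerts tagged as failed")
```

One practical caveat: the response status and headers exist only after the origin server has answered, so a verifier like this must run after the request-phase rule has fired (in ModSecurity terms, from phase 3 onward). If the WAF blocks in the request phases, the recorded status is the WAF's own denial response rather than the application's, and the verification says nothing about whether the attack would have succeeded.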
Keywords :
Internet; computer network security; hypermedia; meta data; transport protocols; HTTP protocol; HTTP transaction metadata analysis; OWASP ModSecurity Core Rule Set; WAF; Web IDS; Web application firewalls; Web attack; Web attack vector knowledge-base; Web driven alert verification; Web intrusion detection systems; Web server; alert verification module; reconfigured ModSecurity; request headers; request method; status code; Accuracy; Firewalls (computing); Intrusion detection; Knowledge based systems; Protocols; Web servers; HTTP Protocol; Intrusion Detection System; Web Application Firewall; alert verification; web attack;
Conference_Titel :
Information Security and Cryptology (ISCISC), 2014 11th International ISC Conference on
Conference_Location :
Tehran
DOI :
10.1109/ISCISC.2014.6994044