March 22, 2005 - Larkware reviews ThreatSentry version 2.0
By Mike Gunderloy
ThreatSentry is an inexpensive intrusion detection and prevention system that integrates well with Microsoft IIS - in fact, it integrates better with IIS than any other intrusion detection software that I've seen. ThreatSentry is implemented as an ISAPI filter, and managed through an MMC snap-in, so its use and technology are a perfect fit for the rest of the IIS world. Basically, it keeps an eye on IIS requests as they go by, and when it sees something suspicious, stomps on it for you. Some of its capabilities overlap those of Microsoft's free UrlScan utility, but ThreatSentry offers more flexibility and a greater range of response options for traffic that you'd rather do without.
Although ThreatSentry comes with its own database of predefined rules to watch out for common web attacks (such as HTTP verbs that you probably don't want to get through and request strings that are part of known worms), that's only the beginning. When you first install it, the software launches in a training mode, where it listens in as normal traffic flows on your server. This gives it a baseline of what requests are supposed to look like, and it uses this to build up a database of known good page requests. If future traffic is markedly different from the training database, ThreatSentry gets suspicious and denies it. The administrator can monitor the log of blocked requests and train ThreatSentry further by confirming them or by marking the requests as OK, further fine-tuning its notion of what should be allowed.
You can choose whether you want bad requests to be blocked entirely, or just to be logged with notification to you. If they're blocked, you can also firewall the offending IP address from your server across the board so it can't get into any other mischief.
I tried ThreatSentry on the Larkware server, which also hosts a batch of other sites, and it performed as advertised, knocking down a pile of the nuisance traffic that plagues any server on the Internet these days. Installation was easy, management was simple, and it was basically software I could just forget about and monitor every now and then as it went about its business. For $99, this seems like a pretty cheap bit of peace of mind to add to any server that's on the net. If you want to give it a look yourself, you can download a 30-day trial from the Privacyware site.