Secure Web Serving Filter Generator (SNORT)

This Perl script converts the detection signatures used by Snort into HTTP request filter rules which can be imported directly into Zeus Web Server (version 4.1 and above).

As new exploits are discovered, you should update your Request Filters so that your back-end web infrastructure has the best protection possible. To make this easier, new filters can be imported from a text file directly into the Administration Server and deployed to each of the Zeus Web Servers without any downtime whatsoever.

The current Snort rule set can be downloaded from http://www.snort.org/dl. This rule set is then used by sniff-snort to generate the Zeus-compatible request filter.
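The kind of conversion described above, sketched as an added example (this is not sniff-snort's code): it pulls the `uricontent` patterns out of Snort rules and applies them to request URIs. The sample rules are constructed, the function names are hypothetical, and the output is a generic Python structure, since this page does not document the Zeus filter file format.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample rules in Snort rule syntax (sids and messages are made up).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample traversal"; uricontent:"/scripts/|2E 2E|/"; sid:1000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"sample non-HTTP rule"; content:"public"; sid:1000003; rev:1;)
# alert tcp any any -> any 80 (msg:"sample disabled rule"; uricontent:"/old.cgi"; sid:1000004; rev:1;)
'''

# One "name;" or "name:value;" option; quoted values may contain escaped characters.
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;')

def decode_content(text):
    """Snort content string -> bytes: |..| spans are hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def parse_rules(text):
    """Return a filter per active rule that has at least one uricontent option."""
    filters = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#") or "(" not in line:
            continue  # comments (disabled rules), blanks, non-rule lines
        body = line[line.index("(") + 1:line.rindex(")")]
        opts = [(k, v[1:-1] if v.startswith('"') else v.strip()) for k, v in OPTION.findall(body)]
        patterns, last = [], None
        for key, value in opts:
            if key == "uricontent":
                last = [decode_content(value), False]
                patterns.append(last)
            elif key == "content":
                last = None  # payload match; has no URI-filter equivalent, so it is dropped
            elif key == "nocase" and last:
                last[1] = True  # nocase modifies the content option before it
        if patterns:
            meta = dict(opts)
            filters.append({"sid": int(meta["sid"]), "msg": meta.get("msg", ""), "patterns": patterns})
    return filters

def blocked_by(filters, uri):
    """Return sids of filters whose patterns all occur in the percent-decoded URI."""
    raw = unquote_to_bytes(uri)
    return [f["sid"] for f in filters
            if all((p.lower() in raw.lower()) if nc else (p in raw) for p, nc in f["patterns"])]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for uri in ("/index.html", "/winnt/system32/CMD.EXE?/c+dir", "/scripts/%2e%2e/x"):
        print(uri, "->", blocked_by(rules, uri) or "allowed")
```

Rules that combine `uricontent` with payload `content` options become broader once only the URI part is kept, so review converted filters for false positives before merging them into a production rule set.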

Instructions for use

  • Download the current Snort rule set

  • Extract the rules from the tar archive, e.g.:

    $ gzip -c -d snortrules.tar.gz | tar xvf -

  • Run sniff-snort on the rules directory that has just been extracted, e.g.:

    $ ./sniff-snort snortrules > zeus-rules.txt

  • Go to your Zeus Administration Server

  • Under Global Configuration, go to Request Filtering

  • Click on Add Multiple Rules

  • Under Uploading a File, specify the filename for the filter file you have downloaded (it is recommended to merge this with your existing ruleset)

  • Apply and commit the changes.

What is HTTP request filtering?

Zeus announced the Secure Web Serving Solution in October 2001, offering a scalable solution for those wishing to protect their IIS servers from Denial of Service or virus attacks. Zeus Web Server has a market-leading security record and additional features now further harden protection and enhance the Secure Web Serving Solution.

Zeus Web Server is the only web server to have such built-in protection, helping to resist Denial of Service attacks and viruses such as Code Red and Nimda. The Zeus Service Protection Policy provides a range of measures to protect web servers, web applications and back-end infrastructures from a range of attacks, including:

  • Connection counting and limiting to protect against attempts to overload the web server or web application with excessive numbers of HTTP-based requests
  • Request filtering to guard against known HTTP-based attacks
  • Request checking to protect against malformed HTTP requests

What is Snort?

Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort was written by Marty Roesch <roesch@sourcefire.com> and is available from Snort.org. It is covered by their license terms.

Content Manager [Administrator] 14 December 2005