Welcome to ServerDefender AI

ServerDefender AI Web application firewall is designed to provide immediate protection for Web sites and applications running on the Microsoft IIS Web server by blocking known HTTP and application layer attack signatures. In addition, ServerDefender AI provides a host of features to support the successful implementation of your Web application security policies:

  • Detailed security alert logging and notification options
  • Powerful exceptions to combat false positives without sacrificing security
  • Request frequency limits and network level IP blocking to counter malicious bots
  • An advanced Behavioral Engine option to extend the power of the built-in Request rules


Installation and Activation

System Requirements

The System Requirements for ServerDefender AI are as follows:

  • A compatible version of IIS and Windows:
    • IIS 7.5 / Server 2008 R2 with Service Pack 1
    • IIS 7.0 / Server 2008 with Service Pack 2
    • IIS 6.0 / Server 2003 with Service Pack 2
    • IIS 5.0 / Server 2000 with Service Pack 4
  • Runtimes:
    • .NET 2.0 or better
    • SQL Server 2005 or better
  • Compatible hardware:
    • x86 (32-bit)
    • x64 (64-bit)
  • Notes:
    • For IIS 7.x / Server 2008 installations, the following IIS Role Services must be installed:
      • ISAPI Extensions
      • IIS 6.0 Management Compatibility
    • If an existing SQL Server instance is not available, or you do not wish to use your existing instance as ServerDefender AI's data provider, you will have the option during installation to download and install SQL Server 2005 Express Edition.
    • IIS instances that have application pools running in 32-bit mode on 64-bit hardware require use of the 32-bit ServerDefender AI installer.
    • Mixed-mode scenarios in 64-bit Server 2008/IIS 7.x (i.e., one or more application pools in 32-bit mode and one or more in 64-bit mode) are not currently supported.
    • IIS 6.0 instances should be in default isolation mode (Worker Process Isolation Mode) rather than in IIS 5.0 isolation (compatibility) mode.

Major Components

ServerDefender AI consists of the following major program components:

  • An ISAPI Wildcard Extension (for IIS 6 and 7) or Filter (for IIS 5), written in fast-executing native code that is loaded by IIS to implement the primary ServerDefender AI functionality.
  • The ServerDefender AI Settings Manager, a Microsoft Management Console (MMC) application that provides users with administrator rights the ability to configure ServerDefender AI's various settings.
  • A Windows Service (TSSvc.exe) that is used to manage ServerDefender AI's data providers.

Installation

ServerDefender AI uses separate installers for 32-bit and 64-bit hardware.

Apart from this, the installation process is fairly straightforward. There are, however, a few configuration options of which you should be aware in advance.

The first step is simply to read and accept the License Agreement:

ServerDefender AI Screen Shot

Next you must decide which SQL Server instance will be used as the ServerDefender AI data provider. The default option is to download SQL Server 2005 Express Edition and create a new local instance:

ServerDefender AI Screen Shot

Alternatively, you can specify an existing local or network instance of any edition of SQL Server 2005 or later. If you choose to specify an existing local instance, the installer will attempt to detect all installed local instances and ask you to select which one to use:

ServerDefender AI Screen Shot

If instead you elect to specify an existing network instance, the Data Link Properties dialog will come up so that you can configure and test the connection to that instance:

ServerDefender AI Screen Shot

Once the configuration of the database instance is complete, the following dialog will appear:

ServerDefender AI Screen Shot

Click the Browse button to change the default installation directory for ServerDefender AI:

ServerDefender AI Screen Shot

The Advanced Options button allows you to view and/or change advanced settings:

ServerDefender AI Screen Shot

The advanced installation options include the following:

Security Mode:

By default ServerDefender AI will launch in Inactive mode, meaning that security events will be detected and logged, but the requests that triggered those events will not be blocked. This mode is strongly recommended if you are installing ServerDefender AI version 2 for the first time.

If you are reinstalling the software, or installing to additional machines, having already established a configuration baseline on one machine, then you may wish to opt to have ServerDefender AI start in Active mode. In this case, requests that trigger security events will be blocked.

Additional Options:

  • If ServerDefender AI is being installed on an Exchange server intended to support OWA, check the box labeled Allow Outlook Web Access HTTP Methods.
  • If ServerDefender AI version 1.x was previously installed on this server, and you wish to import the data from that instance (IntrusionLog.mdb, YEVS.mdb, MappingRules.xml and IP Lists), check the box labeled Import SDAI v1 Data.
  • To preserve all Security Alert and Training Data when updating ServerDefender AI version 2.x, place a check in the box labeled Preserve Existing Data. Note: the update must use the previous SQL Server instance. When unchecked, any existing Security Alerts and Training Data will be cleared, and the most current set of default rules and settings will be applied.
  • To preserve predefined rules and IP Lists (blocked, allowed, previously blocked) when updating ServerDefender AI version 2.x, place a check in the box labeled Preserve Existing Rules and Settings. Any new rules will be installed, and any custom rules previously added will be preserved. Conflicts will be resolved in favor of the version 2 default rule set.


Activation

When first installed ServerDefender AI defaults to trial mode. You may continue to use ServerDefender AI in trial mode for up to 30 days, during which time all of its features will be fully functional. At the end of the trial period, ServerDefender AI will cease functioning, but your IIS server will continue to run normally.

Any time during the trial period, or after that period has ended, you can choose to activate ServerDefender AI, thereby continuing (or, if the trial has ended, restoring) full functionality.

Activation always requires the prior purchase of a ServerDefender AI license from www.port80software.com, or the purchase of an additional activation if you already own a ServerDefender AI license and are seeking to activate an additional server.

(Note: You will need both your Email-of-Record as well as the corresponding License Key to complete your activation. Both of these should be listed on your purchase receipt.)

Once you have a valid license, there are several options for completing the activation:

  • While in trial mode, you will be presented with a Product Activation screen each time you launch the ServerDefender AI Settings Manager. If your IIS server is permitted to initiate outbound SSL (HTTPS) connections on port 443, you can use the option shown on this screen to activate online.
  • Alternatively, you can launch a version of the Product Activation screen from within the Settings Manager:
    ServerDefender AI Screen Shot
  • If your server is prevented for security reasons from making outbound HTTPS connections, you can instead use email-based activation. Please contact Port80 Software technical support (support@port80software.com) for more information about this option.



Getting Started With Settings Manager

The ServerDefender AI Settings Manager allows you to control most system configuration settings and policies, and provides access to the Training Database data and the Security Alert Log. The Settings Manager can be launched using the shortcut in the Port80/ServerDefender AI Start menu program group, or by double-clicking the ServerDefender AI desktop icon.

ServerDefender AI Screen Shot

Once the Settings Manager is launched, you will see that it is organized in the form of a tree-view control, with the tree displayed in the left-hand pane. The top-level node in this tree is labeled with the Machine Name of the local computer.

If you fully expand this top-level node, you will find that it contains three sub-nodes: Training Data, Security Alert Log, and Management.

The Training Data and Security Alert Log nodes are for viewing and interacting with the ServerDefender AI databases. The roles of these databases in the operation of ServerDefender AI are described in detail in their own sections later in this guide.

The Management node contains all of the ServerDefender AI configuration settings. If you completely expand this node in the Settings Manager tree view control, you will see a hierarchy of sub-nodes, each of which represents a major area of functionality. The sections that follow describe each of these functional areas in turn.




Working With Security Modes

ServerDefender AI's overall behavior is governed by three different Security Modes. Knowing and controlling which mode ServerDefender AI is in at any given time is fundamental to successful operation of the product. There are various ways to view and change the current Security Mode, but the easiest and fastest is to use the right-click menu option on the Machine Name node of the Settings Manager's tree view control:

ServerDefender AI Screen Shot

The expected behavior of ServerDefender AI when it is in each of the three Security Modes is as follows:

  • Monitoring - Inactive :: This is ServerDefender AI's "log only" mode. When this mode is selected ServerDefender AI will not block any requests, but it will log any that violate the security rules. These potential threats will be recorded in the Security Alert Log (SAL) just as if they had been blocked.
  • Monitoring - Active :: Once you have mitigated false positive risk by running ServerDefender AI in Monitoring - Inactive for a suitable amount of time, you can then switch to this mode. At that point ServerDefender AI will begin blocking requests that violate the security rules.
  • Training Mode :: This mode is used when enabling ServerDefender AI's optional Behavioral Engine feature. The Behavioral Engine requires priming with a baseline of request data obtained in Training Mode. This can be done using IIS log data, or with requests that are recorded while running in Training Mode, or both.

Note: We strongly recommend running ServerDefender AI in Monitoring - Inactive mode first. This will give you an opportunity to identify any false positives (innocent requests that violate the existing security rules) and make the appropriate exceptions and/or rule changes for those requests.

If you decide to enable the Behavioral Engine option, you should also run in Monitoring - Inactive mode after all of the Training Data has been accumulated. This will allow you to observe the effects of your Training Data on the Behavioral Engine, and make any necessary adjustments either to the Training Data itself or to the Behavioral Engine settings.

In all cases, then, the rule of thumb for safe operation of ServerDefender AI is this:

Always check the effects of your configuration changes by running in Monitoring - Inactive mode before changing to Monitoring - Active mode.




Service Properties

The Services node provides access to key information regarding the state of ServerDefender AI's major systems. In the listview control (in the right pane) you will see a single row indicating: whether ServerDefender AI has been successfully loaded (the Status column), its current Security Mode, and whether the Network IP blocking feature is on or off.

Notes:

ServerDefender AI's main executable code is automatically loaded by all IIS worker processes upon initialization. If you examine the Status column when IIS is offline, or before a first request has been made, the Status column will show ServerDefender AI to be "Down". At all other times, it should report that ServerDefender AI is in the "Running" state.

Network IP Blocking refers to the ability to block an attacker's IP before it reaches IIS, and to do so on all of the server's ports simultaneously, not only those used by IIS. Use of this feature requires a machine reboot following installation. Without this reboot, ServerDefender AI can still block IPs, but it will not be able to do so at the network layer.

ServerDefender AI Screen Shot

The Services node can be used to configure certain system-level settings. To do this, use the Properties right-click menu option, or simply double-click the row in the listview pane, to launch the Services Properties dialog. This dialog again reports ServerDefender AI's status, as well as that of the Network IP Blocking feature. In addition, it provides radio button controls to display and select the current Security Mode:

ServerDefender AI Screen Shot

Also on the Services Properties dialog you will find a checkbox for enabling and disabling ServerDefender AI's Behavioral Engine. This feature of ServerDefender AI uses a baseline of Training Data to block malicious requests that might not be caught by any of the built-in Request Rules.

To configure Behavioral Engine settings, click the Advanced Settings button. This launches the Advanced Behavioral Engine Settings dialog:

ServerDefender AI Screen Shot

This dialog contains a number of important settings:

  • Untrusted Events Sensitivity - This controls how closely a request must match one that is marked as "Untrusted" in the Training Database before itself being blocked. The lower the percentage, the more a new request can differ from a known-untrusted one, and still be blocked as a malicious variant.
  • Trusted Events Sensitivity - This setting does the same thing for Trusted Events in the Training Database: the lower the percentage, the more that a new request can differ from a known-trusted one, and still be considered safe. This allows "Trusted" events to counter-balance the effects of "Untrusted" ones, diminishing the risk of false positives.
  • Include Parameters - This setting instructs the Behavioral Engine to include the request parameters as well as the URL proper when comparing incoming requests to Untrusted and Trusted events in the Training Database.



Threat Management Options

The Threat Management Options can be found under the Management/Policy node:

ServerDefender AI Screen Shot

Double-click the row in the list view (right) pane, or right-click that row and select Properties, to launch the Threat Management Properties dialog. This dialog allows you to manage ServerDefender AI's response to untrusted events. Threat Management configuration options are divided into two tabs, the Notification tab, and the Action tab:

ServerDefender AI Screen Shot

The Notification Tab

The Notification Tab (pictured above) controls how local and remote notifications of untrusted events are delivered. There are a number of notification options:

  • Visual and Audio Alert - Generates a system tray pop-up and locally displays the Security Alert Event Detail and Management Options dialog, with detailed information about the specific untrusted event.
  • Display 20 Most Recent Security Alerts - Adds summary information about the untrusted event to a dialog capable of displaying the 20 most recent events, opening the dialog if it is not already displayed.
  • Send Security Alerts via E-mail - Sends an email alert for each untrusted event. Click the Settings button to configure the email settings:

    Notes: Use semicolons to separate multiple recipient email addresses. A test email will be automatically sent to the recipient(s) when this feature is enabled. After the first alert, subsequent untrusted event notifications are sent in batches of approximately 20 per email, to minimize excessive email traffic.
    ServerDefender AI Screen Shot
  • Send Security Alerts via SMS Text/Pager - Sends an SMS alert to a number on the AT&T or Verizon network. Click the Settings button to configure the SMS details:
    ServerDefender AI Screen Shot
  • Write to Application Log - A Warning event is logged in the Windows Application Log for each untrusted event.
  • Visual Alert via MS Messenger Service - Displays a visual alert on one or more remote machines in the Windows network. Click the Settings button to select the target computers:

    Note: The Windows Messenger Service must be running on the target machine. This service is disabled by default on workstation editions of Windows beginning with XP Service Pack 2.
    ServerDefender AI Screen Shot

The Notification tab also provides a means to filter which categories of untrusted events will generate notifications. To do this, click the Global Notification Filter button. This will launch the Global Notification Filter dialog:

ServerDefender AI Screen Shot

There are four categories of untrusted events, and the untrusted event notifications may be enabled or disabled for each category:

  • Rules Engine - This refers to untrusted events raised when there is a violation of one of the HTTP Method, URL Path (deny), Parameter, or HTTP Request Headers rules, all of which are found under the Rules/Requests node.
  • Behavioral Engine - This refers to untrusted events raised by the Behavioral Engine, based upon events marked as Untrusted in the Training Database.
  • Blocked IPs - This refers to the dynamic addition of an IP address to the Blocked IP Addresses list (in Rules/IP Addresses).
  • Request Frequency - This refers to the violation of one of the Request Frequency rules found on the Request Frequency tab of the URL Path rules Properties sheet (Rules/Requests/URL Paths).

Note: These global notification settings can be overridden on a per-rule basis. When an individual rule has a notification setting different from the global setting for the event category, the setting for the individual rule takes precedence.

The Action Tab

The Action tab determines the action to be taken when ServerDefender AI detects an untrusted event while running in "Monitoring - Active" mode.

Notes: When the security mode is "Monitoring - Active" all untrusted requests are automatically blocked, regardless of the settings below, which have to do with additional actions that may be taken. Also, when the security mode is "Monitoring - Inactive" you will notice that most of the options on the Action tab are unavailable. This is because ServerDefender AI is designed to take no action that would affect end-users while it is in that mode.

ServerDefender AI Screen Shot

The Action tab options are as follows:

  • Post 404 Status Code for Blocked IPs - This option is deprecated (the 404 Status Code is now used by default for all untrusted requests).
  • Add Untrusted IPs to the Blocked List - This option monitors IP addresses that have caused too many errors in too short a time and dynamically adds them to the Blocked IP list. To configure the thresholds for the maximum error frequency, as well as the duration of the IP block, click the Settings button:
    ServerDefender AI Screen Shot
  • Deny All Ports with Network IP Blocking - With this option, untrusted IPs may be blocked not only for HTTP(S) requests, but also for service requests of all kinds, on all system ports.

    Notes: Because it requires use of a kernel mode driver, this feature will be inactive if the computer has not been restarted since ServerDefender AI was installed. This feature is not supported on 64-bit Server 2003.

  • Stop Web Services - This option issues a STOP control to the World Wide Web Publishing service (W3SVC) when an untrusted event occurs.

    Note: This is obviously an extreme measure which should only be considered for older versions of Windows/IIS (e.g., Windows 2000 / IIS 5.0) and then only when system uptime is an insignificant consideration.

  • Hide HTTPS Request Data - This option hides parameter data for untrusted requests, rather than recording it in the Security Alert Log or displaying it in any alert notification messages. Parameter data in HTTPS requests frequently contains credentials or session tokens; with this option unchecked, that data is stored in the Security Alert Log and included in any alert e-mails or other notifications.

    Note: Unlike most features on the Action tab, this one affects the behavior of ServerDefender AI in all security modes.

  • Filter multipart requests not larger than - Applying input validation to very large multipart requests (such as those used in HTTP file uploads) can be extremely costly in terms of server resources, significantly impairing performance. This option limits the size of such message bodies that ServerDefender AI will scrutinize.



Training Duration

The Training Duration node can be found under the Management/Policy node:

ServerDefender AI Screen Shot

Double-click the row in the list view (right) pane, or right-click that row and select Properties, to launch the Policy Properties dialog. Although ServerDefender AI automatically determines the optimal number of events required for training, the training period can be adjusted manually using this dialog:

ServerDefender AI Screen Shot


Training Data Settings

The Training Data Settings can be found under the Management/Policy node:

ServerDefender AI Screen Shot

Double-click the row in the list view (right) pane, or right-click that row and select Properties, to launch the Policy Properties dialog, which allows you to specify what types of events should be collected during training:

ServerDefender AI Screen Shot


HTTP Method Rules

The first type of Request Rules listed under Management/Rules/Requests are those pertaining to HTTP Methods:

ServerDefender AI Screen Shot

Double-click the HTTP Methods row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog:

ServerDefender AI Screen Shot

The rules listed here specify whether particular HTTP methods should be allowed or denied (blocked).

Note: To easily enable all of the HTTP methods required by MS Exchange Server's Outlook Web Access (OWA), place a check in the box labeled "Allow Outlook Web Access Operations".

To configure the details of a particular method rule, select it and click the Change button. This launches the HTTP Method Rule Details dialog:

ServerDefender AI Screen Shot

As you can see, you have several options when configuring each individual HTTP Method rule:

  • The method itself may be either allowed or denied.
  • You can choose whether or not to send a notification if and when a request is denied due to the rule.
  • When a request is denied you can choose to have the client IP automatically added to the Blocked IP List.
  • That same IP can also be released from the Blocked IP List after a designated period of time has elapsed.



URL Path Rules

The next type of Request Rules listed under Management/Rules/Requests are those pertaining to URL Paths:

ServerDefender AI Screen Shot

Double-click the URL Paths row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog.

The Deny Tab

The rules on the Deny tab specify whether particular patterns or signatures should be allowed or denied in the URL Paths of requests submitted to the server. If a URL Path is denied, the request will be blocked:

ServerDefender AI Screen Shot

The buttons at the bottom of the tab allow you to add new Deny rules, and edit or remove existing ones. Clicking Add, or selecting a rule and clicking Edit, brings up the Deny Request Rule Details dialog:

ServerDefender AI Screen Shot

Here you have a number of options for configuring each individual Deny rule:

  • The Signature field specifies the signature (pattern) that must occur in the request's URL path for the rule to apply to that request. The signature must be an exact (but case insensitive) match.
  • The Appears flag specifies where the signature must appear in the URL path, in order to trigger the rule: you may specify that it must appear as the rightmost characters in the path, or that it can appear anywhere in the URL path.
  • The Except field allows you to specify exceptions to the rule. Exceptions must contain the entire rule signature, plus one or more immediately adjacent characters. Multiple exceptions can be separated with a semicolon.
  • The Notify field specifies whether or not to send a notification when a request is denied.
  • The Enable field turns the rule on or off.
  • The AutoBlockIP field determines whether the client IP is automatically added to the Blocked IP List when a request is denied.
  • The Unblock after option specifies the duration of any automatic client IP block.

The Request Frequency Tab

The rules on the Request Frequency tab allow you to limit the frequency with which certain URLs can be requested. Requests for URLs matching the selectors listed here can be blocked if they exceed the specified frequency threshold:

ServerDefender AI Screen Shot

The buttons at the bottom of the tab allow you to add new Request Frequency rules, and edit or remove existing ones. Clicking Add, or selecting a rule and clicking Edit, brings up the Request Frequency Rule Details dialog:

ServerDefender AI Screen Shot

Several rule configuration options are provided:

  • URL Signature - This must exactly match the (relative) URL path of the request that is to be frequency-restricted. Be sure to include the initial forward slash ("/") to indicate the Web root, and do not include any query string data in the signature.
  • Requests - The number of requests that are permitted within the time period given in the next field.
  • Seconds - The time period used to monitor the request frequency.
  • Notify - Whether or not to send a notification if a request to this URL path is blocked due to excessive request frequency.
  • Enable - This switches the rule on and off.
  • AutoBlockIP - This specifies whether client IPs that violate the request frequency rule should be added to the Blocked IP List.
  • Unblock after - specifies the duration of any such automatic client IP block.



Parameter Rules

The next type of Request Rules listed under Management/Rules/Requests are the Parameter Rules. These are the most powerful, flexible and important rules for preventing common Web application attacks such as SQL Injection and Cross-Site Scripting (XSS):

ServerDefender AI Screen Shot

Double-click the Parameters row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog.

The Deny/Allow Tab

The rules on the Deny/Allow tab specify whether particular patterns or signatures should be allowed or denied in the input parameters (query string variables, post data, cookies) of requests submitted to the server. If any parameter input is denied, the request will be blocked:

ServerDefender AI Screen Shot

The buttons at the bottom of the tab allow you to add new Parameter rules, and edit or remove existing ones. Clicking Add, or selecting a rule and clicking Edit, brings up the Add/Edit Request Parameter Classification dialog:

ServerDefender AI Screen Shot

There are numerous configuration options on this dialog:

  • Signature - This is the pattern to be compared against the parameter data in the request. The "Apply rule to" and "Signature properties" sections (below) control where and how the pattern will be applied.
  • Exclude URLs - This field allows you to specify URLs that are exceptions to the rule--that is, URLs that may be requested with parameter data matching the rule signature. Depending on the current Signature Properties (see below) URL exceptions may be specified for a rule in one of two ways: as one or more exact matching URLs, each starting with a forward slash ("/") to indicate the relative Web root; or else as a regular expression. If using exact-matching URLs, you may separate multiple URL exceptions with a comma, semicolon or white space.
  • Status - Whether the rule is enabled ("deny") or disabled ("allow").
  • Notify - Whether a notification should be sent when a request is blocked due to a violation of the rule.
  • AutoBlockIP - Whether the client IP that issued a blocked request should be added to the Blocked IP List.
  • Unblock after - The duration of any such IP block.
  • Apply rule to - These checkboxes determine which categories of input parameter data will be subject to the rule: the GET method checkbox applies the rule to query string parameters; the POST method checkbox applies it to all post data; the Cookie checkbox applies it to incoming cookie data; and the HTTPS requests checkbox extends the rule to requests received over SSL/TLS (HTTPS).
  • Signature properties - This section determines how the rule signature (and any exceptions) will be interpreted. The Regular expression option transforms the signature and exception fields from exact-matches to regular expression matches, permitting much greater flexibility in the crafting of signatures and exceptions.

The Length Tab

The Length tab specifies the maximum length of GET or POST parameter data that may be submitted with any single request. If the limit is exceeded, the request will be blocked:

ServerDefender AI Screen Shot

Note: This limit applies to the cumulative size of all input parameters in a GET or POST request.

The configuration options are as follows:

  • Maximum length - The maximum size in bytes of all GET or POST input parameters.
  • Notify - Whether a notification should be sent when a request is blocked based on the rule.
  • Enable - Whether the rule should be enforced.
  • AutoBlockIP - Whether any client IPs that violate the rule should be immediately added to the Blocked IP List.
  • Unblock after - How long any such IP block should last.
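The Parameter Deny/Allow rules and the Length limit, as an added Python model that is not ServerDefender AI's own code: each rule carries a Signature matched as a case-insensitive substring or, with the Regular expression property set, as a regex; Apply rule to selects query string, POST body and cookie values; Exclude URLs are exact paths or a regex according to that same property; and the Length rule caps the cumulative size of all GET and POST parameters in one request. The rule signatures, exclusions, 4096-byte limit and sample requests are constructed for illustration and are not the product's default rules.

```python
"""Model of Parameter rules and the Length limit (added example, not product code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header into name/value pairs; values are inspected as sent."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


@dataclass
class Request:
    path: str
    query: Dict[str, str]
    post: Dict[str, str]
    cookies: Dict[str, str]

    @classmethod
    def parse(cls, url: str, body: str = "", cookie_header: str = "") -> "Request":
        parts = urlsplit(url)
        return cls(parts.path,
                   dict(parse_qsl(parts.query, keep_blank_values=True)),
                   dict(parse_qsl(body, keep_blank_values=True)),
                   parse_cookie_header(cookie_header))

    def parameter_bytes(self) -> int:
        """Cumulative size of all GET and POST parameter names and values (Length tab)."""
        return sum(len(k.encode()) + len(v.encode())
                   for d in (self.query, self.post) for k, v in d.items())


@dataclass
class ParameterRule:
    name: str
    signature: str
    regex: bool = False                          # 'Regular expression' signature property
    exclude_urls: List[str] = field(default_factory=list)   # exact paths, or a regex if regex=True
    apply_get: bool = True                       # query string parameters
    apply_post: bool = True                      # POST body
    apply_cookie: bool = False                   # incoming cookies
    status_deny: bool = True                     # Status: 'deny' (enabled) or 'allow' (disabled)

    def _excluded(self, path: str) -> bool:
        if self.regex:
            return any(re.search(x, path, re.IGNORECASE) for x in self.exclude_urls)
        return any(path.lower() == x.lower() for x in self.exclude_urls)

    def _hit(self, value: str) -> bool:
        if self.regex:
            return re.search(self.signature, value, re.IGNORECASE) is not None
        return self.signature.lower() in value.lower()

    def violated_by(self, req: Request) -> bool:
        if not self.status_deny or self._excluded(req.path):
            return False
        values: List[str] = []
        if self.apply_get:
            values.extend(req.query.values())
        if self.apply_post:
            values.extend(req.post.values())
        if self.apply_cookie:
            values.extend(req.cookies.values())
        return any(self._hit(v) for v in values)


# Hypothetical rules constructed for this example (illustrative signatures only).
RULES = [
    ParameterRule("sqli-tautology", r"'\s*(or|and)\s+\S+\s*=\s*\S+", regex=True),
    ParameterRule("sqli-comment", "--", exclude_urls=["/blog/post.aspx"]),   # post bodies use '--'
    ParameterRule("xss-script-tag", r"<\s*script\b", regex=True, apply_cookie=True,
                  exclude_urls=[r"^/admin/editor\.aspx$"]),                  # rich-text editor page
]
MAX_PARAM_BYTES = 4096   # hypothetical Length tab setting


def evaluate(req: Request) -> Optional[str]:
    """Return the violated rule's name, 'length' if over the limit, or None if allowed."""
    if req.parameter_bytes() > MAX_PARAM_BYTES:
        return "length"
    for rule in RULES:
        if rule.violated_by(req):
            return rule.name
    return None


if __name__ == "__main__":
    samples = [
        Request.parse("/search.aspx?q=widgets"),
        Request.parse("/search.aspx?q=' or 1=1"),
        Request.parse("/login.aspx", body="user=bob&pass=x'--"),
        Request.parse("/blog/post.aspx", body="text=see the -- dashes"),
        Request.parse("/page.aspx", cookie_header="theme=<script>alert(1)</script>"),
        Request.parse("/admin/editor.aspx", body="html=<script>init()</script>"),
        Request.parse("/upload.aspx", body="data=" + "A" * 5000),
    ]
    for r in samples:
        print(f"{r.path:22} -> {evaluate(r) or 'allow'}")
```

The Length check runs before the signature rules so that an oversized body is never handed to the regular-expression engine, the same resource concern the Action tab's multipart size limit addresses. The blog exclusion shows how a false positive on a legitimate "--" in user text is handled with an Exclude URL instead of disabling the rule for the whole site.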


HTTP Header Rules

The last type of Request Rule listed under Management/Rules/Requests are the HTTP Header Rules:

ServerDefender AI Screen Shot

Double-click the HTTP Request Headers row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog:

ServerDefender AI Screen Shot

This dialog lists the rules controlling which HTTP headers will be treated as untrusted and denied. If an HTTP header is denied, the request containing it will be blocked. The buttons at the bottom of the tab allow you to add new Deny rules, and edit or remove existing ones. Clicking Add, or selecting a rule and clicking Edit, brings up the Deny Request Rule Details dialog:

ServerDefender AI Screen Shot

The standard configuration options are available here, as with the other Request Rule types.




Trusted IPs

The first node under Management/Rules/IP Addresses contains the list of Trusted IP addresses:

ServerDefender AI Screen Shot

Double-click the Trusted row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog:

ServerDefender AI Screen Shot

Note: The IP addresses listed here are exempted from all ServerDefender AI rules. Since the server will effectively be unprotected against attack from any of the addresses listed here, use extreme caution when adding IP addresses, and especially IP address ranges, to this list.

The buttons at the bottom of the tab allow you to add new IPs or IP ranges to the trusted list, edit or remove existing ones, and quickly find (move the focus to) any IP in the list. Clicking Add, or selecting a list item and clicking Edit, brings up the Trusted IP Address Rule Details dialog:

ServerDefender AI Screen Shot

To add a single IP address you need only fill in the From field (the To field will be filled in once the new rule is saved). To add a range, fill in both From and To fields.




Blocked IPs

The second node under Management/Rules/IP Addresses contains the list of currently Blocked IP addresses:

ServerDefender AI Screen Shot

Double-click the Blocked row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog:

ServerDefender AI Screen Shot

Note: IP addresses are added to the list dynamically when global and/or rule-specific Automatic IP blocking is enabled. You can however also configure the list manually, per the instructions below. Note that the time of the initial block is indicated for each IP or range.

The buttons at the bottom of the tab allow you to add new IPs or IP ranges to the Blocked list, edit or remove existing ones, and quickly find (move the focus to) any IP in the list. Clicking Add, or selecting a list item and clicking Edit, brings up the Blocked IP Address Rule Details dialog:

ServerDefender AI Screen Shot

To add a single IP address you need only fill in the From field (the To field will be filled in once the new rule is saved). To add a range, fill in both From and To fields. The Unblock option allows you to specify an interval after which the IP (or range) will be removed from the list. You may also choose to be notified when an IP address is removed from the list.




Previously Blocked IPs

The third and final node under Management/Rules/IP Addresses contains the list of Previously Blocked IP addresses:

ServerDefender AI Screen Shot

Double-click the Previously Blocked row in the list view (right) pane, or right-click that row and select Properties, to launch the Rules Properties dialog:

ServerDefender AI Screen Shot

IP addresses are added to the list dynamically when unblocked by another rule. You can however also maintain the list manually, using the standard buttons at the bottom of the tab. This can be useful for identifying and tracking recurring Blocked IPs.
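The three IP lists above (Trusted, Blocked with its Unblock-after interval, and Previously Blocked) form one lifecycle. The following Python model is an added illustration written for this page, not ServerDefender AI's own code: it shows how a single-IP entry gets its To filled in from From, how a Blocked entry ages out into Previously Blocked and can be spotted as recurring, and why a Trusted entry is dangerous because it skips every rule. The evaluation order (Trusted checked before Blocked), the range-size guard on Trusted entries and the addresses used are assumptions, not product behaviour.

```python
"""Trusted, Blocked and Previously Blocked lists as a small model of the three IP nodes above.
Added illustration, not ServerDefender AI code; precedence and the range guard are assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class IpRule:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    blocked_at: Optional[datetime] = None      # set only on Blocked entries (the "time of initial block")
    unblock_after: Optional[timedelta] = None  # None: the block never ages out by itself

    @classmethod
    def parse(cls, frm: str, to: Optional[str] = None, **kw) -> "IpRule":
        start = ipaddress.IPv4Address(frm)
        end = ipaddress.IPv4Address(to) if to else start   # single IP: To is filled in as From
        if end < start:
            raise ValueError(f"range end {end} precedes start {start}")
        return cls(start, end, **kw)

    def contains(self, ip: str) -> bool:
        return self.start <= ipaddress.IPv4Address(ip) <= self.end

    def expired(self, now: datetime) -> bool:
        return (self.blocked_at is not None and self.unblock_after is not None
                and now >= self.blocked_at + self.unblock_after)


class IpLists:
    def __init__(self, max_trusted_range: int = 256):
        self.max_trusted_range = max_trusted_range   # assumed local guard: Trusted bypasses every rule
        self.trusted: List[IpRule] = []
        self.blocked: List[IpRule] = []
        self.previously_blocked: Dict[Tuple[str, str], int] = {}  # (From, To) -> times aged out of Blocked

    def add_trusted(self, frm: str, to: Optional[str] = None) -> None:
        rule = IpRule.parse(frm, to)
        span = int(rule.end) - int(rule.start) + 1
        if span > self.max_trusted_range:
            raise ValueError(f"refusing to exempt {span} addresses from all rules")
        self.trusted.append(rule)

    def block(self, frm: str, to: Optional[str] = None, *, now: datetime,
              unblock_after: Optional[timedelta] = None) -> None:
        self.blocked.append(IpRule.parse(frm, to, blocked_at=now, unblock_after=unblock_after))

    def expire(self, now: datetime) -> List[IpRule]:
        """Move aged-out entries to Previously Blocked; the returned list is what an unblock notification would carry."""
        released = [r for r in self.blocked if r.expired(now)]
        self.blocked = [r for r in self.blocked if not r.expired(now)]
        for r in released:
            key = (str(r.start), str(r.end))
            self.previously_blocked[key] = self.previously_blocked.get(key, 0) + 1
        return released

    def evaluate(self, client_ip: str, now: datetime, rule_violation: bool) -> str:
        """One request's fate; rule_violation stands in for the Request rules' verdict.
        Checking Trusted before Blocked is an assumption drawn from "exempted from all rules"."""
        self.expire(now)
        if any(r.contains(client_ip) for r in self.trusted):
            return "allow: trusted IP, rules bypassed"
        if any(r.contains(client_ip) for r in self.blocked):
            return "deny: blocked IP"
        return "deny: request rule" if rule_violation else "allow"


def demo() -> Dict[str, object]:
    """Walk the lifecycle with constructed addresses from the RFC 5737 documentation ranges."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    lists = IpLists()
    lists.add_trusted("10.0.0.5")
    lists.block("203.0.113.7", now=t0, unblock_after=timedelta(minutes=30))
    lists.block("198.51.100.0", "198.51.100.255", now=t0)   # manual block, no Unblock-after
    out: Dict[str, object] = {
        "blocked_ip_at_5min": lists.evaluate("203.0.113.7", t0 + timedelta(minutes=5), False),
        "blocked_ip_at_30min": lists.evaluate("203.0.113.7", t0 + timedelta(minutes=30), False),
        "range_member_next_day": lists.evaluate("198.51.100.42", t0 + timedelta(days=1), False),
        "trusted_ip_with_violation": lists.evaluate("10.0.0.5", t0, True),
        "other_ip_with_violation": lists.evaluate("192.0.2.9", t0, True),
    }
    # The released host offends again, is blocked again and ages out a second time: a recurring entry.
    lists.block("203.0.113.7", now=t0 + timedelta(hours=1), unblock_after=timedelta(minutes=1))
    lists.expire(t0 + timedelta(hours=2))
    out["recurring"] = [k for k, c in lists.previously_blocked.items() if c >= 2]
    try:
        lists.add_trusted("10.0.0.0", "10.255.255.255")
        out["broad_trusted_range"] = "accepted"
    except ValueError:
        out["broad_trusted_range"] = "rejected"
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints one verdict per scenario. The point of the recurring check is the same one the Previously Blocked list serves: an address that keeps aging out of Blocked and coming back is a candidate for a manual, non-expiring Blocked entry rather than another automatic one.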




Training Database

The Training Data node (and the associated Training Mode) is specific to ServerDefender AI's Behavioral Engine. The Behavioral Engine is disabled by default; when activated, it depends on a baseline of typical activity, which is created by organizing a set of HTTP requests collected either in real time or from an existing IIS log file. That baseline is displayed in the Training Data node:

ServerDefender AI Screen Shot

Note: The Behavioral Engine is an advanced feature and its use should be considered only after thorough validation that ServerDefender AI's built-in request rules, along with any newly added rules and exceptions, are producing no false positives (inadvertent blocks of innocent requests). Contact Port80 Support (support@port80software.com) if you need assistance with this feature.

While running in Training Mode (See Working With Security Modes) ServerDefender AI collects new training events "live". It is possible, however, to establish the behavioral baseline utilizing existing IIS logs. To do so, select the Machine Name node in the tree view (left) pane, and then the Import Existing IIS Log option from that node's right-click menu:

ServerDefender AI Screen Shot

This brings up the Import IIS Log dialog, from which you can select the log files to be imported, and track how many events are being added to your Training Database by the import:

ServerDefender AI Screen Shot

Once the required number of training events has been collected and the baseline has been established, ServerDefender AI will shift automatically into Monitoring - Inactive mode. Once adequate review of the training database has been completed (reclassifying events as needed), ServerDefender AI can safely be switched to Monitoring - Active mode.

Note: When using existing IIS logs for training, ServerDefender AI will process the log from the earliest date first. Thus, if 1000 events are required to complete the training baseline, only the 1000 unique events within the log that have the earliest dates will be used for that purpose; later entries in the log do not contribute to the baseline.

The Training Database lists both Trusted and Untrusted events. These form the baseline for the Behavioral Engine’s perspective of what is normal for your server. The Behavioral Engine then extrapolates from this Trusted/Untrusted baseline to allow or deny similar events in the future. It is therefore vitally important to review the events in the Training Database to ensure that ServerDefender AI has classified them accurately.

By default, only events that violate a built-in Request rule will be marked as Untrusted. It is therefore up to you to classify as untrusted any additional events that are known to be malicious but that did not violate any built-in Request rule. Candidates for such manual classification might be known past attacks (from your IIS logs) or exploits that the server was exposed to during a planned penetration test.

To manually classify an event as untrusted, right-click it and select the Classify Event as Untrusted menu option:

ServerDefender AI Screen Shot


Security Alert Log

The Security Alert Log (SAL) is ServerDefender AI's main logging facility for untrusted events:

ServerDefender AI Screen Shot

Note: A read-only version of the Security Alert Log can also be accessed by right-clicking the ServerDefender AI system tray icon and selecting the Show Security Log menu option.

Most of the fields in the SAL are self-explanatory but one in particular must be highlighted here:

The Type column

The Type column is vitally important to the correct understanding and use of ServerDefender AI. It indicates the specific rule that caused the request to be classified as untrusted and therefore (if ServerDefender AI was in Monitoring - Active mode at the time) blocked.

This information about the source of an untrusted event classification is crucial in retracing the reason for any possible false positives (innocent requests that were inadvertently blocked) so that an appropriate exception can be made for that rule. It is also helpful in identifying such false positives in the first place.

Note: If the Behavioral Engine is in use, and the request was blocked due to it, rather than due to a built-in Request rule, then the Type column will indicate this fact with the notation "Behavioral engine".

Working With The SAL

Apart from finding data about untrusted events, here are a number of useful tasks you can perform with the SAL:

To sort the SAL by the most frequently targeted URLs, use the All Tasks right-click menu option and select Most Frequent Target URL:

ServerDefender AI Screen Shot

To sort the SAL by the client IPs that are responsible for the most frequent untrusted events, use the All Tasks right-click menu option and select Most Active Source IP:

ServerDefender AI Screen Shot
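The two views above, and the earliest-first import rule described under Training Database, are easy to reason about once the log is parsed. The following Python script is an added example written for this page, not ServerDefender AI code: it reads a constructed W3C-format IIS log (the default IIS log format; the lines are invented and use RFC 5737 documentation addresses), classifies each request against two illustrative patterns standing in for built-in Request rules (these are not the product's real signatures), builds a training baseline from the earliest unique events, allows a manual Classify Event as Untrusted, and ranks untrusted events by target URL and source IP the way the SAL's All Tasks options do. The uniqueness key (method, path and query) is an assumption. Note what the baseline example shows: with a quota of three events, the attacks dated later in the log never enter the baseline at all.

```python
"""Training baseline from an IIS log plus SAL-style rankings. Added illustration, not
ServerDefender AI code; the log, the rule patterns and the uniqueness key are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed W3C extended log (IIS default format), deliberately out of date order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-03-02 10:00:01 198.51.100.4 GET /index.aspx - 200
2024-03-01 09:15:00 192.0.2.10 GET /products.aspx id=12 200
2024-03-01 09:15:05 192.0.2.10 GET /products.aspx id=12 200
2024-03-03 11:02:00 203.0.113.7 GET /products.aspx id=1'+OR+'1'='1 500
2024-03-01 09:20:00 192.0.2.11 POST /login.aspx - 302
2024-03-03 11:02:30 203.0.113.7 GET /admin/../web.config - 404
2024-03-02 10:00:09 198.51.100.4 GET /about.aspx - 200
"""

# Stand-ins for built-in Request rules (illustrative patterns, not the product's signatures).
BUILTIN_RULES = {
    "SQL injection": re.compile(r"'(\+|%20)*or(\+|%20)", re.I),
    "Directory traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I),
}


@dataclass
class Event:
    when: datetime
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: int
    classification: str = "Trusted"
    rule_type: str = ""   # what the SAL's Type column would show for this event

    def key(self) -> Tuple[str, str, str]:
        # Assumed uniqueness key: same method, path and query count as one training event.
        return (self.method, self.uri_stem, self.uri_query)


def apply_builtin_rules(ev: Event) -> None:
    target = f"{ev.uri_stem}?{ev.uri_query}"
    for name, pattern in BUILTIN_RULES.items():
        if pattern.search(target):
            ev.classification, ev.rule_type = "Untrusted", name
            return


def parse_w3c_log(text: str) -> List[Event]:
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the log declares its own column layout
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue                          # skip truncated or malformed lines
        rec = dict(zip(fields, parts))
        ev = Event(
            when=datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"),
            client_ip=rec["c-ip"], method=rec["cs-method"], uri_stem=rec["cs-uri-stem"],
            uri_query="" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"],
            status=int(rec["sc-status"]),
        )
        apply_builtin_rules(ev)
        events.append(ev)
    return events


def build_training_baseline(events: List[Event], required: int) -> List[Event]:
    """Earliest-first, unique events, stopping once the required count is reached."""
    baseline: Dict[Tuple[str, str, str], Event] = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.key() not in baseline:
            baseline[ev.key()] = ev
        if len(baseline) == required:
            break
    return list(baseline.values())


def classify_untrusted(ev: Event, reason: str = "Manual classification") -> None:
    """Equivalent of the Classify Event as Untrusted menu option."""
    ev.classification, ev.rule_type = "Untrusted", reason


def most_frequent_target_url(events: List[Event], n: int = 3):
    return Counter(e.uri_stem for e in events if e.classification == "Untrusted").most_common(n)


def most_active_source_ip(events: List[Event], n: int = 3):
    return Counter(e.client_ip for e in events if e.classification == "Untrusted").most_common(n)


if __name__ == "__main__":
    evs = parse_w3c_log(SAMPLE_LOG)
    for e in build_training_baseline(evs, 3):
        print(e.when, e.classification, e.method, e.uri_stem, e.uri_query)
    print(most_frequent_target_url(evs), most_active_source_ip(evs))
```

The baseline printed by the script contains only the three earliest unique requests, all Trusted, even though the same log holds two requests that the patterns flag. That is the practical consequence of the earliest-first import: if you want known attacks from a log to shape the Behavioral Engine's baseline, make sure they fall within the training quota or classify them manually after import.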

To immediately add suspect IP addresses to the Blocked IPs list, select one or more untrusted events (rows) and use the right-click menu option Add IP to Blocked List:

ServerDefender AI Screen Shot

To create a text file version of the current SAL for reporting or offline analysis, use the Security Alert Log node's Export List right-click menu option:

ServerDefender AI Screen Shot

Port80 Software stands behind our products 100%. Given the nature of Web server utilities, various environments and third party applications may cause new and unforeseen conflicts. Therefore, Port80 pledges to work with you to ensure our products run in all testing and production environments - if you work with us, we will work with you to make your IIS Web server safer, faster and friendlier.