
Intrusion Prevention System (IPS) - IIS IP Address Restriction Actions

IIS IP Address Restriction Actions enable you to automatically block IPs that are actively attacking an IIS Web Server. This action is typically used by network administrators who want to automatically detect attacking IPs (Intrusion Detection System, IDS) and block them (Intrusion Prevention System, IPS).

Note
Use this Action in conjunction with an Intrusion Detection System (IDS) Template (e.g. IIS W3C Log Monitor or IIS W3C Log Consolidation configured to simultaneously monitor the file contents). Once the IIS IP Address Restriction Action is assigned to the IDS, the result is an Intrusion Prevention System (IPS) Action.

IIS IP Restriction Tutorial

To create an IIS IP Address Restriction Action

  • From the Menu Bar select File | New. The Create New Object View displays.
  • Select Alerts and Actions. The New Action view displays.
  • Use the Name text box to specify a unique name.
  • From the Type drop-down select IIS IP Address Restriction.
  • Use the Windows server or workstation drop-down to target the managed server running IIS.
Important
This action requires the Agent to be installed on each managed system and each assigned Template configured to use the Agent. For more information see: Agents
  • Use the Website textbox to specify the friendly name of the website as listed in IIS Manager.
  • Use the IP textbox to specify the {key} you defined in your IDS IIS W3C Log Monitor. The default value is {c-ip}. The key must be wrapped with {} characters.
Important
To test this action, specify a real IP address in this field; once the test succeeds, verify the results in IIS Manager. Once verified, don't forget to set this value back to {c-ip} before saving.
  • Use the Allow checkbox to either block (unchecked) or pass (checked) the IP address's requests.
Intrusion Prevention System (IPS) - IIS IP Restriction Action

To create an IDS IIS W3C Log Monitor

When setting up your IDS IIS W3C Log Monitor or Consolidation Template, add a monitor, set the Filter Type to Column Frequency, assign a filter (e.g. 404 and 500 HTTP Response Codes), set the column key to c-ip to group HTTP requests by calling IP address, then lastly, set the frequency (e.g. > 50 times every 1 minute).

Important
The c-ip column must be defined in your IDS IIS W3C Log Monitor or Consolidation Template.
IDS IIS Phishing Attach Rule with IPS IIS IP Restriction Action
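
The Column Frequency rule described above, sketched in Python as an added example (not the product's own code): it groups 404 and 500 responses by c-ip and flags any address with more than 50 of them inside one minute. The sliding-window evaluation, the function names and the sample log are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_w3c(lines):
    """Yield one dict per log entry, named by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))

def offending_ips(lines, statuses=("404", "500"), threshold=50,
                  window=timedelta(minutes=1)):
    """Return each c-ip with more than `threshold` matching responses in one window.

    Assumes entries are in time order, as IIS writes them.
    """
    recent = defaultdict(deque)                 # c-ip -> timestamps still in window
    flagged = []
    for entry in parse_w3c(lines):
        if "c-ip" not in entry:                 # grouping key must be a logged column
            raise ValueError("c-ip is not in the #Fields directive")
        if entry.get("sc-status") not in statuses:
            continue
        ts = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
        hits = recent[entry["c-ip"]]
        hits.append(ts)
        while ts - hits[0] >= window:           # drop hits older than the window
            hits.popleft()
        if len(hits) > threshold and entry["c-ip"] not in flagged:
            flagged.append(entry["c-ip"])
    return flagged

def sample_log():
    """Constructed W3C log; client addresses are from documentation ranges."""
    log = ["#Software: Microsoft Internet Information Services 10.0",
           "#Fields: date time cs-method cs-uri-stem c-ip sc-status"]
    for s in range(51):                         # 51 x 404 in under a minute: flagged
        log.append(f"2024-01-01 10:00:{s:02d} GET /probe{s} 203.0.113.7 404")
    for s in range(50):                         # exactly 50 x 500: not above threshold
        log.append(f"2024-01-01 10:05:{s:02d} GET /app 198.51.100.9 500")
    for s in range(59):                         # successful requests never count
        log.append(f"2024-01-01 10:10:{s:02d} GET / 192.0.2.10 200")
    return log

if __name__ == "__main__":
    print(offending_ips(sample_log()))
```

Replaying a day of real logs through a check like this before enabling the block action shows which addresses a given threshold would have restricted, including internal scanners or monitoring hosts that should be excluded.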

Testing the IIS IP Address Restriction Action

  • Use the Select server or workstation drop-down to specify the managed system to test the action on.
  • Click the Test button.
Important
When managing a remote machine, the rule is added through the Agent on the managed machine. If the managed machine is configured to keep the Agent connected, the test is immediate; otherwise the test is queued to execute the next time the Agent connects. If the Agent is configured to connect at a frequency greater than once a minute, the test may time out; however, the rule will still be added the next time the Agent connects.

Related Topics

Actions

Agents

Log Monitor Template

Log Consolidation Template

Define CSV and W3C Log Entry Columns