Scrutinizer README

What is it?
-----------

The scrutinizer is an open source project that protects web applications
from HTTP (D)DoS attacks. It is a toolkit consisting of an analysis engine
that analyzes web server access logs in near real time, an Apache module
that can block offenders on the web server itself, an extension that
blocks offenders earlier, on netfilter firewalls, and a set of
visualization tools. The analysis engine uses statistical anomaly
detection to expose offenders. It continuously reads the access log of a
web server and rates the requests. If a client (IP address) exceeds a
defined threshold, protective measures are put in place and the client is
temporarily blacklisted. An Apache module informs the client with a
friendly hint that it should behave itself. If the client does not follow
the advice, it is blocked on the firewall so that it can no longer reach
the web server at all. All defense mechanisms are time based, because the
engine can never be 100% certain that its decision is right. The engine
uses several rating functions to decide whether a client is harmful.
Among them, we rate the request rate, the active time period, the time
spreading of the requests, the requested resources and the proportion in
which the same resources get requested. Each web server is loaded
differently, depending on the resources it offers and the customers it
attracts, so each one has its own unique fingerprint. To describe this
fingerprint we train the engine using access logs of previous days, so
the engine adapts itself to a given web server. In the end the
administrator is able to fine tune the system so that it meets the
corporate policy.

Why do I need it?
-----------------

The scrutinizer is for web server administrators and security engineers
who have to ensure the availability of their web server. Currently you
have to get your hands dirty and look after the system yourself. It is a
nifty tool that can help you a lot in knowing what is going on on your
server. But before you can use it, you have to configure and train it
properly. This is not an easy task in the current version.

After training, the work is not done. The training session proposes
parameters for the rating functions, which then have to be adjusted once
again. There are two reasons for this. First, you can weight the
different statistical tests as you see fit. Second, during training we
cannot expect training data without anomalies: the data is not free of
attacks or other things that do not represent normal behaviour. This data
can nevertheless be used to train the system as long as the fraction of
non-normal behaviour is small (which is the most common situation). The
only thing you have to do is tell the system where you set the limit, so
that single peaks do not mess up the whole rating system.

If you succeed in configuring, training and adjusting the parameters,
you have a really strong tool. It collects information about the
behaviour of the requesting clients and is able to block them
automatically if they do not follow your policies, as defined by the
parameters. Thus offenders will no longer be able to bring your system
to its knees with a simple flood of resource-consuming requests. The
scrutinizer will recognize the offenders and block them on the firewall
or take other countermeasures, depending on what you have specified.
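As an added illustration (not part of the Scrutinizer distribution, and not its actual rating functions), the sketch below shows in Python the pipeline the two sections above describe: parse Apache access-log lines, compute two of the per-client rating inputs named above (request rate and the share of requests hitting one resource), train a baseline from earlier traffic using a quantile limit so that single peaks in the training data do not raise the baseline, then score a live window and blacklist clients whose score exceeds an administrator-chosen threshold. The log lines, IP addresses, feature names, weights and threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
T0 = datetime(2000, 10, 10, 13, 55, 36, tzinfo=timezone.utc)

def log_line(ip, offset, path):
    """Build a constructed Apache combined-log line `offset` seconds after T0."""
    stamp = (T0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.0" 200 512 "-" "Mozilla/5.0"'

def parse(lines):
    """(ip, timestamp, path) per combined-log line; unparseable lines are skipped."""
    return [(m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(3))
            for m in map(LOG_RE.match, lines) if m]

def features(records):
    """Per client: request rate over its active period and share of its top resource."""
    by_ip = defaultdict(list)
    for ip, ts, path in records:
        by_ip[ip].append((ts, path))
    feats = {}
    for ip, reqs in by_ip.items():
        times = sorted(t for t, _ in reqs)
        active = max((times[-1] - times[0]).total_seconds(), 1.0)  # never divide by zero
        top = Counter(p for _, p in reqs).most_common(1)[0][1]
        feats[ip] = {"rate": len(reqs) / active, "top_share": top / len(reqs)}
    return feats

def train(feats, limit=0.95):
    """Baseline = value at the `limit` quantile, so the few peaks above it are ignored."""
    return {name: sorted(f[name] for f in feats.values())[int(limit * (len(feats) - 1))]
            for name in ("rate", "top_share")}

def rate_clients(feats, base, weights=(("rate", 1.0), ("top_share", 1.0))):
    """Score = weighted sum of how far each feature exceeds its baseline (0 if below)."""
    return {ip: sum(w * max(f[k] / base[k] - 1.0, 0.0) for k, w in weights)
            for ip, f in feats.items()}

# Constructed training traffic: two ordinary browsers plus one short burst (10.0.0.3).
TRAIN = [log_line(ip, step * i, p) for ip, step, paths in (("10.0.0.1", 30, "/ /a /b /c"),
         ("10.0.0.2", 20, "/ /a / /b /c /d"), ("10.0.0.3", 5, "/a /b /c")) for i, p in enumerate(paths.split())]
# Constructed live window: 10.0.0.1's first three requests again, plus 10.0.0.9 flooding one URL at 10 req/s.
LIVE = TRAIN[:3] + [log_line("10.0.0.9", s, "/search?q=x") for s in range(20) for _ in range(10)]
BASELINE = train(features(parse(TRAIN)))
SCORES = rate_clients(features(parse(LIVE)), BASELINE)
BLACKLIST = {ip for ip, s in SCORES.items() if s >= 5.0}  # threshold is tuned by the administrator
```

With the 0.95 limit the burst from 10.0.0.3 is dropped from the baseline, so the ordinary browser scores 0.0 while the flooding client scores in the hundreds; raising the limit to 1.0 would let that single training peak set the baseline instead.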


Where is it?
------------

The latest version can be obtained here:

http://www.solutix.ch/scrutinizer


Because there are no comfortable installation and configuration routines
yet, you are invited to contact the developers. If you have any
questions, suggestions, bug reports, etc., please send a mail to
scrutinizer@solutix.ch.

Installation
------------

Please read INSTALL for instructions.

Documentation
-------------

Documentation is available at www.solutix.ch/scrutinizer.

License
-------

Scrutinizer is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Consult LICENSE for complete license information.
