Google suggests setting up Google Alerts like a clipping service to detect malware or blog spam on your own web site or blog. They also show how malware can be found using the Google Webmaster Tools, as well as how to reconcile your Google malware status if your site has been used for spam or other nefarious purposes.

Also of interest are a few other books. SQL Hacks has a hack on Processing Web Server Logs that discusses some interesting ways of querying SQL databases that have imported web server (Apache, IIS) logs. Practical mod_perl speaks to Server Maintenance Chores, which discusses the many performance and other maintenance issues regarding web server log files, including some hints to deal with DDoS and spam targeted at the HTTP layer. Building Scalable Web Sites has a section on Statistics, Monitoring, and Alerting that goes into detail about customization of environmental variables using mod_rewrite into the Apache log format interface. Sams Teach Yourself Apache 2 in 24 Hours has an hour dedicated to Logging and Monitoring with one of the best examples of Apache’s log format directives and information on the Common Log Format (CLF). My favorite documentation on Apache’s log format directives is from Ivan Ristic’s Apache Security book, which is mandatory reading for anyone implementing Apache httpd — the entire chapter on Logging and Monitoring goes way more in-depth than any other title on the subject matter I’ve seen yet. For IIS, you’ll want to check out the two Syngress press titles: Microsoft Log Parser Toolkit and Security Log Management, which cover the IISW3C Input Format in great detail and Log File Conversion topics, respectively. Another book for IIS administrators is the Microsoft Windows Server 2003 Insider Solutions: Shortcuts and Best Practices, which covers Monitoring IIS Access Through Auditing and Logging, although the Microsoft Press titles on your specific version of IIS will certainly be worthwhile reads, as well.

My favorite overall read by far has been the most recent SQL Server Forensic Analysis by Kevvie Fowler! Kevvie also spoke about SQL Server Forensics at the most recent BlackHat US with his presentation on [PDF] SQL Server Database Forensics and the co-existing whitepaper on [PDF] A Real World Scenario of a SQL Server 2005 Database Forensics. These blew my mind away. In the book, Kevvie Fowler shows how to trace back SQL injection from IIS logs into the “plan cache” of a SQL Server 2005 instance. Using this information, an incident handler can easily figure out not only that data has been or could have been breached, but which specific data and in what way. The book is highly technical, so I might suggest that people just introducing themselves with Windows Forensics start with Mastering: Windows Network Forensics and Investigation, another good book that covers IIS logs, Microsoft Log Parser, the Event Viewer, and audit events.

Considering the amount of recent breachery via SQL injection in high profile websites, I think that the web application tier is going to need some major improvements to incident handling approaches. It’s not like SQL injection has been making news much lately. I can’t seem to find any examples of SQL injection in the news, right?