[Bro] mod_security and bro

Seth Hall seth at net.ohio-state.edu
Mon Nov 20 10:45:29 PST 2006

Hi, since the bro workshop, I've been thinking about a lot of ways  
that bro could be used that it isn't currently being used.  I had  
talked to Brian about how bro could go about detecting http  
application level attacks like cross site scripting and sql injection  
and we sort of came to the agreement that bro doesn't really work at  
this level currently.

Over the weekend I realized that mod_security (http:// 
www.modsecurity.org/) does what I'm thinking of in terms of detecting  
web application attack signatures.  My question is, does it seem  
reasonable to strip the apache specific code from mod_security and  
instrument it with broccoli to receive http events?  It's sort of  
just an extension on the sensitive_URIs variable, but it could at  
least be code that is maintained externally for detecting this  
specific subset of attacks.


More information about the Bro mailing list