[Bro] mod_security and bro

nikns nikns at secure.lv
Mon Nov 20 11:29:57 PST 2006


Perhaps this would be interesting for you:
http://www.inliniac.net/blog/?p=46


On Mon, Nov 20, 2006 at 01:45:29PM -0500, Seth Hall wrote:
>Hi, since the Bro workshop, I've been thinking about a lot of ways
>that Bro could be used that it isn't currently being used.  I had
>talked to Brian about how Bro could go about detecting HTTP
>application-level attacks like cross-site scripting and SQL injection
>and we sort of came to the agreement that Bro doesn't really work at
>this level currently.
>
>Over the weekend I realized that mod_security
>(http://www.modsecurity.org/) does what I'm thinking of in terms of detecting
>web application attack signatures.  My question is, does it seem
>reasonable to strip the Apache-specific code from mod_security and
>instrument it with Broccoli to receive HTTP events?  It's sort of
>just an extension on the sensitive_URIs variable, but it could at
>least be code that is maintained externally for detecting this
>specific subset of attacks.
>
>   .Seth


