[Bro] mod_security and bro

Christian Kreibich christian at whoop.org
Mon Nov 20 11:50:44 PST 2006

Hi Seth,

On Mon, 2006-11-20 at 13:45 -0500, Seth Hall wrote:
> Hi, since the bro workshop, I've been thinking about a lot of ways  
> that bro could be used that it isn't currently being used.  I had  
> talked to Brian about how bro could go about detecting http  
> application level attacks like cross site scripting and sql injection  
> and we sort of came to the agreement that bro doesn't really work at  
> this level currently.
> Over the weekend I realized that mod_security (http:// 
> www.modsecurity.org/) does what I'm thinking of in terms of detecting  
> web application attack signatures.  My question is, does it seem  
> reasonable to strip the apache specific code from mod_security and  
> instrument it with broccoli to receive http events?  It's sort of  
> just an extension on the sensitive_URIs variable, but it could at  
> least be code that is maintained externally for detecting this  
> specific subset of attacks.

mhmm -- I've only looked at their core signature set, but my impression
was that it's largely a set of regex signatures, with some additional
operations to check whether numerical values are in a certain range,
etc. Is that roughly correct?

Having a Broccoli-enabled version of that module would certainly be
sweet. Currently I'm not sure whether coding that up (and maintaining it
for future modsecurity releases) or supporting their signatures in Bro
(similar to snort2bro) is the way to go.


More information about the Bro mailing list