[Bro] mod_security and bro

Seth Hall seth at net.ohio-state.edu
Mon Nov 20 12:10:28 PST 2006

On Nov 20, 2006, at 2:50 PM, Christian Kreibich wrote:
> On Mon, 2006-11-20 at 13:45 -0500, Seth Hall wrote:
>> Over the weekend I realized that mod_security (http://
>> www.modsecurity.org/) does what I'm thinking of in terms of detecting
>> web application attack signatures.  My question is, does it seem
>> reasonable to strip the apache specific code from mod_security and
>> instrument it with broccoli to receive http events?  It's sort of
>> just an extension on the sensitive_URIs variable, but it could at
>> least be code that is maintained externally for detecting this
>> specific subset of attacks.
> mhmm -- I've only looked at their core signature set, but my  
> impression
> was that it's largely a set of regex signatures, with some additional
> operations to check whether numerical values are in a certain range,
> etc. Is that roughly correct?
> Having a Broccoli-enabled version of that module would certainly be
> sweet. Currently I'm not sure whether coding that up (and  
> maintaining it
> for future modsecurity releases) or supporting their signatures in Bro
> (similar to snort2bro) is the way to go.

Ah, good point.  I guess I hadn't spent enough time looking around at  
the rules for mod_security.  I just went and looked a little longer  
at the rules and it seems that they have some problems in terms of  
how their rules work even.  They can't even have a rule that needs to  
have some pattern matched in the REQUEST_FILENAME (their terminology)  
and another pattern matched in the RESPONSE_BODY for the rule to  
trigger.  But who am I to say, maybe they consider that their  
signature matches are more flexible if the rules aren't too strict.


More information about the Bro mailing list