[Bro] mod_security and bro

Robin Sommer robin at icir.org
Mon Nov 20 16:01:57 PST 2006

On Mon, Nov 20, 2006 at 11:50 -0800, Christian Kreibich wrote:

> Having a Broccoli-enabled version of that module would certainly be
> sweet. Currently I'm not sure whether coding that up (and maintaining it
> for future modsecurity releases) or supporting their signatures in Bro
> (similar to snort2bro) is the way to go.

Hmmm... On the one hand, the idea of feeding Bro-derived data into
modsecurity for analysis is kind of intriguing. On the other, I
think I'd prefer to keep the detection mechanism inside Bro as
otherwise this might get tricky to use/setup/maintain (what happens
with alerts? Are they going to be fed back to Bro?). 

A converter like snort2bro is an option though I'm not sure whether
that is really worth the effort. There don't seem to be so many sigs
at this point (I also haved looked only at the core patterns), so
perhaps they can be just manually coded into a Bro script?


Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the Bro mailing list