[Bro] mod_security and bro
Seth Hall
seth at net.ohio-state.edu
Mon Nov 20 10:45:29 PST 2006
Hi, since the bro workshop, I've been thinking about a lot of ways
that bro could be used that it isn't currently being used. I had
talked to Brian about how bro could go about detecting http
application level attacks like cross site scripting and sql injection
and we sort of came to the agreement that bro doesn't really work at
this level currently.
Over the weekend I realized that mod_security
(http://www.modsecurity.org/) does what I'm thinking of in terms of detecting
web application attack signatures. My question is, does it seem
reasonable to strip the apache specific code from mod_security and
instrument it with broccoli to receive http events? It's sort of
just an extension on the sensitive_URIs variable, but it could at
least be code that is maintained externally for detecting this
specific subset of attacks.
.Seth