[Bro] mod_security and bro
Seth Hall
seth at net.ohio-state.edu
Mon Nov 20 12:10:28 PST 2006
On Nov 20, 2006, at 2:50 PM, Christian Kreibich wrote:
> On Mon, 2006-11-20 at 13:45 -0500, Seth Hall wrote:
>> Over the weekend I realized that mod_security (http://
>> www.modsecurity.org/) does what I'm thinking of in terms of detecting
>> web application attack signatures. My question is, does it seem
>> reasonable to strip the apache specific code from mod_security and
>> instrument it with broccoli to receive http events? It's sort of
>> just an extension on the sensitive_URIs variable, but it could at
>> least be code that is maintained externally for detecting this
>> specific subset of attacks.
>
> mhmm -- I've only looked at their core signature set, but my
> impression
> was that it's largely a set of regex signatures, with some additional
> operations to check whether numerical values are in a certain range,
> etc. Is that roughly correct?
>
> Having a Broccoli-enabled version of that module would certainly be
> sweet. Currently I'm not sure whether coding that up (and
> maintaining it
> for future modsecurity releases) or supporting their signatures in Bro
> (similar to snort2bro) is the way to go.
Ah, good point. I guess I hadn't spent enough time looking around at
the rules for mod_security. I just went and looked a little longer
at the rules and it seems that they have some problems in terms of
how their rules work even. They can't even have a rule that needs to
have some pattern matched in the REQUEST_FILENAME (their terminology)
and another pattern matched in the RESPONSE_BODY for the rule to
trigger. But who am I to say, maybe they consider that their
signature matches are more flexible if the rules aren't too strict.
.Seth
More information about the Bro
mailing list