WebApp Sec mailing list archives

Re: Apache module: mod_security


From: "Bill Burge" <bill () burge com>
Date: Tue, 10 Dec 2002 07:31:12 -0800

After a cursory glance, other than removing some abstraction and making configuration a little more straightforward, 
I'm not sure how this differs from what can be done with mod_rewrite.

I didn't see anything in the attributes list that I can't review and take action on with rewrite rules.  With 
mod_rewrite, I can perform other options than blocking and logging.  I can send them to a page of my choice (and a few 
stinkers come to mind! ;-).  I can route their traffic back to themselves.  I can redirect/proxy them off to a honeypot, 
etc.

While this might be a good first step in the right direction (I spend a lot of time carving Apache into web-based 
application-level gateways), I'd like to see a lot more than a simpler conf language and a GUI (actually you can keep 
the GUI).

1)  how about using snort rules natively
2)  how about data collection on the source of the connection
3)  how about notifications
4)  how about fat free donuts that don't taste like sawdust (oops!  I gotta get more sleep! :-)

The author's web site mentions some dissatisfaction with mod_rewrite but, other than payload examination, doesn't go 
into specifics.  I'd like to hear more.  The site is a little sparse on specifics.

I hope this keeps going, and more people get involved.  I'll probably be pulling this down and looking at it for our 
environment.  Even if I don't put it into production, it bears watching...

Bill Burge
Info Sec Officer
places, stuff....

*********** REPLY SEPARATOR  ***********

On 12/10/2002 at 9:31 AM Dave Aitel wrote:

That's really cool! I think one of the salient features of it you didn't
highlight was that it can filter on the BODY arguments! With a GUI for
tuning, this would provide nearly all the features of an "application"
firewall!

-dave


On Tue, 10 Dec 2002 13:37:33 +0000
Ivan Ristic <ivanr () webkreator com> wrote:


Hi,

I have written this Apache 1.x module that will most likely
be of interest to you. In essence it is an intrusion detection
and prevention software for Apache. It filters incoming requests
based on various criteria and either denies access or simply logs
violations.

The homepage of the module is:
http://www.webkreator.com/mod_security/

For those who know Apache well, have a look at configuration
directive examples here:
http://www.webkreator.com/download/mod_security/example-httpd.conf

The module is stable and works quite nicely in all my tests. I
need input from people in order to gather requirements for
future versions. Regression tests are scheduled for the next
release, and so is a full list of attacks against which the
module is effective.

As an additional bonus, the module can also perform full
audit logging so it can be very useful for compromise forensics.

Somewhere at the back of my mind I have plans for Java and
IIS versions of the same thing (I have to get to learn more
about the CodeSeeker project first, to make sure there is
no duplicated effort).

--
Ivan Ristic, http://www.webkreator.com







