WebApp Sec mailing list archives

Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack


From: Ivan Ristic <ivanr () webkreator com>
Date: Fri, 04 Feb 2005 19:55:18 +0000

Ofer Shezaf wrote:

Unfortunately application layer signatures are much more complex than
network layer signatures and no public database of them is available,
thus making tools like mod_security or Guardian difficult to use.

  That depends on what you want to do with a tool. I have always
  viewed ModSecurity as a tool that enables people to do something
  specific they *need* to do (for example, add transparent anti-virus
  support to any application that supports upload). However, and I
  do agree with you there, if you want to look at ModSecurity as a
  web intrusion detection/prevention tool then the lack of good
  rules is a real problem.

  For this reason the next release of ModSecurity will contain a
  hand-crafted collection of rules to address various problems
  out-of-the-box. But that's not why I wrote this email. The
  problem of good rules is wider, wider than a single product,
  and applies to open source *and* commercial products.

  A year ago I created a rule database web site for ModSecurity
  (it's still available here http://www.modsecurity.org/db/rules/).
  My intention was to populate the database with useful rules. But
  shortly after I completed the web site I came to the conclusion
  that public effort and good will should not be wasted on rules that
  work with one product only, even if the product is my own.

  I decided we needed a single rule definition format, something
  that would be supported by commercial and open source applications
  equally. This is how the portable web application firewall format
  came to life:

      http://www.modsecurity.org/projects/wasprotect/

  The rule web application will be converted to support the new
  format, and extended to allow people to subscribe to the rule
  database and update their protection devices automatically. I hope
  the commercial vendors will adopt the portable rule format, together
  with other open source products.

--
Ivan Ristic (http://www.modsecurity.org)

