WebApp Sec mailing list archives
Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack
From: Ivan Ristic <ivanr () webkreator com>
Date: Fri, 04 Feb 2005 19:55:18 +0000
Ofer Shezaf wrote:
> Unfortunately application layer signatures are much more complex than network layer signatures and no public database of them is available, thus making tools like mod_security or Guardian difficult to use.

That depends on what you want to do with a tool. I have always viewed ModSecurity as a tool that enables people to do something specific they *need* to do (for example, add transparent anti-virus support to any application that supports upload). However, and I do agree with you there, if you want to look at ModSecurity as a web intrusion detection/prevention tool then the lack of good rules is a real problem. For this reason the next release of ModSecurity will contain a hand-crafted collection of rules to address various problems out of the box.

But that's not why I wrote this email. The problem of good rules is wider, wider than a single product, and applies to open source *and* commercial products. A year ago I created a rule database web site for ModSecurity (it's still available here: http://www.modsecurity.org/db/rules/). My intention was to populate the database with useful rules. But shortly after I completed the web site I came to the conclusion that public effort and good will should not be wasted on rules that work with one product only, even if the product is my own.

I decided we needed a single rule definition format, something that would be supported by commercial and open source applications equally. This is how the portable web application firewall format came to life: http://www.modsecurity.org/projects/wasprotect/

The rule web application will be converted to support the new format, and extended to allow people to subscribe to the rule database and update their protection devices automatically. I hope the commercial vendors will adopt the portable rule format, together with other open source products.

--
Ivan Ristic (http://www.modsecurity.org)
Current thread:
- [tool] Guardian () JUMPERZ NET : Detecting session hijack Kanatoko (Feb 02)
- <Possible follow-ups>
- RE: [tool] Guardian () JUMPERZ NET : Detecting session hijack Ofer Shezaf (Feb 04)
- Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack Kanatoko (Feb 04)
- Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack Ivan Ristic (Feb 04)
- Re: [tool] Guardian () JUMPERZ NET : Detecting session hijack Ivan Ristic (Feb 06)