WebApp Sec mailing list archives
Re: Apache mode_security
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Sun, 04 Dec 2005 22:12:05 +0100
Sorry for my late reply - busy week :) - but here I am.

On Mon, 28-11-2005 at 12:55 +0000, Ivan Ristic wrote:
> Agreed. I will be adding explicit support for positive security to
> ModSecurity in the next release. I have published my thoughts here
> http://www.modsecurity.org/blog/archives/2005/11/positive_securi.html
> so that we can discuss the issue.
I've read it, and I'm glad positive security will be the next main feature for your mod_security. I think this will be an important milestone. The paper is very interesting, too! In particular, probabilistic grammar generation could be a good point for positive security, IMHO. I'll try to go deep into this...
> To acquire reliable material for policy generation (and update) is the
> most difficult part of the problem. I will be looking at the following
> approaches: 1) designate an IP range as trusted, 2) require
> administrators to manually review traffic before it is used in policy
> generation, and 3) use negative security to assign threat score to each
> request using only requests with low scores for policy generation. A
> combination of all three is probably the way forward.
Very interesting solution, I think! Integrating Anti Spam techniques for scoring bad inputs is a really good approach, IMHO... and - maybe - Bayesian networks are the _real_ choice. But implementing a good model is a hard job, especially for neural networks or genetic algorithms...

I've downloaded CPAN's AI::NaiveBayes1 and Algorithm::NaiveBayes, and I'll think about some way to go into it with them... If you know about some good library for testing models, please let me know...
> > By the way, I wrote a mod_html_proxy based hmac signing for links on
> > the fly named Mod Anti Tamper:
> > Link: www.wisec.it/projects.php?id=3&lang=en
>
> That's very interesting; it's one of the things missing in ModSecurity.
Thanks! It's just an idea I wrote down, but I thought it could be useful...

Regards,
Stefano
> --
> Ivan Ristic
> Apache Security (O'Reilly) - http://www.apachesecurity.net
> Open source web application firewall - http://www.modsecurity.org
--
......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
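
The three approaches to selecting traffic for policy generation quoted in the message above (trusted IP range, manual review, low negative-security score), combined in one sketch. This is an added example, not part of the original message and not ModSecurity code; the trusted range, score cutoff, signatures, character classes and sample requests are all assumptions constructed for illustration.

```python
import ipaddress
import re

TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: the range designated as trusted
MAX_SCORE = 3                                      # assumption: cutoff for a "low" threat score
# Constructed negative-security signatures with weights (illustrative, not ModSecurity rules).
SIGNATURES = [(re.compile(r"(?i)<script"), 5), (re.compile(r"(?i)union\s+select"), 5),
              (re.compile(r"\.\./"), 4), (re.compile(r"[';]"), 2)]
RANK = {"digits": 0, "alnum": 1, "text": 2}        # character classes, narrowest first

def threat_score(params):
    """Negative security: sum the weights of signatures matching any parameter value."""
    return sum(w for rx, w in SIGNATURES for v in params.values() if rx.search(v))

def usable_for_training(req):
    """Trusted source (1) or manually reviewed (2), and in every case a low score (3)."""
    vetted = ipaddress.ip_address(req["ip"]) in TRUSTED_NET or req.get("reviewed", False)
    return vetted and threat_score(req["params"]) <= MAX_SCORE

def char_class(value):
    if re.fullmatch(r"[0-9]*", value):
        return "digits"
    return "alnum" if re.fullmatch(r"[A-Za-z0-9]*", value) else "text"

def learn_policy(requests):
    """Positive policy: per path and parameter, the widest length and class in vetted traffic."""
    policy = {}
    for req in filter(usable_for_training, requests):
        for name, value in req["params"].items():
            rule = policy.setdefault(req["path"], {}).setdefault(
                name, {"max_len": 0, "cls": "digits"})
            rule["max_len"] = max(rule["max_len"], len(value))
            rule["cls"] = max(rule["cls"], char_class(value), key=RANK.get)
    return policy

def allowed(policy, req):
    """Deny by default: unknown paths, unknown parameters and out-of-profile values fail."""
    rules = policy.get(req["path"])
    if rules is None:
        return False
    return all(name in rules and len(v) <= rules[name]["max_len"]
               and RANK[char_class(v)] <= RANK[rules[name]["cls"]]
               for name, v in req["params"].items())

TRAFFIC = [  # constructed sample requests
    {"ip": "10.1.2.3", "path": "/item", "params": {"id": "42"}},
    {"ip": "10.1.2.9", "path": "/item", "params": {"id": "1073"}},
    {"ip": "203.0.113.7", "path": "/item", "params": {"id": "7", "ref": "home"}, "reviewed": True},
    {"ip": "203.0.113.50", "path": "/item", "params": {"id": "1 UNION SELECT pw"}},  # unvetted
    {"ip": "10.1.2.3", "path": "/item", "params": {"id": "../../etc"}},  # trusted, score 4
]
POLICY = learn_policy(TRAFFIC)
```

The last sample request shows why the score filter applies even inside the trusted range: it comes from a trusted address but is still kept out of the learned policy.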