Ryan and Brian have it right. I run ModSecurity on an SSL-terminating
reverse proxy in front of my web servers and Snort sits on the HTTP link
between the reverse proxy and the web servers.
I also had Snort in front of some non-SSL web servers only. It didn't do
anywhere near as good a job on web attacks as ModSecurity did so I put
ModSecurity in front of those web servers as well. I kept Snort in front of
and behind ModSecurity for a test. Things ModSecurity stopped simply weren't
seen by Snort.
"Brian Rectanus" <Brian.Rectanus@...> wrote in message
> Florian S. wrote:
>> Hi all,
>> I'd like to use ModSecurity on our servers. But everybody asks me 'why
>> not use Snort?'. My main argument used to be the SSL issue with
>> Snort. But I found out that there is a plugin for that purpose.
>> I actually think that the two solutions (ModSecurity and Snort) have
>> much in common as 'Intrusion Prevention System'.
>> But what are the differences? Searching on the web only gave some hints,
>> but actually no 'hard facts' I could come up with.
>> Could anybody suggest some real disadvantages of Snort used on a reverse
>> proxy, that ModSecurity doesn't have?
>> Thank you in advance,
> The two complement each other and I recommend both.
> Snort is designed for packet inspection and does not do much analysis of
> layer 7 and thus sees it as just a buffer of raw data. ModSecurity
> only sees layer 7 data (HTTP) and does not know anything about packets,
> but instead knows how to parse the layer 7 data into various individual
> fields for analysis as well as decode and translate various encodings on
> a field-by-field basis.
> As a random web example.
> Snort looks in the URI for ".asp" pattern, in the raw content for
> "Transfer-Encoding:" and also in the raw content "chunked". There is no
> real parsing of the data - you have to build that into the rule.
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
> .asp chunked Transfer-Encoding"; flow:to_server,established;
> uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase;
> content:"chunked"; distance:0; nocase; reference:bugtraq,4474;
> reference:bugtraq,4485; reference:cve,2002-0071;
> reference:cve,2002-0079; reference:nessus,10932;
> classtype:web-application-attack; sid:1618; rev:16;)
> ModSecurity is similar, but looks in the individual parsed fields.
> Here, two rules are chained together (AND).
> # Action list of the first rule reconstructed (the archived message lost its
> # start); 'chain' is what makes the second SecRule an AND condition.
> SecRule REQUEST_FILENAME "@endsWith .asp" \
>     "chain,deny,log,msg:'WEB-IIS .asp chunked Transfer-Encoding'"
>     SecRule REQUEST_HEADERS:Transfer-Encoding "@streq chunked"
> ModSecurity can also parse individual arguments (names and values) in
> GET and POST requests as well as see the body as a raw buffer. It would
> be difficult to do this with snort.
> Brian Rectanus
> Breach Security
> mod-security-users mailing list
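The raw-buffer versus parsed-field distinction Brian describes, as an added Python example that is not code from the thread, from Snort or from ModSecurity. snort_style_match() approximates the quoted Snort rule as substring searches over the request bytes (the plain content matches in that rule are not restricted to the header section); modsec_style_match() mirrors the two chained SecRules over fields produced by a minimal HTTP parser. All sample requests and host names are constructed.

```python
"""Raw-buffer matching versus parsed-field matching for the same detection
(a request for an .asp resource sent with Transfer-Encoding: chunked).

Added example, not code from the thread.  snort_style_match() approximates
the quoted Snort rule as substring searches over the request bytes; it is
not Snort.  modsec_style_match() mirrors the two chained SecRules over
fields produced by a minimal HTTP parser.  All requests are constructed.
"""
from urllib.parse import unquote, urlsplit


def snort_style_match(raw: bytes) -> bool:
    """'.asp' in the request line (stand-in for uricontent), then
    'Transfer-Encoding:' followed anywhere later in the buffer by
    'chunked' (content ... distance:0), all case-insensitive (nocase)."""
    low = raw.lower()
    request_line = low.split(b"\r\n", 1)[0]
    if b".asp" not in request_line:
        return False
    te_at = low.find(b"transfer-encoding:")
    return te_at >= 0 and low.find(b"chunked", te_at) >= 0


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser exposing the kind of per-field view
    ModSecurity works on (REQUEST_FILENAME, REQUEST_HEADERS, REQUEST_BODY).
    Header names are folded to lower case; the path is URL-decoded."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "REQUEST_METHOD": method,
        "REQUEST_FILENAME": unquote(urlsplit(target).path),
        "REQUEST_HEADERS": headers,
        "REQUEST_BODY": body,
    }


def modsec_style_match(raw: bytes) -> bool:
    """The two chained SecRules: REQUEST_FILENAME ends with .asp AND the
    Transfer-Encoding header value is 'chunked'.  The quoted rule uses
    @streq (exact match); RFC 7230 makes transfer-coding names
    case-insensitive, so the comparison here is folded to lower case."""
    req = parse_request(raw)
    te = req["REQUEST_HEADERS"].get("transfer-encoding", "")
    return req["REQUEST_FILENAME"].lower().endswith(".asp") and te.lower() == "chunked"


# Constructed sample traffic.
SAMPLES = {
    # Chunked POST to an .asp page: both approaches fire.
    "chunked_asp": (
        b"POST /scripts/upload.asp HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
        b"4\r\nAAAA\r\n0\r\n\r\n"
    ),
    # Plain post to an .asp page whose body merely talks about the header:
    # the raw-buffer search fires, the parsed header does not exist.
    "body_only": (
        b"POST /forum/reply.asp HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Content-Type: text/plain\r\n"
        b"Content-Length: 46\r\n\r\n"
        b"Why does Transfer-Encoding: chunked break IIS?"
    ),
    # Non-chunked transfer-coding in the header, the word 'chunked' later in
    # the body: substring distance matching joins the two, the field
    # comparison does not.
    "identity_then_body": (
        b"POST /admin/note.asp HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Transfer-Encoding: identity\r\n"
        b"Content-Length: 14\r\n\r\n"
        b"chunked upload"
    ),
    # Chunked request to a non-.asp resource: neither fires.
    "chunked_html": (
        b"POST /index.html HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
        b"0\r\n\r\n"
    ),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (raw_buffer_match, parsed_field_match)} per sample."""
    return {name: (snort_style_match(r), modsec_style_match(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, parsed_hit) in evaluate().items():
        print(f"{name:20s} raw-buffer={raw_hit!s:5s} parsed-field={parsed_hit}")
```

The two middle samples are the point: once "Transfer-Encoding:" and "chunked" are only required to appear in that order somewhere in the buffer, body text satisfies the rule, whereas the parsed version only ever compares the actual header value. The same per-field view is what lets ModSecurity apply decoding to the path and to each argument separately.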