Can you elaborate on what you are observing? A web application will have any number of parameters (not just s.s#, which has a certain format) which could be exploited. How do you record these observations for later use?

What happens to performance if you have too many rules?

Ivan Ristic <ivan.ristic@gmail.com> wrote:
On 5/25/06, kiran k wrote:
>
> Ok, with positive security there are no rules and it is based on usage
> pattern, anomalies would be flagged?

Yes, there are rules.


> How do you determine this behavioural model?

By observing the real-life traffic.


> It is counter-intuitive to acquire
> scanning tool to write the policies.

The scanning tools cannot provide you with the real-life data. They
can possibly enumerate the scripts and the parameters but not the data
types.


> How do you write positive security
> using the rules you mentioned manually? Can you show examples in the
> downloads?

I don't have any examples handy but the idea is to write a group of
rules for each individual resource. These rules would examine every
parameter, how many parameters there are with the same name, are there
any extra parameters, for every parameter check the content, the
length, etc. You can see that this can quickly turn into a very
tedious job.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
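
The per-resource rule group described in the quoted reply (known parameters only, how many times each name appears, content, length), built from observed traffic, as an added Python example. It is not from the original thread and is not ModSecurity rule syntax; the resource path, the sample requests and the three content classes are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Content classes, strictest first; a parameter gets the first that fits every sample.
CLASSES = {"digits": r"\d*", "alnum": r"[A-Za-z0-9]*", "text": r"[\w .,@-]*"}

def parse(query):
    """Group query-string values by parameter name, keeping repeats."""
    args = defaultdict(list)
    for name, value in parse_qsl(query, keep_blank_values=True):
        args[name].append(value)
    return dict(args)

def learn(observed):
    """Build {path: {param: rule}} from observed (path, query) pairs."""
    samples, profile = defaultdict(list), defaultdict(dict)
    for path, query in observed:
        samples[path].append(parse(query))
    for path, reqs in samples.items():
        for name in sorted({n for r in reqs for n in r}):
            values = [v for r in reqs for v in r.get(name, [])]
            fits = [c for c, p in CLASSES.items() if all(re.fullmatch(p, v) for v in values)]
            profile[path][name] = {
                "class": fits[0] if fits else None,  # None: needs a hand-written rule
                "max_len": max(map(len, values)),
                "max_count": max(len(r.get(name, [])) for r in reqs),
            }
    return dict(profile)

def check(profile, path, query):
    """Return violations for one request; an empty list means it fits the model."""
    if path not in profile:
        return [f"unknown resource {path}"]
    rules, args = profile[path], parse(query)
    problems = [f"extra parameter {n}" for n in args if n not in rules]
    for name, rule in rules.items():
        values = args.get(name, [])
        if len(values) > rule["max_count"]:
            problems.append(f"{name}: repeated")
        problems += [f"{name}: too long" for v in values if len(v) > rule["max_len"]]
        problems += [f"{name}: not {rule['class']}" for v in values
                     if rule["class"] and not re.fullmatch(CLASSES[rule["class"]], v)]
    return problems

# Constructed sample traffic for a hypothetical /account/view resource.
OBSERVED = [("/account/view", "id=1042&tab=orders"), ("/account/view", "id=7"),
            ("/account/view", "id=993311&tab=profile")]
PROFILE = learn(OBSERVED)
```

A profile learned from three requests is far too tight for production use; the limits only become meaningful once the observed sample covers the resource's normal range of values.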