From: yersinia []
Sent: Thursday, March 26, 2009 12:00 PM
To: Walt Williams
Subject: Re: [mod-security-users] Snort vs. ModSecurity


On Thu, Mar 26, 2009 at 4:24 PM, Walt Williams <> wrote:

Snort may or may not detect application layer attacks over ssl, but it
can't do anything to prevent them.  ModSecurity can be configured to
do both.

Snort could be configured also to block attack - eg. as an IPS.

[Ryan Barnett] Put quite plainly, Snort is not the right tool for the job for webappsec.  This doesn’t mean that it can’t look at Layer 7 data, but that it will not be as accurate.  Here is one example from a past Blog post -  The underlying issue is Impedance Mismatch where the protection device may interpret data differently than the destination web app.


Snort will have a higher rate of false positives and false negatives.  It may do ok for some basic filtering, however it won’t be able to handle advanced logic such as correlating multiple requests (brute force, etc…), comparing inbound with outbound data, anomaly scoring, Anti-virus scanning, consistently logging request bodies, etc…