Re: [mod-security-users] Snort vs. ModSecurity
From: Brian R. <Bri...@br...> - 2009-03-26 16:01:03
Florian S. wrote:
> Hi all,
>
> I'd like to use ModSecurity on our servers. But everybody asks me 'why
> don't you use Snort?'. My main argument used to be the SSL issue with
> Snort. But I found out that there is a plugin for that purpose.
> I actually think that the two solutions (ModSecurity and Snort) have
> much in common as 'Intrusion Prevention System'.
> But what are the differences? Searching on the web only gave some hints,
> but actually no 'hard facts' I could come up with.
> Could anybody suggest some real disadvantages of Snort used on a reverse
> proxy, that ModSecurity doesn't have?
>
> Thank you in advance,
> Florian

Florian,

The two complement each other and I recommend both. Snort is designed
for packet inspection and does not do much analysis of layer 7 and thus
sees it as just a buffer of raw data. ModSecurity only sees layer 7 data
(HTTP) and does not know anything about packets, but instead knows how
to parse the layer 7 data into various individual fields for analysis,
as well as decode and translate various encodings on a field-by-field
basis.

As a random web example: Snort looks in the URI for the ".asp" pattern,
in the raw content for "Transfer-Encoding:" and also in the raw content
for "chunked". There is no real parsing of the data - you have to build
that into the rule.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-IIS .asp chunked Transfer-Encoding"; \
    flow:to_server,established; \
    uricontent:".asp"; nocase; \
    content:"Transfer-Encoding|3A|"; nocase; \
    content:"chunked"; distance:0; nocase; \
    reference:bugtraq,4474; reference:bugtraq,4485; \
    reference:cve,2002-0071; reference:cve,2002-0079; \
    reference:nessus,10932; \
    classtype:web-application-attack; sid:1618; rev:16;)

ModSecurity is similar, but looks in the individual parsed fields. Here,
two rules are chained together (AND): the first rule carries the
disruptive action and metadata, the second only its transformations.

SecRule REQUEST_FILENAME "@endsWith .asp" \
    "chain,t:none,t:lowercase,phase:1,deny,tag:bugtraq/4474,tag:bugtraq/4485,tag:cve/2002-0071,tag:cve/2002-0079,tag:nessus/10932,tag:web-application-attack,id:1618,rev:16,msg:'WEB-IIS .asp chunked Transfer-Encoding'"
    SecRule REQUEST_HEADERS:Transfer-Encoding "@streq chunked" \
        "t:none,t:lowercase"

ModSecurity can also parse individual arguments (names and values) in GET
and POST requests, as well as see the body as a raw buffer. It would be
difficult to do this with Snort.

-B

--
Brian Rectanus
Breach Security
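The difference Brian describes, raw-buffer matching versus matching on parsed HTTP fields, can be made concrete with a small script. This is an added example, not part of the post above and not code from Snort, ModSecurity or Breach Security: the two matcher functions are plain-Python approximations of the matching logic of the two rules quoted in the post, not the real engines (Snort's HTTP preprocessing and ModSecurity's transformation pipeline are not modelled), and the three HTTP requests are constructed for this example.

```python
"""
Raw-buffer matching (the Snort rule above) versus parsed-field matching
(the chained ModSecurity rules above), approximated in plain Python so the
difference can be seen on concrete requests. All sample requests below are
constructed for this example.
"""
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive, which is
    what a layer 7 engine does before it evaluates a rule.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    tokens = lines[0].split(" ", 2) + ["", "", ""]  # pad short request lines
    method, target = tokens[0], tokens[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def request_filename(target: str) -> str:
    """Like ModSecurity's REQUEST_FILENAME: the path without the query string."""
    return target.split("?", 1)[0]


def snort_style_match(raw: bytes) -> bool:
    """Approximates the Snort rule: uricontent:".asp" (nocase), then
    content:"Transfer-Encoding:" and content:"chunked" with distance:0,
    all nocase. Apart from the URI, this is a byte search over the whole
    payload; headers and body are not told apart."""
    lower = raw.lower()
    request_line = lower.split(b"\r\n", 1)[0]
    tokens = request_line.split(b" ")
    uri = tokens[1] if len(tokens) > 1 else b""
    if b".asp" not in uri:
        return False
    needle = b"transfer-encoding:"
    te = lower.find(needle)
    if te < 0:
        return False
    # distance:0 means "chunked" must start at or after the end of the
    # previous match, anywhere in the remaining buffer.
    return lower.find(b"chunked", te + len(needle)) >= 0


def modsec_style_match(raw: bytes) -> bool:
    """Approximates the chained ModSecurity rules: REQUEST_FILENAME
    @endsWith .asp AND REQUEST_HEADERS:Transfer-Encoding @streq chunked,
    both after t:lowercase. Only parsed fields are consulted."""
    _method, target, headers, _body = parse_request(raw)
    if not request_filename(target).lower().endswith(".asp"):
        return False
    return headers.get("transfer-encoding", "").lower() == "chunked"


# Constructed sample 1: a genuine chunked POST to an .asp page.
CHUNKED_POST = (
    b"POST /scripts/upload.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

# Constructed sample 2: the header text occurs only inside a form field in
# the body (someone pasting an HTTP example); no Transfer-Encoding header.
BODY_ONLY = (
    b"POST /forum/post.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 49\r\n"
    b"\r\n"
    b"text=Example+header%3A+Transfer-Encoding: chunked"
)

# Constructed sample 3: chunked request to a .aspx page. The substring
# ".asp" is present in the URI, but the filename does not end with ".asp".
ASPX_CHUNKED = (
    b"POST /app/page.aspx HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

SAMPLES = {
    "chunked_post": CHUNKED_POST,
    "body_only": BODY_ONLY,
    "aspx_chunked": ASPX_CHUNKED,
}


def compare_all() -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (raw_buffer_hit, parsed_field_hit)} for every sample."""
    return {name: (snort_style_match(r), modsec_style_match(r))
            for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw_hit, field_hit) in compare_all().items():
        print(f"{name:14s} raw-buffer={raw_hit!s:5s} parsed-field={field_hit}")
```

Only the first sample is matched by both approaches. The raw-buffer search also fires on the second request, where "Transfer-Encoding: chunked" is merely data inside a form field, and on the third, where ".asp" is a substring of ".aspx"; the field-based rule sees a missing header and a filename with a different extension. Whether either of those should be a hit is a rule-design decision, but only the parsed-field approach lets you make it explicitly.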