Re: [mod-security-users] web app discovery
From: Ivan R. <iva...@gm...> - 2006-05-26 19:21:13
On 5/26/06, Alexx Alexx <zm...@ya...> wrote:
> Ivan, I'd like to try to implement ideas mentioned in
> the link you provided above ( I read this paper and
> some others from the same authors by this topic ) in
> some way, perhaps using your module.
> Do your further plans include support for this kind of
> positive security model ( I mean anomaly-based?).

I do plan to offer an anomaly-based model but it isn't going to be statistical. I'll probably go with a heuristics-based approach because that can be manually tweaked (unlike the statistical approach).

At least one thing is certain: I will add a couple more features to ModSecurity to support the positive model. The rest is going to be implemented as an add-on to the Console.

FYI, in spite of my plans, I'd be happy to promote your implementation on modsecurity.org.

> And how do you think - what will be the best choice
> for storing these rules ( based on traffic in training
> mode )? Raw format, structures, xml anything else?
> In my opinion, format for storage is rather important,
> because we should store rules for ALL applications on
> our server ( rules for every application differ ) and
> it could cause lots of data to store, am I right?

Not necessarily. For my approach I will either store the info in the database or in the XML file. But I am not going to extend ModSecurity to support accessing the database or reading XML. The new ModSecurity Rule Language is rich enough so I'm going to convert whatever intermediary data I have into native ModSecurity rules.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall