Re: [mod-security-users] web app discovery
From: Alexx A. <zm...@ya...> - 2006-05-28 15:49:14

--- Ivan Ristic <iva...@gm...> wrote:

> On 5/26/06, Alexx Alexx <zm...@ya...> wrote:
> > Ivan, I'd like to try to implement ideas mentioned in
> > the link you provided above ( I read this paper and
> > some others from the same authors on this topic ) in
> > some way, perhaps using your module.
> > Do your further plans include support for this kind of
> > positive security model ( I mean anomaly-based?).
>
> I do plan to offer an anomaly based model but it isn't going to be
> statistical. I'll probably go with a heuristics-based approach because
> that can be manually tweaked (unlike the statistical approach).

Could you explain what you mean by "heuristics-based approach"? Perhaps you could give some simple examples? And why do you think that the statistical approach can't be tweaked manually? This approach depends on thresholds that can be manually adjusted, or did I not catch your thought?

> At least one thing is certain: I will add a couple of more features
> to ModSecurity to support the positive model. The rest is going to be
> implemented as an add-on to the Console.
>
> FYI, in spite of my plans, I'd be happy to promote
> your implementation on modsecurity.org.

Thanks a lot, but at first it should be implemented %)

> > And how do you think - what will be the best
> > choice for storing these rules ( based on traffic in training mode )?
>
> Not necessarily. For my approach I will either store
> the info in the database or in the XML file. But I am not going to
> extend ModSecurity to support access the database or read XML. The new
> ModSecurity Rule Language is rich enough so I'm going to convert
> whatever intermediary data I have into native ModSecurity rules.

"Native ModSecurity rules" - do you mean this project? http://www.modsecurity.org/projects/ppr/index.html

Do you mean that you'll generate a rule in native format on-the-fly and use it in processing? Or will all rules be generated during the training phase and then stored in one "rules-file" that will be used during processing ( or loaded in memory )?

> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall

----------------
Best regards,
Alexander