Re: [mod-security-users] web app discovery
From: Ivan R. <iva...@gm...> - 2006-05-28 18:45:18
On 5/28/06, Alexx Alexx <zm...@ya...> wrote:
>
> Could you explain what do you mean by
> "heuristics-based approach", perhaps you could give
> some simple examples?

Identify application resources (scripts, images, etc). For each resource:
lock down request methods, encodings, identify parameters. For each
parameter: determine cardinality (optional, mandatory, more than one - up
to how many), type (e.g. file or field), length, content (e.g. use regular
expression), etc...

> And why do you think, that statistical approach can't
> be tweaked manually? This approach depends on
> thresholds that can be manually adjustable, or I
> didn't catch your thought?

You are right, it can be tweaked but it's more difficult to understand by
a typical user. I believe the approach I briefly described above is easier
to use in real life.

> > FYI, in spite of my plans, I'd be happy to promote
> > your implementation on modsecurity.org.
>
> Thanks a lot, but at first it should be implemented %)

I have to say things like that so that people are clear that my having
commercial plans does not mean I will be trying to prevent other people
from doing the same thing...

> Do you mean, that you'll generate a rule in native
> format on-the-fly and use it in processing?
> Or all rules will be generated during training phase
> and then stored in one "rules-file" that will be used
> during processing ( or loaded in memory )?

ModSecurity itself will not have any logic related to positive security.
It will send the audit logs to the Console. Console will learn about the
application, create native ModSecurity rules and feed them back to the
sensor.

BTW, I will want to avoid having a training phase. I believe continual
learning is better.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
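The per-resource, per-parameter profile described in the message above, as an added example that is not part of the original message and is not ModSecurity or Console code. It learns allowed methods and each parameter's cardinality, length and content pattern from constructed sample requests, then checks a request against that profile; the record format, function names and pattern classes are assumptions.

```python
import re
OBSERVED = [  # constructed sample: (method, path, {param: [values]})
    ("GET", "/search.php", {"q": ["firewall"], "page": ["1"]}),
    ("GET", "/search.php", {"q": ["mod security"]}),
    ("GET", "/search.php", {"q": ["apache"], "page": ["12"]}),
]

def classify(value):
    """Return the narrowest content pattern that matches a value."""
    for pat in (r"\d+", r"[\w .-]+"):
        if re.fullmatch(pat, value):
            return pat
    return r".*"

def learn(observed):
    """Build per-resource profiles: allowed methods plus parameter constraints."""
    profiles = {}
    for method, path, params in observed:
        res = profiles.setdefault(path, {"methods": set(), "seen": 0, "params": {}})
        res["methods"].add(method)
        res["seen"] += 1
        for name, values in params.items():
            p = res["params"].setdefault(
                name, {"count": 0, "max_occurs": 0, "max_len": 0, "patterns": set()})
            p["count"] += 1
            p["max_occurs"] = max(p["max_occurs"], len(values))
            p["max_len"] = max([p["max_len"]] + [len(v) for v in values])
            p["patterns"].update(classify(v) for v in values)
    return profiles

def check(profiles, method, path, params):
    """Return violations (empty = allowed); a param seen in every request is mandatory."""
    res = profiles.get(path)
    if res is None:
        return [f"unknown resource {path}"]
    out = [] if method in res["methods"] else [f"method {method} not allowed"]
    out += [f"missing mandatory parameter {n}" for n, p in res["params"].items()
            if p["count"] == res["seen"] and n not in params]
    for name, values in params.items():
        p = res["params"].get(name)
        if p is None:
            out.append(f"unknown parameter {name}")
            continue
        if len(values) > p["max_occurs"]:
            out.append(f"{name}: too many occurrences")
        if any(len(v) > p["max_len"] for v in values):
            out.append(f"{name}: too long")
        if not all(any(re.fullmatch(pat, v) for pat in p["patterns"]) for v in values):
            out.append(f"{name}: content mismatch")
    return out
```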