Re: [mod-security-users] Release of remo 0.1.3
From: Christian F. <chr...@ti...> - 2007-03-15 13:55:58
On Thu, Mar 15, 2007 at 01:19:37PM +0000, Ivan Ristic wrote:
> >practice. But for a start, I have been quite pleased.
>
> Have you considered automating the process, for example creation of the
> rule set using the recorded traffic (audit logs)?

I have laid out the next development targets as follows:

* Add default parameter value domain. This means you no longer need to define an individual regular expression for every parameter yourself (like \d{0,5}, or [\w\d]{0,16}). Instead you just select "short integer" or "mid-size string (no spaces)" etc. This will simplify the rule writing.
* Import mode allowing to use access-logs or audit-logs as a base for rule writing. Common and combined access logs lack headers, cookies and post parameters of course.
* Going Beta.

After this phase, I plan to return to the import mode and develop a proxy mode / learning mode. Possibly also taking advantage of ModSecurity and mod_spread. The idea is to receive a request into remo in the very moment it is executed. This is what the wide white area on the left of the gui is good for. (-> http://remo.netnea.com/images/remo-screenshot-20070221-svn138.png)

During the import, the new request will be compared to the ruleset in the works. If it is covered by the whitelist ruleset, it would get a green color. A red color in the opposite case.

Next step is to take the red request and drag it over to the rule area (on the right side in the gui), where it is interpreted as a new request and filled with reasonable (?) default values based on the request as seen in the import/sniffer mode.

Well, the development is not quite there yet, but that is the path I plan to take.

I have one or two feature requests for Mod. Should I post them to the list or to you in a private message?

regs,

Christian

--
Everyone is a prisoner of his own experiences. No one can eliminate prejudices - just recognize them.
--- Edward R. Murrow
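The green/red comparison of imported access-log requests against a whitelist, sketched as an added example that is not part of the original message and not remo's own code. The mapping of the two named value domains to the quoted regexes, the whitelist entries and the log lines are constructed assumptions; because access logs lack headers, cookies and POST parameters, only method, path and query string are checked.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed mapping of named value domains to the regexes quoted in the message.
VALUE_DOMAINS = {
    "short integer": re.compile(r"\d{0,5}"),
    "mid-size string (no spaces)": re.compile(r"[\w\d]{0,16}"),
}

# Constructed whitelist: (method, path) -> {parameter name: value domain}.
WHITELIST = {
    ("GET", "/shop/item"): {"id": "short integer", "lang": "mid-size string (no spaces)"},
    ("GET", "/index.html"): {},
}

# Request line inside a common/combined access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return ("green", reason) if the whitelist covers the request, else ("red", reason)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return "red", "unparseable request line"
    parts = urlsplit(m.group("uri"))
    params = WHITELIST.get((m.group("method"), parts.path))
    if params is None:
        return "red", f"no rule for {m.group('method')} {parts.path}"
    # keep_blank_values so an empty "id=" is still checked against its domain
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        domain = params.get(name)
        if domain is None:
            return "red", f"unexpected parameter {name!r}"
        if not VALUE_DOMAINS[domain].fullmatch(value):
            return "red", f"{name!r} is not a {domain}"
    return "green", "covered"

# Constructed sample log lines (combined format).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2007:13:50:01 +0000] "GET /shop/item?id=4711&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Mar/2007:13:50:07 +0000] "GET /shop/item?id=1234567 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [15/Mar/2007:13:51:12 +0000] "GET /shop/item?id=1&debug=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [15/Mar/2007:13:52:30 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(*classify(line), "|", line.split('"')[1])
```

The reason string returned with each red result names the path or parameter that a new whitelist rule would have to cover.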