Re: [mod-security-users] Release of remo 0.1.3
From: Ivan R. <iva...@gm...> - 2007-03-15 14:10:03
On 3/15/07, Christian Folini <chr...@ti...> wrote:
> On Thu, Mar 15, 2007 at 01:19:37PM +0000, Ivan Ristic wrote:
>
> > practice. But for a start, I have been quite pleased.
> >
> > Have you considered automating the process, for example creation of the
> > rule set using the recorded traffic (audit logs)?
>
> I have laid out the next development targets as follows:
> * Add default parameter value domain.
> This means you no longer need to define an individual regular
> expression for every parameter yourself (like \d{0,5}, or [\w\d]{0,16}).
> Instead you just select "short integer" or "mid-size string (no spaces)" etc.
> This will simplify the rule writing.
> * Import mode allowing to use access-logs or audit-logs as a base for rule writing.
> Common and combined access logs lack headers, cookies and post parameters of course.
> * Going Beta.
>
> After this phase, I plan to return to the import mode and develop a proxy
> mode / learning mode. Possibly also taking advantage of ModSecurity and mod_spread.
>
> The idea is to receive a request into remo in the very moment it is executed.

FYI future versions of ModSecurity will probably include the piece we are
now using to transport audit log entries from sensors into the central
management console. To receive audit alerts you only need a web server
that can process PUT requests.

> This is what the wide white area on the left of the gui is good for.
> (-> http://remo.netnea.com/images/remo-screenshot-20070221-svn138.png)
> During the import, the new request will be compared to the ruleset in the
> works. If it is covered by the whitelist ruleset, it would get a green color.
> A red color in the opposite case. Next step is to take the red request and
> drag it over to the rule area (on the right side in the gui), where it is
> interpreted as a new request and filled with reasonable (?) default values
> based on the request as seen in the import/sniffer mode.
>
> Well, the development is not quite there yet, but that is the path I plan to take.

Sounds good.

> I have one or two feature requests for Mod. Should I post them to the
> list or to you in a private message?

The list please.

> regs,
>
> Christian
>
> --
> Everyone is a prisoner of his own experiences.
> No one can eliminate prejudices - just recognize them.
> --- Edward R. Murrow

--
Ivan Ristic
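The import-mode check Christian describes above (named parameter-value domains standing in for per-parameter regexes, and recorded access-log requests compared against the whitelist and marked green or red), as an added Python example that is not remo's own code; the DOMAINS mapping, RULESET and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Named value domains, so a rule author picks "short integer" instead of
# writing \d{0,5} by hand (the regexes are the ones quoted in the thread).
DOMAINS = {
    "short integer": r"\d{0,5}",
    "mid-size string (no spaces)": r"[\w\d]{0,16}",
}

# Constructed positive-security ruleset: path -> {parameter: domain name}.
RULESET = {
    "/search": {"q": "mid-size string (no spaces)", "page": "short integer"},
    "/item": {"id": "short integer"},
}

# Request line inside a common/combined access-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def parse_access_log_line(line):
    """Extract method, path and query parameters; None if no request line."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"method": m.group("method"), "path": parts.path,
            "params": dict(parse_qsl(parts.query, keep_blank_values=True))}

def check_request(req):
    """'green' when every parameter is whitelisted and in its domain, else 'red' with reasons."""
    allowed = RULESET.get(req["path"])
    if allowed is None:
        return "red", ["path not in ruleset"]
    reasons = []
    for name, value in req["params"].items():
        domain = allowed.get(name)
        if domain is None:
            reasons.append(f"unexpected parameter {name}")
        elif not re.fullmatch(DOMAINS[domain], value):
            reasons.append(f"{name}={value!r} outside domain {domain!r}")
    return ("green", []) if not reasons else ("red", reasons)

# Constructed log lines: one covered request, one value outside its domain,
# one path the ruleset does not know at all.
CONSTRUCTED_LOG = [
    '127.0.0.1 - - [15/Mar/2007:14:10:03 +0000] "GET /search?q=remo&page=2 HTTP/1.1" 200 512',
    '127.0.0.1 - - [15/Mar/2007:14:10:04 +0000] "GET /item?id=1234567 HTTP/1.1" 200 77',
    '127.0.0.1 - - [15/Mar/2007:14:10:05 +0000] "GET /admin?debug=1 HTTP/1.1" 404 0',
]

def classify_log(lines):
    """(path, colour, reasons) per parsable line, as the import view would colour it."""
    return [(r["path"], *check_request(r)) for r in map(parse_access_log_line, lines) if r]
```

A red entry is the one a rule author would drag into the rule area to turn into a new whitelist rule.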