![webappsec logo](/images/webappsec-logo.png)
WebApp Sec mailing list archives
Re: Apache module: mod_security
From: Ivan Ristic <ivanr () webkreator com>
Date: Tue, 10 Dec 2002 16:35:18 +0000
Bill Burge wrote:
After a cursory glance, other than removing a some abstraction
> and making configuration a little more straight forward; I'm not > sure how this differs from what can be done with mod_rewrite. One major feature: it filters POST payloads, too. There is no point of having any kind of web application firewall if you allow attackers to attack you via POST. The other major feature (at least to me) is the full (POST included) audit log. And (I am trying really hard now :), it can also filter individual parameters. For example, if you have something like: script.php?title=value1&content=value2 with a rule SecFilterSelective ARGS|!ARG_content "<( |\n)+>" You can allow HTML to come through variable "content" but not through "title".
I didn't see anything in the attributes list that I can't review
> and take action on with rewrite rules. Well, I copied the variable names from mod_rewrite 0:)
While this might be a good first step in the right direction
> I spend a lot of time carving apache into a web based application
level gateways); I'd like to see a lot more than a simpler conf
> language and a gui (actually you can keep the gui). Keep 'em coming! You comments are most welcome, that is exactly what I need at the moment.
1) how about using snort rules natively
I used Snort for Web filtering before starting work on mod_security. Its rules are mostly IP-specific, and not suitable for mod_security which works on the HTTP level.
2) how about data collection on the source of the connection
Are you referring to the audit log (request headers and other information)? It does that. You also asked about mod_rewrite. These two modules seem similar (especially in these early times) but are fundamentally different. In order to do what I'm doing with mod_security at the moment, I would have to take mod_rewrite apart. Those changes would never be allowed back into the module and then, it would be the same anyway.
3) how about notifications
Alerts & custom redirects are the first on my list. -- Ivan Ristic, http://www.webkreator.com/
Current thread:
- Apache module: mod_security Ivan Ristic (Dec 10)
- Re: Apache module: mod_security Dave Aitel (Dec 10)
- Re: Apache module: mod_security Bill Burge (Dec 10)
- Re: Apache module: mod_security Ivan Ristic (Dec 10)
- Re: Apache module: mod_security Ivan Ristic (Dec 10)
- Re: Apache module: mod_security Bill Burge (Dec 10)
- Re: Apache module: mod_security Klaus Doerrscheidt (Dec 10)
- Re: Apache module: mod_security Gabe Lawrence (Dec 10)
- <Possible follow-ups>
- Re: Apache module: mod_security zeno (Dec 10)
- Re: Apache module: mod_security Dave Aitel (Dec 10)