WebApp Sec mailing list archives

Re: Apache module: mod_security


From: Ivan Ristic <ivanr () webkreator com>
Date: Tue, 10 Dec 2002 16:35:18 +0000

Bill Burge wrote:
> After a cursory glance, other than removing some abstraction
> and making configuration a little more straight forward; I'm not
> sure how this differs from what can be done with mod_rewrite.

  One major feature: it filters POST payloads, too. There is no
  point of having any kind of web application firewall if you
  allow attackers to attack you via POST.

  The other major feature (at least to me) is the full (POST
  included) audit log.

  And (I am trying really hard now :), it can also filter
  individual parameters. For example, if you have something
  like:

  script.php?title=value1&content=value2

  with a rule

  SecFilterSelective ARGS|!ARG_content "<(.|\n)+>"

  You can allow HTML to come through variable "content" but
  not through "title".


> I didn't see anything in the attributes list that I can't review
> and take action on with rewrite rules.

  Well, I copied the variable names from mod_rewrite 0:)


> While this might be a good first step in the right direction
> (I spend a lot of time carving apache into a web based application
> level gateways); I'd like to see a lot more than a simpler conf
> language and a gui (actually you can keep the gui).

  Keep 'em coming! Your comments are most welcome, that is
  exactly what I need at the moment.


> 1) how about using snort rules natively

  I used Snort for Web filtering before starting work
  on mod_security. Its rules are mostly IP-specific, and
  not suitable for mod_security which works on the HTTP
  level.


> 2)  how about data collection on the source of the connection

  Are you referring to the audit log (request headers and
  other information)? It does that.

  You also asked about mod_rewrite. These two modules seem
  similar (especially in these early times) but are fundamentally
  different. In order to do what I'm doing with mod_security
  at the moment, I would have to take mod_rewrite apart. Those
  changes would never be allowed back into the module and then,
  it would be the same anyway.


> 3)  how about notifications

  Alerts & custom redirects are the first on my list.

--
Ivan Ristic, http://www.webkreator.com/
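
The per-parameter filtering described in the message above, as an added example that is not part of the original post and not mod_security's own code. It models how a location such as ARGS|!ARG_content selects which parameters a pattern is applied to, for both the query string and a form-encoded POST body; the function names, the HTML pattern and the sample requests are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Assumed HTML pattern: "<", one or more characters (newlines included), ">".
HTML_TAG = re.compile(r"<(.|\n)+>")

def select_args(location, params):
    """Resolve e.g. 'ARGS|!ARG_content' to the (name, value) pairs to inspect."""
    include_all, included, excluded = False, set(), set()
    for term in location.split("|"):
        negate = term.startswith("!")
        term = term.lstrip("!")
        if term == "ARGS":
            include_all = True          # every parameter is a candidate
        elif term.startswith("ARG_"):
            (excluded if negate else included).add(term[4:])
    # An exclusion always wins over ARGS, which is what "!ARG_content" expresses.
    return [(n, v) for n, v in params
            if n not in excluded and (include_all or n in included)]

def check_request(location, pattern, query_string="", post_body=""):
    """Return names of offending parameters; an empty list means the request passes."""
    # parse_qsl URL-decodes names and values, so %3C is inspected as "<".
    params = parse_qsl(query_string, keep_blank_values=True)
    # The POST body goes through the same check as the query string.
    params += parse_qsl(post_body, keep_blank_values=True)
    return [n for n, v in select_args(location, params) if pattern.search(v)]

# Constructed sample requests (not taken from the original message).
RULE = "ARGS|!ARG_content"
GET_HTML_IN_TITLE = "title=%3Cb%3Ehi%3C%2Fb%3E&content=plain"
GET_HTML_IN_CONTENT = "title=hello&content=%3Cp%3Etext%3C%2Fp%3E"
POST_HTML_IN_BOTH = "title=%3Cscript%3Ex%3C%2Fscript%3E&content=%3Cp%3Eok%3C%2Fp%3E"

if __name__ == "__main__":
    print(check_request(RULE, HTML_TAG, query_string=GET_HTML_IN_TITLE))
    print(check_request(RULE, HTML_TAG, query_string=GET_HTML_IN_CONTENT))
    print(check_request(RULE, HTML_TAG, post_body=POST_HTML_IN_BOTH))
```

A filter that looked only at the URL would pass the third request untouched, since both parameters travel in the POST body.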


