[Oisf-users] libinjection

Kevin Ross kevross33 at googlemail.com
Thu Jul 4 19:31:40 UTC 2013


Yup it does. If it was integrated where Suricata is basically passing off
the requests and responses to ModSecurity, then the benefits would be great.
We would have much better detection of inbound web attacks, and all the
benefits of ModSecurity as it is developed would be of benefit if Suricata
could get the web traffic to it. Another interesting thing with ModSecurity
is Bayesian analysis:
http://blog.spiderlabs.com/2012/09/web-application-defense-bayesian-attack-analysis.html

Also it would be of benefit because there are a lot of people who can't
directly mess with the servers to do ModSecurity, and reverse proxying isn't
an option either. Being able to have it inline or out of line would be
cool. Out of line is also great for tuning and stuff, and I know it works;
Trustwave's WebDefend can be deployed out of line, which is good to get
things right until you are comfortable enough to go inline (and it is a
great WAF if anyone is looking at the options).

People could maybe even use the AuditConsole with it for viewing alerts
from ModSecurity:
http://www.jwall.org/web/audit/console/screenshots/index.jsp

Regards,
Kevin


On 4 July 2013 10:10, Victor Julien <lists at inliniac.net> wrote:

> On 07/04/2013 09:26 AM, Kevin Ross wrote:
> > Well that is disappointing. Perhaps the solution is having Suricata or
> > Bro being able to pass traffic into ModSecurity with the ability to
> > define which websites (HTTP and HTTPS with certs) are passed in?
> > Hopefully getting the benefits of ModSecurity without having to worry
> > about fully integrating individual detections such as libinjection and
> > other new or experimental things directly into Suricata/Bro.
>
> ModSecurity actually also uses libinjection :)
>
> Cheers,
> Victor
>
> > On 3 July 2013 18:54, Seth Hall <seth at icir.org <mailto:seth at icir.org>>
> > wrote:
> >
> >
> >     On Jul 2, 2013, at 2:18 AM, Peter Manev <petermanev at gmail.com
> >     <mailto:petermanev at gmail.com>> wrote:
> >
> >     > Yes it is considered -
> >     > https://redmine.openinfosecfoundation.org/issues/547
> >
> >
> >     For the record, I just spent a few minutes and integrated this into
> >     Bro and ran it on some real world traffic and this isn't good.
> >     There are a lot of false positives.  It's probably another one of
> >     those things that tends to work fine if you run it on your own
> >     server, but when you're watching general internet traffic it starts
> >     showing some flaws.
> >
> >       .Seth
> >
> >     --
> >     Seth Hall
> >     International Computer Science Institute
> >     (Bro) because everyone has a network
> >     http://www.bro.org/
> >
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/
> > List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > OISF: http://www.openinfosecfoundation.org/
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
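The false-positive problem Seth describes is easy to reproduce with any fingerprint-style SQLi detector once it sees text that merely looks like SQL. As an added illustration (this is not code from the thread, nor from libinjection, Bro, Suricata or ModSecurity), the Python below imitates the general idea of tokenising a parameter value as SQL, reducing the first few tokens to a short fingerprint, and looking that fingerprint up in a table built from known attacks; it then runs a small evaluation harness over constructed benign and malicious samples and counts the false positives. The keyword list, token classes, fingerprint table and all sample strings are constructed for this example and are tiny compared with the real library. The `sqli_scoped` helper is likewise an assumption, implementing Kevin's suggestion of only inspecting traffic for hosts you chose to watch.

```python
"""Toy SQL-injection fingerprint detector plus a false-positive harness.

Added example: this is NOT libinjection's code or algorithm, nor Bro's or
Suricata's. It only imitates the general idea of tokenising an input as
SQL, reducing the first few tokens to a short "fingerprint" and looking
that fingerprint up in a table built from known attacks. The keyword list,
token classes, fingerprint table and sample strings are all constructed
for this example.
"""
import re

# Constructed keyword list (a real tokeniser knows hundreds).
KEYWORDS = {
    "select", "union", "insert", "update", "delete", "drop", "table",
    "from", "where", "and", "or", "not", "null", "like", "sleep",
}

# Alternation order matters: "--" must win over "-", "/*" over "/".
TOKEN_RE = re.compile(r"""
    (?P<comment>--|\#|/\*.*?(?:\*/|$))            |
    (?P<string>'(?:[^']|'')*'?|"(?:[^"]|"")*"?)     |
    (?P<number>\d+(?:\.\d+)?)                     |
    (?P<op><>|!=|<=|>=|\|\||[=<>(),;+\-*/])        |
    (?P<word>[A-Za-z_][A-Za-z0-9_]*)              |
    (?P<ws>\s+)                                   |
    (?P<other>.)
""", re.VERBOSE | re.DOTALL)

# Constructed fingerprint table: one letter per token class, first 5 tokens.
# k=keyword n=name s=string 1=number o=operator c=comment
KNOWN_FINGERPRINTS = {
    "sk1o1",  # ' or 1=1 --
    "sc",     # admin'--
    "1k1o1",  # 1 or 1=1
    "1okkn",  # 1; drop table users
    "kknkn",  # union select password from users
    "sksos",  # ' or 'a'='a
    "1kko1",  # 1 and sleep(5)
}


def token_classes(text):
    """Yield one class letter per non-whitespace token of `text`."""
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "word":
            yield "k" if m.group().lower() in KEYWORDS else "n"
        else:
            yield {"string": "s", "number": "1", "op": "o",
                   "comment": "c"}.get(kind, "?")


def fingerprint(text, max_tokens=5):
    """Concatenate the classes of the first `max_tokens` tokens."""
    return "".join(list(token_classes(text))[:max_tokens])


def is_sqli(value):
    """Try the value bare, then as if it closed a ' or " string literal.

    Returns (True, fingerprint) on the first table hit, else (False, None).
    """
    for ctx in ("", "'", '"'):
        fp = fingerprint(ctx + value)
        if fp in KNOWN_FINGERPRINTS:
            return True, fp
    return False, None


def evaluate(detector, benign, malicious):
    """Count hits over labelled samples: the check to run before trusting a detector."""
    fp = sum(1 for v in benign if detector(v)[0])
    tp = sum(1 for v in malicious if detector(v)[0])
    return {
        "tp": tp, "fn": len(malicious) - tp,
        "fp": fp, "tn": len(benign) - fp,
        "fp_rate": fp / len(benign), "tp_rate": tp / len(malicious),
    }


def sqli_scoped(host, value, monitored_hosts):
    """Only judge parameters sent to hosts you chose to watch (assumed helper)."""
    if host.lower() not in monitored_hosts:
        return False, None
    return is_sqli(value)


# Constructed samples: the kind of parameter values an IDS sees in query strings.
MALICIOUS = [
    "' or 1=1 --", "admin'--", "1 or 1=1", "1; drop table users",
    "union select password from users", "' or 'a'='a", "1 AND sleep(5)",
]
BENIGN = [
    "1 or 2 players", "select the best phone and tablet", "it's 5 o'clock",
    "rock 'n' roll", "2 for 1 deal",
    "delete from cart where id",   # SQL pasted into a forum post: fingerprint collides
]

if __name__ == "__main__":
    print(evaluate(is_sqli, BENIGN, MALICIOUS))
    for v in BENIGN:
        hit, fp = is_sqli(v)
        if hit:
            print("false positive: %r -> %s" % (v, fp))
```

Running it shows every malicious sample caught and one benign sample flagged: a plain-English phrase pasted into a search box that happens to tokenise like `union select ... from ...`. On a single application you control, that kind of input is rare enough to tune around; on general internet traffic, where forum posts, documentation searches and code snippets flow through the same parser, the same table fires constantly, which is the effect Seth reports. Restricting evaluation to a host allowlist, as `sqli_scoped` does, is the cheapest way to cut that down before going inline.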