[Oisf-users] libinjection

Breno Silva breno.silva at gmail.com
Thu Jul 4 19:36:28 UTC 2013


Hello guys,

We (ModSecurity Team) are working daily with Nick to improve Libinjection,
and it is fully integrated with ModSecurity. It would be very cool to see
Suricata integrated with ModSecurity for possibly better HTTP traffic
inspection. ModSecurity now has a standalone module (API) for external code
integration.

If you guys are interested, let's talk about how we can move forward.

Thanks

Breno


On Thu, Jul 4, 2013 at 4:31 PM, Kevin Ross <kevross33 at googlemail.com> wrote:

> Yup it does. If it was integrated where Suricata is basically passing off
> the requests and responses to modsecurity then the benefits would be great.
> We would have much better detection of inbound web attacks and all the
> benefits of modsecurity as it is developed would be of benefit if Suricata
> could get the web traffic to it. Another interesting thing with modsecurity
> is bayesian analysis
> http://blog.spiderlabs.com/2012/09/web-application-defense-bayesian-attack-analysis.html
>
> Also it would be of benefit because there are a lot of people who can't
> directly mess with the servers to do modsecurity and reverse proxying isn't
> an option either. Being able to have it inline or out of line would be
> cool. Out of line is also great for tuning and stuff and I know it works;
> Trustwave's web defend can be deployed out of line which is good to get
> things right until you are comfortable enough to go inline (and it is a
> great WAF if anyone is looking at the options).
>
> People could maybe even use the auditconsole with it for viewing alerts
> from modsecurity
> http://www.jwall.org/web/audit/console/screenshots/index.jsp.
>
> Regards,
> Kevin
>
>
> On 4 July 2013 10:10, Victor Julien <lists at inliniac.net> wrote:
>
>> On 07/04/2013 09:26 AM, Kevin Ross wrote:
>> > Well that is disappointing. Perhaps the solution is having Suricata or
>> > BRO being able to pass traffic into modsecurity with the ability to
>> > define which websites (HTTP and HTTPS with certs) are passed in?
>> > Hopefully getting the benefits of modsecurity without having to worry
>> > about fully integrating individual detections such as libinjection and
>> > other new or experimental things directly into Suricata/Bro.
>>
>> ModSecurity actually also uses libinjection :)
>>
>> Cheers,
>> Victor
>>
>> > On 3 July 2013 18:54, Seth Hall <seth at icir.org> wrote:
>> >
>> >
>> >     On Jul 2, 2013, at 2:18 AM, Peter Manev <petermanev at gmail.com> wrote:
>> >
>> >     > Yes it is considered -
>> >     > https://redmine.openinfosecfoundation.org/issues/547
>> >
>> >
>> >     For the record, I just spent a few minutes and integrated this into
>> >     Bro and ran it on some real world traffic and this isn't good.
>> >     There are a lot of false positives.  It's probably another one of
>> >     those things that tends to work fine if you run it on your own
>> >     server, but when you're watching general internet traffic it starts
>> >     showing some flaws.
>> >
>> >       .Seth
>> >
>> >     --
>> >     Seth Hall
>> >     International Computer Science Institute
>> >     (Bro) because everyone has a network
>> >     http://www.bro.org/
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > OISF: http://www.openinfosecfoundation.org/
>> >
>>
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>
>
>
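Seth's point above about false positives on general internet traffic is easier to see with a concrete model of how a fingerprint-based detector works. The following is an added teaching example written for this thread, not libinjection's own code or anything from ModSecurity, Suricata or Bro: it tokenizes a request parameter into a short string of token classes (string, number, keyword, word, operator, comment), tries the value as-is and as if it had landed inside a quoted literal, and looks the resulting fingerprint up in a constructed list of "known-bad" patterns. The keyword list, token classes and the fingerprint list are simplified assumptions, and the benign and malicious corpora are constructed inline. The `false_positive_rate` helper is the kind of measurement a practitioner would run over their own traffic before enabling such a check in an IDS.

```python
"""
Toy fingerprint-based SQLi detector in the spirit of libinjection:
tokenize, reduce to a short "fingerprint" of token classes, look it up.
Added example, not libinjection's code; everything below is simplified.
"""
import re

# Assumption: a small subset of the keywords a real SQL tokenizer knows.
KEYWORDS = {
    "select", "union", "insert", "update", "delete", "drop", "from", "where",
    "or", "and", "not", "like", "null", "having", "order", "group", "by",
    "into", "values", "sleep", "benchmark", "waitfor",
}

# Token classes loosely modelled on single-character classes:
#   s string literal, 1 number, k keyword, n other word, o operator,
#   c comment; parentheses and commas are kept literally.
TOKEN_RE = re.compile(
    r"""
    (?P<comment>--[^\n]*|/\*.*?\*/|\#[^\n]*)
  | (?P<string>'(?:[^'\\]|\\.)*'?|"(?:[^"\\]|\\.)*"?)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>=|<>|!=|<=|>=|<|>|\|\||\+|-|\*|/|;)
  | (?P<paren>[()])
  | (?P<comma>,)
  | (?P<ws>\s+)
  | (?P<other>.)
    """,
    re.VERBOSE | re.DOTALL,
)

MAX_TOKENS = 5  # fingerprints are capped at a handful of tokens

# Constructed "known SQLi" fingerprints for this toy. A real list is far
# longer and is curated from observed attacks.
KNOWN_SQLI = {"1k1o1", "sksos", "sk1o1", "kk1,1"}


def tokenize(text):
    """Map the text to a list of token-class characters, dropping whitespace."""
    classes = []
    for m in TOKEN_RE.finditer(text):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "word":
            classes.append("k" if m.group().lower() in KEYWORDS else "n")
        elif kind == "string":
            classes.append("s")
        elif kind == "number":
            classes.append("1")
        elif kind == "op":
            classes.append("o")
        elif kind == "comment":
            classes.append("c")
        elif kind in ("paren", "comma"):
            classes.append(m.group())
        else:
            classes.append("?")
    return classes


def fingerprint(text):
    """First MAX_TOKENS token classes joined into one string."""
    return "".join(tokenize(text)[:MAX_TOKENS])


def is_sqli(value):
    """Return (flagged, fingerprint). The value is tried as-is and as if it
    had been placed inside a single- or double-quoted SQL literal."""
    for prefix in ("", "'", '"'):
        fp = fingerprint(prefix + value)
        if fp in KNOWN_SQLI:
            return True, fp
    return False, fingerprint(value)


def flagged(values):
    """Subset of values the detector flags, mapped to the matching fingerprint."""
    hits = {}
    for v in values:
        hit, fp = is_sqli(v)
        if hit:
            hits[v] = fp
    return hits


def false_positive_rate(benign_values):
    """Fraction of a benign corpus that the detector flags."""
    return len(flagged(benign_values)) / len(benign_values)


# Constructed corpora: parameter values you might see in real traffic.
BENIGN = ["Tom and Jerry", "1 and 1 = 2", "order by date", "select your seat",
          "price < 100", "O'Reilly", "it's 5 or 6"]
MALICIOUS = ["1 OR 1=1", "' OR 1=1 --", "' OR 'a'='a", "UNION SELECT 1,2"]

if __name__ == "__main__":
    print("flagged malicious:", flagged(MALICIOUS))
    print("flagged benign:   ", flagged(BENIGN))
    print("false positive rate on benign corpus: %.2f" % false_positive_rate(BENIGN))
```

The benign "1 and 1 = 2" collapses to the same fingerprint as "1 OR 1=1" because the tokenizer only sees number/keyword/number/operator/number; that is the shape of the problem Seth describes, and the reason the rate has to be measured on traffic representative of what the sensor will actually watch rather than on one application's requests.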