On Mar 19, 2009, at 11:15 AM, Ravi Chunduru wrote:
There should be some solution like web application firewalls do - deep packet inspection and protocol parsing.
That's exactly how Bro works, and I've been occasionally examining various open source web application firewalls to see if I could use their techniques from an IDS context, but I haven't had time yet to actually write anything beyond my script that uses a regex to catch GET-based SQL injections[1]. A couple of extra nifty tricks about Bro in the context of HTTP analysis are that you can detect a number of protocols, including HTTP, on any port (Dynamic Port Detection or DPD[2]). The other is that when Bro encounters gzipped body contents in a session, it will transparently unzip the body and pass along the uncompressed content, so that your analysis scripts never even need to know about the compression.
1. http://github.com/sethhall/bro_scripts/blob/91a6a16e96ffbc563ec392d545fe688fee7bfee0/http-ext.bro
2. http://bro-ids.org/wiki/index.php/DynamicProtocolDetection

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
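The two mechanics Seth describes, a regex over decoded GET parameters and transparent gzip decompression before the body reaches analysis, sketched in Python as an added illustration (this is not the http-ext.bro script or Bro's own code; the request lines, headers and detection pattern are constructed for the example):

```python
import gzip
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed detection pattern: numeric tautologies ("OR 1=1", quoted or
# not), UNION SELECT, a trailing comment terminator, or a chained DROP.
# A production ruleset would be broader; this is enough to show the flow.
SQLI_PATTERN = re.compile(
    r"(?i)(\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"
    r"|\bunion\b\s+(?:all\s+)?select\b"
    r"|--\s*$"
    r"|;\s*drop\b)"
)


def suspicious_params(request_line: str) -> list:
    """Return (name, decoded value) pairs of a GET whose query matches.

    parse_qsl percent-decodes and turns '+' into spaces, so the regex runs
    on what the application would actually see, not on the raw URL bytes.
    Only GET is inspected here, mirroring the GET-only scope of the script.
    """
    method, uri, _version = request_line.split(" ", 2)
    if method != "GET":
        return []
    query = urlsplit(uri).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if SQLI_PATTERN.search(value)]


def body_for_analysis(headers: dict, raw_body: bytes) -> bytes:
    """Hand analysis the decompressed body when the response is gzipped.

    This is the transparent-unzip idea: callers inspecting the body never
    need to know whether Content-Encoding was set on the wire.
    """
    encoding = headers.get("Content-Encoding", "").strip().lower()
    if encoding == "gzip":
        return gzip.decompress(raw_body)
    return raw_body


# Constructed sample response body used by the demo below.
SAMPLE_HTML = b"<html><body>order confirmed</body></html>"


def demo_gzip_body() -> bytes:
    """Compress SAMPLE_HTML as a server would, then recover it for analysis."""
    wire_body = gzip.compress(SAMPLE_HTML)
    return body_for_analysis({"Content-Encoding": "gzip"}, wire_body)
```

The regex is applied after decoding because an encoded `%27` is what the wire carries, but the quote character is what the backend sees.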
