I'm working on a set of security modules for websites. I have been calling it an Intrusion Detection System, though its purpose is really intrusion prevention. It is to detect attempts at username and password guessing as well as probing for various CGI, and while I'm at it I can, since I'm trapping 4?? status codes, pick up stuff like the CodeRed worm.
The system analyzes web transactions one at a time and puts them in a database. The source of the transactions could be a mod_perl module which is a LogHandler, or it can be tail'ing the server log.

So, what namespace? Other than the mod_perl module it's not Apache-specific.

Call it an IDS? I guess. It doesn't cover all sorts of abuse such as password trading -- it could probably be extended to that but that's not part of my current scope. WWW::IDS::* ?

Take a toplevel space in the event that I or others do other sorts of IDS: IDS::WWW

Call it APS (Attack Prevention System)? WWW::APS::* ? (BTW, it deters attackers by putting in a reject route; future versions will use the BGP perl module to share this info, also if I get the IPTABLES module to work that'd be good and if I get ambitious there's Cisco access lists).

Intrusion Prevention? WWW::IPS::* ?
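The per-transaction analysis described in the post, as an added example that is not part of the original post or the poster's module: it reads access-log lines one at a time, keeps only 4xx responses, labels each one, and flags a client once its 4xx count reaches a threshold. The threshold, the category labels, the function names and the sample log lines are constructed assumptions; the script only prints its decision at the point where the post's system would install a reject route.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $THRESHOLD = 3;    # assumed value: 4xx responses per client before flagging

# Constructed sample lines in Apache common log format (documentation addresses).
my @lines = (
    '192.0.2.10 - - [01/Aug/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - admin [01/Aug/2001:10:00:02 +0000] "GET /members/ HTTP/1.0" 401 401',
    '198.51.100.7 - admin [01/Aug/2001:10:00:03 +0000] "GET /members/ HTTP/1.0" 401 401',
    '198.51.100.7 - root [01/Aug/2001:10:00:04 +0000] "GET /members/ HTTP/1.0" 401 401',
    '203.0.113.5 - - [01/Aug/2001:10:00:05 +0000] "GET /cgi-bin/test-a.cgi HTTP/1.0" 404 208',
    '203.0.113.5 - - [01/Aug/2001:10:00:06 +0000] "GET /cgi-bin/test-b.cgi HTTP/1.0" 404 208',
    '203.0.113.5 - - [01/Aug/2001:10:00:07 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 208',
    '192.0.2.10 - - [01/Aug/2001:10:00:08 +0000] "GET /missing.gif HTTP/1.0" 404 208',
);

# Parse one common-log line into a hash ref; return nothing if it is malformed.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) \S+};
    return { client => $1, user => $2, time => $3, request => $4, status => $5 };
}

# Label a 4xx transaction by what it most likely indicates.
sub classify {
    my ($t) = @_;
    return 'auth-guess' if $t->{status} == 401;                  # failed HTTP auth
    return 'worm-probe' if $t->{request} =~ m{/default\.ida\?}i; # CodeRed request path
    return 'cgi-probe'  if $t->{request} =~ m{/cgi-bin/|\.(?:cgi|pl)\b}i;
    return 'other-4xx';
}

my (%seen, %flagged);
for my $line (@lines) {
    my $t = parse_line($line) or next;    # skip malformed lines
    next unless $t->{status} =~ /^4/;     # only 4xx responses are tracked
    my $c = $t->{client};
    $seen{$c}{ classify($t) }++;
    my $total = 0;
    $total += $_ for values %{ $seen{$c} };
    # Flag each client once, at the moment it reaches the threshold.
    if ($total >= $THRESHOLD && !$flagged{$c}++) {
        my $why = join ', ', map { "$_=$seen{$c}{$_}" } sort keys %{ $seen{$c} };
        print "flag $c after $total 4xx responses ($why)\n";
    }
}
```

A single stray 404 (the last sample line) stays below the threshold, which is the false-positive case a per-client count is meant to absorb.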
