From Victor Julien:
One thing we've been thinking about is something like Snort's flowbits, but then way extended. Having a way to capture data from the packets/stream, setting and calculating with counters, etc all per packet, flow/stream, host, network and globally. And then provide the rule language to compare each and everyone of those with each other, do translations etc. ModSecurity?
has features like this and they are very useful.
For example in ModSecurity?
you can match on the password on HTTP basic auth by capturing the string containing the username and password from the HTTP header, splitting it, decoding it's base64. All from the rules language.
Interest exists from the Mod Security guys to cooperate. Perhaps an api to push http requests to a parallel mod sec instance for a yes/no/modify answer?
- 17 Oct 2008