Global Flowbits

From Victor Julien: One thing we've been thinking about is something like Snort's flowbits, but then way extended. Having a way to capture data from the packets/stream, setting and calculating with counters, etc., all per packet, flow/stream, host, network and globally. And then provide the rule language to compare each and every one of those with each other, do translations etc. ModSecurity has features like this and they are very useful.

For example, in ModSecurity you can match on the password in HTTP basic auth by capturing the string containing the username and password from the HTTP header, splitting it and base64-decoding it. All from the rules language.


Interest exists from the ModSecurity guys to cooperate. Perhaps an API to push HTTP requests to a parallel ModSecurity instance for a yes/no/modify answer?

-- MattJonkman - 17 Oct 2008
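The following is an added illustration of the idea discussed above, not code from this page, from Suricata or from ModSecurity: a small Python inspector that does the basic-auth capture, split and base64 decode on constructed HTTP requests, and keeps rule-accessible state at per-flow, per-host and global scope so rules can count and compare across those scopes. The weak-password list, the brute-force threshold and the sample requests are all assumptions made up for the example.

```python
import base64
import binascii
from collections import defaultdict

# Constructed sample data for the example (not captured traffic).
WEAK_PASSWORDS = {"admin", "password", "123456"}   # assumed weak-password list
GUESS_THRESHOLD = 3   # assumed: distinct passwords from one source to one destination


def _basic(user, pw):
    """Build an Authorization header value the way a client would (sample construction only)."""
    return b"Basic " + base64.b64encode(f"{user}:{pw}".encode())


def _request(path, auth):
    return (b"GET " + path + b" HTTP/1.1\r\nHost: intranet\r\nAuthorization: "
            + auth + b"\r\n\r\n")


# (src_ip, dst_ip, raw request); constructed to show one guessing client and one benign one.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "192.0.2.10", _request(b"/admin", _basic("admin", "admin"))),
    ("10.0.0.5", "192.0.2.10", _request(b"/admin", _basic("admin", "password"))),
    ("10.0.0.5", "192.0.2.10", _request(b"/admin", _basic("admin", "123456"))),
    ("10.0.0.7", "192.0.2.10", _request(b"/admin", _basic("bob", "CorrectHorse"))),
    ("10.0.0.9", "192.0.2.10", _request(b"/", b"Basic !!!notbase64")),   # malformed token
]


class State:
    """Rule-visible variables at the scopes the page proposes: flow, host and global."""

    def __init__(self):
        self.flow = defaultdict(dict)   # keyed by (src, dst)
        self.host = defaultdict(dict)   # keyed by src ip
        self.glob = {}                  # one shared table


def extract_basic_auth(raw):
    """Capture, split and base64-decode the Basic credential; None if absent or malformed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None                            # garbage in the token: no match, no crash
        user, sep, pw = decoded.partition(b":")    # RFC 7617: user may not contain ':'
        if not sep:
            return None
        return user.decode("latin-1"), pw.decode("latin-1")
    return None


def inspect(state, src, dst, raw):
    """Apply the example rules to one request and return the alerts they raise."""
    alerts = []
    creds = extract_basic_auth(raw)
    if creds is None:
        return alerts
    user, pw = creds

    # Rule 1: per-packet match on the decoded password (the ModSecurity-style check).
    if pw in WEAK_PASSWORDS:
        alerts.append(f"weak-password user={user} src={src}")

    # Rule 2: per-host state: distinct passwords this source has tried against dst.
    tried = state.host[src].setdefault(("basic_pw", dst), set())
    tried.add(pw)
    if len(tried) >= GUESS_THRESHOLD:
        alerts.append(f"basic-auth-guessing src={src} dst={dst} attempts={len(tried)}")

    # Counters at flow and global scope, available to later rules for comparison.
    flow = state.flow[(src, dst)]
    flow["auth_attempts"] = flow.get("auth_attempts", 0) + 1
    state.glob["auth_attempts"] = state.glob.get("auth_attempts", 0) + 1
    return alerts


def run(requests):
    """Feed requests through the inspector in order; return (alerts, final state)."""
    state = State()
    alerts = []
    for src, dst, raw in requests:
        alerts.extend(inspect(state, src, dst, raw))
    return alerts, state


if __name__ == "__main__":
    found, final = run(SAMPLE_REQUESTS)
    for a in found:
        print(a)
    print("global auth attempts:", final.glob["auth_attempts"])
```

On the sample set, the first three requests each trip the weak-password rule, the third also trips the per-host guessing rule, the benign request from 10.0.0.7 matches nothing, and the malformed token is rejected by the decoder rather than reaching a rule. Rejecting invalid base64 before the split matters in a real engine, since attacker-controlled header bytes should never be able to raise an exception in the decoder path.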

Topic revision: r1 - 2008-10-17 - MattJonkman
Copyright © Emerging Threats