mod_security and bro

Hi, since the bro workshop, I've been thinking about a lot of ways that bro could be used that it isn't currently being used. I had talked to Brian about how bro could go about detecting http application level attacks like cross site scripting and sql injection and we sort of came to the agreement that bro doesn't really work at this level currently.

Over the weekend I realized that mod_security (http://www.modsecurity.org/) does what I'm thinking of in terms of detecting web application attack signatures. My question is, does it seem reasonable to strip the apache specific code from mod_security and instrument it with broccoli to receive http events? It's sort of just an extension on the sensitive_URIs variable, but it could at least be code that is maintained externally for detecting this specific subset of attacks.

   .Seth

Perhaps this would be interesting for you:
http://www.inliniac.net/blog/?p=46

That's pretty interesting, but it's sort of the opposite direction of what I'm interested in. That's aggregating alerts from multiple apache servers into a single analyst's console, and that could be an interesting integration point for Bro, but I'm thinking of having Bro watch the raw traffic over the network and doing all of the mod_security analysis at that point.

I'd like to be able to get alerts as if all of the hosts here were running mod_security (even though few likely are).

Thanks for the link.

   .Seth

Hi Seth,

Hi, since the bro workshop, I've been thinking about a lot of ways
that bro could be used that it isn't currently being used. I had
talked to Brian about how bro could go about detecting http
application level attacks like cross site scripting and sql injection
and we sort of came to the agreement that bro doesn't really work at
this level currently.

Over the weekend I realized that mod_security (http://
www.modsecurity.org/) does what I'm thinking of in terms of detecting
web application attack signatures. My question is, does it seem
reasonable to strip the apache specific code from mod_security and
instrument it with broccoli to receive http events? It's sort of
just an extension on the sensitive_URIs variable, but it could at
least be code that is maintained externally for detecting this
specific subset of attacks.

mhmm -- I've only looked at their core signature set, but my impression
was that it's largely a set of regex signatures, with some additional
operations to check whether numerical values are in a certain range,
etc. Is that roughly correct?

Having a Broccoli-enabled version of that module would certainly be
sweet. Currently I'm not sure whether coding that up (and maintaining it
for future modsecurity releases) or supporting their signatures in Bro
(similar to snort2bro) is the way to go.

Cheers,
Christian.

Ah, good point. I guess I hadn't spent enough time looking around at the rules for mod_security. I just went and looked a little longer at the rules and it seems that they have some problems in terms of how their rules work even. They can't even have a rule that needs to have some pattern matched in the REQUEST_FILENAME (their terminology) and another pattern matched in the RESPONSE_BODY for the rule to trigger. But who am I to say, maybe they consider that their signature matches are more flexible if the rules aren't too strict.

   .Seth

Hmmm... On the one hand, the idea of feeding Bro-derived data into
modsecurity for analysis is kind of intriguing. On the other, I
think I'd prefer to keep the detection mechanism inside Bro as
otherwise this might get tricky to use/setup/maintain (what happens
with alerts? Are they going to be fed back to Bro?).

A converter like snort2bro is an option though I'm not sure whether
that is really worth the effort. There don't seem to be so many sigs
at this point (I also haved looked only at the core patterns), so
perhaps they can be just manually coded into a Bro script?

Robin

think I'd prefer to keep the detection mechanism inside Bro as
otherwise this might get tricky to use/setup/maintain (what happens
with alerts? Are they going to be fed back to Bro?).

*Yes*, please let's strive for this whenever possible. It makes a major
difference in the long run, when we (very often) find that the standalone
detector isn't by itself actionable, but could be if combined with additional
information/policy analysis - which Bro is much better at doing than in
an ad hoc basis inside the standalone detector.

    Vern