New Apache Module For Web Intrusion Detection
ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."
new null-byte attack anti-evasion code
Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?
-- MarkusQ
I use 1.6, haven't upgraded to 1.7 yet.
I enjoy it. Among other things, it lets me block people using empty user agents and empty host header fields, which tend to mainly be people trying to perform a variety of exploits on my server.
"I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
For those who don't have mod_security, a good thing to put in your httpd.conf is:
ServerTokens ProductOnly
so your HTTP response looks like:
HTTP/1.1 200 OK
Date: Mon, 20 Oct 2003 17:23:13 GMT
Server: Apache
instead of:
HTTP/1.1 200 OK
Date: Mon, 20 Oct 2003 17:23:13 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 mod_ssl/2.8.2 OpenSSL/0.9.8
That's just way too much information to tell the world.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
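The difference between the two Server headers quoted in the ServerTokens comment above can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, and the sample response heads are constructed from the two responses quoted in that comment.

```python
import re

# Constructed sample response heads, built from the two cases quoted in the thread.
TERSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 20 Oct 2003 17:23:13 GMT\r\n"
    "Server: Apache\r\n\r\n"
)
VERBOSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 20 Oct 2003 17:23:13 GMT\r\n"
    "Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 "
    "mod_ssl/2.8.2 OpenSSL/0.9.8\r\n\r\n"
)

# A product token is name[/version]; a parenthesised comment usually names the OS.
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/(\S+))?")

def server_header(raw_head):
    """Return the Server header value from a raw response head, or None."""
    for line in raw_head.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def disclosures(raw_head):
    """List what the Server header reveals beyond the bare product name."""
    value = server_header(raw_head)
    if value is None:
        return []
    found = []
    for i, m in enumerate(TOKEN.finditer(value)):
        comment, product, version = m.groups()
        if comment is not None:
            found.append(("platform", comment))
        elif version is not None:
            found.append(("version", f"{product}/{version}"))
        elif i > 0:
            found.append(("module", product))  # extra product without a version
    return found

if __name__ == "__main__":
    for label, head in (("ProductOnly", TERSE), ("verbose", VERBOSE)):
        print(label, disclosures(head) or "nothing beyond the product name")
```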
And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.
Or, for the rest of us who know how to configure Apache...
Options -Indexes
in apache.conf (or wherever apache -V says the conf is)
My poetry site welcomes the unusual.