New Apache Module For Web Intrusion Detection
ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."
I am using 1.7RC1. I'm using it for just one feature -- SecServerSignature. Lets you change the reported server type. I changed mine to Microsoft-IIS/2.0. In my built-in status handler that shows me all the hits as they're being served live, I almost always have one request in there that is trying to send a buffer overflow to default.ida. That behavior changed the same day I flipped my reported server type over. Always amazes me how little time it takes!
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
But couldn't you also do this with .htaccess? Anyway, the module sounds interesting... have to check it out!
Tels
than snort? easier to set up?
Quod scripsi, scripsi.
Whilst at it, you can also include this:

ServerSignature Off

This line tells Apache not to display server version and virtual host name in server-generated pages. And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.
Finecrafts of the Net - Bestnetcraft.com
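
An added example, not part of the thread or of mod_security: a small Python audit of an Apache configuration for the settings the comments discuss (the ServerSignature footer, the SecServerSignature banner, directory listings). The sample config and the names parse and audit are constructed for illustration. It assumes Apache's defaults of ServerSignature Off and ServerTokens Full, relies on the mod_security documentation's requirement that ServerTokens be Full for SecServerSignature to take effect, and ignores Include files and containers other than <Directory>.

```python
import re

# Constructed sample httpd.conf, not taken from the thread.
SAMPLE_CONF = """\
ServerTokens Prod
ServerSignature On
SecServerSignature "Microsoft-IIS/2.0"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

def parse(conf):
    """Yield (directive, args, enclosing <Directory> path or None) per line."""
    scope = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            scope = m.group(1)
        elif re.match(r"</Directory\s*>", line, re.I):
            scope = None
        elif not line.startswith("<"):
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "").strip('"'), scope

def audit(conf):
    """Return a sorted list of findings about banner and listing exposure."""
    last, findings = {}, []
    for name, args, scope in parse(conf):
        last[name] = args  # for server-wide directives the last value wins
        if name == "options":
            opts = {o.lower() for o in args.split()}
            if opts & {"indexes", "+indexes", "all"}:
                findings.append(f"directory listing enabled in {scope or 'server config'}")
    if last.get("serversignature", "off").lower() != "off":
        findings.append("ServerSignature is not Off: version footer on generated pages")
    tokens = last.get("servertokens", "full").lower()
    if "secserversignature" in last and tokens != "full":
        findings.append("SecServerSignature set but ServerTokens is not Full")
    elif "secserversignature" not in last and tokens not in ("prod", "productonly"):
        findings.append("Server header discloses version details")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

ServerSignature only controls the footer on server-generated pages; the Server response header is governed by ServerTokens (or overridden by SecServerSignature), and Options -Indexes disables listings without needing an index.html in every directory.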