New Apache Module For Web Intrusion Detection
ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."
I am using 1.7RC1. I'm using it for just one feature -- SecServerSignature. Lets you change the reported server type. I changed mine to Microsoft-IIS/2.0. In my built-in status handler that shows me all the hits as they're being served live, I almost always have one request in there that is trying to send a buffer overflow to default.ida. That behavior changed the same day I flipped my reported server type over. Always amazes me how little time it takes!
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
For those who don't have mod_security, a good thing to put in your httpd.conf is:
ServerTokens ProductOnly
so your HTTP response looks like:
HTTP/1.1 200 OK
Date: Mon, 20 Oct 2003 17:23:13 GMT
Server: Apache
instead of:
HTTP/1.1 200 OK
Date: Mon, 20 Oct 2003 17:23:13 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 mod_ssl/2.8.2 OpenSSL/0.9.8
That's just way too much information to tell the world.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)