Comments on Jeremiah Grossman: Ryan Barnett enters the Blogosphere

Comment by Anonymous, 2006-12-08:

i liked what ryan did in that book by combining snort signatures with mod-security. in appendix C, he put the line "include conf/snortmodsec-rules.txt" in his example httpd.conf file under the mod-security section.

this, plus what you see on gotroot.com, can really make mod-security into a powerful WA-IPS. every operator should enjoy the idea behind just-in-time patching. it's layered defense-in-depth and can't be relied upon in the face of strange encodings or active evasion (e.g. VoMM), but it's better than nothing for a lot of places weak on web application security.

i especially enjoyed the web proxy honeypot chapter. personally, i believe that time should be spent protecting against priority threats, not specific vulnerabilities (although patching is good). honeypots are often an easier path to identify actual threats, while IDS and IPS usually spot vulnerabilities only.

albeit an average anti-IDS/IPS proponent, I still often do find uses for snort signatures. take http://honeyc.sf.net as an example. using the snort signatures provided by honeyc at http://honeyc.sourceforge.net/signatureReferences.php, in addition to some taken from the bleeding snort project at http://bleedingsnort.com/bleeding-sid-msg-map.txt (SIDs 2001075 to 2001115 at least), and some custom signatures, could allow for fast and widespread scanning using low-interaction honeyclients.

however, this creates a lot of false positives, so it needs to be re-evaluated and validated with high-interaction honeyclients.
that's where http://capture-hpc.sf.net (recently released by Chris Seifert, http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php) comes in, as well as his methodology as described in www.mcs.vuw.ac.nz/~cseifert/blog/images/client_honeypots_-_dsrg_meeting.ppt

his blog is also at http://www.mcs.vuw.ac.nz/~cseifert/blog/index.php