https://inliniac.net/blog/tag/modsecurity/ Recent content in Modsecurity on Inliniac Hugo en Wed, 30 Sep 2009 18:30:37 +0000 https://inliniac.net/blog/2009/09/30/oisf-engine-development-update2/ Wed, 30 Sep 2009 18:30:37 +0000 https://inliniac.net/blog/2009/09/30/oisf-engine-development-update2/ <p>Another quick update on the development of the OISF engine. Overall development is going great. Basics like signature keywords, stream reassembly, ip defragmentation are nearing completion. Unified1 + barnyard was already working for quite some time, but now we also have unified2 compatible output. I&rsquo;ve tested this to work with barnyard2 and Sguil which works nicely.</p> <p>We have the first versions of our new YAML based configuration format checked in, a brand new logging API, midstream pickup support in our Stream engine, native PFRING support and many other additions.</p> https://inliniac.net/blog/2009/07/21/dc-meeting/ Tue, 21 Jul 2009 16:33:27 +0000 https://inliniac.net/blog/2009/07/21/dc-meeting/ <p>So I just got back from Washington D.C. where we had our first public meeting for the <a href="http://www.openinfosecfoundation.org/">OISF</a>. I think it went very well as there were more people than expected. The attendees came from all parts from the industry &amp; government. Overall reception was very positive and we&rsquo;ve gotten many offers for help in development &amp; testing.</p> <p>Around the public meetings we had private meetings with a number of companies and I&rsquo;m very happy that three of them commited to the project already:</p> https://inliniac.net/blog/2007/08/22/using-modsec2sguil-for-http-transaction-logging-revisited/ Wed, 22 Aug 2007 20:05:34 +0000 https://inliniac.net/blog/2007/08/22/using-modsec2sguil-for-http-transaction-logging-revisited/ <p>Recently I wrote about the idea to log all HTTP transactions into Sguil using my Modsec2sguil agent. I&rsquo;ve implemented this in the current <a href="http://www.inliniac.net/modsec2sguil/">0.8-dev5</a> release and it works very well. All events go into Sguil smoothly and I&rsquo;ve not experienced slowdowns on the webserver. I&rsquo;ve been running it for almost a week now, like to share the first experiences here.</p> <p>I find it to be quite useful. When receiving an alert, it is perhaps more interesting to see what else was done from that ipaddress than to see what was blocked (unless you are suspecting a false positive of course). One area I find to be useful is when I&rsquo;m creating rules against comment spam on this blog. By seeing all properties of a spam message I can create better rules. For example on broken user-agents or weird codes inserted into the comment field of Wordpress.</p>