Alex V. | 17 Aug 13:54

Re: Performance tip

I'm absolutely not a regexp expert, but I'm wondering if it could not be
possible to write the regexp like this (or something similar):

SecFilterSelective VAR (
      KEYWORD1|     # Comment explaining this match
      KEYWORD2|     # Comment explaining this match
      KEYWORD3|     # Comment explaining this match
      KEYWORD4|     # Comment explaining this match
      KEYWORD5|     # Comment explaining this match
      KEYWORD6     # Comment explaining this match
)

This way, it could possibly lead to something readable, comprehensive and
optimized.

To sum up, the problem is: Is it possible to put some comments into the
regexp? And if not, maybe someone could try (I'll try to do it if I have
some time) to develop a script to convert a file with such rules well
commented to a file for use in modsec... Then, people just have to read
and edit this commented file and then launch the script => No more problem
with readability.

Cheers,

Alex

On Thu 17 August 2006 13:26, Ryan Barnett wrote:
> Interesting.  I have been wondering the same thing with regards to overall
> performance (clean regular expressions + number of total signatures).  A few
> road blocks that I see preventing more people from trying to consolidate
> their sigs like this are -
>
> 1) Readability - sometimes it becomes hard to read the regexp string (and
> its associated meaning) when you combine many different rules into one.  For
> instance, those users who use the snort2modsec.pl script usually like to see
> the Snort message info for the vuln to clearly understand what this sig is
> looking for.
>
> 2) Signature IDs - this may cause problems with tracking signatures that
> trigger.  Example - I have associated unique sig IDs with every filter
> rule.  This way, when I read the mod_security-message info that gets sent to
> me in email when a rule triggers, I can quickly do a search for the sig ID in
> my rule conf file for the rule that triggered.
>
> Then again, I am sure that there is some middle ground here where
> easy/simple rules could be combined together to help reduce the overhead.
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
>
> On 8/17/06, Ivan Ristic <ivan.ristic <at> gmail.com> wrote:
>>
>> I thought you might find this interesting:
>> http://www.modsecurity.org/blog/archives/2006/08/modsecurity_per.html
>>
>> --
>> Ivan Ristic, Technical Director
>> Thinking Stone, http://www.thinkingstone.com
>> ModSecurity: Open source Web Application Firewall
>>
>> -------------------------------------------------------------------------
>> Using Tomcat but need to do more? Need to support web services,
>> security?
>> Get stuff done quickly with pre-integrated technology to make your job
>> easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache
>> Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users <at> lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>

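A sketch of the conversion script proposed in the message above, as an added example that is not code from the thread or from the ModSecurity project. It assumes the commented layout shown in the message, treats whitespace followed by `#` as the start of a comment, and uses Python's `re` only as an approximate syntax check, since the regex engine ModSecurity is built against may differ; `ARGS` and the keywords in the sample are constructed.

```python
import re

# Constructed sample in the commented layout proposed in the message above;
# ARGS and the keywords are illustrative, not rules from the thread.
SAMPLE = r"""
SecFilterSelective ARGS (
      /etc/passwd|     # Unix password file probe
      cmd\.exe|        # Windows shell invocation
      \.\./\.\.        # directory traversal
)
"""

COMMENT = re.compile(r"\s+#\s*(.*)$")   # whitespace, then '#', starts a comment

def convert(text):
    """Collapse commented multi-line rules into one-line directives."""
    out, head, alts, notes = [], None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if head is None:
            if line.endswith("("):          # e.g. "SecFilterSelective ARGS ("
                head = line[:-1].strip()
            elif line:
                out.append(line)            # ordinary directive: pass through
            continue
        if line == ")":                     # end of block: emit the rule
            pattern = "(" + "|".join(alts) + ")"
            re.compile(pattern)             # sanity check of the combined regex
            # Keep each explanation as a config comment above the directive.
            out += ["# %s: %s" % (a, n) for a, n in zip(alts, notes)]
            out.append('%s "%s"' % (head, pattern.replace('"', '\\"')))
            head, alts, notes = None, [], []
            continue
        m = COMMENT.search(raw)
        body = (raw[:m.start()] if m else raw).strip().rstrip("|").strip()
        if not body or line.startswith("#"):
            continue                        # blank or comment-only line
        try:
            re.compile(body)                # catch a broken alternative early
        except re.error as exc:
            raise ValueError("line %d: %s" % (lineno, exc))
        alts.append(body)
        notes.append(m.group(1) if m else "")
    if head is not None:
        raise ValueError("unterminated block: " + head)
    return "\n".join(out)

if __name__ == "__main__":
    print(convert(SAMPLE))
```

The generated file keeps every per-keyword explanation as a comment line directly above the combined directive. An alternative that must end in a literal `|` is not supported by this sketch, because trailing `|` separators are stripped.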