On Thu, 2 Jun 2005, ArkanoiD wrote:

> because it is too hard to convert history to a formal description. Doing it
> not smart enough will lead to the necessity of adding new patterns daily or
> even hourly ;-)

Too hard? Nonsense. If you say you have an assessment of normal patterns,
a two week interval should show you enough to go by to get
some form of template going. Adding the remaining anomalies would be
child's play. New patterns daily or even hourly? My guess is you would
want to be more specific in your question. Is this web traffic only, does
it include, say, VOIP traffic, messenger(s) traffic, DHCP traffic, tunnels?

For httpd-based injection I use mod_security, and I also use
mod_dosevasive, which works just fine. Need a sample mod_security conf? You
could see all the nifty little annoying rules I added to this machine:


Good luck, there are a crapload. And you're on your own viewing redirected
URLs... (You've been warned).

mod_security for httpd works wonders. As for the firewall level, IDS
level, I'm sure if you took the time you could get it working by taking a
snapshot. Anything else sounds like an excuse to avoid going the obvious

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+
J. Oquendo
GPG Key ID 0x97B43D89

"To conquer the enemy without resorting to war is the most
desirable. The highest form of generalship is to conquer
the enemy by strategy." - Sun Tzu
firewall-wizards mailing list
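The sample mod_security configuration the poster pointed at did not survive with the message. The fragment below is an added example, not J. Oquendo's configuration, showing the kind of httpd-level injection blocking and request-rate limiting the post describes. It uses the ModSecurity 2.x rule syntax (SecRule/SecRuleEngine) rather than the 1.x SecFilter directives current in 2005, and mod_dosevasive under its later name mod_evasive (module name evasive20_module). The log paths, rule ids, regexes, thresholds and the whitelisted parameter name are assumptions chosen for illustration.

```apache
# Added example: mod_security (2.x syntax) plus mod_evasive for an Apache vhost.
# Not the original poster's config; paths, ids, patterns and thresholds are assumed.

<IfModule security2_module>
    SecRuleEngine On
    # Inspect POST bodies too, otherwise ARGS only covers the query string.
    SecRequestBodyAccess On
    # Log only transactions that matched a rule, to keep the audit log readable.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Obvious SQL injection tokens in any request parameter (GET or POST).
    SecRule ARGS "@rx (?i:union\s+(all\s+)?select|select\s.+\sfrom|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\s+table)" \
        "id:100001,phase:2,deny,status:403,log,msg:'SQL injection attempt',tag:'injection'"

    # Script injection / reflected XSS payloads in parameters and cookies.
    SecRule ARGS|REQUEST_COOKIES "@rx (?i:<script\b|javascript:|onerror\s*=|onload\s*=)" \
        "id:100002,phase:2,deny,status:403,log,msg:'XSS attempt',tag:'injection'"

    # Directory traversal; decode %2e%2e%2f style encodings before matching.
    SecRule REQUEST_URI|ARGS "@rx (?:\.\./|\.\.\\)" \
        "id:100003,phase:2,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal attempt',tag:'injection'"

    # Rules like these produce false positives on free-text fields. Rather than
    # loosening the regex, exempt the specific parameter (hypothetical name 'comment').
    SecRuleUpdateTargetById 100001 "!ARGS:comment"
</IfModule>

<IfModule evasive20_module>
    DOSHashTableSize    3097
    # More than 5 requests for the same URI within 1 second from one client...
    DOSPageCount        5
    DOSPageInterval     1
    # ...or more than 50 requests to the site within 1 second...
    DOSSiteCount        50
    DOSSiteInterval     1
    # ...earns a 403 for 60 seconds. Keep local health checks out of it.
    DOSBlockingPeriod   60
    DOSLogDir           /var/log/httpd/mod_evasive
    DOSWhitelist        127.0.0.1
</IfModule>
```

Two practical notes. First, deny rules like these block only what the regex anticipates; the fit with the thread's "build a template from history" approach is to run ModSecurity in detection-only mode (SecRuleEngine DetectionOnly) for a couple of weeks, review the audit log, add SecRuleUpdateTargetById exclusions for the parameters that legitimately trip a rule, and only then switch to blocking. Second, mod_evasive counts per client IP, so clients behind a shared proxy or NAT will hit the thresholds together; the limits above are deliberately conservative and should be tuned against the site's own traffic.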