Again, it is a reasonable approach when protecting a server, but does not work
at all when protecting a client. At least the ruleset you refer to.

On Thu, Jun 02, 2005 at 04:01:22PM -0400, J. Oquendo wrote:
>
> On Thu, 2 Jun 2005, ArkanoiD wrote:
>
> > because it is too hard to convert history to a formal description. doing it
> > not smart enough will lead to necessity of adding new patterns daily or
> > even hourly ;-)
>
> Too hard? Nonsense. If you say you have an assessment of normal patterns,
> a two week interval would show you enough you would need to go by to get
> some form of template going. Adding the remaining anomalies would be
> child's play. New patterns daily or even hourly? My guess is you would
> want to be more specific in your question. Is this web traffic only, does
> it include say VOIP traffic, messenger(s) traffic, DHCP traffic, tunnels?
>
> For httpd based injection I use mod_security, and I also use
> mod_dosevasive which work just fine. Need a sample mod_security conf you
> could see all the nifty little annoying rules I added to this machine:
>
> www.infiltrated.net/modsecrules
>
> Good luck, there are a crapload. And you're on your own viewing redirected
> URLs... (You've been warned).
>
> mod_security for httpd works wonders. As for the firewall level, IDS
> level, I'm sure if you took the time you could get it working by taking a
> snapshot. Anything else sounds like an excuse to avoid going the obvious
> route.
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ =+
> J. Oquendo
> GPG Key ID 0x97B43D89
> http://pgp.mit.edu:11371/pks/lookup?...rch=0x97B43D89
>
> To conquer the enemy without resorting to war is the most
> desirable. The highest form of generalship is to conquer
> the enemy by strategy." - Sun Tzu


_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards