Monday, October 08, 2007

Updated Modsecurity rules by converting Snort rules

Using the tool shown here, I was able to convert the latest snort rules into Modsecurity rules!

Previous to this, I'd created my own (crude) rules that blocked most of the traffic I had concerns about, but I wanted something more. I converted the latest Snort rules to Modsecurity rules, ending up with 852 new Modsecurity rules (12 of which I created).

This is already paying off. I'm seeing a good bit of rejected or warning-type (but passing) traffic. Also, the web rejections are actually triggering Snort alerts (attack responses), which is great, as it gives me more data to investigate when perusing my Snort logs.

I also had issues with maybe 7 of the converted rules. I've yet to look at why they wouldn't work without Apache erroring out, but I've disabled them. I'll take a look at them sometime soon.


No comments: