ModSecurity Breach

Overview

I use Snort to analyse IP traffic, and I have also used it for additional Web security. Snort is an Intrusion Detection System and works at the IP level. Since all HTTP traffic ultimately travels as IP, Snort can be used for HTTP as well. It even comes with a set of rules to intercept and alert on a variety of attacks. However, I felt that it did not meet my requirements for filtering, and I decided to experiment a little and see whether I could do something different. I considered the following approaches:

  • Snort plugin; can be done, but it would not be able to detect and intercept HTTPS attacks, because the traffic is encrypted on the wire where Snort sees it. Besides, the Snort developers will probably continue to enhance the way they handle HTTP.

  • Standalone proxy and HTTP firewall; possible and nice to have as a product, but I did not have that much time on my hands.

  • mod_rewrite; working as part of the Apache web server, mod_rewrite is a good choice because it sits after the SSL layer and so sees decrypted requests. However, it could not do all the things I wanted it to (mostly scanning POST payloads).

  • Custom Apache module; possible, fairly quick and easy.

A quick search showed that several Apache modules with similar intentions already exist (see the page Related Apache modules). But none of them did what I needed, the biggest problem being that they failed to analyse POST payloads.