[nycphp-talk] Using an IDS to lock down web apps ...

Hans Zaunere hans at
Wed Aug 27 12:38:52 EDT 2003

Jon Baer wrote:

> i wanted to ask a quick question ...
> does anyone here use an ids (like snort/dragon/etc) to lock down their web
> apps + track anomalies?

Not here.  I've used the packages for the common case, general network integrity, but not specific to the web application.  Strictly log analysis and alerts in the app logic for that.

> it does not seem like a common scenario but after writing a bunch of
> signatures based on mysql error codes it seems like there are no papers on
> it or any advice on the approach ...
> a typical example would be as such tracking down bad login attempts over
> time or bad variable string formatting or submission of a selection not in a
> preformed array, etc.

There was an apache mod posted around these parts that did request verification, although I can't put my finger on it now.  Having an IDS be so deeply knowledgeable about an app, however, may be tricky and costly (in regards to performance and maintenance).
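
The application-log approach discussed in this thread, sketched as an added example that is not part of the original posts: it flags repeated failed logins from one source within a time window, MySQL error codes that suggest malformed input, and submitted values outside an allowed list. The log format, event names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2003-08-27 12:00:01 10.0.0.5 LOGIN_FAIL user=admin
2003-08-27 12:00:09 10.0.0.5 LOGIN_FAIL user=admin
2003-08-27 12:00:15 10.0.0.7 LOGIN_FAIL user=bob
2003-08-27 12:00:20 10.0.0.5 LOGIN_FAIL user=root
2003-08-27 12:01:02 10.0.0.9 DB_ERROR code=1064 page=/search.php
2003-08-27 12:01:30 10.0.0.9 BAD_CHOICE field=state value=ZZ
2003-08-27 12:20:00 10.0.0.7 LOGIN_FAIL user=bob
2003-08-27 12:40:00 10.0.0.7 LOGIN_FAIL user=bob
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+)\s*(.*)$")
# MySQL server error codes that often follow malformed input reaching a query.
SUSPECT_DB_CODES = {"1064": "SQL syntax error", "1054": "unknown column"}
MAX_FAILS, WINDOW = 3, timedelta(minutes=5)  # hypothetical thresholds

def analyze(log_text):
    """Return a list of (timestamp, source, reason) alerts."""
    alerts, fails = [], defaultdict(deque)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, event = m.group(2), m.group(3)
        fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
        if event == "LOGIN_FAIL":
            q = fails[src]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop failures older than the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                alerts.append((ts, src, f"{len(q)} failed logins in window"))
        elif event == "DB_ERROR" and fields.get("code") in SUSPECT_DB_CODES:
            code = fields["code"]
            alerts.append((ts, src, f"MySQL {code}: {SUSPECT_DB_CODES[code]}"))
        elif event == "BAD_CHOICE":
            alerts.append((ts, src, "value not in allowed list: " + fields.get("field", "?")))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```
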


