Has anyone used/using this module ? What are your thoughts about it. Seems to me that what it provides is pretty important if you are concerned about preventing the possiblity of HTTP intrusion.

# Request filtering; incoming requests are analysed as they come in, and before they get handled by the web server or other modules.

# Anti-evasion techniques; paths and parameters are normalised before analysis takes place in order to fight evasion techniques.

# Understanding of the HTTP protocol; since the engine understands HTTP, it performs very specific and fine granulated filtering.

# POST payload analysis; the engine will intercept the contents transmitted using the POST method, too.

# Audit logging; full details of every request (including POST) can be logged for later analysis.

# HTTPS filtering; since the engine is embedded in the web server, it gets access to request data after decryption takes place.


http://www.modsecurity.org/projects/modsecurity/apache/index.html

Never used it. Seems like it could add a lot of overhead to the web server though.

Maybe . Maybe not . How would you test the performance hit that this module might cause?

The Apache benchmarking tool?
http://httpd.apache.org/docs-2.0/programs/ab.html

You'd have to put a little brain sweat into building a test around the tool, though.

Yea i'm not really interested in testing the performance of the tool itself, but benchmarking how much resources it takes to run it is much simpler :)

http://www.thinkingstone.com/talks/Challenges_of_Web_Intrusion_Detection.swf