This document summarizes a talk on web intrusion detection using ModSecurity. The talk discusses the state of web security and intrusion detection, introduces ModSecurity as an open source web application firewall, and discusses how to detect and prevent application attacks. The talk overview includes discussing the problems with web security, different approaches to web intrusion detection including network-based, log-based and web application firewalls, and features of ModSecurity like audit logging and rule-based detection of attacks. The document provides examples of simple and advanced ModSecurity rules.
2. Aim of This Talk
Discuss the state of Web Intrusion Detection
Introduce ModSecurity
Introduce an open source web application
firewall, consisting of Apache and ModSecurity
Discuss what can be done to detect
and prevent application attacks
Web Intrusion Detection with ModSecurity 2 / 50
3. Who Am I?
Developer / architect / administrator, spent a great deal
of time looking at web security issues from different
points of view.
Author of ModSecurity, an open source web firewall /
IDS.
Author of Apache Security, published by O’Reilly in
March 2005.
Founder of Thinking Stone, a web security company.
Web Intrusion Detection with ModSecurity 3 / 50
4. Talk Overview
1. What is the problem?
2. Web intrusion detection approaches
3. Web application firewalls
4. ModSecurity
5. Application-based IDS
Web Intrusion Detection with ModSecurity 4 / 50
5. 1. What Is the
Problem?
Web Intrusion Detection with ModSecurity 5 / 50
6. What is the Problem? (1)
The world is going Web, companies must open
their systems to their customers and partners.
Port 80 is used for everything now.
Web applications, web services.
Classic firewall architectures do not help any
more.
Web Intrusion Detection with ModSecurity 6 / 50
7. Firewalls Do Not Work
Firewall
Application
Database
Web Web
Server
Client Server Application
HTTP Traffic Port 80
Web Intrusion Detection with ModSecurity 7 / 50
8. What is the problem? (2)
Web development is a mess.
Web applications are not secure.
Web application security field is getting there,
but it’s still young.
Web servers do not provide the correct tools
(e.g. auditing).
The awareness is rising but we have a long way
to go.
Web Intrusion Detection with ModSecurity 8 / 50
9. In the Ideal World
Security thought out at the beginning of the project
and throughout.
Security requirements exist, security policy is defined.
Threat modelling is used to discover threats.
Developers trained in application security, a security
specialist is on board.
Code reviews are performed.
Web Intrusion Detection with ModSecurity 9 / 50
10. Back In the Real World
Applications are insecure.
Trivial vulnerabilities demonstrate serious lack of
understanding of the web programming model.
Users want features; security is an afterthought.
Anyone with a browser can break in.
Web Intrusion Detection with ModSecurity 10 / 50
11. Where We Stand (1)
Doing it right from the start is better: developers should
design and develop secure software.
But: it is not possible nor feasible to achieve 100%
security. Even getting close is difficult.
But: you have to use third-party products which are of
unknown quality.
But: you have to live with the existing systems.
Web Intrusion Detection with ModSecurity 11 / 50
12. Where We Stand (2)
The application security community will work to
increase awareness and educate developers.
You can do this within your organisation.
It will take a while.
In the meantime, do anything you can to
increase security.
Web Intrusion Detection with ModSecurity 12 / 50
13. What Can You Do? (1)
By all means, if you can improve the software –
do it!
But it is more likely that you will have to attempt
to increase security from the outside.
It is not easy.
You’ll have to put insecure applications into
secure environments.
Web Intrusion Detection with ModSecurity 13 / 50
14. What Can You Do? (2)
Use threat modelling for deployment to
determine the threats.
Then correct architectural issues that can be
corrected.
Use network design tools to increase security by
limiting exposure.
Web Intrusion Detection with ModSecurity 14 / 50
15. What Can You Do? (3)
At this point many organizations stop, and prefer
to keep their fingers crossed: “It will not
happen to us”.
Intrusions are always possible, it is the
probability you need to worry about.
It depends on your circumstances – are you a
high-profile, high-risk case?
Web Intrusion Detection with ModSecurity 15 / 50
16. What Can You Do? (4)
Monitoring: know what happened.
Detection: know when you are being attacked.
Prevention: stop attacks before they succeed.
Assessment: discover problems before the
attackers do.
Web Intrusion Detection with ModSecurity 16 / 50
17. 2. Web Intrusion
Detection Approaches
Web Intrusion Detection with ModSecurity 17 / 50
18. What is Intrusion Detection?
Intrusion Detection is a method of detecting
attacks by monitoring traffic or system events.
Most people mean N(etwork) IDS when they say
IDS.
But there is also Host-based IDS, and other
hybrid approaches.
Web Intrusion Detection with ModSecurity 18 / 50
19. NIDS Applied to Web
Traffic can be overwhelming.
Encryption (SSL) makes data invisible.
Compression makes data hard to see.
Designed to work at the TCP/IP level, not as
effective for HTTP.
Evasion is a problem.
Bottom line: NIDS is not suitable for application-
level protection.
Web Intrusion Detection with ModSecurity 19 / 50
20. Evolution of NIDS
Deep-inspection Firewalls: vendors are building
HTTP extensions and making improvements.
Application Firewall (a.k.a Application Gateway)
is born.
Web Application Firewall (WAF) is a reverse
proxy with additional security-related features.
Web Intrusion Detection with ModSecurity 20 / 50
21. Batch Web Intrusion Detection
Collect logs at a single location:
Manual collection (cron + scp)
Syslog
Spread toolkit (mod_log_spread)
Run a script periodically to check the logs.
Prevention not possible.
Can go back in time!
Web Intrusion Detection with ModSecurity 21 / 50
22. Log-based IDS in Real-time
Collect logs at a single location using some real time
method (syslog, mod_log_spread).
Tail and analyse the central log file in real-time.
SEC (Simple Event Correlator,
http://kodu.neti.ee/~risto/sec/) may be of help.
Prevention still not possible.
Web Intrusion Detection with ModSecurity 22 / 50
23. 3. Web Application
Firewalls
Web Intrusion Detection with ModSecurity 23 / 50
24. Web Application Firewalls
They understand HTTP very well.
Can be applied selectively to parts of the traffic.
They work after traffic is decrypted, or can
otherwise terminate SSL.
Prevention is possible.
Web Intrusion Detection with ModSecurity 24 / 50
25. Web IDS Strategies (1)
Network-based:
Protects any web server
Works with many servers at once
Web server-based:
Closer to the application
Limited by the web server API
Web Intrusion Detection with ModSecurity 25 / 50
26. Web IDS Strategies (2)
Simple defence:
Supports a limited number of pre-defined defences
Rule-based:
Uses rules to look for known vulnerabilities
Or rules to look for classes of attack
Rely on rule databases
Anomaly-based:
Attempts to figure out what normal operation means
Web Intrusion Detection with ModSecurity 26 / 50
27. Web IDS Strategies (3)
Negative security model:
Deny what might be dangerous.
Do you always know what is dangerous?
Positive security model:
Allow what is known to be safe.
Positive security model is better.
Web Intrusion Detection with ModSecurity 27 / 50
28. Features (1)
Audit logging.
Defend from specific attacks.
Defend from general attacks.
Defend from brute-force attacks.
Web Intrusion Detection with ModSecurity 28 / 50
29. Features (2)
Enforce client-side validation. (Excellent idea!)
Introduce per-session restrictions.
Learn how application works over time, then
create a white list.
Web Intrusion Detection with ModSecurity 29 / 50
30. Evasion Issues
Most IDS systems are watching for patterns and
attackers know that.
There are many ways to obfuscate attack
content to prevent detection and still make it
work.
“DROP/**/TABLE xyz” is a valid SQL query in
MySQL.
Web Intrusion Detection with ModSecurity 30 / 50
31. Evasion Techniques
Mixed case: DeleTe From
Whitespace: DELETE FROM
Self-referencing filenames: /etc/./passwd
Directory backreferences: /etc/xyz/../passwd
Double slashes: /etc//passwd
Escaping: /etc/passwd
…and many others
Web Intrusion Detection with ModSecurity 31 / 50
32. Impedance mismatch
Web application firewalls parse HTTP independently
from the application – that’s where the protection comes
from
But often the way parsing is done is slightly different
Examples:
PHP will ignore spaces at the beginning of variable names
It will also convert all subsequent spaces to underscores
Under some circumstances PHP treats cookies as requests
parameters
Such problems make it more difficult for web application
firewalls to work out of the box
Customisation is necessary
Web Intrusion Detection with ModSecurity 32 / 50
33. OSS vs. Commercial (1)
Commercial:
There are many mature offerings.
Appliance black-boxes.
Can be added to network easily.
Very expensive.
Web Intrusion Detection with ModSecurity 33 / 50
34. OSS vs. Commercial (2)
Open Source:
Do not have all the features of commercial offerings,
but have the ones that are really important.
No nice GUIs yet - you have to get your hands dirty,
understand how it works, and know the components
well.
Web Intrusion Detection with ModSecurity 34 / 50
35. 4. ModSecurity
4. Mod_security
Web Intrusion Detection with ModSecurity 35 / 50
36. ModSecurity
Open source: http://www.modsecurity.org.
GPL and commercial licensing.
Free and commercial support available.
3500 downloads per month in a quiet season;
growing steadily.
Apache version (1.x and 2.x).
Java version (Servlet Filter) at some point in the
future.
Web Intrusion Detection with ModSecurity 36 / 50
37. Embed Into Web Server
Inexpensive and easy to use since no changes
to the network design are required.
But works only for one web server.
No practical impact on performance.
Web Intrusion Detection with ModSecurity 37 / 50
38. Apache-based Web Application Firewall
It is a reverse proxy.
Easy to install and configure.
Created out of default and third-party modules:
mod_proxy
mod_proxy_html
mod_security
Web Intrusion Detection with ModSecurity 38 / 50
39. ModSecurity Features (1)
Audit logging.
Provides access to any part of the request
(request body included) and the response.
Flexible regular expression-based rule engine.
Rules can be combined.
External logic can be invoked.
Supports unlimited number of different policies
(per virtual host, folder, even a single file).
Web Intrusion Detection with ModSecurity 39 / 50
40. ModSecurity Features (2)
Supports file upload interception and real-time
validation (e.g. anti-virus integration).
Anti-evasion built in.
Encoding validation built in.
Buffer overflow protection.
A variety of things to do upon attack detection.
Web Intrusion Detection with ModSecurity 40 / 50
42. Another Example
Well-known problem in many PHP applications:
register_globals.
Prevent with:
SecFilterSelective ARG_authorised "!^$"
SecFilterSelective COOKIE_authorised "!^$"
Web Intrusion Detection with ModSecurity 42 / 50
43. Advanced Rule Example
Prevent the “admin” user from logging from
computers other than his workstation:
SecFilterSelective ARG_username "^admin$" chain
SecFilterSelective REMOTE_ADDR "!^192.168.0.99$"
Web Intrusion Detection with ModSecurity 43 / 50
44. Beware of False Positives!
Some people do this:
SecFilter bin/
But that prevents this:
http://www.xyz.com/cgi-bin/innocent.cgi
You do not have to use it in
prevention mode!
Use detection mode only, until you are sure the
rules are correct.
Web Intrusion Detection with ModSecurity 44 / 50
45. 5. Application-based
intrusion detection
Web Intrusion Detection with ModSecurity 45 / 50
46. Application IDS (1)
Use the application as an IDS.
Applications view data in context.
The closer IDS gets to application logic – the better.
Each software error is a potential attack.
Log events to the application event log.
At the very least use the response codes (500 – error,
403 – permission problem).
Web Intrusion Detection with ModSecurity 46 / 50
47. Application IDS (2)
In Java, create a security Servlet Filter.
In .Net, create a HttpModule.
In PHP, use auto_prepend to execute security
code before the application begins processing.
PHP5 (and PHP4 with the Hardened-PHP patch
applied) has a special hook that allows an
extension to access the parameters before script
is started.
Web Intrusion Detection with ModSecurity 47 / 50
48. Application IDS (3)
It is easy and fast to change libraries.
For example, change the database abstraction
library to detect SQL comments and multiple
queries in a single call.
Web Intrusion Detection with ModSecurity 48 / 50
49. Questions?
Thank you!
Download this presentation from
http://www.thinkingstone.com/talks/
Web Intrusion Detection with ModSecurity 49 / 50