Ivan Ristic <ivanr@webkreator.com>

Web Intrusion Detection with ModSecurity
2 / 50 Web Intrusion Detection with ModSecurity
Aim of This Talk
Discuss the state of Web Intrusion Detection.
Introduce ModSecurity.
Introduce an open source web application firewall consisting of Apache and ModSecurity.
Discuss what can be done to detect and prevent application attacks.

Who Am I?
Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view.
Author of ModSecurity, an open source web firewall / IDS.
Author of Apache Security, published by O'Reilly in March 2005.
Founder of Thinking Stone, a web security company.

Talk Overview
1. What is the problem?
2. Web intrusion detection approaches
3. Web application firewalls
4. ModSecurity
5. Application-based IDS

1. What Is the Problem?

What is the Problem? (1)
The world is going Web: companies must open their systems to their customers and partners.
Port 80 is used for everything now.
Web applications, web services.
Classic firewall architectures do not help any more.

Firewalls Do Not Work
[Diagram: the firewall lets port 80 HTTP traffic pass straight from the web client to the web server, the application behind it and the database server.]

What is the Problem? (2)
Web development is a mess.
Web applications are not secure.
Web application security field is getting there, but it's still young.
Web servers do not provide the correct tools (e.g. auditing).
The awareness is rising but we have a long way to go.

In the Ideal World
Security thought out at the beginning of the project and throughout.
Security requirements exist, security policy is defined.
Threat modelling is used to discover threats.
Developers trained in application security, a security specialist is on board.
Code reviews are performed.

Back In the Real World
Applications are insecure.
Trivial vulnerabilities demonstrate serious lack of understanding of the web programming model.
Users want features; security is an afterthought.
Anyone with a browser can break in.

Where We Stand (1)
Doing it right from the start is better; developers should design and develop secure software.
But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.
But: you have to use third-party products which are of unknown quality.
But: you have to live with the existing systems.

Where We Stand (2)
The application security community will work to increase awareness and educate developers.
You can do this within your organisation.
It will take a while.
In the meantime, do anything you can to increase security.

What Can You Do? (1)
By all means, if you can improve the software - do it!
But it is more likely that you will have to attempt to increase security from the outside.
It is not easy.
You'll have to put insecure applications into secure environments.

What Can You Do? (2)
Use threat modeling for deployment to determine the threats.
Then correct architectural issues that can be corrected.
Use network design tools to increase security by limiting exposure.

What Can You Do? (3)
At this point many organizations stop, and prefer to keep their fingers crossed: "It will not happen to us".
Intrusions are always possible; it is the probability you need to worry about.
It depends on your circumstances - are you a high-profile, high-risk case?

What Can You Do? (4)
Monitoring: know what happened.
Detection: know when you are being attacked.
Prevention: stop attacks before they succeed.
Assessment: discover problems before the attackers do.

2. Web Intrusion Detection Approaches

What is Intrusion Detection?
Intrusion Detection is a method of detecting attacks by monitoring traffic or system events.
Most people mean (Network) IDS when they say IDS.
But there is also Host-based IDS, and other hybrid approaches.

NIDS Applied to Web
Traffic can be overwhelming.
Encryption (SSL) makes data invisible.
Compression makes data hard to see.
Designed to work at the TCP/IP level, not as effective for HTTP.
Evasion is a problem.
Bottom line: NIDS is not suitable for application-level protection.

Evolution of NIDS
Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements.
Application Firewall (a.k.a. Application Gateway) is born.
Web Application Firewall (WAF) is a reverse proxy with additional security-related features.

Batch Web Intrusion Detection
Collect logs at a single location:
  Manual collection (cron + scp)
  Syslog
  Spread toolkit (mod_log_spread)
Run a script periodically to check the logs.
Prevention not possible.
Can go back in time!

Log-based IDS in Real-time
Collect logs at a single location using some real time method (syslog, mod_log_spread).
Tail and analyse the central log file in real-time.
SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.
Prevention still not possible.
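A log-based detector of the kind these two slides describe, as an added example that is not part of the original talk: it parses Apache combined-format lines (a constructed sample is embedded), matches the decoded request URI against a few signatures in the spirit of the SecFilter rules shown later, and correlates repeated 401/403 responses per client IP to flag brute force. The signature set, the thresholds and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote_plus

# Apache "combined" log format, as written by a default CustomLog directive.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed signatures, in the spirit of the SecFilter examples later in the talk.
SIGNATURES = [
    ("xss", re.compile(r"<script", re.IGNORECASE)),
    ("sqli", re.compile(r"\bDELETE\s+FROM\b", re.IGNORECASE)),
    ("traversal", re.compile(r"\.\./")),
]

# Brute-force correlation: this many 401/403 responses from one client IP
# inside the window raise an alert (thresholds assumed for the example).
BRUTE_FORCE_THRESHOLD = 3
BRUTE_FORCE_WINDOW_SECONDS = 60


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


class LogIDS:
    """Stateful analyser: feed it lines as `tail -f` delivers them."""

    def __init__(self):
        self.failures = defaultdict(deque)   # client IP -> timestamps of 401/403s

    def feed(self, line):
        """Analyse one log line and return the alerts it raised."""
        rec = parse_line(line)
        if rec is None:
            return [("unparsable", line.rstrip())]
        alerts = []
        # Decode once before matching so %3C cannot hide "<script".
        uri = unquote_plus(rec["uri"])
        for name, pattern in SIGNATURES:
            if pattern.search(uri):
                alerts.append((name, rec["ip"], uri))
        if rec["status"] in (401, 403):
            window = self.failures[rec["ip"]]
            window.append(rec["when"])
            # Expire failures that fell out of the time window.
            while (rec["when"] - window[0]).total_seconds() > BRUTE_FORCE_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("brute-force", rec["ip"], f"{len(window)} auth failures"))
        return alerts


def analyse(lines):
    """Run the detector over an iterable of log lines; return all alerts."""
    ids = LogIDS()
    alerts = []
    for line in lines:
        alerts.extend(ids.feed(line))
    return alerts


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2005:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Mar/2005:10:00:02 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2005:10:00:03 +0000] "GET /admin/ HTTP/1.1" 401 -',
    '198.51.100.7 - - [10/Mar/2005:10:00:04 +0000] "GET /admin/ HTTP/1.1" 401 -',
    '198.51.100.7 - - [10/Mar/2005:10:00:05 +0000] "GET /admin/ HTTP/1.1" 401 -',
    '203.0.113.5 - - [10/Mar/2005:10:00:06 +0000] "GET /item.php?id=1;DELETE+FROM+users HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

Fed line by line from `tail -f` (or from SEC), this detects but cannot prevent: by the time the line is written the response has already left the server, which is the point the slide makes. The brute-force alert repeats on every further failure inside the window, so a real deployment would suppress duplicates.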


3. Web Application Firewalls

Web Application Firewalls
They understand HTTP very well.
Can be applied selectively to parts of the traffic.
They work after traffic is decrypted, or can otherwise terminate SSL.
Prevention is possible.

Web IDS Strategies (1)
Network-based:
  Protects any web server
  Works with many servers at once
Web server-based:
  Closer to the application
  Limited by the web server API

Web IDS Strategies (2)
Simple defence:
  Supports a limited number of pre-defined defences
Rule-based:
  Uses rules to look for known vulnerabilities
  Or rules to look for classes of attack
  Rely on rule databases
Anomaly-based:
  Attempts to figure out what normal operation means

Web IDS Strategies (3)
Negative security model:
  Deny what might be dangerous.
  Do you always know what is dangerous?
Positive security model:
  Allow what is known to be safe.
Positive security model is better.

Features (1)
Audit logging.
Defend from specific attacks.
Defend from general attacks.
Defend from brute-force attacks.

Features (2)
Enforce client-side validation. (Excellent idea!)
Introduce per-session restrictions.
Learn how the application works over time, then create a white list.

Evasion Issues
Most IDS systems are watching for patterns and attackers know that.
There are many ways to obfuscate attack content to prevent detection and still make it work.
"DROP/**/TABLE xyz" is a valid SQL query in MySQL.

Evasion Techniques
Mixed case: DeleTe From
Whitespace: DELETE   FROM
Self-referencing filenames: /etc/./passwd
Directory backreferences: /etc/xyz/../passwd
Double slashes: /etc//passwd
Escaping: /etc/passw\d
...and many others
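The anti-evasion step a web IDS needs to cope with the two slides above, as an added example that is not code from the talk or from ModSecurity: every rule is matched against a canonical form of the input rather than the raw bytes, so each of the listed spellings collapses to the one the rule was written for. The rule set and the URL-encoded variant at the end of the sample list are assumptions.

```python
import re
from urllib.parse import unquote

SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize_path(path):
    """Reduce a path to one canonical spelling before it is matched.

    Covers the slide's evasions: "/etc/./passwd", "/etc/xyz/../passwd",
    "/etc//passwd" and the escaped "/etc/passw\\d", plus URL encoding.
    """
    path = unquote(path)            # %2e -> "." and so on
    path = path.replace("\\", "")   # drop escaping backslashes
    parts = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                # "//" and "/./" add nothing
        if segment == "..":
            if parts:
                parts.pop()         # back-reference discards the previous segment
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def normalize_text(text):
    """Canonical form for SQL-like payloads: decode, strip /* */ comments,
    collapse runs of whitespace, lower-case."""
    text = unquote(text)
    text = SQL_COMMENT_RE.sub(" ", text)
    text = re.sub(r"\s+", " ", text)
    return text.strip().lower()


# Rules are written against the canonical form only. Each is tagged with the
# normaliser that applies to it (assumed rule set, for illustration).
RULES = {
    "passwd-read": ("path", re.compile(r"^/etc/passwd$")),
    "sql-drop":    ("text", re.compile(r"\bdrop table\b")),
    "sql-delete":  ("text", re.compile(r"\bdelete from\b")),
}


def detect_naive(value):
    """Pattern matching on the raw value, the way a plain signature would."""
    return [name for name, (_, rx) in RULES.items() if rx.search(value)]


def detect(value):
    """Pattern matching after canonicalisation: the anti-evasion step."""
    canonical = {"path": normalize_path(value), "text": normalize_text(value)}
    return [name for name, (kind, rx) in RULES.items() if rx.search(canonical[kind])]


# Constructed evasion samples: the slide's list plus one URL-encoded variant.
EVASIONS = [
    "DeleTe From",            # mixed case
    "DELETE   FROM",          # extra whitespace
    "DROP/**/TABLE xyz",      # inline comment as whitespace (valid in MySQL)
    "/etc/./passwd",          # self-referencing directory
    "/etc/xyz/../passwd",     # directory back-reference
    "/etc//passwd",           # double slash
    "/etc/passw\\d",          # shell-style escaping
    "/etc/%2e/passwd",        # URL-encoded self-reference
]

if __name__ == "__main__":
    for sample in EVASIONS:
        print(f"{sample!r:24} naive={detect_naive(sample)} canonical={detect(sample)}")
```

Canonicalisation carries its own caveats: decoding once is right only for data the web server decodes once, and stripping comments inside string literals changes meaning, so the transformations have to mirror what the protected application actually does with the bytes.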


Impedance mismatch
Web application firewalls parse HTTP independently from the application - that's where the protection comes from.
But often the way parsing is done is slightly different.
Examples:
  PHP will ignore spaces at the beginning of variable names.
  It will also convert all subsequent spaces to underscores.
  Under some circumstances PHP treats cookies as request parameters.
Such problems make it more difficult for web application firewalls to work out of the box.
Customisation is necessary.

OSS vs. Commercial (1)
Commercial:
  There are many mature offerings.
  Appliance black-boxes.
  Can be added to network easily.
  Very expensive.

OSS vs. Commercial (2)
Open Source:
  Do not have all the features of commercial offerings, but have the ones that are really important.
  No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well.

4. ModSecurity

ModSecurity
Open source: http://www.modsecurity.org.
GPL and commercial licensing.
Free and commercial support available.
~500 downloads per month in a quiet season; growing steadily.
Apache version (1.x and 2.x).
Java version (Servlet Filter) at some point in the future.

Embed Into Web Server
Inexpensive and easy to use since no changes to the network design are required.
But works only for one web server.
No practical impact on performance.

Apache-based Web Application Firewall
It is a reverse proxy.
Easy to install and configure.
Created out of default and third-party modules:
  mod_proxy
  mod_proxy_html
  mod_security

ModSecurity Features (1)
Audit logging.
Provides access to any part of the request (request body included) and the response.
Flexible regular expression-based rule engine.
Rules can be combined.
External logic can be invoked.
Supports unlimited number of different policies (per virtual host, folder, even a single file).

ModSecurity Features (2)
Supports file upload interception and real-time validation (e.g. anti-virus integration).
Anti-evasion built in.
Encoding validation built in.
Buffer overflow protection.
A variety of things to do upon attack detection.

Simple Rule Examples
Prevent JavaScript injection:
  SecFilter "<script"
Prevent SQL injection:
  SecFilter "DELETE[[:space:]]+FROM"

Another Example
Well-known problem in many PHP applications: register_globals.
Prevent with:
  SecFilterSelective ARG_authorised "!^$"
  SecFilterSelective COOKIE_authorised "!^$"
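Why the impedance mismatch described two slides earlier matters for the register_globals rules on this slide, as an added example that is not from the talk: a filter that keys on the parameter name exactly as sent misses a request whose name carries a leading space, while PHP strips that space and registers the very variable the rule was meant to block. The request strings are constructed; the dot-to-underscore rule is PHP's documented behaviour, added beyond what the slide lists.

```python
from urllib.parse import parse_qsl


def php_variable_name(raw_name):
    """Mimic how PHP derives a variable name from an incoming parameter name.

    The slide's two rules: leading spaces are ignored and later spaces become
    underscores. PHP also maps "." to "_" (documented PHP behaviour, added here).
    """
    name = raw_name.lstrip(" ")
    return name.replace(" ", "_").replace(".", "_")


def wire_args(query):
    """Parameters exactly as they travel on the wire (what a naive WAF matches on)."""
    return dict(parse_qsl(query, keep_blank_values=True))


def php_args(query):
    """The same parameters as PHP registers them in $_GET and, with
    register_globals on, as plain variables such as $authorised."""
    return {php_variable_name(k): v for k, v in wire_args(query).items()}


def rule_authorised_set(args):
    """SecFilterSelective ARG_authorised "!^$": fire when the parameter is present and non-empty."""
    return args.get("authorised", "") != ""


def check(query, canonicalize=False):
    """Return (waf_fires, php_affected) for one query string.

    With canonicalize=True the WAF normalises parameter names the way PHP
    will, so the two views agree; without it, the request slips past.
    """
    waf_view = php_args(query) if canonicalize else wire_args(query)
    return rule_authorised_set(waf_view), rule_authorised_set(php_args(query))


# Constructed requests (not from the original talk).
REQUESTS = [
    "authorised=1",      # plain attempt: the rule catches it
    "%20authorised=1",   # leading space: PHP strips it, a naive WAF does not
    "+authorised=1",     # "+" decodes to a space, same effect
    "authorised=",       # empty value: neither PHP nor the rule cares
]

if __name__ == "__main__":
    for q in REQUESTS:
        print(f"{q:18} naive={check(q)} canonical={check(q, canonicalize=True)}")
```

This is the customisation the impedance-mismatch slide calls for: the WAF must apply the same name transformation as the application behind it, or its positive-model rules protect a parameter the application never sees under that name.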
Advanced Rule Example
Prevent the "admin" user from logging in from computers other than his workstation:
  SecFilterSelective ARG_username "^admin$" chain
  SecFilterSelective REMOTE_ADDR "!^192\.168\.0\.99$"

Beware of False Positives!
Some people do this:
  SecFilter bin/
But that prevents this:
  http://www.xyz.com/cgi-bin/innocent.cgi
You do not have to use it in prevention mode!
Use detection mode only, until you are sure the rules are correct.

5. Application-based Intrusion Detection

Application IDS (1)
Use the application as an IDS.
Applications view data in context.
The closer IDS gets to application logic - the better.
Each software error is a potential attack.
Log events to the application event log.
At the very least use the response codes (500 - error, 403 - permission problem).

Application IDS (2)
In Java, create a security Servlet Filter.
In .Net, create a HttpModule.
In PHP, use auto_prepend_file to execute security code before the application begins processing.
PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before the script is started.

Application IDS (3)
It is easy and fast to change libraries.
For example, change the database abstraction library to detect SQL comments and multiple queries in a single call.
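An instance of the library swap described above, as an added example rather than the talk's own code: a thin wrapper around the database connection (sqlite3 here, chosen so the example runs offline) scans each statement for comment markers and stacked queries that appear outside string literals, records a security event, and refuses to execute. The table, rows and injected strings are constructed.

```python
import sqlite3


class SqlInjectionAttempt(Exception):
    """Raised by the guarded database layer; the application logs it as a security event."""


def scan_sql(sql):
    """Return (kind, offset) findings for comment markers and statement
    separators that appear OUTSIDE string literals.

    Handles '...' and "..." literals with a doubled quote as the escape; it
    does not know about backslash escapes or backtick identifiers (assumed dialect).
    """
    findings = []
    quote = None
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if quote is not None:
            if c == quote:
                if i + 1 < n and sql[i + 1] == quote:
                    i += 2                   # doubled quote inside the literal
                    continue
                quote = None
            i += 1
            continue
        if c in ("'", '"'):
            quote = c
        elif sql.startswith("--", i) or sql.startswith("/*", i) or c == "#":
            findings.append(("comment", i))  # SQL, C-style and MySQL-style comments
        elif c == ";" and sql[i + 1:].strip():
            findings.append(("multiple-statements", i))
        i += 1
    return findings


class GuardedDB:
    """Drop-in replacement for the application's query function: refuses and
    records anything that looks like an injected comment or stacked query."""

    def __init__(self, conn):
        self.conn = conn
        self.events = []    # what the application would write to its event log

    def query(self, sql, params=()):
        findings = scan_sql(sql)
        if findings:
            self.events.append({"sql": sql, "findings": findings})
            raise SqlInjectionAttempt(findings)
        return self.conn.execute(sql, params).fetchall()


def demo():
    """Constructed scenario: one legitimate query and two concatenation-style
    injections. Returns (legit_rows, blocked_kinds, event_count)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    db = GuardedDB(conn)
    # A comment marker inside a literal is data, not a comment: must pass.
    rows = db.query("SELECT name FROM users WHERE role = 'admin' AND name <> '--x'")
    injected = [
        "SELECT name FROM users WHERE name = 'x' OR 1=1 -- '",
        "SELECT name FROM users WHERE name = 'x'; DELETE FROM users; -- '",
    ]
    blocked = []
    for sql in injected:
        try:
            db.query(sql)
        except SqlInjectionAttempt as exc:
            blocked.append(exc.args[0][0][0])   # kind of the first finding
    return rows, blocked, len(db.events)


if __name__ == "__main__":
    print(demo())
```

The wrapper is a detector for code that still builds SQL by concatenation; parameterised queries remain the fix. Hand-written SQL sometimes contains legitimate comments, so run it in logging-only mode first, as the talk advises for WAF rules.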
Thank you!
Download this presentation from http://www.thinkingstone.com/talks/
Questions?
