Your SlideShare is downloading. ×
0
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Using IPS for Web Protection
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Using IPS for Web Protection

2,269

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,269
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
19
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Using IPS for Web Protection Alejandro Sánchez Acosta asanchez@s21sec.com   S21SEC
  • 2. Agenda● Web Protection● Intrusion Detection Systems (IDS)● Active and response IDS.● IPS as Web Protection● Advanced Signatures● Demo● Conclusions
  • 3. Web Protection● Common risks – (XSS, SQL Injection, Command Execution)● Solutions – Application Firewall  – IDS/IPS
  • 4. Intrusion Detection Systems (IDS)● Functions: – Capture events – Pattern matching – Detection – Logging● Kind of IDS – HIDS, NIDS and LIDS
  • 5. Intrusion Prevention Systems (IPS)● Prevention systems.● IDS evolution● Network and application layer.
  • 6. Firewall extensions● Iptables – String matching – Patch­o­matic – Difficult configuration – Solutions based in iptables and IDS.● snort2c, snort2iptables, snort2pf, etc.
  • 7. ModSecurity– Developed by Ivan Ristick.– Easy configuration– Can work as reverse proxy using ModProxy.– Works in Application layer.
  • 8. Snort● Developed by Martin Roesch.● Operation modes  – Sniffer, packet logger, NIDS and IPS.● Output – Binary tcpdump, ASCII, Mysql/Postgresql.
  • 9. Snort as IPS● Preprocessors – HTTPInspect, Stream4 reassembly.● Web rules configuration● Response protection – (Snort Inline, Snort Divert Mode, Flexresponse)
  • 10. Web configuration rules● Community rules – Web­misc, web­cgi, web­dos, web­client, sql­ injection, etc.● Snort rules – Custom web snort.org rules.● Bleeding Snort
  • 11. Cross Site Scripting ● Existing snort signatures: <script>alert(document.cookie)</script> attack:alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting attempt"; flow:to_server,established;  content:"<SCRIPT>"; nocase; classtype:web­application­attack; sid:1497;  rev:6;) <img src=javascript> attack:alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting HTML Image tag set to javascript  attempt"; flow:to_server,established; content:"img src=javascript";  nocase; classtype:web­application­attack; sid:1667; rev:5;)
  • 12. Easy evasion● Can be trivially evaded using: – <a href="javascript#[code]">  – <div onmouseover="[code]">  – <img src="javascript:[code]">  – <xml src="javascript:[code]">● Solution: Using complex rules
  • 13. Advanced signatures● Enter PCRE – Perl Compatible Regular Expressions● Greater flexibility● One signature can catch multiple attacks● Lower learning curve for Unix admins – regex is  part of daily life● Regular expressions work with: – Snort IDS – Apache’s mod_security.
  • 14. Regular expressions samples● XSS: – /((%3D)|(=))[^n]*((%3C)|<)[^n]+((%3E)|>) ● SQL Injection: – /(%27)|()|(­­)|(%23)● Redirection: site=[^(www.fistconference.org)]● Command Execution: /(system|exec)/● Null byte poison: %00● Overflows: /[w]+=[^=]{500,+}&/
  • 15. Snort Inline● Drop – The drop rule tells iptables to drop the packet and log  it via usual snort ● Sdrop – The sdrop rule tells iptables to drop the packet.  Nothing is logged.● Reject  – The reject rule type tells iptables to drop the packet;  log it via usual snort means; and answer source host.
  • 16. Replace contents● Replacement: Another option replaces portions of the payload (disabling the  effectiveness of the attack) but allowing the connection to  continue:alert tcp $HOME_NET any -> $EXTERNAL_NET 80(msg:"IIS Exploit";flags: A+;content:"/bin/sh";replace:"/ben/sh";)
  • 17. Divert Mode● FreeBSD Inline implementation – Use divert sockets and libnet – Integrated in Snort.● Part of snort­inline project – Reset, drop, sdrop and replace.
  • 18. FlexResponse● Portable implementation● Doesnt support replacement● Rule modification: var RESP_TCP resp:rst_snd; var RESP_TCP_URG resp:rst_all; var RESP_UDP resp:icmp_port,icmp_host;
  • 19. Conclusion● IDS – Snort: can work as IPS in big environments. – ModSecurity is good if you dont want network  changes.● Response mode – Flexresponse is portable – Inline works only in GNU/Linux – Divert works only in FreeBSD.
  • 20. Demo● ModSecurity ● Snort web rules using FlexResponse
  • 21. More information● Get Snort – www.snort.org – www.modsecurity.org
  • 22. Questions?

×