Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
@ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27 An Introduction to ModSecurity and the OWASP Core Rule Set...
Baseline / 1st Line of Defense Safety Belts
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Boring Bio ● Christian Folini / ChrFolini ● Securit...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Plan for Today ● What is a WAF? ● What is ModSecuri...
Web Application Firewalls Complex • Overwhelming • Rarely Functional
ModSecurity Embedded • Rule oriented • Granular Control
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Include in server config (depending on path): Inclu...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Research based on 4.5M Burp requests. CRS3 Default ...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level 1: Minimal number of false positives...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Request Rules REQUEST-910...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Response Rules RESPONSE-9...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level Example: Protocol Enforcement Rules ...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Stricter Siblings Example: Byte Range Enforcement P...
Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Sampling Mode Easing into CRS adoption / limit the ...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 False Positives False Positives are expected from P...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Apache / ModSecurity / CRS Tutorials https://www.ne...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Summary ModSecurity & CRS3 • 1st Line of Defense ag...
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Questions and Answers, Contact Contact: christian.f...
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
Upcoming SlideShare
Loading in …5
×

of

Folini Extended Introduction to ModSecurity and CRS3 Slide 1 Folini Extended Introduction to ModSecurity and CRS3 Slide 2 Folini Extended Introduction to ModSecurity and CRS3 Slide 3 Folini Extended Introduction to ModSecurity and CRS3 Slide 4 Folini Extended Introduction to ModSecurity and CRS3 Slide 5 Folini Extended Introduction to ModSecurity and CRS3 Slide 6 Folini Extended Introduction to ModSecurity and CRS3 Slide 7 Folini Extended Introduction to ModSecurity and CRS3 Slide 8 Folini Extended Introduction to ModSecurity and CRS3 Slide 9 Folini Extended Introduction to ModSecurity and CRS3 Slide 10 Folini Extended Introduction to ModSecurity and CRS3 Slide 11 Folini Extended Introduction to ModSecurity and CRS3 Slide 12 Folini Extended Introduction to ModSecurity and CRS3 Slide 13 Folini Extended Introduction to ModSecurity and CRS3 Slide 14 Folini Extended Introduction to ModSecurity and CRS3 Slide 15 Folini Extended Introduction to ModSecurity and CRS3 Slide 16 Folini Extended Introduction to ModSecurity and CRS3 Slide 17 Folini Extended Introduction to ModSecurity and CRS3 Slide 18 Folini Extended Introduction to ModSecurity and CRS3 Slide 19 Folini Extended Introduction to ModSecurity and CRS3 Slide 20 Folini Extended Introduction to ModSecurity and CRS3 Slide 21 Folini Extended Introduction to ModSecurity and CRS3 Slide 22 Folini Extended Introduction to ModSecurity and CRS3 Slide 23 Folini Extended Introduction to ModSecurity and CRS3 Slide 24 Folini Extended Introduction to ModSecurity and CRS3 Slide 25 Folini Extended Introduction to ModSecurity and CRS3 Slide 26 Folini Extended Introduction to ModSecurity and CRS3 Slide 27
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.
Technology
Nov. 27, 2019
973 views

2 Likes

Share

Download to read offline

Folini Extended Introduction to ModSecurity and CRS3

Download to read offline

Technology
Nov. 27, 2019
973 views

This is a longer slide deck abou WAFs / ModSecurity and CRS I developed for the British Computer Society, presented in London at 2019-11-27.

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(3.5/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(2/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4.5/5)
Free
Wizard:: The Life and Times of Nikolas Tesla Marc Seifer
(2.5/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Crypto Trading, Digital Assets, NFT) Antony Lewis
(3.5/5)
Free
On War: With linked Table of Contents Carl von Clausewitz
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Test Gods: Virgin Galactic and the Making of a Modern Astronaut Nicholas Schmidle
(5/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4.5/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4.5/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(2.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free
A World Without Work: Technology, Automation, and How We Should Respond Daniel Susskind
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4/5)
Free

Folini Extended Introduction to ModSecurity and CRS3

  1. 1. @ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27 An Introduction to ModSecurity and the OWASP Core Rule Set (BCS DevSecOps SG) Christian Folini / @ChrFolini
  2. 2. Baseline / 1st Line of Defense Safety Belts
  3. 3. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead
  4. 4. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives
  5. 5. Web Application Firewalls Complex • Overwhelming • Rarely Functional
  6. 6. ModSecurity Embedded • Rule oriented • Granular Control
  7. 7. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)
  8. 8. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%
  9. 9. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels
  10. 10. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf
  11. 11. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf
  12. 12. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules
  13. 13. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &
  14. 14. Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
  15. 15. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%
  16. 16. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  17. 17. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  18. 18. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  19. 19. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  20. 20. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  21. 21. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  22. 22. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)
  23. 23. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/
  24. 24. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org
  25. 25. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini

  • sbewley

    Nov. 24, 2020

  • JavanRasokat

    Jul. 21, 2020

This is a longer slide deck abou WAFs / ModSecurity and CRS I developed for the British Computer Society, presented in London at 2019-11-27.

Views

Total views

973

On Slideshare

0

From embeds

0

Number of embeds

9

Actions

Downloads

12

Shares

0

Comments

0

Likes

2

×