Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OWASP ModSecurity Core Rules Paranoia Mode

Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straight forward ModSecurity setup which is not threatening an existing productive service. Instead you start with a limited set of rules and then you raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels

  • Login to see the comments

OWASP ModSecurity Core Rules Paranoia Mode

  1. 1. Christian Folini (@ChrFolini) Core Rules Paranoia Mode Zurich, June 10, 2016
  2. 2. WAF SETUPS Naïve • Overwhelmed • Functional
  3. 3. MODSEC Embedded • Rule-Oriented • Granular Control
  4. 4. RULE CONCEPTS Whitelisting • Blacklisting • Positive • Negative
  5. 5. xkcd: #327
  6. 6. Anomaly Scoring Adjustable Limit • False Positives
  7. 7. OWASP ModSecurity Core Rule Set Paranoia Mode : Basic Idea • Assign Rules According to False Positive Rate • Add Strict Siblings to Existing Rules • Introduce Paranoia Levels 1-4
  8. 8. Restricted SQL Chars CRS 2.2.9 : Rule ID 981173 ARGS_NAMES|ARGS|XML:/* "([~!@#$%^&*()-+={}[]|:;"'´’‘`<>].*?){5,}"
  9. 9. Restricted SQL Chars CRS 3.0.0dev : Rule ID 942430pp Paranoia Level 1: no limit Paranoia Level 2: limit 12 ID 942430 Paranoia Level 3: limit 6 ID 942431 Paranoia Level 4: limit 2 ID 942432
  10. 10. Hex Encodings : 0x[0-9a-f] Plan for CRS 3.0.0dev (Rule ID 942450) Paranoia 1: REQUEST_COOKIES_NAMES Paranoia 2: REQUEST_COOKIES
  11. 11. PHP Function Names in CRS 3.0.0dev by Walter Hop
  12. 12. Settings Matrix HIGH LOW LOW HIGH Anomaly Limit Paranoia Level Easing in Standard SITE Are you nuts? High Security
  13. 13. Photo Sources (all licensed via Creative Commons or in the public domain) • Discovery: (by Florian F. / Flowtography) • Watch: (by Bill Adler) • Bamboozled: Hopefully public domain • xkcd: Little Bobby Tables: (by Randall Munroe) • Star Wars Limbo: (by JD Hancock) Christian Folini / @ChrFolini • • •
  14. 14. ModSecurity Course The Key to ModSecurity and the OWASP ModSecurity Core Rules with Christian Folini (@ChrFolini) London 22-23 Sep 2016 (Local trainings available on request: