Splunk and AuditD, Mod_Security WAF

1. Black Magic
Of Web Attacks Detection

2. Tsutomu Shimomura

3. Zachman framework
What
How
Why
When
Who
Where

4. Zachman framework
What
How
Why
When
Who
Where

5. WHY

6. WHY
1. Prepare to be hacked
2. Hack Yourself First
3. Get practical skill, work during night and stress
4. Know how it looks like in our Logs
5. Research how you can See more
6. Research how to put a <<“Canary”>>
7. Think about response

7. Clients :’(
• Clients that have vulnerable Apps and want to have at least
temporary patch
• For SQLi
• XSS
• File Upload
• RCE
• WAF is not a panacea. It’s possible to bypass WAF
• Investigate web attacks in the worth case scenario

8. HOW

9. Analyzing logs vs. full traffic
Problem:
Log files contain only a partial set of the full traffic
going over the network.
Depending on the application which writes
the logs, this can be a full audit trail or just some data.

10. Inputs
1. Layer 3/4 Firewall
2. Web attacks -> Web server LOGs (access log,
error log)
3. Application layer firewall / WAF
4. Advanced Log analysis / SIEM

12. mod_forensics
• The purpose of mod_forensics (available since Versions 1.3.31
and 2.0.50) is to reveal the requests that make the server crash

13. Mod_security
• mod_security is a web application firewall module I developed
for the Apache web server. It is available under the open source
GPL license, with commercial support and commercial licensing
as an option. I originally designed it as a means to obtain a
proper audit log, but it grew to include other security features.

15. Attack detection
1. Anomaly based Detection
2. Rule based Detection (static rules)
1. Positive Security Model
2. Negative Security Model

17. XSS
• Simple attacks contain HTML tags like <h1> or <script>
Recognise :
• ((%3C)<|
• ((%2F)|/)*
• [az09%]+
• ((%3E)|>)
<imgsrc=&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#
39&#88&#83&#83&#39&#41>image 3</a># javascript:alert('XSS')
HTML Tags
javascript, vbscript, expression, applet, meta, xml, blink, link, style, script, embed, object, iframe, frame,
frameset, ilayer, layer, bgsound, title, base
Javascript event handlers (excerpt):onabort, onactivate, onafterprint, onafterupdate, onsubmit, onunload, ...

18. Injection Flaws
Code injection can be any type of code like SQL, LDAP, XPath,
XSLT, HTML, XML and OS command injection. Regexp to
search:
/(')|(%27)|()|(#)|(%23)/ix
/((%27)|('))(select|union|insert|update|delete|replace|

19. Insecure Direct Object Reference
../
/(.|(%|%25)2E)(.|(%|%25)2E)(/|(%|%25)2F||(%|%25)5C)/i
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
" 200 566 "" ""

20. HOW
1. Make sure logging is configured and takes place on all web
servers.
2. Optionally reconfigure logging to log more information than
that configured by default.
3. Collect all logs to a central location.
4. Implement scripts to examine the logs regularly, in real time or
in batch mode (e.g., daily).

21. WHAT

36. Conclusion
1. Detection of web attacks is really HARD, so try harder
2. Often its about Forensics and looking for root-cause, IP, URL,
anomalies, pattern and behavior
3. Detection is impossible within DEFAULT Configurations
4. Additional tools/appliances/modules required to have visibility
5. With Docker you can’t extract logs easily. Attacker can’t
escalate privileges but he can dump data
6. Splunk/ELM is great for quick incident investigation as it’s
Free and allows quickly search for IoC

37. Thank you
nt@underdefense.com