Apache Mod Security
HAI, DINH
VINAHOST
Agenda
   1. Regular Expression
   2. Rules Usage
   3. Default Action
   4. Chained Actions
   5. Persistent Collection and examples
   6. Transformation Function
   7. Validate Contents
Regular Expression
Regular Expression Usage

 Used to match text by pattern rather than by exact string: particular characters, words, or sequences of characters
Regular Expression Usage

         Email Address Matching
         \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b

         IP Addresses Matching
         \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

         The backslashes were lost when the slides were exported: \b is a word boundary and \. a literal dot, whereas an unescaped "." matches any character. Both patterns come from regular-expressions.info and are written for finding addresses inside a larger text: \b lets them match a substring, and the email pattern only works with case-insensitive matching. To validate a whole field inside a rule, anchor the pattern with ^ and $ instead of \b. The IP pattern also accepts octets with a leading zero, such as 01.2.3.4.

           Testing Tools: Regexpal.com, regular-expressions.info
Rules Usage
Rules Usage

 Use "|" to list several variables: the rule runs against each of them and matches if any one matches (a logical "OR")

 Use "!" to exclude one variable from that list (a logical "NOT")

       SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
           "@validateByteRange 1-255" \
           "log,auditlog,msg:'Invalid character in request',severity:'2',id:'960015',t:urlDecodeUni,phase:1"

   This rule fires on a NUL byte (value 0) anywhere in the request filename, the header names or the header values, except the Referer, which is excluded because browsers copy it verbatim from the linking page. The slide's message text ('Request Missing an Accept Header') belonged to a different rule and did not describe what this operator checks.
Rules Usage

 Use a regular expression as the operator (it is the default operator, @rx, when none is named)

 Use ":" to pick one variable out of a collection, and "&" in front of the variable to count how many such variables exist

       SecRule REQUEST_METHOD "^POST$" \
           "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header'"
       SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"

   The two rules form a chain: the second is evaluated only when the first matched, and the request is denied only when both match, i.e. a POST with no Content-Length header at all. The slide's second rule tested the header's value with "!^0?$", which would fire on every POST that does carry a non-empty Content-Length; counting the header with "&" is what the stated intent needs.

   ModSecurity 2.7 and later reject any rule without an id action; the slides were written against an earlier release and mostly omit it.
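The two regular expressions from the earlier slides and the variable selectors described above, put to work in rules. This is an added example, not code from the slides or from ModSecurity's own rule set; the "email", "comment" and "q" parameter names, the "X-Real-IP" header and the rule ids are assumptions (ids are mandatory from ModSecurity 2.7; numbers below 100000 are the range left for local rules).

```apache
# Added example, not from the slides. Parameter names, the X-Real-IP header and the
# rule ids are assumptions.

# Whole-value check of a form field. (?i) lets the slide's upper-case classes match
# lower-case input, and ^...$ replace \b so the value must BE an address rather than
# merely contain one ("<script>x@example.com" contains one). "!" before the operator
# inverts it, so the rule fires when the value does NOT match.
SecRule ARGS:email "!@rx (?i)^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$" \
    "id:10001,phase:2,t:none,deny,status:400,log,msg:'Malformed email parameter'"

# The slide's IP pattern with the repeated octet written once and anchored. Like the
# original it still accepts octets with a leading zero such as 01.2.3.4.
SecRule REQUEST_HEADERS:X-Real-IP "!@rx ^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$" \
    "id:10002,phase:1,t:none,deny,status:400,log,msg:'X-Real-IP is not a dotted-quad address'"

# ":" selects one member of a collection; "&" counts how many members the selector
# found. The chain fires only for a POST that carries no Content-Length header at all.
SecRule REQUEST_METHOD "@streq POST" \
    "id:10003,phase:1,t:none,chain,deny,status:400,log,msg:'POST without Content-Length'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0"

# "|" lists several targets, "!" removes one from the list, and a selector may itself
# be a regular expression: every header whose name starts with X-, and every argument
# except the free-text comment field, must consist of printable ASCII (bytes 32-126).
# @validateByteRange matches when any byte lies outside the range, hence no "!".
SecRule REQUEST_HEADERS:/^X-/|ARGS|!ARGS:comment "@validateByteRange 32-126" \
    "id:10004,phase:2,t:none,deny,status:400,log,msg:'Non-printable byte in X- header or argument'"
```

ARGS are already URL-decoded once by ModSecurity before any rule sees them, which is why rule 10001 needs no decoding transformation; t:none is still written so that nothing inherited from SecDefaultAction is applied first.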
Default Actions
Default Actions

Set a "default behaviour" for ModSecurity rules: whatever a rule does not specify itself (phase, disruptive action, logging) is taken from the default action list.

Use the SecDefaultAction directive in the configuration file (the slides spell it "SetDefaultAction"; the directive is SecDefaultAction).

The built-in default is phase:2,log,auditlog,pass
Default Actions

       SecDefaultAction phase:2,log,auditlog,pass

   Rule as written                              Rule as ModSecurity applies it
   SecRule REQUEST_URI "abc"                    SecRule REQUEST_URI "abc" "phase:2,log,auditlog,pass"
   SecRule REQUEST_URI "abc" nolog              SecRule REQUEST_URI "abc" "phase:2,nolog,noauditlog,pass"

   nolog also implies noauditlog (the slide showed the second rule keeping auditlog, which is not what happens). To suppress the error-log entry but keep the audit record, write nolog,auditlog in that order.
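A configuration showing how rules inherit from and override the default action list, as an added example that is not part of the slides. The /healthz path, the debug parameter and the rule ids are assumptions.

```apache
# Added example, not from the slides. The /healthz path, the debug parameter and the
# rule ids are assumptions.

# In ModSecurity 2.x the default action list is per phase: a rule inherits the
# SecDefaultAction declared for its own phase, so declare one for every phase you use.
# The list must name a phase and a disruptive action and may not contain id or msg.
SecDefaultAction "phase:1,deny,status:403,log,auditlog"
SecDefaultAction "phase:2,deny,status:403,log,auditlog"

# Names no disruptive action and no logging: inherits deny,status:403,log,auditlog.
# "&" counts the header, so @eq 0 means the header is absent.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:10010,phase:1,t:none,msg:'Request without a User-Agent header'"

# Overrides only what it names: still logged, but "pass" replaces the inherited deny.
SecRule REQUEST_URI "@beginsWith /healthz" \
    "id:10011,phase:1,t:none,pass,msg:'Health check seen'"

# nolog also switches off the audit log; auditlog written after it restores the audit
# record while keeping the error log quiet. pass makes this a record-only rule.
SecRule ARGS:debug "@streq 1" \
    "id:10012,phase:2,t:none,pass,nolog,auditlog,msg:'debug parameter set'"
```

Keep SecDefaultAction lines at the top of the file, or of the virtual host, that the rules live in: a rule only inherits from a SecDefaultAction that precedes it in the same configuration context.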
Chained Actions
Chained Actions

 Group rules together

 Similar to a logical "AND": the chain matches only when every rule in it matches

 Add the "chain" action to every rule except the last one

 The disruptive action (deny, status, ...), the phase and the metadata (id, msg, severity) go on the first rule of the chain only; ModSecurity refuses them on the later rules

 Example:

  SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog,deny,status:406"
  SecRule REQUEST_METHOD "GET" "t:none"

 A GET request carrying any header whose value contains "haidinhtuan" is answered with 406; a POST with the same header is not, because the second rule does not match and so the chain does not.
Persistent Collections
Persistent Collections

 Why persistent collections? The TX collection exists only for the current transaction: once the transaction is complete its variables are discarded. A persistent collection keeps its variables on disk across several transactions.

 Uses:
   1. Monitor client behaviour per IP address
   2. Monitor sessions
   3. Monitor a user's behaviour across requests
   4. Detect session hijacking
   5. Detect denial of service (DoS) attacks
   6. Detect brute-force attacks
Persistent Collections

   IP                              SESSION                         USER
   Created with initcol            Created with setsid             Created with setuid
   Holds variables about one       Holds variables about one       Holds variables about one
   client address                  application session             application user

   (The slide's "setid" is a typo for setuid.) All three are written to files under SecDataDir when the transaction ends.
Persistent Collections

 Define the data directory first, using the SecDataDir directive; it must exist and be writable by the user Apache runs as

 For example:
    SecDataDir /etc/httpd/modsec_data
Persistent Collections

   Limit request rate example: at most 60 requests per client address per minute (the example comes from the ModSecurity reference manual)

      SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
      SecAction "phase:5,deprecatevar:ip.counter=1/1,pass,nolog"
      SecRule IP:COUNTER "@gt 60" "phase:2,pause:300,deny,status:403,skip:1,nolog"
      SecAction "phase:2,pass,setvar:ip.counter=+1,nolog"

   Line by line: open the IP collection keyed on the client address (no phase is given, so the default phase 2 applies); in phase 5 let ip.counter decay by 1 every second; in phase 2 deny after a 300 ms pause once the counter exceeds 60, otherwise fall through to the last rule, which increments it. skip:1 only matters in DetectionOnly mode, where deny does not stop processing and the counter would otherwise keep climbing.

   Caveats: the slide had auditlog on the first two SecActions, which marks every transaction relevant and writes it to the audit log, so nolog is used here as in the manual; ModSecurity 2.7 and later additionally require an id on each line; pause holds an Apache worker for the given time, which helps an attacker exhaust workers rather than hindering one; and behind a reverse proxy REMOTE_ADDR is the proxy's address, so every client shares one counter.
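A second persistent-collection configuration, covering the brute-force and session-hijacking uses listed above with the IP and SESSION collections. It is an added example, not code from the slides or from ModSecurity; the data directory, the /login path, the PHPSESSID cookie name, the thresholds and the rule ids are assumptions.

```apache
# Added example, not from the slides. Paths, the /login URL, the PHPSESSID cookie
# name, thresholds and rule ids are assumptions.

# Must exist and be writable by the Apache user.
SecDataDir /var/lib/modsecurity

# Open (or create) the per-client collection early, in phase 1.
SecAction "id:10030,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Clients that tripped the threshold are refused until ip.bf_block expires. A rule
# whose target variable does not exist simply does not run, so this is a no-op for
# everyone else.
SecRule IP:BF_BLOCK "@eq 1" \
    "id:10031,phase:1,t:none,deny,status:403,log,msg:'Login brute force: %{REMOTE_ADDR} blocked'"

# In phase 5 (logging) the response status is known: a POST to /login answered with
# 401 or 403 counts as a failed attempt. The counter lives 300 s from the last failure.
SecRule REQUEST_METHOD "@streq POST" "id:10032,phase:5,t:none,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /login" "chain"
        SecRule RESPONSE_STATUS "@rx ^40[13]$" \
            "setvar:ip.bf_counter=+1,expirevar:ip.bf_counter=300"

# Five failures inside the window: raise the block flag for 300 s and reset the counter.
SecRule IP:BF_COUNTER "@ge 5" \
    "id:10033,phase:5,t:none,pass,nolog,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:!ip.bf_counter"

# SESSION collection keyed on the application's session cookie. The User-Agent seen
# when the session is first observed is stored; a later request presenting the same
# cookie from a different User-Agent is refused. A careful attacker copies the
# User-Agent too, so this catches careless cookie reuse, not a determined hijack.
SecRule REQUEST_COOKIES:PHPSESSID "!@rx ^$" \
    "id:10034,phase:1,t:none,pass,nolog,setsid:%{REQUEST_COOKIES.PHPSESSID}"
SecRule REQUEST_COOKIES:PHPSESSID "!@rx ^$" "id:10035,phase:1,t:none,pass,nolog,chain"
    SecRule &SESSION:UA "@eq 0" "setvar:session.ua=%{REQUEST_HEADERS.User-Agent}"
SecRule REQUEST_COOKIES:PHPSESSID "!@rx ^$" \
    "id:10036,phase:1,t:none,deny,status:403,log,msg:'Session cookie reused from a different User-Agent',chain"
    SecRule SESSION:UA "!@streq %{REQUEST_HEADERS.User-Agent}"
```

Counting in phase 5 rather than phase 2 is what makes the counter reflect failed logins instead of all logins, because only then has the application produced its status code; the price is that the block takes effect from the client's next request.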
Transformation Functions
Transformation functions

 ModSecurity runs the operator against the exact bytes of a variable

 A transformation function normalises the many ways the same input can be written (letter case, URL encoding, HTML entities, NUL bytes, runs of whitespace) into one canonical form before the operator runs, so the pattern only has to describe that one form
Transformation functions

   Some of the built-in functions (the slide lists three of many):
      lowercase
      replaceNulls (the slide's "replaceNull" is a typo; removeNulls is the related function that deletes NUL bytes instead of replacing them with spaces)
      compressWhitespace

   Functions are given with t: and run in the order listed; start with t:none so that nothing inherited from SecDefaultAction is silently applied first.
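A transformation pipeline walked through on one evasive input, as an added example that is not part of the slides. The "q" parameter, the sample input and the rule id are assumptions; the pipeline stages are ModSecurity's own functions.

```apache
# Added example, not from the slides. The q parameter, the constructed sample input
# and the rule id are assumptions.

# ModSecurity URL-decodes ARGS once before any rule sees them. For a parameter sent as
#     q=U%254EION%2509%2509SEL%2500ECT
# the rule below therefore starts from   U%4EION%09%09SEL%00ECT   and the pipeline,
# run left to right after t:none has discarded anything inherited, produces:
#   t:urlDecodeUni       -> UNION<TAB><TAB>SEL<NUL>ECT   (double encoding undone)
#   t:removeNulls        -> UNION<TAB><TAB>SELECT        (NUL byte dropped)
#   t:compressWhitespace -> UNION SELECT                 (tabs collapsed to one space)
#   t:lowercase          -> union select                 (case folded)
# The regular expression is written for that canonical form only; without the
# pipeline the NUL byte splits SELECT and the upper-case text never matches "union".
SecRule ARGS:q "@rx union\s+select" \
    "id:10040,phase:2,t:none,t:urlDecodeUni,t:removeNulls,t:compressWhitespace,t:lowercase,deny,status:403,log,msg:'SQL keywords in q after normalisation'"
```

Order matters: decoding functions come first, removal and whitespace functions next, and lowercase last, so that a NUL hidden inside a double-encoded keyword is exposed before it is removed.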
Validate Contents
Validate Contents

Operators that check the form of an HTTP request rather than search it for a pattern:

   @validateByteRange        every byte of the input must lie inside the given ranges
   @validateDTD              validate an XML body against a DTD
   @validateSchema           validate an XML body against an XML Schema
   @validateUrlEncoding      validate the URL (percent) encoding of the input
   @validateUtf8Encoding     validate the UTF-8 encoding of the input

Each of these matches when the input is invalid, so a rule that uses one of them together with deny blocks the malformed request.
Validate Byte Range

 Allow only digits in a numeric request header; 48-57 are the ASCII codes of "0" to "9"

 SecRule REQUEST_HEADERS:Content-Length "@validateByteRange 48-57" "phase:1,deny,log,status:403"

 The slide named the header "Content" and placed the rule in phase 4. No standard "Content" header exists, so Content-Length is used here, and phase 4 (response body) runs only after the request has already reached the application; request headers are available from phase 1, so the check belongs there.
Validate DTD

 A Document Type Definition (DTD) is a set of markup declarations that define a document type for an SGML-family markup language (SGML, XML, HTML)

 It defines which elements a document may contain, in what order, and with which attributes
Validate Schema

 A DTD can only declare element content as PCDATA or CDATA, i.e. as text; it cannot constrain what that text is

 An XML Schema describes the data in detail: string, normalizedString, integer, positiveInteger and so on, so an element declared as positiveInteger that contains "abc" or "-1" fails validation where a DTD would accept it
Validate URL Encoding

 RFC 1738 allows only a subset of US-ASCII in a URL; every other byte must be percent-encoded as "%" followed by two hexadecimal digits

 Early HTML was limited to ISO-8859-1 (ISO Latin-1)

 HTML 4 supports Unicode, so non-ASCII form input reaches the server percent-encoded, usually as UTF-8 bytes

 @validateUrlEncoding matches when a "%" is not followed by two hexadecimal digits, catching truncated or deliberately broken encodings before a decoder guesses at them
Validate UTF-8 Encoding

 UTF-8 is used on almost every web server to encode strings and is backward-compatible with ASCII

 Malformed sequences, in particular overlong encodings of ASCII characters such as "/" or "<", are a classic way to slip past pattern-based filters; @validateUtf8Encoding matches on any invalid sequence

      SecRule ARGS "@validateUtf8Encoding"

 As written the rule has no action list of its own, so it inherits SecDefaultAction (by default log and pass); add deny and a status to actually block.
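The five validation operators from this section in one configuration, including the request-body setup that XML validation needs. This is an added example, not code from the slides or from ModSecurity's rule set; the parameter name, the schema and DTD paths, the Content-Type matching and the rule ids are assumptions.

```apache
# Added example, not from the slides. The quantity parameter, the schema and DTD
# paths, and the rule ids are assumptions.

# Body validation of any kind needs the request body buffered.
SecRequestBodyAccess On

# 1. Byte range: an integer field may contain only ASCII digits (48-57 = "0".."9").
#    The operator matches when any byte falls outside the range.
SecRule ARGS:quantity "@validateByteRange 48-57" \
    "id:10050,phase:2,t:none,deny,status:400,log,msg:'quantity is not all digits'"

# 2. URL encoding: check the undecoded request URI, and the body only when it claims
#    to be form-encoded. A multipart or JSON body is not percent-encoded and a stray
#    "%" in it would be a false positive.
SecRule REQUEST_URI "@validateUrlEncoding" \
    "id:10051,phase:1,t:none,deny,status:400,log,msg:'Invalid URL encoding in URI'"
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/x-www-form-urlencoded" \
    "id:10052,phase:2,t:none,t:lowercase,chain,deny,status:400,log,msg:'Invalid URL encoding in body'"
    SecRule REQUEST_BODY "@validateUrlEncoding"

# 3. UTF-8: decoded parameters, their names and header values must be well-formed.
#    Overlong forms and truncated sequences are rejected. Referer is excluded because
#    it repeats whatever the linking page contained.
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" \
    "id:10053,phase:2,t:none,deny,status:400,log,msg:'Invalid UTF-8 encoding'"

# 4/5. XML: hand the body to the XML processor when the Content-Type says XML, refuse
#      bodies the parser could not read, then validate against a schema (or a DTD).
SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:text|application)/xml" \
    "id:10054,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQBODY_ERROR "!@eq 0" \
    "id:10055,phase:2,t:none,deny,status:400,log,msg:'Request body error: %{REQBODY_ERROR_MSG}'"
SecRule XML "@validateSchema /etc/httpd/modsec_data/order.xsd" \
    "id:10056,phase:2,t:none,deny,status:400,log,msg:'XML body does not validate against order.xsd'"
# DTD variant of the same check:
# SecRule XML "@validateDTD /etc/httpd/modsec_data/order.dtd" \
#     "id:10057,phase:2,t:none,deny,status:400,log,msg:'XML body does not validate against order.dtd'"
```

Rule 10055 matters on its own: without it a body the XML processor could not parse produces no XML variable for 10056 to check, and the malformed request would pass through unvalidated.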
Demonstrations
Steps
Thanks for joining me!

Editor's Notes

  1. Test with the site regexpal.com
  2. Disruptive actions: allow, block, deny, drop, pass, proxy, redirect. Chained example (deny and status belong on the first rule of the chain; ModSecurity does not accept disruptive actions on the later rules):
     SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog,deny,status:406"
     SecRule REQUEST_METHOD "GET" "t:none"
  3. Reopen the configuration file at the TX collection part (the Segoe UI font can still be used for Vietnamese text)
  4. Live demo