Using IPS for Web Protection

2,644 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,644
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
34
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Using IPS for Web Protection

  1. 1. Using IPS for Web Protection Alejandro Sánchez Acosta asanchez@s21sec.com   S21SEC
  2. 2. Agenda● Web Protection● Intrusion Detection Systems (IDS)● Active and response IDS.● IPS as Web Protection● Advanced Signatures● Demo● Conclusions
  3. 3. Web Protection● Common risks – (XSS, SQL Injection, Command Execution)● Solutions – Application Firewall  – IDS/IPS
  4. 4. Intrusion Detection Systems (IDS)● Functions: – Capture events – Pattern matching – Detection – Logging● Kind of IDS – HIDS, NIDS and LIDS
  5. 5. Intrusion Prevention Systems (IPS)● Prevention systems.● IDS evolution● Network and application layer.
  6. 6. Firewall extensions● Iptables – String matching – Patch­o­matic – Difficult configuration – Solutions based in iptables and IDS.● snort2c, snort2iptables, snort2pf, etc.
  7. 7. ModSecurity– Developed by Ivan Ristick.– Easy configuration– Can work as reverse proxy using ModProxy.– Works in Application layer.
  8. 8. Snort● Developed by Martin Roesch.● Operation modes  – Sniffer, packet logger, NIDS and IPS.● Output – Binary tcpdump, ASCII, Mysql/Postgresql.
  9. 9. Snort as IPS● Preprocessors – HTTPInspect, Stream4 reassembly.● Web rules configuration● Response protection – (Snort Inline, Snort Divert Mode, Flexresponse)
  10. 10. Web configuration rules● Community rules – Web­misc, web­cgi, web­dos, web­client, sql­ injection, etc.● Snort rules – Custom web snort.org rules.● Bleeding Snort
  11. 11. Cross Site Scripting ● Existing snort signatures: <script>alert(document.cookie)</script> attack:alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting attempt"; flow:to_server,established;  content:"<SCRIPT>"; nocase; classtype:web­application­attack; sid:1497;  rev:6;) <img src=javascript> attack:alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting HTML Image tag set to javascript  attempt"; flow:to_server,established; content:"img src=javascript";  nocase; classtype:web­application­attack; sid:1667; rev:5;)
  12. 12. Easy evasion● Can be trivially evaded using: – <a href="javascript#[code]">  – <div onmouseover="[code]">  – <img src="javascript:[code]">  – <xml src="javascript:[code]">● Solution: Using complex rules
  13. 13. Advanced signatures● Enter PCRE – Perl Compatible Regular Expressions● Greater flexibility● One signature can catch multiple attacks● Lower learning curve for Unix admins – regex is  part of daily life● Regular expressions work with: – Snort IDS – Apache’s mod_security.
  14. 14. Regular expressions samples● XSS: – /((%3D)|(=))[^n]*((%3C)|<)[^n]+((%3E)|>) ● SQL Injection: – /(%27)|()|(­­)|(%23)● Redirection: site=[^(www.fistconference.org)]● Command Execution: /(system|exec)/● Null byte poison: %00● Overflows: /[w]+=[^=]{500,+}&/
  15. 15. Snort Inline● Drop – The drop rule tells iptables to drop the packet and log  it via usual snort ● Sdrop – The sdrop rule tells iptables to drop the packet.  Nothing is logged.● Reject  – The reject rule type tells iptables to drop the packet;  log it via usual snort means; and answer source host.
  16. 16. Replace contents● Replacement: Another option replaces portions of the payload (disabling the  effectiveness of the attack) but allowing the connection to  continue:alert tcp $HOME_NET any -> $EXTERNAL_NET 80(msg:"IIS Exploit";flags: A+;content:"/bin/sh";replace:"/ben/sh";)
  17. 17. Divert Mode● FreeBSD Inline implementation – Use divert sockets and libnet – Integrated in Snort.● Part of snort­inline project – Reset, drop, sdrop and replace.
  18. 18. FlexResponse● Portable implementation● Doesnt support replacement● Rule modification: var RESP_TCP resp:rst_snd; var RESP_TCP_URG resp:rst_all; var RESP_UDP resp:icmp_port,icmp_host;
  19. 19. Conclusion● IDS – Snort: can work as IPS in big environments. – ModSecurity is good if you dont want network  changes.● Response mode – Flexresponse is portable – Inline works only in GNU/Linux – Divert works only in FreeBSD.
  20. 20. Demo● ModSecurity ● Snort web rules using FlexResponse
  21. 21. More information● Get Snort – www.snort.org – www.modsecurity.org
  22. 22. Questions?

×