SlideShare ist ein Scribd-Unternehmen logo

Web Intrusion Detection with ModSecurity: An Introduction to Application-Level Protection

Abhishek Singh
Abhishek Singh

This document summarizes a talk on web intrusion detection using ModSecurity. The talk discusses the state of web security and intrusion detection, introduces ModSecurity as an open source web application firewall, and discusses how to detect and prevent application attacks. The talk overview includes discussing the problems with web security, different approaches to web intrusion detection including network-based, log-based and web application firewalls, and features of ModSecurity like audit logging and rule-based detection of attacks. The document provides examples of simple and advanced ModSecurity rules.

Technologie
1 von 49
Web Intrusion Detection with ModSecurity Ivan Ristic <ivanr@webkreator.com>
Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application firewall, consisting of Apache and ModSecurity Discuss what can be done to detect and prevent application attacks Web Intrusion Detection with ModSecurity 2 / 50
Who Am I?  Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view.  Author of ModSecurity, an open source web firewall / IDS.  Author of Apache Security, published by O’Reilly in March 2005.  Founder of Thinking Stone, a web security company. Web Intrusion Detection with ModSecurity 3 / 50
Talk Overview 1. What is the problem? 2. Web intrusion detection approaches 3. Web application firewalls 4. ModSecurity 5. Application-based IDS Web Intrusion Detection with ModSecurity 4 / 50
1. What Is the Problem? Web Intrusion Detection with ModSecurity 5 / 50
What is the Problem? (1) The world is going Web, companies must open their systems to their customers and partners. Port 80 is used for everything now. Web applications, web services. Classic firewall architectures do not help any more. Web Intrusion Detection with ModSecurity 6 / 50
Firewalls Do Not Work Firewall Application Database Web Web Server Client Server Application HTTP Traffic Port 80 Web Intrusion Detection with ModSecurity 7 / 50
What is the problem? (2) Web development is a mess. Web applications are not secure. Web application security field is getting there, but it’s still young. Web servers do not provide the correct tools (e.g. auditing). The awareness is rising but we have a long way to go. Web Intrusion Detection with ModSecurity 8 / 50
In the Ideal World  Security thought out at the beginning of the project and throughout.  Security requirements exist, security policy is defined.  Threat modelling is used to discover threats.  Developers trained in application security, a security specialist is on board.  Code reviews are performed. Web Intrusion Detection with ModSecurity 9 / 50
Back In the Real World Applications are insecure. Trivial vulnerabilities demonstrate serious lack of understanding of the web programming model. Users want features; security is an afterthought. Anyone with a browser can break in. Web Intrusion Detection with ModSecurity 10 / 50
Where We Stand (1)  Doing it right from the start is better: developers should design and develop secure software.  But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.  But: you have to use third-party products which are of unknown quality.  But: you have to live with the existing systems. Web Intrusion Detection with ModSecurity 11 / 50
Where We Stand (2) The application security community will work to increase awareness and educate developers. You can do this within your organisation. It will take a while. In the meantime, do anything you can to increase security. Web Intrusion Detection with ModSecurity 12 / 50
What Can You Do? (1) By all means, if you can improve the software – do it! But it is more likely that you will have to attempt to increase security from the outside. It is not easy. You’ll have to put insecure applications into secure environments. Web Intrusion Detection with ModSecurity 13 / 50
What Can You Do? (2) Use threat modelling for deployment to determine the threats. Then correct architectural issues that can be corrected. Use network design tools to increase security by limiting exposure. Web Intrusion Detection with ModSecurity 14 / 50
What Can You Do? (3) At this point many organizations stop, and prefer to keep their fingers crossed: “It will not happen to us”. Intrusions are always possible, it is the probability you need to worry about. It depends on your circumstances – are you a high-profile, high-risk case? Web Intrusion Detection with ModSecurity 15 / 50
What Can You Do? (4) Monitoring: know what happened. Detection: know when you are being attacked. Prevention: stop attacks before they succeed. Assessment: discover problems before the attackers do. Web Intrusion Detection with ModSecurity 16 / 50
2. Web Intrusion Detection Approaches Web Intrusion Detection with ModSecurity 17 / 50
What is Intrusion Detection? Intrusion Detection is a method of detecting attacks by monitoring traffic or system events. Most people mean N(etwork) IDS when they say IDS. But there is also Host-based IDS, and other hybrid approaches. Web Intrusion Detection with ModSecurity 18 / 50
NIDS Applied to Web Traffic can be overwhelming. Encryption (SSL) makes data invisible. Compression makes data hard to see. Designed to work at the TCP/IP level, not as effective for HTTP. Evasion is a problem. Bottom line: NIDS is not suitable for application- level protection. Web Intrusion Detection with ModSecurity 19 / 50
Evolution of NIDS Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements. Application Firewall (a.k.a Application Gateway) is born. Web Application Firewall (WAF) is a reverse proxy with additional security-related features. Web Intrusion Detection with ModSecurity 20 / 50
Batch Web Intrusion Detection Collect logs at a single location: Manual collection (cron + scp) Syslog Spread toolkit (mod_log_spread) Run a script periodically to check the logs. Prevention not possible. Can go back in time! Web Intrusion Detection with ModSecurity 21 / 50
Log-based IDS in Real-time  Collect logs at a single location using some real time method (syslog, mod_log_spread).  Tail and analyse the central log file in real-time.  SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.  Prevention still not possible. Web Intrusion Detection with ModSecurity 22 / 50
3. Web Application Firewalls Web Intrusion Detection with ModSecurity 23 / 50
Web Application Firewalls They understand HTTP very well. Can be applied selectively to parts of the traffic. They work after traffic is decrypted, or can otherwise terminate SSL. Prevention is possible. Web Intrusion Detection with ModSecurity 24 / 50
Web IDS Strategies (1) Network-based: Protects any web server Works with many servers at once Web server-based: Closer to the application Limited by the web server API Web Intrusion Detection with ModSecurity 25 / 50
Web IDS Strategies (2) Simple defence: Supports a limited number of pre-defined defences Rule-based: Uses rules to look for known vulnerabilities Or rules to look for classes of attack Rely on rule databases Anomaly-based: Attempts to figure out what normal operation means Web Intrusion Detection with ModSecurity 26 / 50
Web IDS Strategies (3) Negative security model: Deny what might be dangerous. Do you always know what is dangerous? Positive security model: Allow what is known to be safe. Positive security model is better. Web Intrusion Detection with ModSecurity 27 / 50
Features (1) Audit logging. Defend from specific attacks. Defend from general attacks. Defend from brute-force attacks. Web Intrusion Detection with ModSecurity 28 / 50
Features (2) Enforce client-side validation. (Excellent idea!) Introduce per-session restrictions. Learn how application works over time, then create a white list. Web Intrusion Detection with ModSecurity 29 / 50
Evasion Issues Most IDS systems are watching for patterns and attackers know that. There are many ways to obfuscate attack content to prevent detection and still make it work. “DROP/**/TABLE xyz” is a valid SQL query in MySQL. Web Intrusion Detection with ModSecurity 30 / 50
Evasion Techniques  Mixed case: DeleTe From  Whitespace: DELETE FROM  Self-referencing filenames: /etc/./passwd  Directory backreferences: /etc/xyz/../passwd  Double slashes: /etc//passwd  Escaping: /etc/passwd  …and many others Web Intrusion Detection with ModSecurity 31 / 50
Impedance mismatch  Web application firewalls parse HTTP independently from the application – that’s where the protection comes from  But often the way parsing is done is slightly different  Examples:  PHP will ignore spaces at the beginning of variable names  It will also convert all subsequent spaces to underscores  Under some circumstances PHP treats cookies as requests parameters  Such problems make it more difficult for web application firewalls to work out of the box  Customisation is necessary Web Intrusion Detection with ModSecurity 32 / 50
OSS vs. Commercial (1) Commercial: There are many mature offerings. Appliance black-boxes. Can be added to network easily. Very expensive. Web Intrusion Detection with ModSecurity 33 / 50
OSS vs. Commercial (2) Open Source: Do not have all the features of commercial offerings, but have the ones that are really important. No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well. Web Intrusion Detection with ModSecurity 34 / 50
4. ModSecurity 4. Mod_security Web Intrusion Detection with ModSecurity 35 / 50
ModSecurity Open source: http://www.modsecurity.org. GPL and commercial licensing. Free and commercial support available. 3500 downloads per month in a quiet season; growing steadily. Apache version (1.x and 2.x). Java version (Servlet Filter) at some point in the future. Web Intrusion Detection with ModSecurity 36 / 50
Embed Into Web Server Inexpensive and easy to use since no changes to the network design are required. But works only for one web server. No practical impact on performance. Web Intrusion Detection with ModSecurity 37 / 50
Apache-based Web Application Firewall It is a reverse proxy. Easy to install and configure. Created out of default and third-party modules: mod_proxy mod_proxy_html mod_security Web Intrusion Detection with ModSecurity 38 / 50
ModSecurity Features (1) Audit logging. Provides access to any part of the request (request body included) and the response. Flexible regular expression-based rule engine. Rules can be combined. External logic can be invoked. Supports unlimited number of different policies (per virtual host, folder, even a single file). Web Intrusion Detection with ModSecurity 39 / 50
ModSecurity Features (2) Supports file upload interception and real-time validation (e.g. anti-virus integration). Anti-evasion built in. Encoding validation built in. Buffer overflow protection. A variety of things to do upon attack detection. Web Intrusion Detection with ModSecurity 40 / 50
Simple Rule Examples Prevent JavaScript injection: SecFilter "<script" Prevent SQL injection: SecFilter "DELETE[[:space:]]+FROM" Web Intrusion Detection with ModSecurity 41 / 50
Another Example Well-known problem in many PHP applications: register_globals. Prevent with: SecFilterSelective ARG_authorised "!^$" SecFilterSelective COOKIE_authorised "!^$" Web Intrusion Detection with ModSecurity 42 / 50
Advanced Rule Example Prevent the “admin” user from logging from computers other than his workstation: SecFilterSelective ARG_username "^admin$" chain SecFilterSelective REMOTE_ADDR "!^192.168.0.99$" Web Intrusion Detection with ModSecurity 43 / 50
Beware of False Positives! Some people do this: SecFilter bin/ But that prevents this: http://www.xyz.com/cgi-bin/innocent.cgi You do not have to use it in prevention mode! Use detection mode only, until you are sure the rules are correct. Web Intrusion Detection with ModSecurity 44 / 50
5. Application-based intrusion detection Web Intrusion Detection with ModSecurity 45 / 50
Application IDS (1)  Use the application as an IDS.  Applications view data in context.  The closer IDS gets to application logic – the better.  Each software error is a potential attack.  Log events to the application event log.  At the very least use the response codes (500 – error, 403 – permission problem). Web Intrusion Detection with ModSecurity 46 / 50
Application IDS (2) In Java, create a security Servlet Filter. In .Net, create a HttpModule. In PHP, use auto_prepend to execute security code before the application begins processing. PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started. Web Intrusion Detection with ModSecurity 47 / 50
Application IDS (3) It is easy and fast to change libraries. For example, change the database abstraction library to detect SQL comments and multiple queries in a single call. Web Intrusion Detection with ModSecurity 48 / 50
Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/ Web Intrusion Detection with ModSecurity 49 / 50

Empfohlen

Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Mod Security
Mod SecurityMod Security
Mod SecurityAbhishek Singh
 
WAFEC
WAFECWAFEC
WAFECConferencias FIST
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Alexander Leonov
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueAlexander Leonov
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 

Empfohlen

Web Application Frewall
Web Application FrewallWeb Application Frewall
Web Application FrewallAbhishek Singh
 
Mod Security
Mod SecurityMod Security
Mod SecurityAbhishek Singh
 
WAFEC
WAFECWAFEC
WAFECConferencias FIST
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Enterprise Vulnerability Management - ZeroNights16
Enterprise Vulnerability Management - ZeroNights16Alexander Leonov
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
CyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueCyberCentral Summit 2018 in Prague
CyberCentral Summit 2018 in PragueAlexander Leonov
 
Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?Cyber security webinar 6 - How to build systems that resist attacks?
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
 
CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPSmohannadalhanahnah
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewallmohannadalhanahnah
 
Sandboxing
SandboxingSandboxing
SandboxingLan & Wan Solutions
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentMarketingArrowECS_CZ
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bSylvain Martinez
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security🏆Ruben Cocheno💭
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveMoti Sagey מוטי שגיא
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireGlobal Knowledge Training
 
Check Point mission statement
Check Point mission statementCheck Point mission statement
Check Point mission statementMoti Sagey מוטי שגיא
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
Apache mod security 3.1
Apache mod security 3.1Apache mod security 3.1
Apache mod security 3.1Hai Dinh Tuan
 
WAF in Scale
WAF in ScaleWAF in Scale
WAF in ScaleAlexey Sintsov
 

Weitere ähnliche Inhalte

Was ist angesagt?

[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentMarketingArrowECS_CZ
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bSylvain Martinez
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security🏆Ruben Cocheno💭
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat Security Conference
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itCyber Security Alliance
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireGlobal Knowledge Training
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 

Was ist angesagt? (20)

CCNP Security-IPS
CCNP Security-IPSCCNP Security-IPS
CCNP Security-IPS
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
Sandboxing
SandboxingSandboxing
Sandboxing
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast Agent
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Talk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2b
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security
 
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
BlueHat v17 || Raising the Bar: New Hardware Primitives for Exploit Mitigations
 
iOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce itiOS malware: what's the risk and how to reduce it
iOS malware: what's the risk and how to reduce it
 
Check point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitiveCheck point response to Cisco NGFW competitive
Check point response to Cisco NGFW competitive
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and Sourcefire
 
Check Point mission statement
Check Point mission statementCheck Point mission statement
Check Point mission statement
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 

Andere mochten auch

Apache mod security 3.1
Apache mod security 3.1Apache mod security 3.1
Apache mod security 3.1Hai Dinh Tuan
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeChristian Folini
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Protecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityProtecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityXavier Perseguers
 
Secure Your Apps with NGINX Plus and the ModSecurity WAF
Secure Your Apps with NGINX Plus and the ModSecurity WAFSecure Your Apps with NGINX Plus and the ModSecurity WAF
Secure Your Apps with NGINX Plus and the ModSecurity WAFNGINX, Inc.
 
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...Amazon Web Services
 

Andere mochten auch (8)

Apache mod security 3.1
Apache mod security 3.1Apache mod security 3.1
Apache mod security 3.1
 
WAF in Scale
WAF in ScaleWAF in Scale
WAF in Scale
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Protecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And ModsecurityProtecting TYPO3 With Suhosin And Modsecurity
Protecting TYPO3 With Suhosin And Modsecurity
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
Secure Your Apps with NGINX Plus and the ModSecurity WAF
Secure Your Apps with NGINX Plus and the ModSecurity WAFSecure Your Apps with NGINX Plus and the ModSecurity WAF
Secure Your Apps with NGINX Plus and the ModSecurity WAF
 
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
AWS re:Invent 2016: Security Automation: Spend Less Time Securing Your Applic...
 

Ähnlich wie Web Intrusion Detection with ModSecurity: An Introduction to Application-Level Protection

01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Security_Testing_Presentation
Security_Testing_PresentationSecurity_Testing_Presentation
Security_Testing_PresentationRazil Shaik
 
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...SignalSEC Ltd.
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Brian Vermeer
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based SecurityJohn Wiley
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners Checkmarx
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 

Ähnlich wie Web Intrusion Detection with ModSecurity: An Introduction to Application-Level Protection (20)

01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
B&W Netsparker overview
B&W Netsparker overviewB&W Netsparker overview
B&W Netsparker overview
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Security_Testing_Presentation
Security_Testing_PresentationSecurity_Testing_Presentation
Security_Testing_Presentation
 
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
 
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
Stranger Danger: Your Java Attack Surface Just Got Bigger | JBCNConf 2022
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based Security
 
Application Security Guide for Beginners
Application Security Guide for Beginners Application Security Guide for Beginners
Application Security Guide for Beginners
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 

Mehr von Abhishek Singh

Cobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM DeploymentCobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM DeploymentAbhishek Singh
 
Mapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large ClustersMapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large ClustersAbhishek Singh
 
Web Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMPWeb Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMPAbhishek Singh
 
Happy Independence Day To All Indians
Happy Independence Day To All IndiansHappy Independence Day To All Indians
Happy Independence Day To All IndiansAbhishek Singh
 
Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up Abhishek Singh
 
Xen_and_Rails_deployment
Xen_and_Rails_deploymentXen_and_Rails_deployment
Xen_and_Rails_deploymentAbhishek Singh
 
India's Smallest Car Ever
India's Smallest Car EverIndia's Smallest Car Ever
India's Smallest Car EverAbhishek Singh
 
Make Over Of An Orange
Make Over Of An OrangeMake Over Of An Orange
Make Over Of An OrangeAbhishek Singh
 
Cute Friendship Quotes
Cute Friendship QuotesCute Friendship Quotes
Cute Friendship QuotesAbhishek Singh
 
Series of Cool Pics Part 3
Series of Cool Pics Part 3Series of Cool Pics Part 3
Series of Cool Pics Part 3Abhishek Singh
 
Series of Cool Pictures Part 2
Series of Cool Pictures Part 2Series of Cool Pictures Part 2
Series of Cool Pictures Part 2Abhishek Singh
 
Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1Abhishek Singh
 

Mehr von Abhishek Singh (20)

Cobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM DeploymentCobbler Summit - Automated Xen VM Deployment
Cobbler Summit - Automated Xen VM Deployment
 
Mapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large ClustersMapreduce - Simplified Data Processing on Large Clusters
Mapreduce - Simplified Data Processing on Large Clusters
 
Web Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMPWeb Server Clustering - OSSCAMP
Web Server Clustering - OSSCAMP
 
Happy Independence Day To All Indians
Happy Independence Day To All IndiansHappy Independence Day To All Indians
Happy Independence Day To All Indians
 
Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up Scaling a Rails Application from the Bottom Up
Scaling a Rails Application from the Bottom Up
 
test
testtest
test
 
How to Charm a Woman
How to Charm a WomanHow to Charm a Woman
How to Charm a Woman
 
Xen_and_Rails_deployment
Xen_and_Rails_deploymentXen_and_Rails_deployment
Xen_and_Rails_deployment
 
India's Smallest Car Ever
India's Smallest Car EverIndia's Smallest Car Ever
India's Smallest Car Ever
 
Software BABA
Software BABASoftware BABA
Software BABA
 
Make Over Of An Orange
Make Over Of An OrangeMake Over Of An Orange
Make Over Of An Orange
 
Cute Friendship Quotes
Cute Friendship QuotesCute Friendship Quotes
Cute Friendship Quotes
 
Series of Cool Pics Part 3
Series of Cool Pics Part 3Series of Cool Pics Part 3
Series of Cool Pics Part 3
 
Series of Cool Pictures Part 2
Series of Cool Pictures Part 2Series of Cool Pictures Part 2
Series of Cool Pictures Part 2
 
Name Confusion
Name ConfusionName Confusion
Name Confusion
 
Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1Series Of Cool Picutres Part 1
Series Of Cool Picutres Part 1
 
KUbuntu
KUbuntuKUbuntu
KUbuntu
 
Monit
MonitMonit
Monit
 
Fun
Fun Fun
Fun
 
Namste London
Namste LondonNamste London
Namste London
 

Kürzlich hochgeladen

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Kürzlich hochgeladen (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 

Web Intrusion Detection with ModSecurity: An Introduction to Application-Level Protection

  • 1. Web Intrusion Detection with ModSecurity Ivan Ristic <ivanr@webkreator.com>
  • 2. Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application firewall, consisting of Apache and ModSecurity Discuss what can be done to detect and prevent application attacks Web Intrusion Detection with ModSecurity 2 / 50
  • 3. Who Am I?  Developer / architect / administrator, spent a great deal of time looking at web security issues from different points of view.  Author of ModSecurity, an open source web firewall / IDS.  Author of Apache Security, published by O’Reilly in March 2005.  Founder of Thinking Stone, a web security company. Web Intrusion Detection with ModSecurity 3 / 50
  • 4. Talk Overview 1. What is the problem? 2. Web intrusion detection approaches 3. Web application firewalls 4. ModSecurity 5. Application-based IDS Web Intrusion Detection with ModSecurity 4 / 50
  • 5. 1. What Is the Problem? Web Intrusion Detection with ModSecurity 5 / 50
  • 6. What is the Problem? (1) The world is going Web, companies must open their systems to their customers and partners. Port 80 is used for everything now. Web applications, web services. Classic firewall architectures do not help any more. Web Intrusion Detection with ModSecurity 6 / 50
  • 7. Firewalls Do Not Work Firewall Application Database Web Web Server Client Server Application HTTP Traffic Port 80 Web Intrusion Detection with ModSecurity 7 / 50
  • 8. What is the problem? (2) Web development is a mess. Web applications are not secure. Web application security field is getting there, but it’s still young. Web servers do not provide the correct tools (e.g. auditing). The awareness is rising but we have a long way to go. Web Intrusion Detection with ModSecurity 8 / 50
  • 9. In the Ideal World  Security thought out at the beginning of the project and throughout.  Security requirements exist, security policy is defined.  Threat modelling is used to discover threats.  Developers trained in application security, a security specialist is on board.  Code reviews are performed. Web Intrusion Detection with ModSecurity 9 / 50
  • 10. Back In the Real World Applications are insecure. Trivial vulnerabilities demonstrate serious lack of understanding of the web programming model. Users want features; security is an afterthought. Anyone with a browser can break in. Web Intrusion Detection with ModSecurity 10 / 50
  • 11. Where We Stand (1)  Doing it right from the start is better: developers should design and develop secure software.  But: it is not possible nor feasible to achieve 100% security. Even getting close is difficult.  But: you have to use third-party products which are of unknown quality.  But: you have to live with the existing systems. Web Intrusion Detection with ModSecurity 11 / 50
  • 12. Where We Stand (2) The application security community will work to increase awareness and educate developers. You can do this within your organisation. It will take a while. In the meantime, do anything you can to increase security. Web Intrusion Detection with ModSecurity 12 / 50
  • 13. What Can You Do? (1) By all means, if you can improve the software – do it! But it is more likely that you will have to attempt to increase security from the outside. It is not easy. You’ll have to put insecure applications into secure environments. Web Intrusion Detection with ModSecurity 13 / 50
  • 14. What Can You Do? (2) Use threat modelling for deployment to determine the threats. Then correct architectural issues that can be corrected. Use network design tools to increase security by limiting exposure. Web Intrusion Detection with ModSecurity 14 / 50
  • 15. What Can You Do? (3) At this point many organizations stop, and prefer to keep their fingers crossed: “It will not happen to us”. Intrusions are always possible, it is the probability you need to worry about. It depends on your circumstances – are you a high-profile, high-risk case? Web Intrusion Detection with ModSecurity 15 / 50
  • 16. What Can You Do? (4) Monitoring: know what happened. Detection: know when you are being attacked. Prevention: stop attacks before they succeed. Assessment: discover problems before the attackers do. Web Intrusion Detection with ModSecurity 16 / 50
  • 17. 2. Web Intrusion Detection Approaches Web Intrusion Detection with ModSecurity 17 / 50
  • 18. What is Intrusion Detection? Intrusion Detection is a method of detecting attacks by monitoring traffic or system events. Most people mean N(etwork) IDS when they say IDS. But there is also Host-based IDS, and other hybrid approaches. Web Intrusion Detection with ModSecurity 18 / 50
  • 19. NIDS Applied to Web Traffic can be overwhelming. Encryption (SSL) makes data invisible. Compression makes data hard to see. Designed to work at the TCP/IP level, not as effective for HTTP. Evasion is a problem. Bottom line: NIDS is not suitable for application- level protection. Web Intrusion Detection with ModSecurity 19 / 50
  • 20. Evolution of NIDS Deep-inspection Firewalls: vendors are building HTTP extensions and making improvements. Application Firewall (a.k.a Application Gateway) is born. Web Application Firewall (WAF) is a reverse proxy with additional security-related features. Web Intrusion Detection with ModSecurity 20 / 50
  • 21. Batch Web Intrusion Detection Collect logs at a single location: Manual collection (cron + scp) Syslog Spread toolkit (mod_log_spread) Run a script periodically to check the logs. Prevention not possible. Can go back in time! Web Intrusion Detection with ModSecurity 21 / 50
  • 22. Log-based IDS in Real-time  Collect logs at a single location using some real time method (syslog, mod_log_spread).  Tail and analyse the central log file in real-time.  SEC (Simple Event Correlator, http://kodu.neti.ee/~risto/sec/) may be of help.  Prevention still not possible. Web Intrusion Detection with ModSecurity 22 / 50
  • 23. 3. Web Application Firewalls Web Intrusion Detection with ModSecurity 23 / 50
  • 24. Web Application Firewalls They understand HTTP very well. Can be applied selectively to parts of the traffic. They work after traffic is decrypted, or can otherwise terminate SSL. Prevention is possible. Web Intrusion Detection with ModSecurity 24 / 50
  • 25. Web IDS Strategies (1) Network-based: Protects any web server Works with many servers at once Web server-based: Closer to the application Limited by the web server API Web Intrusion Detection with ModSecurity 25 / 50
  • 26. Web IDS Strategies (2) Simple defence: Supports a limited number of pre-defined defences Rule-based: Uses rules to look for known vulnerabilities Or rules to look for classes of attack Rely on rule databases Anomaly-based: Attempts to figure out what normal operation means Web Intrusion Detection with ModSecurity 26 / 50
  • 27. Web IDS Strategies (3) Negative security model: Deny what might be dangerous. Do you always know what is dangerous? Positive security model: Allow what is known to be safe. Positive security model is better. Web Intrusion Detection with ModSecurity 27 / 50
  • 28. Features (1) Audit logging. Defend from specific attacks. Defend from general attacks. Defend from brute-force attacks. Web Intrusion Detection with ModSecurity 28 / 50
  • 29. Features (2) Enforce client-side validation. (Excellent idea!) Introduce per-session restrictions. Learn how application works over time, then create a white list. Web Intrusion Detection with ModSecurity 29 / 50
  • 30. Evasion Issues Most IDS systems are watching for patterns and attackers know that. There are many ways to obfuscate attack content to prevent detection and still make it work. “DROP/**/TABLE xyz” is a valid SQL query in MySQL. Web Intrusion Detection with ModSecurity 30 / 50
  • 31. Evasion Techniques  Mixed case: DeleTe From  Whitespace: DELETE FROM  Self-referencing filenames: /etc/./passwd  Directory backreferences: /etc/xyz/../passwd  Double slashes: /etc//passwd  Escaping: /etc/passwd  …and many others Web Intrusion Detection with ModSecurity 31 / 50
  • 32. Impedance mismatch  Web application firewalls parse HTTP independently from the application – that’s where the protection comes from  But often the way parsing is done is slightly different  Examples:  PHP will ignore spaces at the beginning of variable names  It will also convert all subsequent spaces to underscores  Under some circumstances PHP treats cookies as requests parameters  Such problems make it more difficult for web application firewalls to work out of the box  Customisation is necessary Web Intrusion Detection with ModSecurity 32 / 50
  • 33. OSS vs. Commercial (1) Commercial: There are many mature offerings. Appliance black-boxes. Can be added to network easily. Very expensive. Web Intrusion Detection with ModSecurity 33 / 50
  • 34. OSS vs. Commercial (2) Open Source: Do not have all the features of commercial offerings, but have the ones that are really important. No nice GUIs yet - you have to get your hands dirty, understand how it works, and know the components well. Web Intrusion Detection with ModSecurity 34 / 50
  • 35. 4. ModSecurity 4. Mod_security Web Intrusion Detection with ModSecurity 35 / 50
  • 36. ModSecurity Open source: http://www.modsecurity.org. GPL and commercial licensing. Free and commercial support available. 3500 downloads per month in a quiet season; growing steadily. Apache version (1.x and 2.x). Java version (Servlet Filter) at some point in the future. Web Intrusion Detection with ModSecurity 36 / 50
  • 37. Embed Into Web Server Inexpensive and easy to use since no changes to the network design are required. But works only for one web server. No practical impact on performance. Web Intrusion Detection with ModSecurity 37 / 50
  • 38. Apache-based Web Application Firewall It is a reverse proxy. Easy to install and configure. Created out of default and third-party modules: mod_proxy mod_proxy_html mod_security Web Intrusion Detection with ModSecurity 38 / 50
  • 39. ModSecurity Features (1) Audit logging. Provides access to any part of the request (request body included) and the response. Flexible regular expression-based rule engine. Rules can be combined. External logic can be invoked. Supports unlimited number of different policies (per virtual host, folder, even a single file). Web Intrusion Detection with ModSecurity 39 / 50
  • 40. ModSecurity Features (2) Supports file upload interception and real-time validation (e.g. anti-virus integration). Anti-evasion built in. Encoding validation built in. Buffer overflow protection. A variety of things to do upon attack detection. Web Intrusion Detection with ModSecurity 40 / 50
  • 41. Simple Rule Examples Prevent JavaScript injection: SecFilter "<script" Prevent SQL injection: SecFilter "DELETE[[:space:]]+FROM" Web Intrusion Detection with ModSecurity 41 / 50
  • 42. Another Example Well-known problem in many PHP applications: register_globals. Prevent with: SecFilterSelective ARG_authorised "!^$" SecFilterSelective COOKIE_authorised "!^$" Web Intrusion Detection with ModSecurity 42 / 50
  • 43. Advanced Rule Example Prevent the “admin” user from logging from computers other than his workstation: SecFilterSelective ARG_username "^admin$" chain SecFilterSelective REMOTE_ADDR "!^192.168.0.99$" Web Intrusion Detection with ModSecurity 43 / 50
  • 44. Beware of False Positives! Some people do this: SecFilter bin/ But that prevents this: http://www.xyz.com/cgi-bin/innocent.cgi You do not have to use it in prevention mode! Use detection mode only, until you are sure the rules are correct. Web Intrusion Detection with ModSecurity 44 / 50
  • 45. 5. Application-based intrusion detection Web Intrusion Detection with ModSecurity 45 / 50
  • 46. Application IDS (1)  Use the application as an IDS.  Applications view data in context.  The closer IDS gets to application logic – the better.  Each software error is a potential attack.  Log events to the application event log.  At the very least use the response codes (500 – error, 403 – permission problem). Web Intrusion Detection with ModSecurity 46 / 50
  • 47. Application IDS (2) In Java, create a security Servlet Filter. In .Net, create a HttpModule. In PHP, use auto_prepend to execute security code before the application begins processing. PHP5 (and PHP4 with the Hardened-PHP patch applied) has a special hook that allows an extension to access the parameters before script is started. Web Intrusion Detection with ModSecurity 47 / 50
  • 48. Application IDS (3) It is easy and fast to change libraries. For example, change the database abstraction library to detect SQL comments and multiple queries in a single call. Web Intrusion Detection with ModSecurity 48 / 50
  • 49. Questions? Thank you! Download this presentation from http://www.thinkingstone.com/talks/ Web Intrusion Detection with ModSecurity 49 / 50