Apache Mod Security
HAI, DINH
VINAHOST
Agenda
   1. Regular Expression
   2. Rules Usage
   3. Default Action
   4. Chained Actions
   5. Persistent Collection and examples
   6. Transformation Function
   7. Validate Contents
Regular Expression

Regular Expression Usage

 Used to match large amounts of text, such as particular characters,
 words, or patterns of characters.
Regular Expression Usage

         Email Address Matching
         \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b

         IP Address Matching
         \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

           Testing Tools: Regexpal.com, regular-expressions.info
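The two patterns from this slide, exercised in Python, as an added example that is not part of the original deck. The slide export dropped the backslashes, so the example restores them and also compiles the IPv4 pattern a second time with the dots left unescaped, to show why that matters: an unescaped `.` matches any character, so the pattern accepts tokens that are not addresses at all. The log line is constructed, not real traffic.

```python
import re

# Email pattern from the slide, with the word boundaries and the literal dot escaped.
EMAIL_RE = re.compile(r"\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b", re.IGNORECASE)

# One dotted-quad octet (0-255), exactly as the slide writes it.
_OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

# IPv4 pattern from the slide with the separator dots escaped (\.).
IPV4_RE = re.compile(r"\b" + r"\.".join([_OCTET] * 4) + r"\b")

# The same pattern as it appears on the exported slide: the dots are unescaped,
# so each "." matches ANY single character, not only a literal dot.
IPV4_UNESCAPED_RE = re.compile(r"\b" + ".".join([_OCTET] * 4) + r"\b")


def find_emails(text):
    """Return every email-like token found in text."""
    return [m.group(0) for m in EMAIL_RE.finditer(text)]


def find_ipv4(text, pattern=IPV4_RE):
    """Return every dotted-quad IPv4 address found in text.
    group(0) is used because the pattern contains capture groups and
    re.findall would otherwise return tuples of octets."""
    return [m.group(0) for m in pattern.finditer(text)]


if __name__ == "__main__":
    # Constructed sample log line.
    line = "client 10.0.0.1 sent mail for ops@vinahost.vn; token 1a2b3c4"
    print(find_emails(line))                    # ['ops@vinahost.vn']
    print(find_ipv4(line))                      # ['10.0.0.1']
    print(find_ipv4(line, IPV4_UNESCAPED_RE))   # ['10.0.0.1', '1a2b3c4']  <- false positive
```

The `\b` anchors matter as much as the escaped dots: without them the octet alternation would happily match the first three characters of `300` and report `192.168.1.300` as a valid address.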
Rules Usage

 Use "|" as the "OR" logical expression

       SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
           "@validateByteRange 1-255" \
           "log,auditlog,msg:'Request Missing an Accept Header',severity:'2',id:'960015',t:urlDecodeUni,phase:1"

 Use "!" as the "NOT" logical expression
Rules Usage

 Use a Regular Expression to make a Rule

       SecRule REQUEST_METHOD "^POST$" \
           "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header'"

 Use ":" to pick a variable from a Collection

       SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none"
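The variable-list syntax of the two Rules Usage slides (`|` to add targets, `!` to exclude them, `:` to pick one member of a collection, and `!` in front of the operator to negate it) modelled in Python, as an added example that is not ModSecurity's own code. The request is a constructed dictionary; only the default regular-expression operator is emulated, and the `@validateByteRange` operator from the first slide is not.

```python
import re

# Constructed sample request (not captured traffic).  Collections are dicts,
# simple variables are strings.
SAMPLE_REQUEST = {
    "REQUEST_METHOD": "POST",
    "REQUEST_FILENAME": "/login",
    "REQUEST_HEADERS": {
        "Host": "www.example.com",
        "Referer": "https://www.example.com/",
        "Content-Length": "0",
    },
}


def select_targets(spec, request):
    """Resolve a variable list such as
    'REQUEST_HEADERS|!REQUEST_HEADERS:Referer|REQUEST_METHOD' against request.
    '|' adds targets, '!' removes targets added earlier, and
    'COLLECTION:member' picks one member (name compared case-insensitively).
    Returns an ordered list of (target name, value) pairs."""
    selected = []
    for item in spec.split("|"):
        negate = item.startswith("!")
        coll, _, member = item.lstrip("!").partition(":")
        value = request.get(coll)
        if isinstance(value, dict):              # a collection: expand to its members
            pairs = [(f"{coll}:{name}", v) for name, v in value.items()
                     if not member or name.lower() == member.lower()]
        elif value is None:                      # variable absent from this request
            pairs = []
        else:                                    # a simple scalar variable
            pairs = [(coll, value)]
        if negate:
            drop = {name for name, _ in pairs}
            selected = [p for p in selected if p[0] not in drop]
        else:
            selected.extend(p for p in pairs if p not in selected)
    return selected


def evaluate(spec, operator, request):
    """Run a regular-expression operator over the selected targets and return
    the names of the targets that matched.  A leading '!' on the operator
    negates it, as in "!^0?$"; negation is applied per target."""
    negate = operator.startswith("!")
    pattern = re.compile(operator.lstrip("!"))
    hits = []
    for name, value in select_targets(spec, request):
        matched = pattern.search(value) is not None
        if matched != negate:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(select_targets("REQUEST_HEADERS|!REQUEST_HEADERS:Referer", SAMPLE_REQUEST))
    # Content-Length is "0", so the negated operator from the slide does not fire:
    print(evaluate("REQUEST_HEADERS:Content-Length", "!^0?$", SAMPLE_REQUEST))   # []
```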
Default Actions

 Used to set the "default behavior" of Apache ModSecurity: whenever a rule
 does not define an action, Apache applies the default actions.

 Use the SetDefaultAction directive to add them to the configuration file.

 The "default" default actions are: phase:2,log,auditlog,pass
Rules Usage

            SetDefaultAction phase:2,log,auditlog,pass

   Rule as written                     Rule as applied with the default actions
   SecRule REQUEST_URI "abc"           SecRule REQUEST_URI "abc" phase:2,log,auditlog,pass
   SecRule REQUEST_URI "abc" nolog     SecRule REQUEST_URI "abc" phase:2,auditlog,pass
Chained Actions

 Group rules together

 Similar to the "AND" logical expression in a programming language

 Add the "chain" action to every rule in the chain except the last one

 Example:

  SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog,deny,status:406"
  SecRule REQUEST_METHOD "GET" "t:none"
Persistent Collections

 Why Persistent Collections?

   The TX collection only exists within a single transaction: once the
   data has been transferred completely, its variables are removed.

   A persistent collection keeps a record of variables across several
   transactions.

 Persistent Collections can be used to:
   1. Monitor user behavior based on IP address
   2. Monitor sessions
   3. Monitor user behavior
   4. Prevent session hijacking attacks
   5. Detect Denial of Service (DoS) attacks
   6. Detect brute force attacks
Persistent Collections

   IP                           SESSION                      USER
   Created with the initcol     Created with the setsid      Created with the setuid
   action                       action                       action
   Holds client-address         Holds session variables      Holds user variables
   variables
Persistent Collections

 Define the data directory first, using the SecDataDir directive

 For example:
    SecDataDir /etc/httpd/modsec_data
Persistent Collections

  Limit Request Rate example:

     SecAction "initcol:ip=%{REMOTE_ADDR},pass,auditlog"
     SecAction "phase:5,deprecatevar:ip.counter=1/1,pass,auditlog"
     SecRule IP:COUNTER "@gt 60" "phase:2,pause:300,deny,status:403,skip:1,nolog"
     SecAction "phase:2,pass,setvar:ip.counter=+1,nolog"
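The request-rate rule set above, simulated in Python so that the interaction of the four rules can be stepped through, as an added example that is not part of the deck or of ModSecurity. It assumes the slide's rules run with the default phase 2 for the `initcol` action, models `setvar:ip.counter=+1` and `deprecatevar:ip.counter=1/1` (subtract 1 for each full second elapsed), and deliberately ignores `pause:300` and `skip:1`, which do not change the verdict. Timestamps are passed in explicitly, so the run is reproducible; the client addresses are constructed.

```python
class IpRateLimiter:
    """Models one persistent IP collection driven by the slide's rules:
      phase 2: deny when ip.counter > threshold (the "@gt 60" rule)
      phase 2: otherwise setvar:ip.counter=+1
      phase 5: deprecatevar:ip.counter=1/1, applied to every transaction
               (the logging phase also runs for denied requests)."""

    def __init__(self, threshold=60, decay_amount=1, decay_seconds=1.0):
        self.threshold = threshold
        self.decay_amount = decay_amount
        self.decay_seconds = decay_seconds
        self._state = {}   # client ip -> {"counter": int, "last_decay": float}

    def counter(self, ip):
        """Current value of ip.counter for a client (0 if never seen)."""
        return self._state.get(ip, {}).get("counter", 0)

    def handle(self, ip, now):
        """Process one request from ip at time `now` (seconds); return the verdict."""
        # initcol:ip=%{REMOTE_ADDR}: load or create the record for this client.
        rec = self._state.setdefault(ip, {"counter": 0, "last_decay": now})

        # Phase 2: the @gt rule is evaluated BEFORE this request is counted.
        if rec["counter"] > self.threshold:
            verdict = "deny"             # status:403 on the slide
        else:
            rec["counter"] += 1          # setvar:ip.counter=+1
            verdict = "pass"

        # Phase 5: deprecatevar subtracts decay_amount per full decay_seconds
        # elapsed since the last decay.  Because this happens after the
        # decision, a client that waits is still denied once before the
        # lowered counter takes effect.
        steps = int((now - rec["last_decay"]) // self.decay_seconds)
        if steps > 0:
            rec["counter"] = max(0, rec["counter"] - steps * self.decay_amount)
            rec["last_decay"] += steps * self.decay_seconds
        return verdict


if __name__ == "__main__":
    lim = IpRateLimiter()
    burst = [lim.handle("203.0.113.5", 0.0) for _ in range(62)]
    print(burst.count("pass"), burst.count("deny"))     # 61 1
    print(lim.handle("203.0.113.5", 5.0), lim.counter("203.0.113.5"))   # deny 56
    print(lim.handle("203.0.113.5", 5.0), lim.counter("203.0.113.5"))   # pass 57
```

With `1/1` the counter drains at one request per second, so a client that sustains more than that rate eventually crosses 60 no matter how it paces its bursts; tuning the threshold against the decay rate is what sets the long-term request rate this rule permits.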
Transformation Functions

 ModSecurity matches strings and variables exactly

 A transformation function converts different string formats into a single
 normalized string before the match is made
Transformation functions

   Built-in transformation functions include:
      lowercase
      replaceNull
      compressWhitespace
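The three transformation functions named on the slide, reimplemented in Python to show how a `t:` pipeline turns several spellings of the same input into one string before the regular expression runs; this is an added example, not ModSecurity's own implementation. `compressWhitespace` is modelled on the documented behaviour of folding space, `\f`, `\t`, `\n`, `\r`, `\v` and 0xA0 into single spaces; the sample value is constructed.

```python
import re


def lowercase(value):
    """t:lowercase - fold letters to lower case."""
    return value.lower()


def replace_null(value):
    """t:replaceNull - replace NUL bytes with spaces."""
    return value.replace("\x00", " ")


# Whitespace characters that compressWhitespace folds to a single space.
_WS = re.compile("[ \f\t\n\r\v\xa0]+")


def compress_whitespace(value):
    """t:compressWhitespace - map each run of whitespace to one space."""
    return _WS.sub(" ", value)


TRANSFORMS = {
    "lowercase": lowercase,
    "replaceNull": replace_null,
    "compressWhitespace": compress_whitespace,
}


def apply_transforms(value, names):
    """Apply the named transformations in order, as t:a,t:b,t:c would."""
    for name in names:
        value = TRANSFORMS[name](value)
    return value


def rule_matches(value, pattern, transforms=()):
    """Emulate SecRule <var> "pattern" "t:..." on a single variable value."""
    return re.search(pattern, apply_transforms(value, transforms)) is not None


if __name__ == "__main__":
    # Constructed value: mixed case, a NUL byte, tabs and a non-breaking space.
    raw = "SeLeCt\x00\t\t*  \xa0FROM"
    print(rule_matches(raw, r"select \* from"))                                        # False
    print(rule_matches(raw, r"select \* from",
                       ("replaceNull", "compressWhitespace", "lowercase")))           # True
```

The order in the pipeline is the order written in the rule, so `replaceNull` has to run before `compressWhitespace` for the NUL byte to be folded into the surrounding whitespace.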
Validate Contents

 Check the validity of HTTP requests

   @validateByteRange       Validate byte range
   @validateDTD             Validate XML files by DTD
   @validateSchema          Validate XML files by Schema
   @validateUrlEncoding     Validate URL encoding
   @validateUtf8Encoding    Validate UTF-8 encoding
Validate Byte Range

 Allow only digits in the Content field of the request header

 SecRule REQUEST_HEADERS:Content "@validateByteRange 48-57" "phase:4,deny,log,status:403"
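The check behind `@validateByteRange`, written out in Python as an added example that is not ModSecurity's code. It parses a range argument in the form the operator accepts (`48-57`, or several comma-separated items such as `9,32-126`) and reports the offsets of every byte outside the allowed set; a non-empty result is what makes the operator match and the rule's `deny` fire. The header values are constructed.

```python
def parse_byte_range(spec):
    """Parse an @validateByteRange argument such as "48-57" or "9,32-126"
    into the set of allowed byte values."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i       # a single number means one byte value
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"bad byte range: {part!r}")
        allowed.update(range(lo_i, hi_i + 1))
    return allowed


def byte_range_violations(value, spec):
    """Offsets of the bytes in value that fall outside the allowed range.
    An empty list means the value passes; anything else is a match for
    @validateByteRange and would trigger the rule's disruptive action."""
    allowed = parse_byte_range(spec)
    return [i for i, b in enumerate(value) if b not in allowed]


def check_header(headers, name, spec):
    """Emulate SecRule REQUEST_HEADERS:<name> "@validateByteRange <spec>" on a
    dict of raw header bytes; returns "deny" or "pass" (absent header passes)."""
    value = headers.get(name)
    if value is None:
        return "pass"
    return "deny" if byte_range_violations(value, spec) else "pass"


if __name__ == "__main__":
    # Constructed header sets for the slide's digits-only rule (48-57 is "0"-"9").
    print(check_header({b"Content": b"12345"}, b"Content", "48-57"))     # pass
    print(check_header({b"Content": b"12a45"}, b"Content", "48-57"))     # deny
    print(byte_range_violations(b"\x00ok", "1-255"))                     # [0]
```

`1-255`, as used in the CRS rule earlier in the deck, rejects only NUL bytes; `48-57` is far stricter and is the kind of positive whitelist that suits a field whose format is known in advance.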
Validate DTD

 A Document Type Definition (DTD) is a set of markup declarations that
 define a document type for an SGML-family markup language (SGML, XML,
 HTML).

 It defines which components must be included and their format
Validate Schema

 A DTD supports only the PCDATA and CDATA formats.

 A Schema supports detailed descriptions of the data in XML files, for
 example: string, normalizedString, integer, positiveInteger
Validate URL Encoding

 RFC 1738 only allows ASCII in a URL

 HTML: supports ISO-8859-1 (ISO-Latin)

 HTML4: supports Unicode characters
Validate UTF-8 Encoding

 UTF-8 is used on almost every web server to encode strings and is
 compatible with ASCII

     SecRule ARGS "@validateUtf8Encoding"
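The two encoding validators from the Validate URL Encoding and Validate UTF-8 Encoding slides, written out in Python as an added example that is not ModSecurity's implementation. The URL check applies the rule that every `%` must be followed by two hexadecimal digits; the UTF-8 check is a hand-written decoder that rejects the malformed sequences a validating decoder must refuse (bad lead or continuation bytes, truncated sequences, overlong encodings such as a three-byte `/`, surrogates and code points above U+10FFFF), which is why the example does not simply call `bytes.decode`. Both return `(reason, offset)` for the first problem, or `None` when the input is clean; all inputs are constructed.

```python
import string


def url_encoding_violation(value):
    """Emulate @validateUrlEncoding on a str: every '%' must introduce
    exactly two hex digits.  Returns (reason, offset) or None."""
    i = 0
    while i < len(value):
        if value[i] == "%":
            if i + 2 >= len(value):
                return ("incomplete percent-encoding", i)
            if not all(c in string.hexdigits for c in value[i + 1:i + 3]):
                return ("invalid hex digits", i)
            i += 3
        else:
            i += 1
    return None


def utf8_violation(data):
    """Emulate @validateUtf8Encoding on bytes with a strict decoder.
    Returns (reason, offset) for the first problem, or None."""
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:                         # plain ASCII byte
            i += 1
            continue
        if 0xC2 <= lead <= 0xDF:
            need, minimum = 1, 0x80
        elif 0xE0 <= lead <= 0xEF:
            need, minimum = 2, 0x800
        elif 0xF0 <= lead <= 0xF4:
            need, minimum = 3, 0x10000
        else:                                   # stray continuation, 0xC0/0xC1, 0xF5 and above
            return ("invalid lead byte", i)
        if i + need >= n:
            return ("not enough bytes", i)
        cp = lead & (0x3F >> need)              # payload bits carried by the lead byte
        for k in range(1, need + 1):
            cont = data[i + k]
            if cont & 0xC0 != 0x80:
                return ("invalid continuation byte", i + k)
            cp = (cp << 6) | (cont & 0x3F)
        if cp < minimum:                        # value fits in fewer bytes: overlong
            return ("overlong encoding", i)
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            return ("restricted code point", i)
        i += need + 1
    return None


if __name__ == "__main__":
    print(url_encoding_violation("/search?q=a%20b"))       # None
    print(url_encoding_violation("/search?q=%zz"))         # ('invalid hex digits', 10)
    print(utf8_violation("héllo €".encode("utf-8")))       # None
    print(utf8_violation(b"\xe0\x80\xaf"))                 # ('overlong encoding', 0)
```

Overlong forms are the case worth remembering: `\xe0\x80\xaf` decodes to the same code point as a plain `/`, so a decoder that accepts it lets a path separator through a filter that only looked for the one-byte form. Rejecting the sequence at validation time, before any decoding or matching, removes that ambiguity.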
Demonstrations
Steps
Thanks for joining with me!
Editor's Notes

  • #5: Test using the regexpal.com site
  • #14: Disruptive Actions: allow, block, deny, drop, pass, proxy, redirect
         SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog"
         SecRule REQUEST_METHOD "GET" "t:none,deny,status:406"
  • #16: Reopen the config file, the TX collection part. The Segoe UI font can still be used for Vietnamese text.
  • #20: Live demo