SlideShare une entreprise Scribd logo
1  sur  29
Télécharger pour lire hors ligne
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
An Extended Introduction to
ModSecurity and the OWASP
Core Rule Set
(CISO Platform / SACON)
Christian Folini / @ChrFolini
Baseline / 1st
Line of Defense
Safety Belts
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Boring Bio
●
Christian Folini / @ChrFolini
●
Security Engineer at netnea
in Switzerland
●
Author, teacher and speaker
●
OWASP CRS project Co-Lead
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Plan for Today
●
What is a WAF?
●
What is ModSecurity?
●
What is Core Rule Set?
●
Key concepts
●
Rules
●
False Positives
●
Extensive Demo
Web Application Firewalls
Complex • Overwhelming • Rarely Functional
ModSecurity
Embedded • Rule oriented • Granular Control
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Research based on
4.5M Burp requests.
CRS3
Default Install
Redir.:
RFI:
LFI:
XSS:
SQLi:
0%
0%
-100%
-82%
-100%
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Paranoia Level 1: Minimal number of false positives
Baseline protection
Paranoia Level 2: More rules, some false positives
Real data in the service
Paranoia Level 3: Specialized rules, more FPs
Online banking level security
Paranoia Level 4: Crazy rules, many FPs
Nuclear power plant level security
Paranoia Levels
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Important Groups of Rules
Request Rules
REQUEST-910-IP-REPUTATION.conf
REQUEST-911-METHOD-ENFORCEMENT.conf
REQUEST-912-DOS-PROTECTION.conf
REQUEST-913-SCANNER-DETECTION.conf
REQUEST-920-PROTOCOL-ENFORCEMENT.conf
REQUEST-921-PROTOCOL-ATTACK.conf
REQUEST-930-APPLICATION-ATTACK-LFI.conf
REQUEST-931-APPLICATION-ATTACK-RFI.conf
REQUEST-932-APPLICATION-ATTACK-RCE.conf
REQUEST-933-APPLICATION-ATTACK-PHP.conf
REQUEST-941-APPLICATION-ATTACK-XSS.conf
REQUEST-942-APPLICATION-ATTACK-SQLI.conf
REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf
REQUEST-944-APPLICATION-ATTACK-JAVA.conf
REQUEST-949-BLOCKING-EVALUATION.conf
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Important Groups of Rules
Response Rules
RESPONSE-950-DATA-LEAKAGES.conf
RESPONSE-951-DATA-LEAKAGES-SQL.conf
RESPONSE-952-DATA-LEAKAGES-JAVA.conf
RESPONSE-953-DATA-LEAKAGES-PHP.conf
RESPONSE-954-DATA-LEAKAGES-IIS.conf
RESPONSE-959-BLOCKING-EVALUATION.conf
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Paranoia Level
Example: Protocol Enforcement Rules
Paranoia Level 1: 31 Rules
Paranoia Level 2: 7 Rules
Paranoia Level 3: 1 Rules
Paranoia Level 4: 4 Rules
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Stricter Siblings
Example: Byte Range Enforcement
Paranoia Level 1:
Rule 920270: Full ASCII range without null character
Paranoia Level 2:
Rule 920271: Full visible ASCII range, tab, newline
Paranoia Level 3:
Rule 920272: Visible lower ASCII range without %
Paranoia Level 4:
Rule 920273: A-Z a-z 0-9 = - _ . , : &
Anomaly Scoring
Adjustable Limit • Blocking Mode • Iterative Tuning
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Sampling Mode
Easing into CRS adoption / limit the impact
• Define a sampling rate of n
• Only n% of the requests are being funneled into CRS3
• 100% - n% of requests bypass CRS3
• Monitor performance and fix problems
• Slowly raise n in an iterative way until it reaches 100%
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Include in server config (depending on path):
Include /path-to-owasp-crs/crs-setup.conf
Include /path-to-owasp-crs/rules/*.conf
Clone the repository (or download latest release):
$> git clone https://github.com/coreruleset/coreruleset
Copy the example config:
$> cp crs-setup.conf.example crs-setup.conf
Demo Time (Installation)
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
False Positives
False Positives are expected from PL2
• FPs are fought with rule exclusions
• Tutorials at https://www.netnea.com
• Get cheatsheet from Netnea
• Please report FPs at PL1 (github)
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Apache / ModSecurity / CRS Tutorials
https://www.netnea.com/cms/apache-tutorials/
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
ModSecurity / CRS Courses
• Offered at https://netnea.com/courses
• Covering the tutorials in an
online or physical class or
as a self-paced Katacoda
• Next online class:
June 28 / June 29, 2021
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
OWASP ModSecurity Core Rule Set
GOLD sponsor
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Summary ModSecurity & CRS3
• 1st
Line of Defense against web application attacks
• Generic set of blacklisting rules for WAFs
• Blocks 80% of web application attacks in the default
installation (with a minimal number of FPs)
• Granular control over the behaviour down to the
parameter level
More information at https://coreruleset.org
Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
Slides available at https://www.christian-folini.ch
Questions and Answers, Contact
Contact: christian.folini@netnea.com
@ChrFolini

Contenu connexe

Tendances

State of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at LargeState of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at LargeAaron Zauner
 
Microsoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group PaderbornMicrosoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group PaderbornMark Lechtermann
 
015 spins
015 spins015 spins
015 spinsSam Ram
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERSSITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksJoon Young Park
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersPriyanka Aash
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityCasey Dunham
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateMarc Seeger
 

Tendances (11)

IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
State of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at LargeState of Transport Security in the E-Mail Ecosystem at Large
State of Transport Security in the E-Mail Ecosystem at Large
 
Multi cloud security with cisco cloud services (Taras Kolodchyn)
Multi cloud security with cisco cloud services (Taras Kolodchyn)Multi cloud security with cisco cloud services (Taras Kolodchyn)
Multi cloud security with cisco cloud services (Taras Kolodchyn)
 
Microsoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group PaderbornMicrosoft Connect 2018 .NET User Group Paderborn
Microsoft Connect 2018 .NET User Group Paderborn
 
015 spins
015 spins015 spins
015 spins
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERSSITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor Networks
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
 
spins
spinsspins
spins
 
Feb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-SecurityFeb-8-2012-Breaking-Wireless-Security
Feb-8-2012-Breaking-Wireless-Security
 
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN UpdateHdM Stuttgart Präsentationstag PPTP VPN WLAN Update
HdM Stuttgart Präsentationstag PPTP VPN WLAN Update
 

Similaire à Extensive Introduction to ModSecurity and the OWASP Core Rule Set

Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetChristian Folini
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinJonnathan Griffin
 
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Christian Folini
 
Kernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportKernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportAnne Nicolas
 
Cilium: Seattle Kubernetes MeetUp Dec 2017
Cilium: Seattle Kubernetes MeetUp Dec 2017Cilium: Seattle Kubernetes MeetUp Dec 2017
Cilium: Seattle Kubernetes MeetUp Dec 2017Cynthia Thomas
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Docker, Inc.
 
13257474.ppt-it-networking-gdfgdfgdfgdbd
13257474.ppt-it-networking-gdfgdfgdfgdbd13257474.ppt-it-networking-gdfgdfgdfgdbd
13257474.ppt-it-networking-gdfgdfgdfgdbdssuser38ba4b
 
Educating the computer architects of tomorrow's critical systems with RISC-V
Educating the computer architects of tomorrow's critical systems with RISC-VEducating the computer architects of tomorrow's critical systems with RISC-V
Educating the computer architects of tomorrow's critical systems with RISC-VRISC-V International
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Codemotion
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
BRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdf
BRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdfBRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdf
BRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdfHarryH11
 
Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...wosborne03
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)William Yeh
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Codemotion
 
Digital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdf
Digital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdfDigital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdf
Digital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdfMathavan N
 
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...IO Visor Project
 
Openstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsSanjeev Rampal
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
 

Similaire à Extensive Introduction to ModSecurity and the OWASP Core Rule Set (20)

Introducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule SetIntroducing the OWASP ModSecurity Core Rule Set
Introducing the OWASP ModSecurity Core Rule Set
 
Automating cloud security - Jonny Griffin
Automating cloud security - Jonny GriffinAutomating cloud security - Jonny Griffin
Automating cloud security - Jonny Griffin
 
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
 
Kernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel reportKernel Recipes 2016 - The kernel report
Kernel Recipes 2016 - The kernel report
 
Cilium: Seattle Kubernetes MeetUp Dec 2017
Cilium: Seattle Kubernetes MeetUp Dec 2017Cilium: Seattle Kubernetes MeetUp Dec 2017
Cilium: Seattle Kubernetes MeetUp Dec 2017
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...Enabling Production Grade Containerized Applications through Policy Based Inf...
Enabling Production Grade Containerized Applications through Policy Based Inf...
 
13257474.ppt-it-networking-gdfgdfgdfgdbd
13257474.ppt-it-networking-gdfgdfgdfgdbd13257474.ppt-it-networking-gdfgdfgdfgdbd
13257474.ppt-it-networking-gdfgdfgdfgdbd
 
Educating the computer architects of tomorrow's critical systems with RISC-V
Educating the computer architects of tomorrow's critical systems with RISC-VEducating the computer architects of tomorrow's critical systems with RISC-V
Educating the computer architects of tomorrow's critical systems with RISC-V
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
BRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdf
BRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdfBRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdf
BRKDCN-2670 Day2 operations for Datacenter VxLAN EVPN fabrics.pdf
 
Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...Chapter 9 lab a security policy development and implementation (instructor ve...
Chapter 9 lab a security policy development and implementation (instructor ve...
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
 
Digital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdf
Digital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdfDigital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdf
Digital_Notes___UNIT_5___EC8702___AD_HOC_AND__WIRELESS_SENSOR__NETWORKS.pdf.pdf
 
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
 
Openstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMsOpenstack Summit: Networking and policies across Containers and VMs
Openstack Summit: Networking and policies across Containers and VMs
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
 
CISCO DCNM.pdf
CISCO DCNM.pdfCISCO DCNM.pdf
CISCO DCNM.pdf
 

Plus de Christian Folini

Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landChristian Folini
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectNever Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectChristian Folini
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectChristian Folini
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandChristian Folini
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanChristian Folini
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetChristian Folini
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...Christian Folini
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerGedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerChristian Folini
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern ServersChristian Folini
 
E-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenE-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenChristian Folini
 
Black alps 2018-folini-d-dos
Black alps 2018-folini-d-dosBlack alps 2018-folini-d-dos
Black alps 2018-folini-d-dosChristian Folini
 
Optimizing ModSecurity on NGINX and NGINX Plus
Optimizing ModSecurity on NGINX and NGINX PlusOptimizing ModSecurity on NGINX and NGINX Plus
Optimizing ModSecurity on NGINX and NGINX PlusChristian Folini
 
A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017Christian Folini
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeChristian Folini
 

Plus de Christian Folini (14)

Crazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's landCrazy incentives and how they drive security into no man's land
Crazy incentives and how they drive security into no man's land
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP ProjectNever Walk Alone - Inspirations from a Growing OWASP Project
Never Walk Alone - Inspirations from a Growing OWASP Project
 
What’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS projectWhat’s new in CRS4? An Update from the OWASP CRS project
What’s new in CRS4? An Update from the OWASP CRS project
 
The Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in SwitzerlandThe Adventurous Tale of Online Voting in Switzerland
The Adventurous Tale of Online Voting in Switzerland
 
EVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein FortsetzungsromanEVoting in der Schweiz - Ein Fortsetzungsroman
EVoting in der Schweiz - Ein Fortsetzungsroman
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule SetSecuring Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für DatenschützerGedanken zur elektronischen Stimmabgabe für Datenschützer
Gedanken zur elektronischen Stimmabgabe für Datenschützer
 
Medieval Castles and Modern Servers
Medieval Castles and Modern ServersMedieval Castles and Modern Servers
Medieval Castles and Modern Servers
 
E-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der ExpertenE-Voting, die Sicherheit und die Rolle der Experten
E-Voting, die Sicherheit und die Rolle der Experten
 
Black alps 2018-folini-d-dos
Black alps 2018-folini-d-dosBlack alps 2018-folini-d-dos
Black alps 2018-folini-d-dos
 
Optimizing ModSecurity on NGINX and NGINX Plus
Optimizing ModSecurity on NGINX and NGINX PlusOptimizing ModSecurity on NGINX and NGINX Plus
Optimizing ModSecurity on NGINX and NGINX Plus
 
A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017A General Look at the State of Security - AFCEA 2017
A General Look at the State of Security - AFCEA 2017
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 

Dernier

TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsDianaGray10
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 

Dernier (20)

TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 

Extensive Introduction to ModSecurity and the OWASP Core Rule Set

  • 1. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 An Extended Introduction to ModSecurity and the OWASP Core Rule Set (CISO Platform / SACON) Christian Folini / @ChrFolini
  • 2. Baseline / 1st Line of Defense Safety Belts
  • 3. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Boring Bio ● Christian Folini / @ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead
  • 4. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Key concepts ● Rules ● False Positives ● Extensive Demo
  • 5. Web Application Firewalls Complex • Overwhelming • Rarely Functional
  • 6. ModSecurity Embedded • Rule oriented • Granular Control
  • 9. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%
  • 10. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels
  • 11. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf
  • 12. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf
  • 13. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules
  • 14. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &
  • 15. Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
  • 16. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%
  • 17. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
  • 18. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
  • 19. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
  • 20. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
  • 21. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
  • 22. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021
  • 23. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/coreruleset/coreruleset Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)
  • 24. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)
  • 25. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/
  • 26. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 ModSecurity / CRS Courses • Offered at https://netnea.com/courses • Covering the tutorials in an online or physical class or as a self-paced Katacoda • Next online class: June 28 / June 29, 2021
  • 27. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 OWASP ModSecurity Core Rule Set GOLD sponsor
  • 28. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org
  • 29. Intro to ModSecurity and CRS – CISO Platform/SACON June 2/3, 2021 Slides available at https://www.christian-folini.ch Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini