5. ModSecurity
Ryan C. Barnett
ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
Blackhat Arsenal 2014
Security Bootcamp 2014 5
13. 4 scenarios
If the HTTP response code is 404, the resource doesn't exist. In this case, not only do we skip the profiling, but we also remove the resource key, so we delete the persistent storage. This is achieved by using the setvar:!resource.KEY action.

If the HTTP response code is either level 4xx or level 5xx, the application says something is wrong with the transaction, so we won't profile it in this case either.

The OWASP ModSecurity Core Rule Set (CRS) can use anomaly scoring. We can check this transactional anomaly score. If it is anything other than 0, we should skip profiling.

Finally, we have already seen enough traffic for our profiling model and are currently in enforcement mode, so we skip profiling.
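The four scenarios above written out as ModSecurity 2.x rules. This is an added example, not code from the slides or from the OWASP CRS. Only the setvar:!resource.KEY action comes from the slides; the rule ids (900100-900140), the END_PROFILING marker, the tx.anomaly_score variable (the CRS inbound score) and the resource.enforce_mode flag are assumptions made for illustration.

```apache
# Added example: ModSecurity 2.x rules implementing the four
# "skip profiling" scenarios. Rule ids, the marker name, tx.anomaly_score
# and resource.enforce_mode are assumed names for illustration.

# Open the per-resource persistent collection, keyed by host and path.
SecAction "id:900100,phase:1,nolog,pass,\
    initcol:resource=%{REQUEST_HEADERS.Host}_%{REQUEST_FILENAME}"

# Scenario 1: 404 - the resource does not exist. Skip profiling and delete
# the persistent collection (setvar:!resource.KEY) so that requests for
# non-existent resources never leave a profile entry behind.
SecRule RESPONSE_STATUS "@streq 404" \
    "id:900110,phase:3,nolog,pass,\
    setvar:!resource.KEY,\
    skipAfter:END_PROFILING"

# Scenario 2: any other 4xx or 5xx - the application reports that
# something is wrong with this transaction, so do not learn from it.
SecRule RESPONSE_STATUS "@rx ^[45]\d\d$" \
    "id:900120,phase:3,nolog,pass,skipAfter:END_PROFILING"

# Scenario 3: the CRS anomaly score is non-zero, i.e. the inbound
# request already looked like an attack.
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "id:900130,phase:3,nolog,pass,skipAfter:END_PROFILING"

# Scenario 4: enough traffic has been seen for this resource and the
# profile is now enforcing rather than learning (assumed flag).
SecRule RESOURCE:ENFORCE_MODE "@eq 1" \
    "id:900140,phase:3,nolog,pass,skipAfter:END_PROFILING"

# Profiling rules (record observed parameter names, lengths, character
# classes, etc. into the RESOURCE collection) go here, in the same
# phase, because skipAfter only jumps within the current phase.

SecMarker END_PROFILING
```

The checks run in phase 3 (response headers) because RESPONSE_STATUS is not known before then; the profiling rules must live in the same phase, since skipAfter cannot jump across phases. Each skipping rule uses nolog so that the decision to not profile does not itself generate alerts.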
27. Correlation
Did an inbound attack occur?
Did an HTTP response status code error (4xx/5xx level) occur?
Did an application information leakage event occur?
28. Correlation
If an inbound attack was detected, and either an outbound application status code error or an information leakage event was detected, the overall event severity is raised to one of the following:
• 0, EMERGENCY, is generated from correlation of anomaly scoring data where an inbound attack and an outbound leakage exist.
• 1, ALERT, is generated from correlation where an inbound attack and an outbound application-level error exist.
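The two correlation cases above as ModSecurity phase 5 (logging) rules. This is an added example, not code from the slides or from the OWASP CRS. It assumes the CRS inbound score lives in tx.anomaly_score and that an outbound leakage rule has set a tx.info_leak flag; the rule ids and messages are illustrative.

```apache
# Added example: phase 5 correlation rules. tx.anomaly_score (CRS inbound
# score) and tx.info_leak (assumed to be set by an outbound leakage rule)
# are assumptions; rule ids and messages are illustrative.

# Inbound attack (non-zero anomaly score) AND outbound information
# leakage -> severity 0 (EMERGENCY). The chain matches only when both
# rules match; log/msg/severity on the first rule apply to the whole chain.
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "id:900200,phase:5,chain,log,auditlog,pass,severity:'0',\
    msg:'Correlated Attack: inbound attack and outbound information leakage'"
    SecRule TX:INFO_LEAK "@eq 1"

# Inbound attack AND a 4xx/5xx application-level error -> severity 1
# (ALERT). A 4xx/5xx alone, with no inbound attack, is not escalated.
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "id:900210,phase:5,chain,log,auditlog,pass,severity:'1',\
    msg:'Correlated Attack: inbound attack and application error'"
    SecRule RESPONSE_STATUS "@rx ^[45]\d\d$"
```

Phase 5 runs after the response has been sent, so these rules cannot block; their value is the raised severity and the correlated message in the audit log, which is what a SIEM or the Kibana dashboards on later slides key on when triaging a transaction.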
45. NSM
Logstash Elasticsearch Kibana
No code required
Real-time analysis of streaming data
Highly scalable
Open source, community driven