Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WAFのルールである OWASP ModSecurity Core Rule Set (CRS...

Avatar for delphinz delphinz
September 21, 2018
Technology
2
1.7k

WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs

Avatar for delphinz

delphinz

September 21, 2018
Tweet

More Decks by delphinz

See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
Avatar for delphinz delphinz
1
1.4k
20200209MINI_INFRA
Avatar for delphinz delphinz
1
370
MINI Hardening Road to Taiwan(2019 HITCON CMT)
Avatar for delphinz delphinz
0
920
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
Avatar for delphinz delphinz
0
140

Other Decks in Technology

See All in Technology
改めてAWS WAFを振り返る~業務で使うためのポイント~
Avatar for モブエンジニア masakiokuda
1
140
mrubyと micro-ROSが繋ぐロボットの世界
Avatar for Katsuhiko Kageyama kishima
3
390
Model Mondays S2E03: SLMs & Reasoning
Avatar for Nitya Narasimhan, PhD nitya
0
240
作曲家がボカロを使うようにPdMはAIを使え
Avatar for Takuya Ito itotaxi
0
400
AWS テクニカルサポートとエンドカスタマーの中間地点から見えるより良いサポートの活用方法
Avatar for kazzpapa3 kazzpapa3
3
620
製造業からパッケージ製品まで、あらゆる領域をカバー!生成AIを利用したテストシナリオ生成 / 20250627 Suguru Ishii
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
160
「良さそう」と「とても良い」の間には 「良さそうだがホンマか」がたくさんある / 2025.07.01 LLM品質Night
Avatar for Shumpei Miyawaki smiyawaki0820
1
450
250627 関西Ruby会議08 前夜祭 RejectKaigi「DJ on Ruby Ver.0.1」
Avatar for Masaya Kudo msykd
PRO
2
390
Liquid Glass革新とSwiftUI/UIKit進化
Avatar for Fumiya Sakai fumiyasac0921
0
300
GeminiとNotebookLMによる金融実務の業務革新
Avatar for abenben abenben
0
250
生成AI時代 文字コードを学ぶ意義を見出せるか?
Avatar for hiroshi ueda hrsued
1
750
KubeCon + CloudNativeCon Japan 2025 Recap by CA
Avatar for YuyaKoda ponkio_o
PRO
0
260

Featured

See All Featured
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
5
240
Building an army of robots
Avatar for Kyle Neath kneath
306
45k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
160
23k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.7k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
5.9k
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
55
5.6k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
82
9.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.9k

Transcript

  1. WAFͷϧʔϧͰ͋Δ OWASP ModSecurity Core Rule Set (CRS)Λ ࢖ͬͨՄࢹԽ·Ͱͷۤ࿑࿩ !EFMQIJO[ 08"41$POOFDU!'PMJP

  2. ໊લɿ Masahiro Tabataʢ@delphinzʣ
 
 ࢓ࣄɿγεςϜίϯαϧλϯτ 
 ηΩϡϦςΟ͸ͨ͠ͳΈఔ౓ झຯ͸ओʹङྌ࠾ूɻ
 BBQͰϚάϩͦͯ͠ಲΛ͞͹͖·͢ɻ MINI

    Hardening ӡӦϝϯόʔ(ϑΝγ Ϧςʔγϣϯʣ΍ͬͯ·͢♫ ࣗݾ঺հ ʹ+"84%":Ͱ08"41ͱ .*/*IBSEFOJOHΛએ఻தͷ༷ࢠ

  3. .*/*IBSEFOJOHͰฉ͍ͨ ʢݫ͍͠ʣ͝ҙݟɾཁ๬ ɾΠϚυΩ"QBDIFͱ͔࢖Θͳ͍͠ʔʂ ɾ8"'ͱ͔ೖͬͯͳ͍αʔϏε͋Γ·͔͢ʔʁ

  4. ΑΖ͍͠ ͳΒ͹OHJOY NPETFDVSJUZͩʂ

  5. NPETFDVSJUZʹ$34Λఴ͑ͯ .PETFDVSJUZ w .PE4FDVSJUZ͸Φʔϓϯιʔεͷ8FCΞϓϦέʔγϣϯϑΝΠΞ΢Υʔ ϧ 8"' Ͱɺ"QBDIFɺOHJOYɺ**4ͷϞδϡʔϧͱͯ͠ಈ࡞͢Δɻ
 ։ൃ͸4QJEFS-BCT͕ߦ͍ͬͯΔɻ
 IUUQTHJUIVCDPN4QJEFS-BCT.PE4FDVSJUZ 08"41NPETFDVSJUZ$PSF3VMF4FU

    w 08"41͕ఏڙ͢ΔNPETFDVSJUZ༻ͷ߈ܸΛݕ஌͢Δجຊతͳϧʔϧ ηοτ
 IUUQTXXXPXBTQPSHJOEFYQIQ$BUFHPSZ08"[email protected]@$PSF@3VMF@4FU@1SPKFDU 

  6. OHJOY NPETFDVSJZͷ᠘ w "QBDIFͷ৔߹͸΄ͱΜͲͷMJOVYύοέʔδͰެࣜఏڙ͞ Ε͍ͯΔɻ
 OHJOY͸ιʔε͔ΒͷϏϧυ͕ඞཁʂ w ެࣜͲ͏Γʹ΍ͬͯ΋ઈରʹೖΒͳ͍ʂ  CVJME࣌఺ͷϢʔβʔࢦఆ͕ඞཁ

     ύοέʔδ͕଍Γͳ͍ͱಈ͔ͳ͍ɻ
 ΤϥʔΛు͔ͳ͍ʢٽʣ

  7. ͓Αͦਓྨͷखʹෛ͑ͳ͍ ϩάग़ྗܗࣜ

  8. ՄࢹԽπʔϧΛࢼͯ͠ΈΔ w "VEJU$POTPMF
 NPETFDVSJUZͷϩάΛ؅ཧ͢ΔͨΊʹ࡞ΒΕͨ+BWBΞϓ Ϧέʔγϣϯ
 5PNDBU্ʹల։͞Εͯ8&#ϒϥ΢β͔Βϩάͷऩूɺ อଘɺϑΟϧλϦϯάͳͲͷػೳΛఏڙ͢Δɻ
 IUUQXXXKXBMMPSHXFCBVEJUDPOTPMFJOEFYKTQ

  9. ͜Ε΋"VEJU$POTPMFͷ᠘͔ w +BWB͸ܾΊଧͪɺެࣜͲ͓Γͩͱ͕ೖΓಈ͔ͳ͍ w SPPUҎԼʹ഑ஔ͠ͳ͍ͱϦΞϧλΠϜϩάऔࠐෆՄ w ϦΞϧλΠϜग़ྗʹඞཁͳNMPHDʢNPETFDVSJUZͷϩάग़ ྗπʔϧʣ͸BQBDIF൛ͷΈରԠɺOHJOY͸ඇରԠ w όονܗࣜͷ୅ସπʔϧ

    QFSM ΋OHJOY൛Ͱ͸ಈ͔ͳ͍ w BVEJUDPOTPMF͕ఏڙ͢Δϩάૹ৴πʔϧͰ୅༻
 ʢͨͩ͠ɺҰׅૹ৴Ͱࠩ෼ૹ৴Ͱ͖ͳ͍ʣ

  10. ແࣄʹՄࢹԽʹ੒ޭ͠·ͨ͠ʂ w ͱΓ͋͑ͣ.*/*IBSEFOJOHͰൃੜͨ͠NPETFDVSJZϩά ΛҰׅͰऔΓࠐΜͰΈΔͱ͜Μͳײ͡

  11. ͓·͚ɿ$34࡞ऀͷϫφ w 08"41ެࣜͷ$34ͷઆ໌ʹʮϥΠΞϯɾόʔωοτʯͷه ࡌ͋Γ w ʮϥΠΞϯɾόʔωοτʯͱ͍͑͹%%04ରࡦͷαʔϏεͰ
 ༗໊ͳ1SPMFYJDࣾʢͷͪʹ"LBNBJ͕ങऩʣͷ૑ۀऀ
 ʢৄࡉ͸ॻ੶ʮαΠόʔɾΫϥΠϜʯΛࢀরʣ

  12. ͡Όɺͳ͍ਓͩͬͨʂ

  13. ͓·͚ɿ$34࡞ऀͷϫφ w ޡΓ͸ʮ-ZPOʯਖ਼͘͠͸ʮ3ZBOʯͰͨ͠ɻ
 ϥΠΞϯɾόʔωοτͷ௲Γʹ஫ҙʂ
 ޡɿ ਖ਼ɿ ͪ͜Β͕$34ͷ࡞ऀͰͨ͠ʂ

  14. ݁࿦ɿPTTͷΈͰͷ8"'ೖ໳ ͸ਏ͍ɺֶ͕ͼ͸͋ͬͨ w 8"'ͷ࢓૊ΈΛ஌Δ͜ͱ͕Ͱ͖ͨɻ
 ঎༻8"'Λ࢖͑ͳ͍ਓ͸PTT͔ΒॳΊͯ΋ྑ͍͔΋ɻ w ݕ஌ઐ༻ͷઃఆʹͯ͠΍ΒΕαʔόΛ͍͡ΔͱͲΜͳΞΫηε͕ 8"'ʹҾ͔͔ͬΔ͔ݟΕΔɻ w ଞͷPTT8"'΋࣌ؒ

    ͱϞνϕʔγϣϯ ͕͋Ε͹ࢼͯ͠Έ͍ͨɻ w 7BHSBOU BOTJCMFͰॻ͍ͨͷͰHJUެ։͍ͨ͠ ͔΋  w ਖ਼͍͠࡞ऀ͕Θ͔ͬͨʂ

  15. ͪΐͬͱࠂ஌ .*/*IBSEFOJOH։࠵༧ఆ w ੈքॳʂʁɹςʔϚ͸ʮԾ૝௨՟ࢢ৔ΛकΓ͖Εʂʯ w ౦ژ!:BIPPͰ։࠵ɺͦͷޙෳ਺ճ։࠵༧ఆ
 ౦ژҎ֎Ͱ͸໊ݹ԰ɺେࡕͰͷ։࠵Λௐ੔த
 ଞͷ஍ҬͰͷ։࠵ཁ๬Λ͓଴͓ͪͯ͠Γ·͢ʂ w ࢀՃر๬ͷํ͸$POOQBTTΛνΣοΫ͍ͯͩ͘͠͞ɻ

    IUUQTNJOJIBSEFOJOHDPOOQBTTDPN

  16. "QQFOEJY w 8FC"QQMJDBUJPO'JSFXBMM 8"' ಡຊվగୈ̎൛
 IUUQTXXXJQBHPKQpMFTQEG
 w 08"41.PE4FDVSJUZ$PSF3VMF4FU3ZBO#BSOFUUQQU
 IUUQTXXXPXBTQPSHJOEFYQIQ 'JMF08"[email protected]@$PSF@3VMF@4FU3ZBO@#BSOFUUQQU