Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WAFのルールである OWASP ModSecurity Core Rule Set (CRS...

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for delphinz delphinz
September 21, 2018
Technology
2
1.7k

WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs

Avatar for delphinz

delphinz

September 21, 2018
Tweet

More Decks by delphinz

See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
Avatar for delphinz delphinz
1
1.6k
20200209MINI_INFRA
Avatar for delphinz delphinz
1
400
MINI Hardening Road to Taiwan(2019 HITCON CMT)
Avatar for delphinz delphinz
0
1k
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
Avatar for delphinz delphinz
0
160

Other Decks in Technology

See All in Technology
組織全体で実現する標準監視設計
Avatar for Yuto Obayashi yuobayashi
2
380
ナレッジワークのご紹介(第88回情報処理学会 )
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
0
150
マルチアカウント環境でSecurity Hubの運用!導入の苦労とポイント / JAWS DAYS 2026
Avatar for GENDA genda
0
220
作りっぱなしで終わらせない! 価値を出し続ける AI エージェントのための「信頼性」設計 / Designing Reliability for AI Agents that Deliver Continuous Value
Avatar for Kento Kimura aoto
PRO
2
250
JAWSDAYS2026_A-6_現場SEが語る 回せるセキュリティ運用~設計で可視化、AIで加速する「楽に回る」運用設計のコツ~
Avatar for s-hata shoki_hata
0
2.9k
Abuse report だけじゃない。AWS から緊急連絡が来る状況とは?昨今の攻撃や被害の事例の紹介と備えておきたい考え方について
Avatar for kazzpapa3 kazzpapa3
1
310
メタデータ同期に潜んでいた問題 〜 Cache Stampede 時の Cycle Wait を⾒つけた話
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
150
事例に見るスマートファクトリーへの道筋〜工場データをAI Readyにする実践ステップ〜
Avatar for 濱田孝治 hamadakoji
0
250
S3はフラットである –AWS公式SDKにも存在した、 署名付きURLにおけるパストラバーサル脆弱性– / JAWS DAYS 2026
Avatar for GMO Flatt Security flatt_security
0
1.5k
Security Diaries of an Open Source IAM
Avatar for Alexander Schwartz ahus1
0
210
類似画像検索モデルの開発ノウハウ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
4
1k
AWS DevOps Agent vs SRE俺 / AWS DevOps Agent vs me, the SRE
Avatar for SMS tech sms_tech
3
470

Featured

See All Featured
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
29
4.2k
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
220
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
49
9.9k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
Avatar for Andy Polaine apolaine
0
220
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.3k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
310
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.6k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
39
3.1k
Building Experiences: Design Systems, User Experience, and Full Site Editing
Avatar for Michelle Schulp Hunt marktimemedia
0
440

Transcript

  1. WAFͷϧʔϧͰ͋Δ OWASP ModSecurity Core Rule Set (CRS)Λ ࢖ͬͨՄࢹԽ·Ͱͷۤ࿑࿩ !EFMQIJO[ 08"41$POOFDU!'PMJP

  2. ໊લɿ Masahiro Tabataʢ@delphinzʣ
 
 ࢓ࣄɿγεςϜίϯαϧλϯτ 
 ηΩϡϦςΟ͸ͨ͠ͳΈఔ౓ झຯ͸ओʹङྌ࠾ूɻ
 BBQͰϚάϩͦͯ͠ಲΛ͞͹͖·͢ɻ MINI

    Hardening ӡӦϝϯόʔ(ϑΝγ Ϧςʔγϣϯʣ΍ͬͯ·͢♫ ࣗݾ঺հ ʹ+"84%":Ͱ08"41ͱ .*/*IBSEFOJOHΛએ఻தͷ༷ࢠ

  3. .*/*IBSEFOJOHͰฉ͍ͨ ʢݫ͍͠ʣ͝ҙݟɾཁ๬ ɾΠϚυΩ"QBDIFͱ͔࢖Θͳ͍͠ʔʂ ɾ8"'ͱ͔ೖͬͯͳ͍αʔϏε͋Γ·͔͢ʔʁ

  4. ΑΖ͍͠ ͳΒ͹OHJOY NPETFDVSJUZͩʂ

  5. NPETFDVSJUZʹ$34Λఴ͑ͯ .PETFDVSJUZ w .PE4FDVSJUZ͸Φʔϓϯιʔεͷ8FCΞϓϦέʔγϣϯϑΝΠΞ΢Υʔ ϧ 8"' Ͱɺ"QBDIFɺOHJOYɺ**4ͷϞδϡʔϧͱͯ͠ಈ࡞͢Δɻ
 ։ൃ͸4QJEFS-BCT͕ߦ͍ͬͯΔɻ
 IUUQTHJUIVCDPN4QJEFS-BCT.PE4FDVSJUZ 08"41NPETFDVSJUZ$PSF3VMF4FU

    w 08"41͕ఏڙ͢ΔNPETFDVSJUZ༻ͷ߈ܸΛݕ஌͢Δجຊతͳϧʔϧ ηοτ
 IUUQTXXXPXBTQPSHJOEFYQIQ$BUFHPSZ08"[email protected]@$PSF@3VMF@4FU@1SPKFDU 

  6. OHJOY NPETFDVSJZͷ᠘ w "QBDIFͷ৔߹͸΄ͱΜͲͷMJOVYύοέʔδͰެࣜఏڙ͞ Ε͍ͯΔɻ
 OHJOY͸ιʔε͔ΒͷϏϧυ͕ඞཁʂ w ެࣜͲ͏Γʹ΍ͬͯ΋ઈରʹೖΒͳ͍ʂ  CVJME࣌఺ͷϢʔβʔࢦఆ͕ඞཁ

     ύοέʔδ͕଍Γͳ͍ͱಈ͔ͳ͍ɻ
 ΤϥʔΛు͔ͳ͍ʢٽʣ

  7. ͓Αͦਓྨͷखʹෛ͑ͳ͍ ϩάग़ྗܗࣜ

  8. ՄࢹԽπʔϧΛࢼͯ͠ΈΔ w "VEJU$POTPMF
 NPETFDVSJUZͷϩάΛ؅ཧ͢ΔͨΊʹ࡞ΒΕͨ+BWBΞϓ Ϧέʔγϣϯ
 5PNDBU্ʹల։͞Εͯ8&#ϒϥ΢β͔Βϩάͷऩूɺ อଘɺϑΟϧλϦϯάͳͲͷػೳΛఏڙ͢Δɻ
 IUUQXXXKXBMMPSHXFCBVEJUDPOTPMFJOEFYKTQ

  9. ͜Ε΋"VEJU$POTPMFͷ᠘͔ w +BWB͸ܾΊଧͪɺެࣜͲ͓Γͩͱ͕ೖΓಈ͔ͳ͍ w SPPUҎԼʹ഑ஔ͠ͳ͍ͱϦΞϧλΠϜϩάऔࠐෆՄ w ϦΞϧλΠϜग़ྗʹඞཁͳNMPHDʢNPETFDVSJUZͷϩάग़ ྗπʔϧʣ͸BQBDIF൛ͷΈରԠɺOHJOY͸ඇରԠ w όονܗࣜͷ୅ସπʔϧ

    QFSM ΋OHJOY൛Ͱ͸ಈ͔ͳ͍ w BVEJUDPOTPMF͕ఏڙ͢Δϩάૹ৴πʔϧͰ୅༻
 ʢͨͩ͠ɺҰׅૹ৴Ͱࠩ෼ૹ৴Ͱ͖ͳ͍ʣ

  10. ແࣄʹՄࢹԽʹ੒ޭ͠·ͨ͠ʂ w ͱΓ͋͑ͣ.*/*IBSEFOJOHͰൃੜͨ͠NPETFDVSJZϩά ΛҰׅͰऔΓࠐΜͰΈΔͱ͜Μͳײ͡

  11. ͓·͚ɿ$34࡞ऀͷϫφ w 08"41ެࣜͷ$34ͷઆ໌ʹʮϥΠΞϯɾόʔωοτʯͷه ࡌ͋Γ w ʮϥΠΞϯɾόʔωοτʯͱ͍͑͹%%04ରࡦͷαʔϏεͰ
 ༗໊ͳ1SPMFYJDࣾʢͷͪʹ"LBNBJ͕ങऩʣͷ૑ۀऀ
 ʢৄࡉ͸ॻ੶ʮαΠόʔɾΫϥΠϜʯΛࢀরʣ

  12. ͡Όɺͳ͍ਓͩͬͨʂ

  13. ͓·͚ɿ$34࡞ऀͷϫφ w ޡΓ͸ʮ-ZPOʯਖ਼͘͠͸ʮ3ZBOʯͰͨ͠ɻ
 ϥΠΞϯɾόʔωοτͷ௲Γʹ஫ҙʂ
 ޡɿ ਖ਼ɿ ͪ͜Β͕$34ͷ࡞ऀͰͨ͠ʂ

  14. ݁࿦ɿPTTͷΈͰͷ8"'ೖ໳ ͸ਏ͍ɺֶ͕ͼ͸͋ͬͨ w 8"'ͷ࢓૊ΈΛ஌Δ͜ͱ͕Ͱ͖ͨɻ
 ঎༻8"'Λ࢖͑ͳ͍ਓ͸PTT͔ΒॳΊͯ΋ྑ͍͔΋ɻ w ݕ஌ઐ༻ͷઃఆʹͯ͠΍ΒΕαʔόΛ͍͡ΔͱͲΜͳΞΫηε͕ 8"'ʹҾ͔͔ͬΔ͔ݟΕΔɻ w ଞͷPTT8"'΋࣌ؒ

    ͱϞνϕʔγϣϯ ͕͋Ε͹ࢼͯ͠Έ͍ͨɻ w 7BHSBOU BOTJCMFͰॻ͍ͨͷͰHJUެ։͍ͨ͠ ͔΋  w ਖ਼͍͠࡞ऀ͕Θ͔ͬͨʂ

  15. ͪΐͬͱࠂ஌ .*/*IBSEFOJOH։࠵༧ఆ w ੈքॳʂʁɹςʔϚ͸ʮԾ૝௨՟ࢢ৔ΛकΓ͖Εʂʯ w ౦ژ!:BIPPͰ։࠵ɺͦͷޙෳ਺ճ։࠵༧ఆ
 ౦ژҎ֎Ͱ͸໊ݹ԰ɺେࡕͰͷ։࠵Λௐ੔த
 ଞͷ஍ҬͰͷ։࠵ཁ๬Λ͓଴͓ͪͯ͠Γ·͢ʂ w ࢀՃر๬ͷํ͸$POOQBTTΛνΣοΫ͍ͯͩ͘͠͞ɻ

    IUUQTNJOJIBSEFOJOHDPOOQBTTDPN

  16. "QQFOEJY w 8FC"QQMJDBUJPO'JSFXBMM 8"' ಡຊվగୈ̎൛
 IUUQTXXXJQBHPKQpMFTQEG
 w 08"41.PE4FDVSJUZ$PSF3VMF4FU3ZBO#BSOFUUQQU
 IUUQTXXXPXBTQPSHJOEFYQIQ 'JMF08"[email protected]@$PSF@3VMF@4FU3ZBO@#BSOFUUQQU