Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WAFのルールである OWASP ModSecurity Core Rule Set (CRS...

Avatar for delphinz delphinz
September 21, 2018
Technology
2
1.7k

WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs

Avatar for delphinz

delphinz

September 21, 2018
Tweet

More Decks by delphinz

See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
Avatar for delphinz delphinz
1
1.5k
20200209MINI_INFRA
Avatar for delphinz delphinz
1
390
MINI Hardening Road to Taiwan(2019 HITCON CMT)
Avatar for delphinz delphinz
0
980
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
Avatar for delphinz delphinz
0
160

Other Decks in Technology

See All in Technology
Node vs Deno vs Bun 〜推しランタイムを見つけよう〜
Avatar for すずとも kamekyame
1
160
SES向け、生成AI時代におけるエンジニアリングとセキュリティ
Avatar for LongbowXXX longbowxxx
0
290
Contract One Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
12k
[PR] はじめてのデジタルアイデンティティという本を書きました
Avatar for ritou ritou
0
750
「駆動」って言葉、なんかカッコイイ_Mitz
Avatar for comucal comucal
PRO
0
130
純粋なイミュータブルモデルを設計してからイベントソーシングと組み合わせるDeciderの実践方法の紹介 /Introducing Decider Pattern with Event Sourcing
Avatar for Tomohisa Takaoka tomohisa
1
370
歴史から学ぶ、Goのメモリ管理基礎
Avatar for Takuto Nagami logica0419
10
1.8k
技術選定、下から見るか?横から見るか?
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
0
170
AI駆動開発ライフサイクル(AI-DLC)の始め方
Avatar for ryansbcho79 ryansbcho79
0
290
20251225_たのしい出張報告&IgniteRecap!
Avatar for ponponmikan ponponmikankan
0
110
国井さんにPurview の話を聞く会
Avatar for Kunii, Suguru sophiakunii
1
290
re:Invent2025 セッションレポ ~Spec-driven development with Kiro~
Avatar for NRI Netcom nrinetcom
PRO
2
170

Featured

See All Featured
The SEO identity crisis: Don't let AI make you average
Avatar for Varn varn
0
44
A Soul's Torment
Avatar for Nat Ma seathinner
1
2.1k
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
170
What the history of the web can teach us about the future of AI
Avatar for Ines Montani inesmontani
PRO
0
390
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
132
19k
The browser strikes back
Avatar for Jono Alderson jonoalderson
0
290
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
72
Claude Code のすすめ
Avatar for schroneko schroneko
67
210k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.3k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
10
770
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
33
1.5k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
2.9k

Transcript

  1. WAFͷϧʔϧͰ͋Δ OWASP ModSecurity Core Rule Set (CRS)Λ ࢖ͬͨՄࢹԽ·Ͱͷۤ࿑࿩ !EFMQIJO[ 08"41$POOFDU!'PMJP

  2. ໊લɿ Masahiro Tabataʢ@delphinzʣ
 
 ࢓ࣄɿγεςϜίϯαϧλϯτ 
 ηΩϡϦςΟ͸ͨ͠ͳΈఔ౓ झຯ͸ओʹङྌ࠾ूɻ
 BBQͰϚάϩͦͯ͠ಲΛ͞͹͖·͢ɻ MINI

    Hardening ӡӦϝϯόʔ(ϑΝγ Ϧςʔγϣϯʣ΍ͬͯ·͢♫ ࣗݾ঺հ ʹ+"84%":Ͱ08"41ͱ .*/*IBSEFOJOHΛએ఻தͷ༷ࢠ

  3. .*/*IBSEFOJOHͰฉ͍ͨ ʢݫ͍͠ʣ͝ҙݟɾཁ๬ ɾΠϚυΩ"QBDIFͱ͔࢖Θͳ͍͠ʔʂ ɾ8"'ͱ͔ೖͬͯͳ͍αʔϏε͋Γ·͔͢ʔʁ

  4. ΑΖ͍͠ ͳΒ͹OHJOY NPETFDVSJUZͩʂ

  5. NPETFDVSJUZʹ$34Λఴ͑ͯ .PETFDVSJUZ w .PE4FDVSJUZ͸Φʔϓϯιʔεͷ8FCΞϓϦέʔγϣϯϑΝΠΞ΢Υʔ ϧ 8"' Ͱɺ"QBDIFɺOHJOYɺ**4ͷϞδϡʔϧͱͯ͠ಈ࡞͢Δɻ
 ։ൃ͸4QJEFS-BCT͕ߦ͍ͬͯΔɻ
 IUUQTHJUIVCDPN4QJEFS-BCT.PE4FDVSJUZ 08"41NPETFDVSJUZ$PSF3VMF4FU

    w 08"41͕ఏڙ͢ΔNPETFDVSJUZ༻ͷ߈ܸΛݕ஌͢Δجຊతͳϧʔϧ ηοτ
 IUUQTXXXPXBTQPSHJOEFYQIQ$BUFHPSZ08"[email protected]@$PSF@3VMF@4FU@1SPKFDU 

  6. OHJOY NPETFDVSJZͷ᠘ w "QBDIFͷ৔߹͸΄ͱΜͲͷMJOVYύοέʔδͰެࣜఏڙ͞ Ε͍ͯΔɻ
 OHJOY͸ιʔε͔ΒͷϏϧυ͕ඞཁʂ w ެࣜͲ͏Γʹ΍ͬͯ΋ઈରʹೖΒͳ͍ʂ  CVJME࣌఺ͷϢʔβʔࢦఆ͕ඞཁ

     ύοέʔδ͕଍Γͳ͍ͱಈ͔ͳ͍ɻ
 ΤϥʔΛు͔ͳ͍ʢٽʣ

  7. ͓Αͦਓྨͷखʹෛ͑ͳ͍ ϩάग़ྗܗࣜ

  8. ՄࢹԽπʔϧΛࢼͯ͠ΈΔ w "VEJU$POTPMF
 NPETFDVSJUZͷϩάΛ؅ཧ͢ΔͨΊʹ࡞ΒΕͨ+BWBΞϓ Ϧέʔγϣϯ
 5PNDBU্ʹల։͞Εͯ8&#ϒϥ΢β͔Βϩάͷऩूɺ อଘɺϑΟϧλϦϯάͳͲͷػೳΛఏڙ͢Δɻ
 IUUQXXXKXBMMPSHXFCBVEJUDPOTPMFJOEFYKTQ

  9. ͜Ε΋"VEJU$POTPMFͷ᠘͔ w +BWB͸ܾΊଧͪɺެࣜͲ͓Γͩͱ͕ೖΓಈ͔ͳ͍ w SPPUҎԼʹ഑ஔ͠ͳ͍ͱϦΞϧλΠϜϩάऔࠐෆՄ w ϦΞϧλΠϜग़ྗʹඞཁͳNMPHDʢNPETFDVSJUZͷϩάग़ ྗπʔϧʣ͸BQBDIF൛ͷΈରԠɺOHJOY͸ඇରԠ w όονܗࣜͷ୅ସπʔϧ

    QFSM ΋OHJOY൛Ͱ͸ಈ͔ͳ͍ w BVEJUDPOTPMF͕ఏڙ͢Δϩάૹ৴πʔϧͰ୅༻
 ʢͨͩ͠ɺҰׅૹ৴Ͱࠩ෼ૹ৴Ͱ͖ͳ͍ʣ

  10. ແࣄʹՄࢹԽʹ੒ޭ͠·ͨ͠ʂ w ͱΓ͋͑ͣ.*/*IBSEFOJOHͰൃੜͨ͠NPETFDVSJZϩά ΛҰׅͰऔΓࠐΜͰΈΔͱ͜Μͳײ͡

  11. ͓·͚ɿ$34࡞ऀͷϫφ w 08"41ެࣜͷ$34ͷઆ໌ʹʮϥΠΞϯɾόʔωοτʯͷه ࡌ͋Γ w ʮϥΠΞϯɾόʔωοτʯͱ͍͑͹%%04ରࡦͷαʔϏεͰ
 ༗໊ͳ1SPMFYJDࣾʢͷͪʹ"LBNBJ͕ങऩʣͷ૑ۀऀ
 ʢৄࡉ͸ॻ੶ʮαΠόʔɾΫϥΠϜʯΛࢀরʣ

  12. ͡Όɺͳ͍ਓͩͬͨʂ

  13. ͓·͚ɿ$34࡞ऀͷϫφ w ޡΓ͸ʮ-ZPOʯਖ਼͘͠͸ʮ3ZBOʯͰͨ͠ɻ
 ϥΠΞϯɾόʔωοτͷ௲Γʹ஫ҙʂ
 ޡɿ ਖ਼ɿ ͪ͜Β͕$34ͷ࡞ऀͰͨ͠ʂ

  14. ݁࿦ɿPTTͷΈͰͷ8"'ೖ໳ ͸ਏ͍ɺֶ͕ͼ͸͋ͬͨ w 8"'ͷ࢓૊ΈΛ஌Δ͜ͱ͕Ͱ͖ͨɻ
 ঎༻8"'Λ࢖͑ͳ͍ਓ͸PTT͔ΒॳΊͯ΋ྑ͍͔΋ɻ w ݕ஌ઐ༻ͷઃఆʹͯ͠΍ΒΕαʔόΛ͍͡ΔͱͲΜͳΞΫηε͕ 8"'ʹҾ͔͔ͬΔ͔ݟΕΔɻ w ଞͷPTT8"'΋࣌ؒ

    ͱϞνϕʔγϣϯ ͕͋Ε͹ࢼͯ͠Έ͍ͨɻ w 7BHSBOU BOTJCMFͰॻ͍ͨͷͰHJUެ։͍ͨ͠ ͔΋  w ਖ਼͍͠࡞ऀ͕Θ͔ͬͨʂ

  15. ͪΐͬͱࠂ஌ .*/*IBSEFOJOH։࠵༧ఆ w ੈքॳʂʁɹςʔϚ͸ʮԾ૝௨՟ࢢ৔ΛकΓ͖Εʂʯ w ౦ژ!:BIPPͰ։࠵ɺͦͷޙෳ਺ճ։࠵༧ఆ
 ౦ژҎ֎Ͱ͸໊ݹ԰ɺେࡕͰͷ։࠵Λௐ੔த
 ଞͷ஍ҬͰͷ։࠵ཁ๬Λ͓଴͓ͪͯ͠Γ·͢ʂ w ࢀՃر๬ͷํ͸$POOQBTTΛνΣοΫ͍ͯͩ͘͠͞ɻ

    IUUQTNJOJIBSEFOJOHDPOOQBTTDPN

  16. "QQFOEJY w 8FC"QQMJDBUJPO'JSFXBMM 8"' ಡຊվగୈ̎൛
 IUUQTXXXJQBHPKQpMFTQEG
 w 08"41.PE4FDVSJUZ$PSF3VMF4FU3ZBO#BSOFUUQQU
 IUUQTXXXPXBTQPSHJOEFYQIQ 'JMF08"[email protected]@$PSF@3VMF@4FU3ZBO@#BSOFUUQQU