
Modsecurity - NSM - Security Bootcamp 2014

Security Bootcamp 2014 - Da Nang - Vietnam

-
Ryan C. Barnett @Blackhat Arsenal 2014

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.

-
The Elasticsearch ELK Stack

By combining the massively popular Elasticsearch, Logstash and Kibana we have created an end-to-end stack that delivers actionable insights in real-time from almost any type of structured and unstructured data source. Built and supported by the engineers behind each of these open source products, the Elasticsearch ELK stack makes searching and analyzing data easier than ever before.
Use it as a stand-alone application to provide strategic business insights, or integrate it with your existing applications to power their interactions with incoming data. Thousands of organizations worldwide use the Elasticsearch ELK stack for an endless variety of business critical functions.

http://www.elasticsearch.org/overview/


Tam Quan Minh

October 22, 2014


Transcript

  1. ModSecurity
    Ryan C. Barnett, Blackhat Arsenal 2014: ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
  2. Surviving D-Day: Omaha Beach 1944
    • Fake tank
    • Fake aircraft
    • Fake Napoli (Egypt)
    • Fake ……
  3. Real-time Application Profiling
    • Request method(s)
    • Number of parameters (minimum/maximum range)
    • Parameter names
    • Parameter lengths (minimum/maximum range)
    • Parameter types:
      • Flag (such as /path/to/foo.php?param)
      • Digits (such as /path/to/foo.php?param=1234)
      • Alpha (such as /path/to/foo.php?param=abcd)
      • Alphanumeric (such as /path/to/foo.php?param=abcd1234)
      • E-mail (such as /path/to/[email protected])
      • Path (such as /path/to/foo.php?param=/dir/somefile.txt)
      • URL (such as /path/to/foo.php?param=http://somehost/dir/file.txt)
      • SafeText (such as /path/to/foo.php?param=some_data-12)
  4. Real-time Application Profiling
    ModSecurity Reference Manual¹
    • Lua API support
    • SecRuleScript directive
    • initcol action
    • RESOURCE persistent storage
    OWASP ModSecurity Core Rule Set²
    • modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf
    • modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf
    • modsecurity_crs_40_appsensor_detection_point_3.0_end.conf
    • appsensor_request_exception_profile.lua
  5. Real-time Application Profiling
    enforce_ARGS:author_length_max = 15
    enforce_ARGS:author_length_min = 10
    enforce_ARGS:comment_length_max = 54
    enforce_ARGS:comment_length_min = 37
    enforce_ARGS:comment_post_ID_length_max = 3
    enforce_ARGS:comment_post_ID_length_min = 1
    enforce_ARGS:email_length_max = 30
    enforce_ARGS:email_length_min = 14
    enforce_ARGS:submit_length_max = 14
    enforce_ARGS:submit_length_min = 14
    enforce_ARGS:url_length_max = 35
    enforce_ARGS:url_length_min = 26
    enforce_args_names = author, email, url, comment, submit, comment_post_ID
    enforce_charclass_digits = ARGS:comment_post_ID
  6. 4 scenarios
    • If the HTTP response code is 404, the resource doesn't exist. In this case, not only do we skip the profiling, but we also remove the resource key, so we delete the persistent storage. This is achieved by using the setvar:!resource.KEY action.
    • If the HTTP response code is either level 4xx or level 5xx, the application says something is wrong with the transaction, so we won't profile it in this case either.
    • The OWASP ModSecurity Core Rule Set (CRS) can use anomaly scoring. We can check this transactional anomaly score. If it is anything other than 0, we should skip profiling.
    • Finally, if we have already seen enough traffic for our profiling model and are currently in enforcement mode, we skip profiling.
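The profiling pipeline from slides 5 and 6, as an added example that is not from the deck or from the CRS Lua scripts: the profile values are copied from slide 5, the four skip conditions follow slide 6, and the sample request arguments are constructed.

```python
# Added example, not from the deck or the CRS Lua scripts: the profile values
# are copied from the slide; the request arguments below are constructed.
PROFILE = {
    "args_names": {"author", "email", "url", "comment", "submit", "comment_post_ID"},
    "length": {  # enforce_ARGS:<name>_length_min / _max from the slide
        "author": (10, 15), "comment": (37, 54), "comment_post_ID": (1, 3),
        "email": (14, 30), "submit": (14, 14), "url": (26, 35),
    },
    "charclass_digits": {"comment_post_ID"},  # enforce_charclass_digits
}

def should_profile(status, anomaly_score, enforcing):
    """Apply the four scenarios; returns (profile_this_txn, delete_resource)."""
    if status == 404:           # resource does not exist: drop its RESOURCE storage
        return False, True
    if 400 <= status <= 599:    # application reported an error
        return False, False
    if anomaly_score != 0:      # CRS anomaly score is non-zero
        return False, False
    if enforcing:               # model complete, now in enforcement mode
        return False, False
    return True, False

def check_request(args, profile):
    """Enforcement mode: compare ARGS with the learned profile, return violations."""
    violations = []
    for name, value in args.items():
        if name not in profile["args_names"]:
            violations.append(f"unexpected parameter: {name}")
            continue
        lo, hi = profile["length"][name]
        if not lo <= len(value) <= hi:
            violations.append(f"{name}: length {len(value)} outside {lo}-{hi}")
        if name in profile["charclass_digits"] and not value.isdigit():
            violations.append(f"{name}: expected digits only")
    return violations

# Constructed sample requests (not from the deck)
GOOD_ARGS = {
    "author": "Tam Quan Minh", "email": "tam@example.com",
    "url": "http://example.com/blog/post",
    "comment": "This is a constructed comment of the right length.",
    "submit": "Submit Comment", "comment_post_ID": "42",
}
BAD_ARGS = dict(GOOD_ARGS, comment_post_ID="42abc", debug="1")

if __name__ == "__main__":
    print(check_request(BAD_ARGS, PROFILE))
```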
  7. Hacker Traps
    • Unused Web Ports
    • Fake robots.txt Disallow Entries
    • Fake HTML comments
    • Fake hidden form fields
    • Fake cookies
  8. Correlation
    • Did an inbound attack occur?
    • Did an HTTP response status code error (4xx/5xx level) occur?
    • Did an application information leakage event occur?
  9. Correlation
    If an inbound attack was detected, and either an outbound application status code error or information leakage event was detected, the overall event severity is raised to one of the following:
    • 0, EMERGENCY, is generated from correlation of anomaly scoring data where an inbound attack and an outbound leakage exist.
    • 1, ALERT, is generated from correlation where an inbound attack and an outbound application-level error exist.
  10. Detecting Malicious Links
    • URI Blacklist RBL⁶
    • Google's Safe Browsing API⁷
    • ModSecurity
      • @rbl operator
      • @gsbLookup operator
      • @rsub operator
      • SecGsbLookupDb directive
      • SecStreamOutBodyInspection directive
      • SecContentInjection directive
      • STREAM_OUTPUT_BODY variable
  11. Best-Fit Mapping
    %u3008scr%u0131pt%u3009%u212fval(%uFF07al%u212Frt(%22XSS%22)%u02C8)%u2329/scr%u0131pt%u232A
    〈 (0x2329) ~= < (0x3c)
    〈 (0x3008) ~= < (0x3c)
    ＜ (0xff1c) ~= < (0x3c)
    ʹ (0x2b9) ~= ' (0x27)
    ʼ (0x2bc) ~= ' (0x27)
    ˈ (0x2c8) ~= ' (0x27)
    ′ (0x2032) ~= ' (0x27)
    ＇ (0xff07) ~= ' (0x27)
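Decoding and best-fit mapping the slide's payload before a signature check, as an added example that is not code from the deck or from ModSecurity. The %uXXXX decoding stands in for t:urlDecodeUni; the mapping table takes the slide's entries and adds a few assumed ones (closing brackets, dotless i, script small e) that are marked as assumptions in the code.

```python
import re

# Added example (not from the deck): Best-Fit mapping applied to the slide's
# payload. Entries marked "slide" are the slide's table; the rest are assumed.
BEST_FIT = {
    0x2329: "<", 0x3008: "<", 0xFF1C: "<",                            # slide
    0x02B9: "'", 0x02BC: "'", 0x02C8: "'", 0x2032: "'", 0xFF07: "'",  # slide
    0x232A: ">", 0x3009: ">", 0xFF1E: ">",   # assumed: closing-bracket counterparts
    0x0131: "i", 0x212F: "e",                # assumed: dotless i, script small e
}

_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def url_decode_uni(s):
    """Decode %XX and IIS-style %uXXXX escapes (what t:urlDecodeUni does)."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def best_fit(s):
    """Replace look-alike code points with the ASCII character they map to."""
    return "".join(BEST_FIT.get(ord(c), c) for c in s)

XSS_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

def looks_like_xss(raw):
    """Signature check after decoding and best-fit mapping."""
    return XSS_RE.search(best_fit(url_decode_uni(raw))) is not None

# The payload from the slide
PAYLOAD = ("%u3008scr%u0131pt%u3009%u212fval(%uFF07al%u212Frt(%22XSS%22)"
           "%u02C8)%u2329/scr%u0131pt%u232A")

if __name__ == "__main__":
    # Without the best-fit step the decoded string contains no ASCII '<'
    print(url_decode_uni(PAYLOAD))
    print(best_fit(url_decode_uni(PAYLOAD)))
```

The point of the two prints is the detection gap: the same signature misses the decoded string and only matches once the look-alike code points are folded to ASCII, which is how the back-end will read them.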
  12. Passive OS fingerprinting
    GET / HTTP/1.0
    Accept: */*
    Accept-Language: en
    Referer: http://www.hoic_target_site.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)
    If-Modified-Since: Sat, 29 Oct 1994 11:59:59 GMT
    Host: www.hoic_target_site.com
  13. Passive OS fingerprinting
    SecRule REQUEST_HEADERS_NAMES ".*" "chain,phase:1,t:none,log,block,msg:'Request Header Anomaly - Host Header Listed Last.',setvar:'tx.header_order=%{tx.header_order}, %{matched_var}'"
      SecRule TX:HEADER_ORDER "@endsWith , Host"
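The header-order check from the rule chain above, as an added Python example that is not from the deck: it builds tx.header_order the way the setvar does and applies the @endsWith test. The first request is constructed after the HOIC request on slide 12; the second is a constructed typical browser request.

```python
# Added example (not from the deck): header-order anomaly from the SecRule
# chain, run over constructed requests.
HOIC_REQUEST = (  # constructed after the HOIC request shown on the slide
    "GET / HTTP/1.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en\r\n"
    "Referer: http://www.hoic_target_site.com/\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\n"
    "If-Modified-Since: Sat, 29 Oct 1994 11:59:59 GMT\r\n"
    "Host: www.hoic_target_site.com\r\n"
    "\r\n"
)

BROWSER_REQUEST = (  # constructed: a typical browser sends Host early, Connection last
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

def request_header_names(raw):
    """REQUEST_HEADERS_NAMES: header names in the order the client sent them."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]

def header_order(raw):
    """Build tx.header_order exactly as the rule's setvar does: ', name' per header."""
    order = ""
    for name in request_header_names(raw):
        order = f"{order}, {name}"
    return order

def host_listed_last(raw):
    """The chained rule: TX:HEADER_ORDER @endsWith ', Host'."""
    return header_order(raw).endswith(", Host")

if __name__ == "__main__":
    for label, req in (("hoic", HOIC_REQUEST), ("browser", BROWSER_REQUEST)):
        print(label, header_order(req), host_listed_last(req))
```

Header order is client-specific, so this works best as one fingerprinting signal scored alongside others rather than as a standalone block decision.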
  14. 7. Detecting Page Title Changes
    Lua API
    • appsensor_response_profile.lua
    • appsensor_response_enforce.lua
  15. Web Client Device Fingerprinting
    • Current screen size
    • Time zones
    • Browser plug-ins
    • Language settings
  16. NSM: Logstash, Elasticsearch, Kibana
    • No code required
    • Real-time analysis of streaming data
    • Highly scalable
    • Open source, community driven
  17. NSM
    Logstash is a free tool for managing events and logs. It has three primary components, an Input module for collecting logs from various sources
    ElasticSearch is this awesome distributable, RESTful, free Lucene-powered search engine/server. Unlike SOLR, ES is very simple to use and maintain, and similar to SOLR, indexing is near real-time.
    Kibana is a presentation layer that sits on top of Elasticsearch to analyze and make sense of the logs that Logstash throws into Elasticsearch; Kibana is a highly scalable interface for Logstash and ElasticSearch that allows you to efficiently search, graph, analyze and otherwise make sense of a mountain of logs.