Apache mod security 3.1
1 like1,401 views
The document provides an overview of Apache Mod Security including regular expressions, rules usage, default actions, chained actions, persistent collections, transformation functions, and content validation. It discusses using regular expressions to match strings and define rules. It explains how to set default actions, chain rules together, and use persistent collections to store variables across transactions. Transformation functions and various validation techniques like validating byte ranges, DTDs, schemas, URL encoding, and UTF-8 encoding are also covered.
![Regular Expression Usage
Email Address Matching
b[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{2,4}b
IP Addresses Matching
b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-
9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-
9]|[01]?[0-9][0-9]?)b
Testing Tools: Regexpal.com, regular-expressions.info](https://image.slidesharecdn.com/apachemodsecurity-3-1-130223214155-phpapp02/85/Apache-mod-security-3-1-5-320.jpg)
Apache mod security 3.1
- 1. Apache Mod Security HAI, DINH VINAHOST
- 2. Agenda 1. Regular Expression 2. Rules Usage 3. Default Action 4. Chained Actions 5. Persistent Collection and examples 6. Transformation Function 7. Validate Contents
- 4. Regular Expression Usage Use to match mass strings of text, such as particular characters, words, or patterns of characters
- 5. Regular Expression Usage Email Address Matching b[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{2,4}b IP Addresses Matching b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0- 9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0- 9]|[01]?[0-9][0-9]?)b Testing Tools: Regexpal.com, regular-expressions.info
- 6. Rules Usage
- 7. Rules Usage Use “|” as “OR” logical expression SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUE ST_HEADERS: Referer "@validateByteRange 1-255“ "log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1“ Use “!” as “NOT” logical expression
- 8. Rules Usage Use Regular Expression to make a Rule SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content- Length header„ Use “:” to pick a variable from a Collection SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
- 10. Default Actions Use to set a Use “Default” Default “Default Behavior” SetDefaultAction Actions is of Apache Mod directive to add into phase:2, Security. If anything configuration file log, has not been auditlog, defined happen, pass Apache will apply Default Actions
- 11. Rules Usage SetDefaultAction phase:2,log,auditlog,pass. SecRule REQUEST_URI "abc" SecRule REQUEST_URI "abc" phase:2,log,auditlog,pass SecRule REQUEST_URI "abc" nolog SecRule REQUEST_URI "abc" phase:2,auditlog,pass
- 12. Chained Actions
- 13. Chained Actions Group Rules together Similar to “AND” logical expression in programming language Add “chain” action in every rule, except the last one Example: SecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog,deny,status:406" SecRule REQUEST_METHOD "GET" "t:none“
- 15. Persistent Collections TX Collection only exist in a transaction. After the data has been transfer Why completely, variables will be remove Persistent Collection? Persistent Collection can keep a record of variables through several transactions.
- 16. Persistent 1. Monitor user behavior based on IP Address Collections 2. Monitor Sessions 3. User behavior monitoring 4. Prevent Session Hijacking Attack 5. Detect Denial of Service (DoS) Attack 6. Detect Brute Force Attack
- 17. Persistent Collections IP SESSION USER Created by using Created by using Created by using initcol directive setsid directive setid directive Hold client address Hold session Hold user variables variables variables
- 18. Persistent Collections Define date directory first using SecDataDir directive For example: SecDataDir /etc/httpd/modsec_data
- 19. Persistent Collections Limit Request Rate example: SecAction initcol:ip=%{REMOTE_ADDR},pass,auditlog SecAction "phase:5,deprecatevar:ip.counter=1/1,pass,auditlog" SecRule IP:COUNTER "@gt 60" "phase:2,pause:300,deny,status:403,skip:1,nolog" SecAction "phase:2,pass,setvar:ip.counter=+1,nolog"
- 21. Transformation functions Mod Security match exactly strings and variables Transformation function will transform different string formats into a single string
- 22. Transformation functions By default, there are: lowercase replaceNull compressWhitespace
- 24. Validate Contents Check the validation of HTTP Requests @validateByteRang @validateDTD @validateSchema @validatUrlEncodin @validateUtf8Encod e g ing Validate Byte Validate XML files Validate XML files Validate URL Validate UTF-8 Range by DTD by Schema Encoding Encoding
- 25. Validate Contents Validate Byte Range @validateByteRang @validateDTD @validateSchema @validatUrlEncodin @validateUtf8Encod e g ing Validate Byte Validate XML files Validate XML files Validate URL Validate UTF-8 Range by DTD by Schema Encoding Encoding
- 26. Validate Byte Range Allow number only in Content field of Request Header SecRule REQUEST_HEADERS:Content "@validateByteRange 48-57“ "phase:4,deny,log,status:403“
- 27. Validate Contents Validate XML files by DTD (Document Type Definition) @validateByteRang @validateDTD @validateSchema @validatUrlEncodin @validateUtf8Encod e g ing Validate Byte Validate XML files Validate XML files Validate URL Validate UTF-8 Range by DTD by Schema Encoding Encoding
- 28. Validate DTD A Document Type Definition (DTD) is a set of markup declarations that define a document type for an SGML-family markup language (SGML, XML, HTML). It‟s define what components should be included and their format
- 29. Validate Contents Validate XML files by Schema @validateByteRang @validateDTD @validateSchema @validatUrlEncodin @validateUtf8Encod e g ing Validate Byte Validate XML files Validate XML files Validate URL Validate UTF-8 Range by DTD by Schema Encoding Encoding
- 30. Validate Schema DTD supports only PCDATA and CDATA format. Schema supports detailed descriptions about data in XML files. For example: string, normalizedString, integer, positiveInteger
- 31. Validate Contents Validate URL Encoding @validateByteRang @validateDTD @validateSchema @validatUrlEncodin @validateUtf8Encod e g ing Validate Byte Validate XML files Validate XML files Validate URL Validate UTF-8 Range by DTD by Schema Encoding Encoding
- 32. Validate URL Encoding RFC 1738 only allow ASCII in a URL HTML: supports ISO-8859-1 (ISO-Latin) HTML4: Supports Unicode characters
- 33. Validate Contents Validate UTF-8 Encoding @validateByteRang @validateDTD @validateSchema @validatUrlEncodin @validateUtf8Encod e g ing Validate Byte Validate XML files Validate XML files Validate URL Validate UTF-8 Range by DTD by Schema Encoding Encoding
- 34. Validate UTF-8 Encoding UTF-8 is used on almost every webservers to encode strings and compatible with ASCII SecRule ARGS "@validateUtf8Encoding"
- 35. Demonstrations
- 36. Steps
- 37. Thanks for joining with me!
Editor's Notes
- #5: Testbằngtrang regexpal.com
- #14: Disruptive Actions: allow, block, deny, drop, pass, proxy, redirectSecRule REQUEST_HEADERS "haidinhtuan" "chain,phase:2,nolog"SecRule REQUEST_METHOD "GET" "t:none, deny,status:406“
- #16: Mởlại file config, phần TX collectionTế Segoe UI vẫncóthểsửdungjchotiếngviêtk
- #20: Demotrựctiếp