Re: [mod-security-users] inclusive filter rule set "default deny all mode"
From: Ryan B. <rcb...@gm...> - 2006-04-08 14:13:41
Joe,

The short answer is yes, you can create whitelist/positive (or as the term you used - inclusive) filters with mod_security by using the inverted rulesets (http://www.modsecurity.org/documentation/modsecurity-apache/stable/04-rules.html#N103C4). These rules essentially mean match the regular expression that "doesn't" match this string.

For some examples, you can take a look at the free chapter from my book - Preventing Web Attacks with Apache - http://www.informit.com/articles/article.asp?p=442984

In this chapter, I give examples of how to mitigate the WASC Web Security Threat Classification with Apache (and mod_security). Many of the examples I present use inverted mod_security filters. Here is one example -

Apache Countermeasures for SQL Injection Attacks

SQL Injection is best solved through two practices: Input Validation and Stored Procedures with parameterized queries. Input validation is a practice that will prevent SQL Injection exploits as well as a multitude of other application attacks. This process should be followed for all applications, not just those that use SQL queries. Using stored procedures for SQL queries ensures that the user input is not executed as part of the SQL query. (Note: Make sure to use parameterized queries to ensure that the stored procedure itself is not vulnerable to SQL Injection.) The following recommendations will help prevent successful SQL Injection attacks.

User-Input Sanitization Checking

The best way to filter data is with a default-deny regular expression that includes only the type of data the web application expects to receive.

Character-Set and Length Restriction

Restrict the valid types of characters a user may submit to a web application. Using regular expressions, make the input filters as strict as possible with anchors at the beginning and end. Table 7.1 lists some example regular expressions and their meaning.
Table 7.1 Example Regular Expressions and Their Meaning

  Regular Expression           Purpose of Expression
  /^[a-zA-Z]{1,10}$/           Only allow letters with a length restriction between 1 and 10 characters.
  /^[a-zA-Z0-9]{1,10}$/        Allow letters and numbers with a length restriction between 1 and 10 characters.
  /^[a-zA-Z0-9\.@!]{1,10}$/    Allow letters, numbers, and some punctuation with a length restriction between 1 and 10 characters.

The following is an example of using these regular expressions with Mod_Security to protect the ID parameter for the article.asp page from earlier:

  SecFilterSelective SCRIPT_FILENAME "article.asp" chain
  SecFilterSelective ARG_ID "!^[a-zA-Z0-9\.@!]{1,10}$"

If for some reason you cannot take that approach and must instead use a "deny-what-is-bad" method, then at minimum remove or escape single quotes ('), semicolons (;), dashes/hyphens (-), and parentheses ("()").

Hope this helps.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 4/8/06, joe barbish <joe...@ya...> wrote:
>
> My Apache server came under attack starting April Fools' Day. I first noticed
> my ipfilter inclusive firewall logging outbound packets on the default
> deny all rule. Checking the http-access.log I saw these requests being
> serviced by my server.
>
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:25 -0400] "\x04\x01" 200 0 "-" "-"
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "\x05\x01" 200 0 "-" "-"
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:45 -0400] "CONNECT 4.79.181.15:25 HTTP/1.1" 200 7014 "-" "-"
> 218-166-163-180.dynamic.hinet.net - - [06/Apr/2006:10:11:46 -0400] "GET http://www.ebay.com/ HTTP/1.1" 200 7014 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
>
> I posted a msg on the freebsd questions list and someone suggested I look at
> mod_security. At first review I was interested enough to install the freebsd
> port of the software. As I read the manual, slowly I began to realize
> something was absent.
>
> The mod_security home page calls mod_security a web application firewall.
>
> In software firewalls there are 2 different types of filter rule sets:
> the exclusive firewall and the inclusive firewall.
>
> An exclusive firewall allows all services through except for those matching
> a set of rules that block certain services.
>
> An inclusive firewall does the reverse. It only allows services matching the
> rules through and blocks everything else. Inclusive firewalls are much,
> much safer than exclusive firewalls.
>
> Now applying that to the mod_security filter rules I see explained in the
> manual and the examples provided at the mod_security home page, it becomes
> very obvious that all the mod_security filter rules are of the exclusive
> type.
>
> My web application is very vanilla. It uses html and php for a counter of
> page hits. It has no upload function, but does have a download function
> launched from a link. No URLs have any embedded tags.
>
> So I am interested in writing mod_security filter rules in reverse.
> Basically I want to say deny everything except the GET requests for the
> files.htm or files.php names I see in the HTTP-access log for normal valid
> usage of my web application. This sure would be a shorter filter include
> file than including all the includes necessary to specify all the different
> variations of attack request strings.
>
> Is there any example of how to accomplish building an inclusive mod_security
> filter rules file?
>
> Maybe the next question should be: is this even possible?
>
> And if not, then why not, and can it be changed to take the inclusive
> approach as well as the current exclusive approach?
>
> If mod_security is going to be called a web application firewall then it
> needs to be able to do both inclusive and exclusive filter rule
> configurations.
>
> If it's indeed possible to build an inclusive filter rule set, I have a
> workbench development website that I can use to be the test vehicle. Would
> need the filter rules to specify deny everything and one filter rule for
> accepting the GET file.html request.
>
> Thanks for your help
> Joe
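A complete inclusive rule file of the kind asked for above, written here as an added example in the ModSecurity 1.9.x SecFilter* syntax that the reply uses; it is not from the original posts or from the book chapter. The page names (index.html, files.htm, counter.php, download.php), the single "file" parameter on the download link and its allowed extensions are assumptions standing in for whatever the access log shows for normal use. One check before writing rules: a CONNECT to port 25 and an absolute-URI GET both logged as 200 with a 7014-byte body look like mod_proxy answering them, so if ProxyRequests is On it should be turned Off first; the rules below are a second layer, not a replacement for that.

```apache
# Inclusive ("default deny") rule set, ModSecurity 1.9.x SecFilter* syntax.
# Every rule is an inverted match: it fires on anything that is NOT in the
# allowed set, and SecFilterDefaultAction turns each match into a 403.
# Assumed site contents (replace with the names seen in access_log):
#   /index.html  /files.htm  /counter.php  /download.php?file=<name>.<ext>
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    # Reject parameters carrying non-printable bytes such as the \x04\x01
    # seen in the log (printable ASCII only).
    SecFilterForceByteRange 32 126
    # Anything not explicitly allowed below is denied and logged.
    SecFilterDefaultAction "deny,log,status:403"
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # 1. A read-only site needs only GET and HEAD. CONNECT, POST, OPTIONS
    #    and garbage methods all fail the anchored match and are denied.
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$"

    # 2. Only the known pages (and the site root) may be requested. The
    #    leading "/" and the anchors mean a proxy-style request such as
    #    "GET http://www.ebay.com/" does not match and is denied. The
    #    optional "(\?.*)?" tolerates a query string, which rules 3 and 4
    #    then constrain.
    SecFilterSelective REQUEST_URI "!^/(index\.html|files\.htm|counter\.php|download\.php)?(\?.*)?$"

    # 3. The download link passes exactly one parameter, "file", and its
    #    value must be a plain file name: no slashes, no dots except the
    #    extension, so ../ traversal cannot be expressed at all.
    SecFilterSelective REQUEST_URI "^/download\.php" chain
    SecFilterSelective ARGS_NAMES "!^file$"

    SecFilterSelective REQUEST_URI "^/download\.php" chain
    SecFilterSelective ARG_file "!^[a-zA-Z0-9_-]{1,32}\.(pdf|zip|txt)$"

    # 4. No other page takes parameters at all.
    SecFilterSelective REQUEST_URI "!^/download\.php" chain
    SecFilterSelective ARGS_COUNT "!^0$"
</IfModule>
```

The rules are independent, so their order does not matter; a request is denied as soon as any one of them fires. To verify on the workbench site: a GET for a listed page should return 200, "GET /index.html?x=1" should return 403 from rule 4, a POST should return 403 from rule 1, and the audit_log entry names the rule that fired. If the set of pages is too large to list, rule 2 can be loosened to a shape rather than a list, e.g. "!^/[a-zA-Z0-9_-]{1,32}\.(htm|html|php)$", which is still inclusive because everything outside that shape is refused.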