New Apache Module For Web Intrusion Detection

New Apache Module For Web Intrusion Detection 49

Posted by timothy on Sunday October 19, 2003 @09:19AM from the driven-by-the-forces-of-evil dept.

ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."

New Apache Module For Web Intrusion Detection

This discussion has been archived. No new comments can be posted.

Load All Comments

Search 49 Comments Log In/Create an Account

Comments Filter:

Null evasion vs. anti null evasion (Score:4, Informative)

by MarkusQ ( 450076 ) writes: on Sunday October 19, 2003 @10:57AM (#7253882) Journal

new null-byte attack anti-evasion code
Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?
-- MarkusQ

- Re:Null evasion vs. anti null evasion (Score:2)
  
  by Havokmon ( 89874 ) writes:
  
  new null-byte attack anti-evasion code
  
  Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?
  Beats me.. I'm still stuck on what kind of harm an attack that sends no bytes can do. ;)
- Re:Null evasion vs. anti null evasion (Score:1)
  
  by lizardb0y ( 149142 ) writes:
  
  Try this from the modsecurity website:
  
  Anti-evasion techniques; paths and parameters are normalised before analysis takes place in order to fight evasion techniques.
  
  Anti-(parse evasion by using NULL bytes in strings); Now it starts to make sense.
- Re:Apache Problems (Score:1)
  
  by Gunfighter ( 1944 ) writes:
  
  What makes you think it's Apache and not something else like... say... hardware? PHP? Perl?
  - Re:Apache Problems (Score:2)
    
    by kalidasa ( 577403 ) * writes:
    
    YHBT. Run a diff on this versus the "Apple" fanatics troll that always shows up on Apple stories. It's close enough to be a madlib.
- Old trolls never die (Score:2)
  
  by bheerssen ( 534014 ) writes:
  
  They just find a new bridge to hang out under. Looks like this one figured out how to use the search-and-replace feature.
This sounds like a great idea. (Score:2)

by daviddennis ( 10926 ) writes:

To try and pull the subject away from the usual trolls, this sounds like something I really need on my web server.

Has anyone tried it? Any success or failure stories?

D
- Re:This sounds like a great idea. (Score:5, Interesting)
  
  by digitalsushi ( 137809 ) * writes: <slashdot@digitalsushi.com> on Sunday October 19, 2003 @01:34PM (#7254685) Journal
  
  I am using 1.7RC1. I'm using it for just one feature -- SecServerSignature. Lets you change the reported server type. I changed mine to Microsoft-IIS/2.0. In my built in status handler that shows me all the hits as they're being served live, I almost always have one request in there that is trying to send a buffer overflow to default.ida. That behavior changed the same day I flipped my reported server type over. Always amazes me how little time it takes!
  
  - Re:This sounds like a great idea. (Score:5, Informative)
    
    by bill_mcgonigle ( 4333 ) writes: on Monday October 20, 2003 @01:45PM (#7261761) Homepage Journal
    
    For those who don't have mod_security, a good thing to put in your httpd.conf is:
    
    ServerTokens ProductOnly
    
    so your HTTP response looks like:
    
    HTTP/1.1 200 OK Date: Mon, 20 Oct 2003 17:23:13 GMT Server: Apache
    
    instead of:
    
    HTTP/1.1 200 OK Date: Mon, 20 Oct 2003 17:23:13 GMT Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 mod_ssl/2.8.2 OpenSSL/0.9.8
    
    That's just way too much information to tell the world.
    
    - Re:This sounds like a great idea. (Score:2, Interesting)
      
      by WebProwler ( 587111 ) writes:
      
      Whilst at it, you can also include this: ServerSignature Off This line tells Apache not to display server version and virtual host name in server-generated pages. And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.
      - Re:This sounds like a great idea. (Score:3, Informative)
        
        by Mr_Perl ( 142164 ) writes:
        
        And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.
        
        Or, for the rest of us who know how to configure apache...
        
        Options -Indexes
        
        in apache.conf (or wherever apache -V says the conf is)
  - Re:This sounds like a great idea. (Score:2)
    
    by realdpk ( 116490 ) writes:
    
    I don't understand. You changed it to IIS/2.0, and now you get those default.ida hits? I've been seeing the default.ida hits for quite a long time on my Apache logs. What changed after you updated the ServerSignature?
    - Re:This sounds like a great idea. (Score:2)
      
      by digitalsushi ( 137809 ) * writes:
      
      the frequency increased tenfold. (ish)
- Re:This sounds like a great idea. (Score:3, Informative)
  
  by GreenHell ( 209242 ) writes:
  
  I use 1.6, haven't upgraded to 1.7 yet.
  
  I enjoy it. Among other things, it lets me block people using empty user agents and empty host header fields, which tend to mainly be people trying to perform a variety of exploits on my server.
  - Re:This sounds like a great idea. (Score:1, Interesting)
    
    by Anonymous Coward writes:
    
    But couldn't you also do this with .htaccess? Anyway, the module sounds interesting... have to check it out!
    
    Tels
is this a better form of intrusion detection... (Score:3, Interesting)

by bluethundr ( 562578 ) * writes: on Monday October 20, 2003 @09:06PM (#7266022) Homepage Journal

than snort? easier to setup?

"powerful umbrella shielding apps from attacks" (Score:2)

by brlewis ( 214632 ) writes:

The article's description of mod_security as a "powerful umbrella shielding applications from attacks" seems to oversell it. If you have a known app with a known exploit, you can use mod_security instead of fixing the app. But even the mod_security docs themselves say it's better to fix the app.

For apps which accept arbitrary text input (most do!) a general filter against, e.g. "insert into", is a bad idea? This slashdot post includes those two words together; you have to be specific about which inputs
- Designed by the Penguin, of course (Score:1)
  
  by Medievalist ( 16032 ) writes:
  
  "The Bat-sploits of the Masked Meddlers will rebound from my giant electronic umbrella!! Nyah, nyah!"
  
  http://members.tripod.com/~AdamWest/peng.htm
- Re:"powerful umbrella shielding apps from attacks" (Score:2)
  
  by MattBurke ( 58682 ) writes:
  
  Ahh, but this sounds like (I haven't read up on it yet) the sort of thing I'd be glad to slap on an apache proxy between the world and an IIS box running badly written yet essential commercial web applications.
Another neat module I've never heard of before... (Score:2)

by WoTG ( 610710 ) writes:

I had to browse the site to see what this does, this overview page [modsecurity.org] was good.

It reminds me of URLScan [microsoft.com] for MS's IIS - but with extra features.
For those who don't want to do this on the server (Score:1)

by jjeffrey ( 558890 ) writes:

...you can of course spin up Apache on another box, preferably not the firewall, and set it up in proxy mode to forward the requests. Though this generates some SSL issues. Mabye you could even use mod_balance and have a security appliance / load balancer?

Of course Checkpoint already offer this functionality in FW-1 NG to a limited degree, and Netscreen are introducing it across their range as a free update (for those with a software subscription) in ScreenOS 5 later this year or early next.
- Re:For those who don't want to do this on the serv (Score:1)
  
  by Tinidril ( 685966 ) writes:
  
  Speaking as a bruised and bloody firewall administrator, implementing anything above layer-3 on a large firewall deployment is a bad idea. I am assuming by the use of Firewall-1 that this is a large deployment.
  
  Many of the firewalls I have been involved with support 10-50 applications, or sometimes even more. When it comes time to do an upgrade I don't have time to properly investigate how the next version of firewall code might affect or be affected by features of each application. This is especialy tr
- Re:For those who don't want to do this on the serv (Score:1)
  
  by cpghost ( 719344 ) writes:
  
  Or run Apache in chroot()ed environment. Or even better in a FreeBSD jail. Anyone done that? Experiences?
- Re:For those who don't want to do this on the serv (Score:1)
  
  by ivan.ristic ( 631774 ) writes:
  
  I have recently written an article for SecurityFocus on how mod_security can be used as part of a Apache reverse proxy: Web Security Appliance With Apache and mod_security [securityfocus.com]
mod_security evaluation by Tegatai Systems (Score:1)

by konduct ( 691763 ) writes:

Tegatai Systems [tegatai.com] has been using mod_security [modsecurity.org] in its development labs recently. It has been determined through white and blackbox testing that mod_security needs more work before it will be stable enough for wide-spread production use.
- Re:mod_security evaluation by Tegatai Systems (Score:1)
  
  by ivan.ristic ( 631774 ) writes:
  
  I am not aware of any stability problems with mod_security. It works very well for my production systems. Tegatai Systems may have different environment and it may be that there are problems. But if there are, you should inform me about them so that they are resolved.
Similar to Microsoft's URLScan... (Score:1)

by sk3tch ( 165010 ) writes:

http://www.microsoft.com/technet/security/tools/ur lscan.asp [microsoft.com]

Nice to see Apache adding this functionality. As a web admin, the availability of another layer of security is always appreciated.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

New Apache Module For Web Intrusion Detection 49

New Apache Module For Web Intrusion Detection More Login

New Apache Module For Web Intrusion Detection

Null evasion vs. anti null evasion (Score:4, Informative)

Re:Null evasion vs. anti null evasion (Score:2)

Re:Null evasion vs. anti null evasion (Score:1)

Re:Apache Problems (Score:1)

Re:Apache Problems (Score:2)

Old trolls never die (Score:2)

This sounds like a great idea. (Score:2)

Re:This sounds like a great idea. (Score:5, Interesting)

Re:This sounds like a great idea. (Score:5, Informative)

Re:This sounds like a great idea. (Score:2, Interesting)

Re:This sounds like a great idea. (Score:3, Informative)

Re:This sounds like a great idea. (Score:2)

Re:This sounds like a great idea. (Score:2)

Re:This sounds like a great idea. (Score:3, Informative)

Re:This sounds like a great idea. (Score:1, Interesting)

is this a better form of intrusion detection... (Score:3, Interesting)

"powerful umbrella shielding apps from attacks" (Score:2)

Designed by the Penguin, of course (Score:1)

Re:"powerful umbrella shielding apps from attacks" (Score:2)

Another neat module I've never heard of before... (Score:2)

For those who don't want to do this on the server (Score:1)

Re:For those who don't want to do this on the serv (Score:1)

Re:For those who don't want to do this on the serv (Score:1)

Re:For those who don't want to do this on the serv (Score:1)

mod_security evaluation by Tegatai Systems (Score:1)

Re:mod_security evaluation by Tegatai Systems (Score:1)

Similar to Microsoft's URLScan... (Score:1)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot