New Apache Module For Web Intrusion Detection
ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."
Null evasion vs. anti null evasion (Score:4, Informative)
new null-byte attack anti-evasion code
Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?
-- MarkusQ
Re:Null evasion vs. anti null evasion (Score:2)
Beats me.. I'm still stuck on what kind of harm an attack that sends no bytes can do. ;)
Re:Null evasion vs. anti null evasion (Score:1)
Try this from the modsecurity website:
Anti-evasion techniques; paths and parameters are normalised before analysis takes place in order to fight evasion techniques.
Anti-(parse evasion by using NULL bytes in strings); Now it starts to make sense.
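The normalisation step discussed in the comment above, as an added example (not part of the thread and not mod_security's own code): a filter that treats decoded input as a C string stops at an embedded 0x00 byte, while one that normalises first sees the whole value. The function names, the constructed sample input and the choice to replace NUL bytes with spaces are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes).
   Returns the decoded length, which may include embedded 0x00 bytes. */
static size_t url_decode(const char *src, char *dst) {
    size_t n = 0;
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = (*src == '+') ? ' ' : *src;
            src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Naive filter: strstr() stops scanning at the first embedded NUL. */
static int naive_match(const char *raw, const char *needle) {
    char buf[256];
    if (strlen(raw) >= sizeof buf) return 1; /* oversize: treat as a hit */
    url_decode(raw, buf);
    return strstr(buf, needle) != NULL;
}

/* Normalising filter: uses the real decoded length and turns each
   embedded NUL into a space before matching (assumed normalisation). */
static int normalised_match(const char *raw, const char *needle) {
    char buf[256];
    if (strlen(raw) >= sizeof buf) return 1; /* oversize: treat as a hit */
    size_t n = url_decode(raw, buf);
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\0') buf[i] = ' ';
    return strstr(buf, needle) != NULL;
}

int main(void) {
    const char *sample = "q=abc%00insert+into"; /* constructed input */
    printf("naive=%d normalised=%d\n", naive_match(sample, "insert into"),
           normalised_match(sample, "insert into"));
    return 0;
}
```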
Re:Apache Problems (Score:1)
Re:Apache Problems (Score:2)
Old trolls never die (Score:2)
This sounds like a great idea. (Score:2)
Has anyone tried it? Any success or failure stories?
D
Re:This sounds like a great idea. (Score:5, Interesting)
Re:This sounds like a great idea. (Score:5, Informative)
ServerTokens ProductOnly
so your HTTP response looks like:
HTTP/1.1 200 OK
Date: Mon, 20 Oct 2003 17:23:13 GMT
Server: Apache
instead of:
HTTP/1.1 200 OK
Date: Mon, 20 Oct 2003 17:23:13 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 mod_ssl/2.8.2 OpenSSL/0.9.8
That's just way too much information to tell the world.
Re:This sounds like a great idea. (Score:2, Interesting)
Re:This sounds like a great idea. (Score:3, Informative)
Or, for the rest of us who know how to configure apache...
Options -Indexes
in apache.conf (or wherever apache -V says the conf is)
Re:This sounds like a great idea. (Score:2)
Re:This sounds like a great idea. (Score:2)
Re:This sounds like a great idea. (Score:3, Informative)
I enjoy it. Among other things, it lets me block people using empty user agents and empty host header fields, which tend to mainly be people trying to perform a variety of exploits on my server.
Re:This sounds like a great idea. (Score:1, Interesting)
Tels
is this a better form of intrusion detection... (Score:3, Interesting)
"powerful umbrella shielding apps from attacks" (Score:2)
The article's description of mod_security as a "powerful umbrella shielding applications from attacks" seems to oversell it. If you have a known app with a known exploit, you can use mod_security instead of fixing the app. But even the mod_security docs themselves say it's better to fix the app.
For apps which accept arbitrary text input (most do!) a general filter against, e.g. "insert into", is a bad idea? This slashdot post includes those two words together; you have to be specific about which inputs
Designed by the Penguin, of course (Score:1)
"The Bat-sploits of the Masked Meddlers will rebound from my giant electronic umbrella!! Nyah, nyah!"
http://members.tripod.com/~AdamWest/peng.htm
Re:"powerful umbrella shielding apps from attacks" (Score:2)
Another neat module I've never heard of before... (Score:2)
It reminds me of URLScan [microsoft.com] for MS's IIS - but with extra features.
For those who don't want to do this on the server (Score:1)
Of course Checkpoint already offer this functionality in FW-1 NG to a limited degree, and Netscreen are introducing it across their range as a free update (for those with a software subscription) in ScreenOS 5 later this year or early next.
Re:For those who don't want to do this on the serv (Score:1)
Speaking as a bruised and bloody firewall administrator, implementing anything above layer-3 on a large firewall deployment is a bad idea. I am assuming by the use of Firewall-1 that this is a large deployment.
Many of the firewalls I have been involved with support 10-50 applications, or sometimes even more. When it comes time to do an upgrade I don't have time to properly investigate how the next version of firewall code might affect or be affected by features of each application. This is especially tr
Re:For those who don't want to do this on the serv (Score:1)
Re:For those who don't want to do this on the serv (Score:1)
mod_security evaluation by Tegatai Systems (Score:1)
Re:mod_security evaluation by Tegatai Systems (Score:1)
Similar to Microsoft's URLScan... (Score:1)
Nice to see Apache adding this functionality. As a web admin, the availability of another layer of security is always appreciated.