Slashdot Mirror


New Apache Module For Web Intrusion Detection

ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."

49 comments

  1. Null evasion vs. anti null evasion by MarkusQ · · Score: 3, Informative

    new null-byte attack anti-evasion code

    Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?

    -- MarkusQ

    1. Re:Null evasion vs. anti null evasion by Havokmon · · Score: 1
      new null-byte attack anti-evasion code
      Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?

      Beats me.. I'm still stuck on what kind of harm an attack that sends no bytes can do. ;)

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    2. Re:Null evasion vs. anti null evasion by lizardb0y · · Score: 1

      Try this from the modsecurity website:

      Anti-evasion techniques; paths and parameters are normalised before analysis takes place in order to fight evasion techniques.

      Anti-(parse evasion by using NULL bytes in strings); Now it starts to make sense.

  2. Re:Apache Problems by Anonymous Coward · · Score: 0

    Sounds to me like you have a problem with Apache. Just stay away from my production servers, OK?

  3. This sounds like a great idea. by daviddennis · · Score: 1

    To try and pull the subject away from the usual trolls, this sounds like something I really need on my web server.

    Has anyone tried it? Any success or failure stories?

    D

    1. Re:This sounds like a great idea. by digitalsushi · · Score: 4, Interesting

      I am using 1.7RC1. I'm using it for just one feature -- SecServerSignature. It lets you change the reported server type. I changed mine to Microsoft-IIS/2.0. In my built-in status handler that shows me all the hits as they're being served live, I almost always have one request in there that is trying to send a buffer overflow to default.ida. That behavior changed the same day I flipped my reported server type over. Always amazes me how little time it takes!

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:This sounds like a great idea. by Anonymous Coward · · Score: 0

      To try and pull the subject away from the usual trolls

      Sorry to troll, but is "to try and" correct? I've always thought it made more sense to say "to try to".

      eg. I'm going to try TO pull the subject away from...

      Because that's what you're trying TO do...

      So I dunno. I'll try and stop... argh, no sorry, it's gotta be try to.

      Gracias.

    3. Re:This sounds like a great idea. by GreenHell · · Score: 3, Informative

      I use 1.6, haven't upgraded to 1.7 yet.

      I enjoy it. Among other things, it lets me block people using empty user agents and empty host header fields, which tend to mainly be people trying to perform a variety of exploits on my server.

      --
      "I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
    4. Re:This sounds like a great idea. by Anonymous Coward · · Score: 1, Interesting

      But couldn't you also do this with .htaccess? Anyway, the module sounds interesting... have to check it out!

      Tels

    5. Re:This sounds like a great idea. by Anonymous Coward · · Score: 0

      It seems 'to try and' assumes that he is going to be successful. I'm going to try and I'm going to pull the subject away from the trolls.

    6. Re:This sounds like a great idea. by bill_mcgonigle · · Score: 4, Informative

      For those who don't have mod_security, a good thing to put in your httpd.conf is:

      ServerTokens ProductOnly

      so your HTTP response looks like:

      HTTP/1.1 200 OK
      Date: Mon, 20 Oct 2003 17:23:13 GMT
      Server: Apache


      instead of:

      HTTP/1.1 200 OK
      Date: Mon, 20 Oct 2003 17:23:13 GMT
      Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 mod_ssl/2.8.2 OpenSSL/0.9.8


      That's just way too much information to tell the world.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:This sounds like a great idea. by realdpk · · Score: 1

      I don't understand. You changed it to IIS/2.0, and now you get those default.ida hits? I've been seeing the default.ida hits for quite a long time on my Apache logs. What changed after you updated the ServerSignature?

    8. Re:This sounds like a great idea. by digitalsushi · · Score: 1

      the frequency increased tenfold. (ish)

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    9. Re:This sounds like a great idea. by WebProwler · · Score: 2, Interesting

      Whilst at it, you can also include this:

      ServerSignature Off

      This line tells Apache not to display the server version and virtual host name in server-generated pages. And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.

      --
      Finecrafts of the Net - Bestnetcraft.com
    10. Re:This sounds like a great idea. by Mr_Perl · · Score: 2, Informative

      And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.

      Or, for the rest of us who know how to configure apache...

      Options -Indexes

      in apache.conf (or wherever apache -V says the conf is)

      --

      My poetry site welcomes the unusual.
    11. Re:This sounds like a great idea. by Anonymous Coward · · Score: 0

      Or, just patch the source to disable the 'Server:' header entirely. It's optional, per the HTTP/1.1 RFC, section 6.2.

  4. Re:Color scheme? by Anonymous Coward · · Score: 0

    Games section colors != ughly
    Games section colors = perty
    Apache section colors = blurp!
    j00 = dumbas
    suckit.

  5. Re:Apache Problems by Gunfighter · · Score: 0

    What makes you think it's Apache and not something else like... say... hardware? PHP? Perl?

    --
    -- Stu

    /. ID under 2,000. I feel old now.
  6. apache is dying! by Anonymous Coward · · Score: 0
    or at least the apache section on slashdot. One story a month, and most are actually php related (and could go in the developer section).


    Would it be *that* much work to drop the apache and geeks in space sections and add a culture section (for movies, music, things to do on saturday night (that don't involve a computer), etc)?

    1. Re:apache is dying! by Anonymous Coward · · Score: 0

      ... things to do on saturday night (that don't involve a computer)

      What the hell kind of geek are you? Begone evil one, slashdot has no need of your trendy ways.

  7. Re:Apache Problems by kfuq · · Score: 0, Offtopic

    HAHAHA


    --
    iF yOu WAnT to C YOUr iP agaIn gAThEr tWO MilLIon dOLLArS IN Non - cONsEcuTivE TweNtY's AnD AWaiT FuRThER iNstrUctIoN
  8. Re:Color scheme? by Anonymous Coward · · Score: 0

    yeah, it looks like a pay toilet that no one bothers to flush. All that's missing is CmdrTaco's phone number scrawled on the stall wall.

  9. is this a better form of intrusion detection... by bluethundr · · Score: 2, Interesting

    than snort? easier to setup?

    --
    Quod scripsi, scripsi.
    1. Re:is this a better form of intrusion detection... by Anonymous Coward · · Score: 0

      To the complete idiot of a clueless moderator who modded the above post a "troll", SNORT is an open source intrusion detection system. The poster above was asking an honest question. Again, to the moderator who modded that comment a troll, you, sir, are a clear idiot! The next time you have mod points (not sure if this is possible) you need to mod that comment back up---before I whack your ass in the head with a clue-by-four. fucking eeeediot!

  10. "powerful umbrella shielding apps from attacks" by brlewis · · Score: 1

    The article's description of mod_security as a "powerful umbrella shielding applications from attacks" seems to oversell it. If you have a known app with a known exploit, you can use mod_security instead of fixing the app. But even the mod_security docs themselves say it's better to fix the app.

    For apps which accept arbitrary text input (most do!) a general filter against, e.g. "insert into", is a bad idea? This slashdot post includes those two words together; you have to be specific about which inputs get filtered how. Again, this is better done in the app itself.
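An added illustration (not code from the thread or from mod_security) of the two points made above: lizardb0y's note that paths and parameters are normalised before rules run, so that NUL bytes and percent-encoding cannot hide a pattern, and brlewis's warning that a blanket filter on "insert into" fires on ordinary text. The rule set, the `normalize`/`inspect` functions and all sample query strings are constructed for this example and are not mod_security's syntax.

```python
import re
import urllib.parse

# Constructed rules in the spirit of the argument filters the thread discusses;
# illustrative only, not mod_security's own rule language.
RULES = {
    "null-byte": re.compile(r"\x00"),                  # any NUL in a decoded value
    "sql-insert": re.compile(r"insert\s+into", re.I),  # the blanket filter brlewis warns about
}

def normalize(value: str) -> str:
    """Undo the encodings that hide a pattern from a byte-for-byte filter:
    '+' as space, percent-encoding (repeated until stable, so a double-encoded
    sequence such as %2500 comes out as a real NUL), and runs of whitespace."""
    cur = value.replace("+", " ")
    prev = None
    while cur != prev:
        prev = cur
        cur = urllib.parse.unquote(cur)
    return re.sub(r"\s+", " ", cur)

def naive_has_nul(value: str) -> bool:
    """What a one-shot decoder sees: a double-encoded NUL is missed."""
    return "\x00" in urllib.parse.unquote(value)

def inspect(query: str) -> dict:
    """Map each rule name to the parameter names whose normalized value
    matched it. Parameters are split by hand so every value is seen raw."""
    hits: dict = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        norm = normalize(raw)
        for rule, pattern in RULES.items():
            if pattern.search(norm):
                hits.setdefault(rule, []).append(name)
    return hits

if __name__ == "__main__":
    # Constructed sample query strings.
    print(inspect("file=report%2500.html"))        # {'null-byte': ['file']}
    print(naive_has_nul("report%2500.html"))       # False: one decode still leaves '%00'
    print(inspect("q=ins%65rt+into+t"))            # {'sql-insert': ['q']}
    print(inspect("note=insert+into+the+agenda"))  # {'sql-insert': ['note']}: a false positive
```

The last call is the point of brlewis's objection: the same rule that catches an encoded "insert into" also blocks a harmless sentence, which is why such filtering belongs in the application, where it knows which field is being checked.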

    1. Re:"powerful umbrella shielding apps from attacks" by MattBurke · · Score: 1

      Ahh, but this sounds like (I haven't read up on it yet) the sort of thing I'd be glad to slap on an apache proxy between the world and an IIS box running badly written yet essential commercial web applications.

  11. Re:Apache Problems by kalidasa · · Score: 1

    YHBT. Run a diff on this versus the "Apple" fanatics troll that always shows up on Apple stories. It's close enough to be a madlib.

  12. Another neat module I've never heard of before... by WoTG · · Score: 1

    I had to browse the site to see what this does, this overview page was good.

    It reminds me of URLScan for MS's IIS - but with extra features.

  13. Nice! Thanks! [nt] by Anonymous Coward · · Score: 0

    no text

  14. For those who don't want to do this on the server by jjeffrey · · Score: 1

    ...you can of course spin up Apache on another box, preferably not the firewall, and set it up in proxy mode to forward the requests. Though this generates some SSL issues. Maybe you could even use mod_balance and have a security appliance / load balancer?

    Of course Checkpoint already offer this functionality in FW-1 NG to a limited degree, and Netscreen are introducing it across their range as a free update (for those with a software subscription) in ScreenOS 5 later this year or early next.

  15. Designed by the Penguin, of course by Medievalist · · Score: 1


    "The Bat-sploits of the Masked Meddlers will rebound from my giant electronic umbrella!! Nyah, nyah!"

    http://members.tripod.com/~AdamWest/peng.htm

  16. Re:Apache Problems by Anonymous Coward · · Score: 0

    I don't know where you will find a "cheaper" server, apache is as cheap as free...
    You'll have trouble finding a faster or more stable server too.
    It seems to me that you don't have much experience with this software (or the hardware or settings you use for testing are really crappy).

  17. Re:For those who don't want to do this on the serv by Tinidril · · Score: 1

    Speaking as a bruised and bloody firewall administrator, implementing anything above layer-3 on a large firewall deployment is a bad idea. I am assuming by the use of Firewall-1 that this is a large deployment.

    Many of the firewalls I have been involved with support 10-50 applications, or sometimes even more. When it comes time to do an upgrade I don't have time to properly investigate how the next version of firewall code might affect or be affected by features of each application. This is especially true when some or all of the applications use overly complex network models like Micro$oft is known to require.

    Always push complexity to the edges of the network where it can be managed one app at a time.

    Fools ignore complexity; pragmatists suffer it; experts avoid it; geniuses remove it.
    A. Perlis

    --
    XML is the best data format; unless your data needs to be read or written by a human or a computer.
  18. Re:For those who don't want to do this on the serv by cpghost · · Score: 1

    Or run Apache in a chroot()ed environment. Or even better in a FreeBSD jail. Anyone done that? Experiences?

    --
    cpghost at Cordula's Web.
  19. Re:Apache Problems by Anonymous Coward · · Score: 0

    I'd rather hear some intelligent reasons why anyone would choose to use a Apache over other faster, cheaper, more stable httpd daemons.

    cheaper?!
    I'd have thought the hardware you ran apache on had some issues.. but when I noticed that bit at the end of your post, I realized it's you that certainly has issues!!

  20. Old trolls never die by bheerssen · · Score: 1

    They just find a new bridge to hang out under. Looks like this one figured out how to use the search-and-replace feature.

    --
    (Score: -1, Stupid)
  21. mod_security evaluation by Tegatai Systems by konduct · · Score: 1

    Tegatai Systems has been using mod_security in its development labs recently. It has been determined through white- and black-box testing that mod_security needs more work before it will be stable enough for widespread production use.

    1. Re:mod_security evaluation by Tegatai Systems by ivan.ristic · · Score: 1

      I am not aware of any stability problems with mod_security. It works very well for my production systems. Tegatai Systems may have a different environment and it may be that there are problems. But if there are, you should inform me about them so that they are resolved.

  22. Similar to Microsoft's URLScan... by sk3tch · · Score: 1

    http://www.microsoft.com/technet/security/tools/urlscan.asp

    Nice to see Apache adding this functionality. As a web admin, the availability of another layer of security is always appreciated.

  23. Re:Apache Problems by Anonymous Coward · · Score: 0

    You run windows on a 486/66 with 8 megs of ram, and *someone hired you* ?!?

    What does apache have to do with local file transfers?

    You say you have a dual T1 at home one paragraph, then you say you have cable at home in the next.

    Again, I'm surprised you're employable.

  24. Re:For those who don't want to do this on the serv by ivan.ristic · · Score: 1

    I have recently written an article for SecurityFocus on how mod_security can be used as part of an Apache reverse proxy: Web Security Appliance With Apache and mod_security