Slashdot Mirror


New Apache Module For Web Intrusion Detection

ivan.ristic writes "Mod_security 1.7 has been released. Mod_security is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. The latest release adds output scanning to Apache 2.x; the ability to analyze cookies; functionality to change the identity of the web server; several new actions for rule grouping; new null-byte attack anti-evasion code."


  1. Null evasion vs. anti null evasion by MarkusQ · · Score: 3, Informative

    new null-byte attack anti-evasion code

    Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?

    -- MarkusQ

    1. Re:Null evasion vs. anti null evasion by Havokmon · · Score: 1

      new null-byte attack anti-evasion code
      Wait...wouldn't null-byte attack anti-evasion code be code that prevented evasion of null-byte attacks? Or should I go for that second cup of coffee and try parsing it again?

      Beats me.. I'm still stuck on what kind of harm an attack that sends no bytes can do. ;)

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    2. Re:Null evasion vs. anti null evasion by lizardb0y · · Score: 1

      Try this from the modsecurity website:

      Anti-evasion techniques; paths and parameters are normalised before analysis takes place in order to fight evasion techniques.

      Anti-(parse evasion by using NULL bytes in strings); Now it starts to make sense.
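
As an added illustration of the "parse evasion by using NULL bytes" point above (example code, not mod_security's own): a scanner that handles input as a C string stops at the first NUL, so everything after it goes unanalysed, while a length-aware scan that decodes %00 before matching does not. The signature phrase and the sample parameters are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed signature, in the spirit of the "insert into" filter mentioned in this thread.
SIGNATURE = re.compile(rb"insert\s+into", re.IGNORECASE)


def normalize(param: bytes) -> bytes:
    """Percent-decode once (including %00) so the scanner sees what the application sees."""
    return unquote_to_bytes(param)


def naive_scan(data: bytes) -> bool:
    """Models a C-string scanner: analysis stops at the first NUL byte,
    so the rule never sees what follows it."""
    visible = data.split(b"\x00", 1)[0]
    return SIGNATURE.search(visible) is not None


def length_aware_scan(data: bytes) -> bool:
    """Anti-evasion version: the whole buffer is examined by explicit length,
    and an embedded NUL byte in a parameter is itself treated as suspicious."""
    if b"\x00" in data:
        return True
    return SIGNATURE.search(data) is not None


# Constructed sample parameters, as they would arrive in a query string.
SAMPLES = {
    "benign": b"comment=hello%20world",
    "plain_match": b"comment=insert%20into%20users",
    "null_split": b"comment=hello%00insert%20into%20users",
}


def scan_samples() -> dict:
    """Return {name: (naive_result, length_aware_result)} for each constructed sample."""
    return {
        name: (naive_scan(normalize(raw)), length_aware_scan(normalize(raw)))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, aware) in scan_samples().items():
        print(f"{name:12s} naive={naive!s:5s} length_aware={aware}")
```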

  2. This sounds like a great idea. by daviddennis · · Score: 1

    To try and pull the subject away from the usual trolls, this sounds like something I really need on my web server.

    Has anyone tried it? Any success or failure stories?

    D

    1. Re:This sounds like a great idea. by digitalsushi · · Score: 4, Interesting

      I am using 1.7RC1. I'm using it for just one feature -- SecServerSignature. It lets you change the reported server type. I changed mine to Microsoft-IIS/2.0. In my built-in status handler that shows me all the hits as they're being served live, I almost always have one request in there that is trying to send a buffer overflow to default.ida. That behavior changed the same day I flipped my reported server type over. Always amazes me how little time it takes!

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:This sounds like a great idea. by GreenHell · · Score: 3, Informative

      I use 1.6, haven't upgraded to 1.7 yet.

      I enjoy it. Among other things, it lets me block people using empty user agents and empty host header fields, which tend to mainly be people trying to perform a variety of exploits on my server.

      --
      "I won't mod you down - I feel the need to call you a twit explicitly, rather than by implication."
    3. Re:This sounds like a great idea. by Anonymous Coward · · Score: 1, Interesting

      But couldn't you also do this with .htaccess? Anyway, the module sounds interesting... have to check it out!

      Tels

    4. Re:This sounds like a great idea. by bill_mcgonigle · · Score: 4, Informative

      For those who don't have mod_security, a good thing to put in your httpd.conf is:

      ServerTokens ProductOnly

      so your HTTP response looks like:

      HTTP/1.1 200 OK
      Date: Mon, 20 Oct 2003 17:23:13 GMT
      Server: Apache


      instead of:

      HTTP/1.1 200 OK
      Date: Mon, 20 Oct 2003 17:23:13 GMT
      Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 mod_ssl/2.8.2 OpenSSL/0.9.8


      That's just way too much information to tell the world.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
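
A check for whether ServerTokens ProductOnly actually took effect, added here as an example (not code from the post or from Apache): it pulls the Server header out of a raw response and lists each product/version or platform token it discloses. The two responses are constructed to match the ones shown above.

```python
import re
from typing import Optional

# Constructed responses, modelled on the two shown in the post.
PRODUCT_ONLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 20 Oct 2003 17:23:13 GMT\r\n"
    b"Server: Apache\r\n\r\n"
)
FULL_TOKENS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 20 Oct 2003 17:23:13 GMT\r\n"
    b"Server: Apache/1.3.19 (Unix) mod_perl/1.27 PHP/4.0.5pl1 "
    b"mod_ssl/2.8.2 OpenSSL/0.9.8\r\n\r\n"
)


def server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def disclosed_components(value: str) -> list:
    """Split a Server value into product tokens (product/version, or a parenthesised
    comment such as the platform) and keep the ones that reveal a version or OS."""
    tokens = re.findall(r"\([^)]*\)|\S+", value)
    return [t for t in tokens if "/" in t or t.startswith("(")]


def audit(raw: bytes) -> dict:
    """Summarise what a response's Server header gives away."""
    value = server_header(raw) or ""
    leaks = disclosed_components(value)
    return {"server": value, "leaks": leaks, "ok": not leaks}


if __name__ == "__main__":
    for label, resp in (("ProductOnly", PRODUCT_ONLY), ("Full", FULL_TOKENS)):
        print(label, audit(resp))
```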
    5. Re:This sounds like a great idea. by realdpk · · Score: 1

      I don't understand. You changed it to IIS/2.0, and now you get those default.ida hits? I've been seeing the default.ida hits for quite a long time on my Apache logs. What changed after you updated the ServerSignature?

    6. Re:This sounds like a great idea. by digitalsushi · · Score: 1

      the frequency increased tenfold. (ish)

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    7. Re:This sounds like a great idea. by WebProwler · · Score: 2, Interesting

      Whilst at it, you can also include this:

      ServerSignature Off

      This line tells Apache not to display server version and virtual host name in server-generated pages. And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.

      --
      Finecrafts of the Net - Bestnetcraft.com
    8. Re:This sounds like a great idea. by Mr_Perl · · Score: 2, Informative

      And put a standard index.html in all the directories so that people won't see the directory listing shown by Apache.

      Or, for the rest of us who know how to configure apache...

      Options -Indexes

      in apache.conf (or wherever apache -V says the conf is)

      --

      My poetry site welcomes the unusual.
  3. is this a better form of intrusion detection... by bluethundr · · Score: 2, Interesting

    than snort? easier to setup?

    --
    Quod scripsi, scripsi.
  4. "powerful umbrella shielding apps from attacks" by brlewis · · Score: 1

    The article's description of mod_security as a "powerful umbrella shielding applications from attacks" seems to oversell it. If you have a known app with a known exploit, you can use mod_security instead of fixing the app. But even the mod_security docs themselves say it's better to fix the app.

    For apps which accept arbitrary text input (most do!) a general filter against, e.g. "insert into", is a bad idea? This slashdot post includes those two words together; you have to be specific about which inputs get filtered how. Again, this is better done in the app itself.

    1. Re:"powerful umbrella shielding apps from attacks" by MattBurke · · Score: 1

      Ahh, but this sounds like (I haven't read up on it yet) the sort of thing I'd be glad to slap on an apache proxy between the world and an IIS box running badly written yet essential commercial web applications.

  5. Re:Apache Problems by kalidasa · · Score: 1

    YHBT. Run a diff on this versus the "Apple" fanatics troll that always shows up on Apple stories. It's close enough to be a madlib.

  6. Another neat module I've never heard of before... by WoTG · · Score: 1

    I had to browse the site to see what this does, this overview page was good.

    It reminds me of URLScan for MS's IIS - but with extra features.

  7. For those who don't want to do this on the server by jjeffrey · · Score: 1

    ...you can of course spin up Apache on another box, preferably not the firewall, and set it up in proxy mode to forward the requests. Though this generates some SSL issues. Maybe you could even use mod_balance and have a security appliance / load balancer?

    Of course Checkpoint already offer this functionality in FW-1 NG to a limited degree, and Netscreen are introducing it across their range as a free update (for those with a software subscription) in ScreenOS 5 later this year or early next.

  8. Designed by the Penguin, of course by Medievalist · · Score: 1


    "The Bat-sploits of the Masked Meddlers will rebound from my giant electronic umbrella!! Nyah, nyah!"

    http://members.tripod.com/~AdamWest/peng.htm

  9. Re:For those who don't want to do this on the serv by Tinidril · · Score: 1

    Speaking as a bruised and bloody firewall administrator, implementing anything above layer-3 on a large firewall deployment is a bad idea. I am assuming by the use of Firewall-1 that this is a large deployment.

    Many of the firewalls I have been involved with support 10-50 applications, or sometimes even more. When it comes time to do an upgrade I don't have time to properly investigate how the next version of firewall code might affect or be affected by features of each application. This is especially true when some or all of the applications use overly complex network models like Micro$oft is known to require.

    Always push complexity to the edges of the network where it can be managed one app at a time.

    Fools ignore complexity; pragmatists suffer it; experts avoid it; geniuses remove it.
    A. Perlis

    --
    XML is the best data format; unless your data needs to be read or written by a human or a computer.
  10. Re:For those who don't want to do this on the serv by cpghost · · Score: 1

    Or run Apache in chroot()ed environment. Or even better in a FreeBSD jail. Anyone done that? Experiences?

    --
    cpghost at Cordula's Web.
  11. Old trolls never die by bheerssen · · Score: 1

    They just find a new bridge to hang out under. Looks like this one figured out how to use the search-and-replace feature.

    --
    (Score: -1, Stupid)
  12. mod_security evaluation by Tegatai Systems by konduct · · Score: 1

    Tegatai Systems has been using mod_security in its development labs recently. It has been determined through white and blackbox testing that mod_security needs more work before it will be stable enough for wide-spread production use.

    1. Re:mod_security evaluation by Tegatai Systems by ivan.ristic · · Score: 1

      I am not aware of any stability problems with mod_security. It works very well for my production systems. Tegatai Systems may have a different environment and it may be that there are problems. But if there are, you should inform me about them so that they are resolved.

  13. Similar to Microsoft's URLScan... by sk3tch · · Score: 1

    http://www.microsoft.com/technet/security/tools/urlscan.asp

    Nice to see Apache adding this functionality. As a web admin, the availability of another layer of security is always appreciated.

  14. Re:For those who don't want to do this on the serv by ivan.ristic · · Score: 1

    I have recently written an article for SecurityFocus on how mod_security can be used as part of an Apache reverse proxy: Web Security Appliance With Apache and mod_security