WebApp Sec mailing list archives

RE: Apache mode_security


From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Wed, 30 Nov 2005 10:35:59 -0500



-----Original Message-----
From: Ivan Ristic [mailto:ivan.ristic () gmail com]
Sent: Thursday, November 24, 2005 2:14 PM

...

Neither approach is good enough in real-life, when used on its own.
(Although there may be specific cases where they can work rather
well.) As you say, negative rules can often be bypassed. It is also
difficult to enumerate all the possible attacks. In theory, positive
security model is much safer, but there is a problem of how to create
a good-enough model. This is especially a problem if the application
you are trying to protect is constantly changing. I believe the
solution is somewhere in the middle.


I strongly agree with Ivan. Application protection is complex since
applications are complex and much more dynamic than networks. Some on
this list would even say that no real time security control can
effectively block application layer attacks. I think that it is
achievable (well, I make application firewalls for a living....), but it
does require sophisticated detection that mashes together both negative
and positive methods.

Signature detection has to go a step further than what I usually see out
there. Many of the signatures presented in articles closely detect
published attack vectors ('1=1', 'union select' and the like).
Application layer signatures must try to detect generic language
injection. I personally dig through manuals of different languages (not
just SQL) to try to predict what keywords / phrases might be used as
part of attacks. Signatures are also good mostly for injection, but fail
miserably on other attack types.

On the positive security side, static rules (such as RFC compliance),
behavioral analysis of traffic and building policy based on outbound
traffic should all be used; each one has deficiencies, but together they
can provide a lot: behavioral anomalies often do not equal attacks, and
analyzing outbound traffic is limited by the wide use of client side
code. 

On top of that you need to correlate between the different events, both
for a single request and over time, as many of the detection methods
detect anomalies rather than attacks. Only by aggregating the anomalies
can one detect attacks.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers () breach com
http://www.breach.com
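Ofer's three points above (generic language tokens instead of single published vectors, a positive per-parameter profile, and aggregation of anomalies per request and per client over time) as an added example in Python; this is not code from the original post or from any Breach Security or mod_security product, and the profile, token list, thresholds and sample requests are all constructed assumptions.

```python
import re
from collections import defaultdict

# Positive model: a per-parameter profile for the protected application.
# Constructed for this example; a real WAF would learn or configure it.
PROFILE = {
    "id": (r"\d{1,6}", 6),        # (allowed character pattern, maximum length)
    "q": (r"[\w\s]{0,40}", 40),
}

# Negative model: generic SQL-language tokens rather than one published vector
# such as '1=1' or 'union select'; a hit is an anomaly, not yet an attack.
SQL_TOKENS = re.compile(
    r"\b(select|union|insert|update|delete|drop|having|sleep|benchmark|waitfor)\b"
    r"|--|/\*|;", re.IGNORECASE)

def score_request(params):
    """Score one request with both models; returns (score, reasons)."""
    score, reasons = 0, []
    for name, value in params.items():
        if name not in PROFILE:               # positive model: unknown parameter
            score += 2; reasons.append(f"unknown parameter {name}"); continue
        pattern, max_len = PROFILE[name]
        if len(value) > max_len:              # positive model: length
            score += 2; reasons.append(f"{name} exceeds {max_len} chars")
        if not re.fullmatch(pattern, value):  # positive model: character class
            score += 3; reasons.append(f"{name} violates profile")
        hits = len(SQL_TOKENS.findall(value))  # negative model: language tokens
        if hits:
            score += 2 * hits; reasons.append(f"{name} has {hits} sql tokens")
    return score, reasons

class Correlator:  # aggregates anomaly scores per request and per client over a window
    def __init__(self, request_threshold=5, client_threshold=8, window=60):
        self.request_threshold, self.client_threshold = request_threshold, client_threshold
        self.window = window                 # seconds of per-client history kept
        self.history = defaultdict(list)     # client -> [(timestamp, score)]

    def observe(self, client, ts, params):
        """Returns (decision, score, reasons); decision is 'allow' or 'block'."""
        score, reasons = score_request(params)
        self.history[client] = [(t, s) for t, s in self.history[client]
                                if ts - t <= self.window] + [(ts, score)]
        total = sum(s for _, s in self.history[client])
        if score >= self.request_threshold:   # one request is anomalous enough alone
            return "block", score, reasons
        if total >= self.client_threshold:    # many small anomalies add up over time
            return "block", total, ["aggregated over window"] + reasons
        return "allow", score, reasons
```

A single keyword hit in an otherwise profile-compliant value scores below the request threshold, so it is logged as an anomaly; the same client repeating small anomalies within the window crosses the client threshold and is blocked by aggregation alone.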


