RE: The Santy worm and Application Security

["Ofer Shezaf" <Ofer.Shezaf () breach com>]

I must point you to an interesting thread in bugtraq (see excerpts
below) - as you can see, people writing rules for mod_security
understand that the rules are limited to a specific worm but usually
cannot handle potential variants.

"Santy" and "phpInclude" emphasize the need for real application
security measurements such as code review, application layer scanning
and real time application layer security. Simpler IPS system such as
mod_security (as well as commercial products that cost a lot of money
such as CheckPoint Web Intelligence, IntruShield or Proventia) cannot
effectively handle such attacks.

~ Ofer

> From Bugtraq: 
On Wednesday, December 29, 2004 Andy Fewtrell Wrote
> I was writing some new rules for mod_security
(http://www.modsecurity.org)
> to try and trap other methods that this sanity worm might try to
exploit
> later. Unfortunately the ideas I came up with are slightly worrying
with
> how easily this worm could actually spread. Right now the sanity worm
uses
> perl and wget to download code from remote servers but this could be
> changed to a few other methods. These methods have not *yet* been used
but
> I'm sure it is only time until there is one.
...
> While this worm
> currently uses perl it can be obviously re-written to avoid obvious
> mod_security (and other) rules. I could write proof of concept
versions of
> the sanity worm but I feel it would be better to leave this out of the
> post.
...
> -----Original Message-----
> From: Paul Laudanski [mailto:zx () castlecops com]
> Sent: Saturday, January 01, 2005 1:43 AM
> To: webappsec () securityfocus com
> Cc: Ofer Shezaf
> Subject: RE: The Santy worm and Application Security
>
> There is a good free open source solution that is built into Apache as
a
> module:
>
> http://modsecurity.org
>
> Here are some filters that can be easily installed to 406 the santy
and
> phpinclude attacks:
>
> http://castlecops.com/article-5642-nested-0-0.html
>
> From about 300,000 attacks in a 55 hour period, false positives were
> minimal, and all was logged via syslog.
>
>
> -----Original Message-----
> From: Ofer Shezaf [mailto:Ofer.Shezaf_at_breach.com]
> Sent: Monday, December 27, 2004 6:41 PM
> To: webappsec_at_securityfocus.com
> Subject: The Santy worm and Application Security
>
> [SNIP]
>
> While I'm not writing this all as a marketing pitch, some of these
ideas
> are implemented in my company's products ;-) I'd be happy to hear what
> the other pros here have to say about this.
>
> [SNIP]
> --
> Regards,
>
> Paul Laudanski - Computer Cops, LLC. CEO & Founder
> CastleCops(SM) - http://castlecops.com
> Promoting education and health in online security and privacy.