WebApp Sec mailing list archives
RE: The Santy worm and Application Security
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Fri, 31 Dec 2004 20:24:25 -0500
I must point you to an interesting thread in bugtraq (see excerpts below) - as you can see, people writing rules for mod_security understand that the rules are limited to a specific worm but usually cannot handle potential variants. "Santy" and "phpInclude" emphasize the need for real application security measurements such as code review, application layer scanning and real time application layer security. Simpler IPS systems such as mod_security (as well as commercial products that cost a lot of money such as CheckPoint Web Intelligence, IntruShield or Proventia) cannot effectively handle such attacks. ~ Ofer
From Bugtraq:
On Wednesday, December 29, 2004 Andy Fewtrell wrote:

I was writing some new rules for mod_security (http://www.modsecurity.org) to try and trap other methods that this sanity worm might try to exploit later. Unfortunately the ideas I came up with are slightly worrying with how easily this worm could actually spread. Right now the sanity worm uses perl and wget to download code from remote servers but this could be changed to a few other methods. These methods have not *yet* been used but I'm sure it is only time until there is one.

...

While this worm currently uses perl it can be obviously re-written to avoid obvious mod_security (and other) rules. I could write proof of concept versions of the sanity worm but I feel it would be better to leave this out of the post.

...
-----Original Message-----
From: Paul Laudanski [mailto:zx () castlecops com]
Sent: Saturday, January 01, 2005 1:43 AM
To: webappsec () securityfocus com
Cc: Ofer Shezaf
Subject: RE: The Santy worm and Application Security

There is a good free open source solution that is built into Apache as a module: http://modsecurity.org

Here are some filters that can be easily installed to 406 the santy and phpinclude attacks: http://castlecops.com/article-5642-nested-0-0.html

From about 300,000 attacks in a 55 hour period, false positives were minimal, and all was logged via syslog.

-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf_at_breach.com]
Sent: Monday, December 27, 2004 6:41 PM
To: webappsec_at_securityfocus.com
Subject: The Santy worm and Application Security

[SNIP]

While I'm not writing this all as a marketing pitch, some of these ideas are implemented in my company's products ;-) I'd be happy to hear what the other pros here have to say about this.

[SNIP]

--
Regards,
Paul Laudanski - Computer Cops, LLC. CEO & Founder
CastleCops(SM) - http://castlecops.com
Promoting education and health in online security and privacy.