WebApp Sec mailing list archives
Re: Apache mode_security
From: Ivan Ristic <ivan.ristic () gmail com>
Date: Mon, 28 Nov 2005 12:55:36 +0000
On 11/26/05, Stefano Di Paola <stefano.dipaola () wisec it> wrote:
> Hi Ivan,
>
> On Thu, 24 Nov 2005 at 12:14 +0000, Ivan Ristic wrote:
>
>> Neither approach is good enough in real-life, when used on its own. (Although there may be specific cases where they can work rather well.)
>
> Yes, no absolute rules can be implemented in real life... and I hope nobody thinks this! And of course the blacklist approach, which is the usual approach in mod_sec, should not be considered either...
Agreed. I will be adding explicit support for positive security to ModSecurity in the next release. I have published my thoughts here http://www.modsecurity.org/blog/archives/2005/11/positive_securi.html so that we can discuss the issue.
>> I prefer a traffic based approach (for positive security model generation) and a run with real users and real data. This is usually not a problem since, due to frequent changes in applications, you must work to continuously update the security model anyway.
>
> Eh... this is the real problem for hand-made things... but a semi-automatic approach would help, no? What about a learning phase? I mean a semi-automatic generation of rules, based on real clients' inputs from the web... yes, it is untrustworthy... but there should be some way out there :)
To acquire reliable material for policy generation (and update) is the most difficult part of the problem. I will be looking at the following approaches: 1) designate an IP range as trusted, 2) require administrators to manually review traffic before it is used in policy generation, and 3) use negative security to assign a threat score to each request, using only requests with low scores for policy generation. A combination of all three is probably the way forward.
> By the way, I wrote a mod_html_proxy-based HMAC signing for links on the fly, named Mod Anti Tamper:
> Link: www.wisec.it/projects.php?id=3&lang=en
That's very interesting; it's one of the things missing in ModSecurity.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
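Worked example for the policy-generation approach Ivan describes above (trusted IP range, manual review, and a negative-security threat score used to filter the traffic a positive model is learned from). This is an added illustration, not code from this thread and not ModSecurity's own learning code: the access log, the trusted range, the signature weights and the "reviewed" flags are all constructed, and the emitted rule text only approximates ModSecurity 2.x SecRule syntax.

```python
# Added example: learn a positive-security profile from filtered traffic.
# Sample log, IP range, signature weights and rule text are constructed.
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Negative-security signatures used only to *score* candidate training traffic.
NEGATIVE_SIGNATURES = [
    (re.compile(r"(?i)\bunion\b.*\bselect\b"), 5),
    (re.compile(r"(?i)<script"), 5),
    (re.compile(r"\.\./"), 3),
    (re.compile(r"['\"]"), 1),
]

# Character classes, narrowest first; "any" is the fallback and, when it
# shows up in a learned profile, means the training set needs another look.
CLASS_CHARSETS = {
    "digits": "[0-9]",
    "alpha": "[A-Za-z]",
    "alnum": "[A-Za-z0-9]",
    "safe": "[A-Za-z0-9 ._@-]",
    "any": r"[\s\S]",
}

# Constructed access log: (client ip, request line, manually reviewed?)
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "GET /search?q=apache&page=1 HTTP/1.1", False),
    ("10.0.0.7", "GET /search?q=modsec&page=12 HTTP/1.1", False),
    ("10.0.0.9", "GET /user?id=42 HTTP/1.1", False),
    ("10.0.0.9", "GET /user?id=1337 HTTP/1.1", False),
    # trusted source, hostile request: the threat score keeps it out
    ("10.0.0.5", "GET /user?id=1'%20union%20select%201 HTTP/1.1", False),
    # untrusted source, not reviewed: never used for learning
    ("203.0.113.8", "GET /search?q=<script>alert(1)</script> HTTP/1.1", False),
    # untrusted source, but an administrator reviewed and approved it
    ("203.0.113.9", "GET /search?q=security&page=3 HTTP/1.1", True),
]

# Illustrative chained rule in (approximate) ModSecurity 2.x syntax.
RULE_TEMPLATE = ('SecRule REQUEST_FILENAME "@streq %(path)s" '
                 '"chain,phase:2,deny,status:403,msg:\'%(name)s outside learned profile\'"\n'
                 '    SecRule ARGS:%(name)s "!@rx %(regex)s"')

def parse_request(request_line):
    """'GET /p?a=1 HTTP/1.1' -> (method, path, [(name, value), ...])."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)

def threat_score(request_line):
    """Negative security: sum signature weights over all parameter values."""
    _, _, params = parse_request(request_line)
    return sum(w for _, v in params for rx, w in NEGATIVE_SIGNATURES if rx.search(v))

def select_training(traffic, trusted_net, max_score=0):
    """Combine the three filters: learn from a request if an administrator
    reviewed it, or if it came from the trusted range and scores clean."""
    net = ipaddress.ip_network(trusted_net)
    return [line for ip, line, reviewed in traffic
            if reviewed or (ipaddress.ip_address(ip) in net and threat_score(line) <= max_score)]

def learn_profile(request_lines):
    """Per (path, parameter): narrowest character class and length range observed."""
    seen, paths = defaultdict(list), set()
    for line in request_lines:
        _, path, params = parse_request(line)
        paths.add(path)
        for name, value in params:
            seen[(path, name)].append(value)
    profile = {}
    for key, values in seen.items():
        cls = next(name for name, cs in CLASS_CHARSETS.items()
                   if all(re.fullmatch(cs + "*", v) for v in values))
        lengths = [len(v) for v in values]
        profile[key] = {"class": cls, "minlen": min(lengths), "maxlen": max(lengths)}
    return {"paths": paths, "params": profile}

def value_regex(rule):
    return "^%s{%d,%d}$" % (CLASS_CHARSETS[rule["class"]], rule["minlen"], rule["maxlen"])

def validate(profile, request_line):
    """Default deny: unknown paths, unexpected parameters and out-of-profile values fail."""
    _, path, params = parse_request(request_line)
    if path not in profile["paths"]:
        return False, "unknown path %s" % path
    for name, value in params:
        rule = profile["params"].get((path, name))
        if rule is None:
            return False, "unexpected parameter %s" % name
        if not re.fullmatch(value_regex(rule), value):
            return False, "%s=%r outside learned profile" % (name, value)
    return True, "ok"

def emit_rules(profile):
    """Render the learned profile as whitelist rules, one chain per parameter."""
    return [RULE_TEMPLATE % {"path": path, "name": name, "regex": value_regex(rule)}
            for (path, name), rule in sorted(profile["params"].items())]

if __name__ == "__main__":
    prof = learn_profile(select_training(SAMPLE_TRAFFIC, "10.0.0.0/24"))
    print("\n".join(emit_rules(prof)))
    for probe in ("GET /user?id=99 HTTP/1.1", "GET /user?id=1'%20or%201=1 HTTP/1.1",
                  "GET /search?q=apache&debug=1 HTTP/1.1"):
        print(probe, "->", validate(prof, probe))
```

Two things this makes visible that the prose does not: the learned profile is only as wide as the training traffic (with the seven constructed requests above, `id` is learned as two to four digits, so a legitimate `id=7` would be rejected until the learning window covers it), and a parameter that ends up in the `any` class is a sign that something the filters did not catch reached the training set. Both are reasons the model has to be regenerated and reviewed as the application changes, which is the point Ivan makes about continuous updating.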
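Worked example of the on-the-fly HMAC link signing that Stefano mentions above (the idea behind his Mod Anti Tamper, which Ivan notes is missing from ModSecurity). This is an added illustration written for this page, not Mod Anti Tamper's or ModSecurity's code: the key, the `sig` parameter name, the `href` rewriting regex and the sample HTML are assumptions, and a real deployment would run the signing step as an output filter and the check as an input filter.

```python
# Added example, not Mod Anti Tamper's own code: HMAC-sign the links a page
# emits and verify the signature on the way back in, so a client that edits
# a query string is refused before the request reaches the application.
import hashlib
import hmac
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-example-key-use-a-random-one"  # assumption: per-deployment secret
SIG = "sig"                                           # assumption: signature parameter name
HREF = re.compile(r'href="(/[^"]*)"')                 # relative links only, as an output filter would sign

def _canonical(path, params):
    """What gets signed: path plus parameters in a fixed order, so that
    reordering does not break verification but editing a value does."""
    return (path + "?" + urlencode(sorted(params))).encode()

def _mac(path, params, key):
    return hmac.new(key, _canonical(path, params), hashlib.sha256).hexdigest()

def sign_url(url, key=SECRET):
    """Return url with a sig parameter appended (any client-supplied sig is dropped first)."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != SIG]
    query = urlencode(params + [(SIG, _mac(parts.path, params, key))])
    return urlunsplit(parts._replace(query=query))

def verify_url(url, key=SECRET):
    """Accept only a URL carrying exactly one sig that matches its path and parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG]
    if len(sigs) != 1:          # missing or duplicated signature: refuse
        return False
    rest = [(k, v) for k, v in params if k != SIG]
    return hmac.compare_digest(_mac(parts.path, rest, key), sigs[0])

def sign_links(page, key=SECRET):
    """Rewrite every relative href in an HTML page; &amp; entities are decoded before signing."""
    return HREF.sub(
        lambda m: 'href="%s"' % html.escape(sign_url(html.unescape(m.group(1)), key), quote=True),
        page)

def extract_hrefs(page):
    """The unescaped relative href values in a page (what a browser would request)."""
    return [html.unescape(h) for h in HREF.findall(page)]

if __name__ == "__main__":
    # Constructed page: one application link and one external link that is left alone.
    page = '<a href="/user?id=42&amp;view=full">me</a> <a href="http://example.com/x?y=1">ext</a>'
    signed_page = sign_links(page)
    for link in extract_hrefs(signed_page):
        print(link, "->", verify_url(link), "| tampered ->", verify_url(link.replace("id=42", "id=43")))
```

The check has to be keyed, constant-time and strict about the signature count; the `len(sigs) != 1` branch is there because a request carrying two `sig` values would otherwise let the verifier pick one while the application reads the other. Signing with a secret that the client never sees is what makes the link tamper-evident; a plain hash would simply be recomputed by the attacker.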
Current thread:
- Apache mode_security Serg Belokamen (Nov 16)
- Re: Apache mode_security Ivan Ristic (Nov 16)
- Re: Apache mode_security Stefano Di Paola (Nov 20)
- Re: Apache mode_security Ivan Ristic (Nov 25)
- Re: Apache mode_security Stefano Di Paola (Nov 26)
- Re: Apache mode_security Ivan Ristic (Nov 28)
- Re: Apache mode_security Stefano Di Paola (Dec 04)
- Re: Apache mode_security Stefano Di Paola (Nov 20)
- Re: Apache mode_security Ivan Ristic (Nov 16)
- <Possible follow-ups>
- RE: Apache mode_security Erez Schwarz (Nov 16)
- RE: Apache mode_security Serg B. (Nov 16)
- Re: Apache mode_security K K Mookhey (Nov 29)
- RE: Apache mode_security Serg B. (Nov 16)
- RE: Apache mode_security Ofer Shezaf (Nov 30)