SlideShare a Scribd company logo

Folini Extended Introduction to ModSecurity and CRS3

C
Christian Folini

This document provides an introduction to ModSecurity and the OWASP Core Rule Set (CRS) presented by Christian Folini. The presentation covers what a web application firewall (WAF) and ModSecurity are, an overview of the CRS including rule groups and paranoia levels, how to install and configure ModSecurity with the CRS, and handling false positives. The goal of ModSecurity and CRS is to provide a first line of defense against web application attacks and block around 80% of attacks with minimal false positives in the default installation.

Technology
1 of 27
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
@ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27 An Introduction to ModSecurity and the OWASP Core Rule Set (BCS DevSecOps SG) Christian Folini / @ChrFolini
Baseline / 1st Line of Defense Safety Belts
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives
Web Application Firewalls Complex • Overwhelming • Rarely Functional
ModSecurity Embedded • Rule oriented • Granular Control
Folini Extended Introduction to ModSecurity and CRS3
Folini Extended Introduction to ModSecurity and CRS3
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &
Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org
@ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini

More Related Content

PPTX
Message Falsification Attack Network Projects Guidance
Network Simulation Tools
 
PPTX
Full disclosure-vulnerabilities
slideseces
 
PDF
TechWiseTV Workshop: Programmable ASICs
Robb Boyd
 
PPTX
What is a blockchain api how can you integrate in your website
Blockchain Council
 
PDF
Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
PDF
Introducing the OWASP ModSecurity Core Rule Set
Christian Folini
 
PPTX
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
 
PDF
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
Message Falsification Attack Network Projects Guidance
Network Simulation Tools
 
Full disclosure-vulnerabilities
slideseces
 
TechWiseTV Workshop: Programmable ASICs
Robb Boyd
 
What is a blockchain api how can you integrate in your website
Blockchain Council
 
Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 
Introducing the OWASP ModSecurity Core Rule Set
Christian Folini
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
 
Extensive Introduction to ModSecurity and the OWASP Core Rule Set
Christian Folini
 

Similar to Folini Extended Introduction to ModSecurity and CRS3 (20)

PPTX
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
NGINX, Inc.
 
PPTX
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
NGINX, Inc.
 
PDF
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
NGINX, Inc.
 
PDF
Optimizing ModSecurity on NGINX and NGINX Plus
Christian Folini
 
PDF
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
PDF
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 
PDF
Introduction to Mod security session April 2016
Rahul
 
PDF
OWASP ModSecurity Core Rules Paranoia Mode
Christian Folini
 
PDF
WAF In DevOps DevOpsFusion2019
Franziska Buehler
 
PDF
Using a WAF to Make the Life of Bug Bounty Hunters Miserable
Christian Folini
 
PPTX
Web Application firewall-Mod security
Romansh Yadav
 
PDF
Site Security Policy - Yahoo! Security Week
guest9663eb
 
PPTX
ModSecurity 3.0 and NGINX: Getting Started
NGINX, Inc.
 
PDF
What is ModSecurity and Its Usage.pdf
Host It Smart
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
PPTX
ModSecurity 3.0 and NGINX: Getting Started - EMEA
NGINX, Inc.
 
PDF
What’s new in CRS4? An Update from the OWASP CRS project
Christian Folini
 
PDF
DevSecOps: Putting the Sec into the DevOps
shira koper
 
PPTX
msc_pyparser - ModSecurity config parser presentation @CRS Community Summit i...
digitalwave
 
ODP
Web Application Firewall
Chandrapal Badshah
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
NGINX, Inc.
 
Optimizing ModSecurity on NGINX and NGINX Plus
Christian Folini
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
JosephTesta9
 
Web Application Firewall - Friend of your DevOps Chain?
Franziska Buehler
 
Introduction to Mod security session April 2016
Rahul
 
OWASP ModSecurity Core Rules Paranoia Mode
Christian Folini
 
WAF In DevOps DevOpsFusion2019
Franziska Buehler
 
Using a WAF to Make the Life of Bug Bounty Hunters Miserable
Christian Folini
 
Web Application firewall-Mod security
Romansh Yadav
 
Site Security Policy - Yahoo! Security Week
guest9663eb
 
ModSecurity 3.0 and NGINX: Getting Started
NGINX, Inc.
 
What is ModSecurity and Its Usage.pdf
Host It Smart
 
AllDayDevOps 2019 AppSensor
jtmelton
 
ModSecurity 3.0 and NGINX: Getting Started - EMEA
NGINX, Inc.
 
What’s new in CRS4? An Update from the OWASP CRS project
Christian Folini
 
DevSecOps: Putting the Sec into the DevOps
shira koper
 
msc_pyparser - ModSecurity config parser presentation @CRS Community Summit i...
digitalwave
 
Web Application Firewall
Chandrapal Badshah
 
Ad

More from Christian Folini (13)

PDF
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Christian Folini
 
PDF
OWASP ModSecurity - A few plot twists and what feels like a happy end
Christian Folini
 
PDF
Crazy incentives and how they drive security into no man's land
Christian Folini
 
PDF
Never Walk Alone - Inspirations from a Growing OWASP Project
Christian Folini
 
PDF
The Adventurous Tale of Online Voting in Switzerland
Christian Folini
 
PDF
EVoting in der Schweiz - Ein Fortsetzungsroman
Christian Folini
 
PDF
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Christian Folini
 
PDF
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
Christian Folini
 
PDF
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Christian Folini
 
PDF
Medieval Castles and Modern Servers
Christian Folini
 
PDF
E-Voting, die Sicherheit und die Rolle der Experten
Christian Folini
 
PDF
Black alps 2018-folini-d-dos
Christian Folini
 
PDF
A General Look at the State of Security - AFCEA 2017
Christian Folini
 
Crazy Incentives and How They Kill Security. How Do You Turn the Wheel?
Christian Folini
 
OWASP ModSecurity - A few plot twists and what feels like a happy end
Christian Folini
 
Crazy incentives and how they drive security into no man's land
Christian Folini
 
Never Walk Alone - Inspirations from a Growing OWASP Project
Christian Folini
 
The Adventurous Tale of Online Voting in Switzerland
Christian Folini
 
EVoting in der Schweiz - Ein Fortsetzungsroman
Christian Folini
 
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set
Christian Folini
 
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf...
Christian Folini
 
Gedanken zur elektronischen Stimmabgabe für Datenschützer
Christian Folini
 
Medieval Castles and Modern Servers
Christian Folini
 
E-Voting, die Sicherheit und die Rolle der Experten
Christian Folini
 
Black alps 2018-folini-d-dos
Christian Folini
 
A General Look at the State of Security - AFCEA 2017
Christian Folini
 
Ad

Recently uploaded (20)

PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Encapsulation theory and applications.pdf
gurumoop
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Approach and Philosophy of On baking technology
30anthuong17
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 

Folini Extended Introduction to ModSecurity and CRS3

  • 1. @ChrFolini Introduction to ModSecurity and CRS – BCS 2019-11-27 An Introduction to ModSecurity and the OWASP Core Rule Set (BCS DevSecOps SG) Christian Folini / @ChrFolini
  • 2. Baseline / 1st Line of Defense Safety Belts
  • 3. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Boring Bio ● Christian Folini / ChrFolini ● Security Engineer at netnea in Switzerland ● Author, teacher and speaker ● OWASP CRS project Co-Lead
  • 4. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Plan for Today ● What is a WAF? ● What is ModSecurity? ● What is Core Rule Set? ● Demo ● Key concepts ● Rules ● False Positives
  • 5. Web Application Firewalls Complex • Overwhelming • Rarely Functional
  • 6. ModSecurity Embedded • Rule oriented • Granular Control
  • 9. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Include in server config (depending on path): Include /path-to-owasp-crs/crs-setup.conf Include /path-to-owasp-crs/rules/*.conf Clone the repository (or download latest release): $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs Copy the example config: $> cp crs-setup.conf.example crs-setup.conf Demo Time (Installation)
  • 10. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Research based on 4.5M Burp requests. CRS3 Default Install Redir.: RFI: LFI: XSS: SQLi: 0% 0% -100% -82% -100%
  • 11. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level 1: Minimal number of false positives Baseline protection Paranoia Level 2: More rules, some false positives Real data in the service Paranoia Level 3: Specialized rules, more FPs Online banking level security Paranoia Level 4: Crazy rules, many FPs Nuclear power plant level security Paranoia Levels
  • 12. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Request Rules REQUEST-910-IP-REPUTATION.conf REQUEST-911-METHOD-ENFORCEMENT.conf REQUEST-912-DOS-PROTECTION.conf REQUEST-913-SCANNER-DETECTION.conf REQUEST-920-PROTOCOL-ENFORCEMENT.conf REQUEST-921-PROTOCOL-ATTACK.conf REQUEST-930-APPLICATION-ATTACK-LFI.conf REQUEST-931-APPLICATION-ATTACK-RFI.conf REQUEST-932-APPLICATION-ATTACK-RCE.conf REQUEST-933-APPLICATION-ATTACK-PHP.conf REQUEST-941-APPLICATION-ATTACK-XSS.conf REQUEST-942-APPLICATION-ATTACK-SQLI.conf REQUEST-943-APPLICATION-ATTACK-SESS-FIX.conf REQUEST-944-APPLICATION-ATTACK-JAVA.conf REQUEST-949-BLOCKING-EVALUATION.conf
  • 13. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Important Groups of Rules Response Rules RESPONSE-950-DATA-LEAKAGES.conf RESPONSE-951-DATA-LEAKAGES-SQL.conf RESPONSE-952-DATA-LEAKAGES-JAVA.conf RESPONSE-953-DATA-LEAKAGES-PHP.conf RESPONSE-954-DATA-LEAKAGES-IIS.conf RESPONSE-959-BLOCKING-EVALUATION.conf
  • 14. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Paranoia Level Example: Protocol Enforcement Rules Paranoia Level 1: 31 Rules Paranoia Level 2: 7 Rules Paranoia Level 3: 1 Rules Paranoia Level 4: 4 Rules
  • 15. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Stricter Siblings Example: Byte Range Enforcement Paranoia Level 1: Rule 920270: Full ASCII range without null character Paranoia Level 2: Rule 920271: Full visible ASCII range, tab, newline Paranoia Level 3: Rule 920272: Visible lower ASCII range without % Paranoia Level 4: Rule 920273: A-Z a-z 0-9 = - _ . , : &
  • 16. Anomaly Scoring Adjustable Limit • Blocking Mode • Iterative Tuning
  • 17. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Sampling Mode Easing into CRS adoption / limit the impact • Define a sampling rate of n • Only n% of the requests are being funneled into CRS3 • 100% - n% of requests bypass CRS3 • Monitor performance and fix problems • Slowly raise n in an iterative way until it reaches 100%
  • 18. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  • 19. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  • 20. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  • 21. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  • 22. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  • 23. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27
  • 24. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 False Positives False Positives are expected from PL2 • FPs are fought with rule exclusions • Tutorials at https://www.netnea.com • Get cheatsheet from Netnea • Please report FPs at PL1 (github)
  • 25. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Apache / ModSecurity / CRS Tutorials https://www.netnea.com/cms/apache-tutorials/
  • 26. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Summary ModSecurity & CRS3 • 1st Line of Defense against web application attacks • Generic set of blacklisting rules for WAFs • Blocks 80% of web application attacks in the default installation (with a minimal number of FPs) • Granular control over the behaviour down to the parameter level More information at https://coreruleset.org
  • 27. @ChrFolini Introduction to ModSecurity and CRS – BCS London 2019-11-27 Questions and Answers, Contact Contact: christian.folini@netnea.com @ChrFolini