SlideShare a Scribd company logo

Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm

Download as PPTX, PDF
Security Bootcamp, profile picture
Security Bootcamp

The document discusses various techniques for web application security and traffic analysis using ModSecurity, including real-time application profiling, hacker traps, anomaly scoring, correlation of inbound and outbound events, detecting malicious links, unicode normalization, abnormal header ordering, detecting page title changes, device fingerprinting, and slowing down automated attacks. It also mentions using ELK (Elasticsearch, Logstash, Kibana) for real-time analysis of streaming log data.

Presentations & Public Speaking
1 of 47
Downloaded 72 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
MODSECURITY ELK If we do not wish to fight we can prevent! {
ModSecurity Security Bootcamp 2014 2
*log Security Bootcamp 2014 3
ELK Security Bootcamp 2014 4
ModSecurity Ryan C. Barnett ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. Blackhat Arsenal 2014 Security Bootcamp 2014 5
Surviving D-Day Omaha Beach 1944 Security Bootcamp 2014 6
Surviving D-Day Omaha Beach 1944  Fake tank  Fake aircraft  Fake Napoli (Egypt)  Fake …… Security Bootcamp 2014 7
HoneyTraps with ModSecurity http://map.honeycloud.net/ Security Bootcamp 2014 8
1.Real-time Application Profiling Security Bootcamp 2014 9
Real-time Application Profiling  Request method(s)  Number of parameters (minimum/maximum range)  Parameter names  Parameter lengths (minimum/maximum range)  Parameter types  Flag (such as /path/to/foo.php?param)  Digits (such as /path/to/foo.php?param=1234)  Alpha (such as /path/to/foo.php?param=abcd)  Alphanumeric (such as /path/to/foo.php?param=abcd1234)  E-mail (such as /path/to/foo.php?param=foo@bar.com)  Path (such as /path/to/foo.php?param=/dir/somefile.txt)  URL (such as /path/to/foo.php?param=http://somehost/dir/file.txt)  SafeText (such as /path/to/foo.php?param=some_data-12) Security Bootcamp 2014 10
Real-time Application Profiling Security Bootcamp 2014 11
Post-Process Profiling Security Bootcamp 2014 12
4 scenarios  If the HTTP response code is 404, the resource doesn’t exist. In this case, not only do we skip the profiling, but we also remove the resource key, so we delete the persistent storage. This is achieved by using the setvar:!resource.KEY action.  If the HTTP response code is either level 4xx or level 5xx, the application says something is wrong with the transaction, so we won’t profile it in this case either.  The OWASP ModSecurity Core Rule Set (CRS) can use anomaly scoring. We can check this transactional anomaly score. If it is anything other than 0, we should skip profiling.  Finally, we have already seen enough traffic for our profiling model and are currently in enforcement mode, so we skip profiling. Security Bootcamp 2014 13
2. Hacker Traps Security Bootcamp 2014 14
Hacker Traps  Unused Web Ports  Fake robots.txt Disallow Entries  Fake HTML comments  Fake hidden form fields  Fake cookies Security Bootcamp 2014 15
Hacker Traps Unused Web Ports Security Bootcamp 2014 16
Hacker Traps Fake robots.txt Disallow Entries Security Bootcamp 2014 17
Hacker Traps Fake HTML comments Security Bootcamp 2014 18
Hacker Traps Fake HTML comments Security Bootcamp 2014 19
Hacker Traps Fake hidden form fields Security Bootcamp 2014 20
Hacker Traps Fake cookies Security Bootcamp 2014 21
Hacker Traps Fake cookies Security Bootcamp 2014 22
3a. Self-Contained vs. Collaborative Detection Security Bootcamp 2014 23
Self-Contained vs. Collaborative Detection Self-Contained Collaborative Security Bootcamp 2014 24
Anomaly Scoring Threshold Levels Security Bootcamp 2014 25
3b. Inbound/Outbound Correlation Security Bootcamp 2014 26
Correlation  Did an inbound attack occur?  Did an HTTP response status code error (4xx/5xx level) occur?  Did an application information leakage event occur? Security Bootcamp 2014 27
Correlation If an inbound attack was detected, and either an outbound application status codeerror or information leakage event was detected, the overall event severity is raised to one of the following:  • 0, EMERGENCY, is generated from correlation of anomaly scoring data where an inbound attack and an outbound leakage exist.  • 1, ALERT, is generated from correlation where an inbound attack and an outbound application-level error exist. Security Bootcamp 2014 28
4. Detecting Malicious Links Security Bootcamp 2014 29
Detecting Malicious Links  URI Blacklist RBL6  Google’s Safe Browsing API7  ModSecurity  @rbl operator  @gsbLookup operator  @rsub operator  SecGsbLookupDb directive  SecStreamOutBodyInspection directive  SecContentInjection directive  STREAM_OUTPUT_BODY variable Security Bootcamp 2014 30
5. Normalizing Unicode Security Bootcamp 2014 31
Normalizing Unicode  Best-Fit Mapping  Detecting Use of Full-/Half-Width Unicode Security Bootcamp 2014 32
Best-Fit Mapping %u3008scr%u0131pt%u3009%u212fval(%uFF07al%u212Frt(%22XSS%22)%u02C8)%u23 29/scr%u0131pt%u232A 〈(0x2329) ~= <(0x3c) 〈(0x3008) ~= <(0x3c) <(0xff1c) ~= <(0x3c) ʹ(0x2b9) ~= '(0x27) ʼ(0x2bc) ~= '(0x27) ˈ(0x2c8) ~= '(0x27) ′(0x2032) ~= '(0x27) '(0xff07) ~= '(0x27) Security Bootcamp 2014 33
Unicode Mapping Security Bootcamp 2014 34
Unicode Mapping Security Bootcamp 2014 35
Full-/Half-Width Unicode Security Bootcamp 2014 36
6. Abnormal Header Ordering Security Bootcamp 2014 37
Passive OS fingerprinting Security Bootcamp 2014 38
7. Detecting Page Title Changes Security Bootcamp 2014 39
Detecting Page Title Changes Security Bootcamp 2014 40
8. Web Client Device Fingerprinting Security Bootcamp 2014 41
Web Client Device Fingerprinting Security Bootcamp 2014 42
9. Slowing Down Automated Attack Tools Security Bootcamp 2014 43
Slowing Down Automated Attack Tools Security Bootcamp 2014 44
NSM Logstash Elasticsearch Kibana No code required Real-time analysis of streaming data Highly scalable Open source, community driven Security Bootcamp 2014 45
DEMO Security Bootcamp 2014 46
“ ” Thank you! Question, huh? FPT TELECOM Security Bootcamp 2014 47

More Related Content

PPTX
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
PDF
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp
 
PDF
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
PDF
Neoito — Secure coding practices
Neoito
 
PDF
.NET for hackers
Antonio Parata
 
PDF
Malware Detection With Multiple Features
Muhammad Najmi Ahmad Zabidi
 
PDF
Applications secure by default
SecuRing
 
PPT
На страже ваших денег и данных
Positive Hack Days
 
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Security Bootcamp
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Neoito — Secure coding practices
Neoito
 
.NET for hackers
Antonio Parata
 
Malware Detection With Multiple Features
Muhammad Najmi Ahmad Zabidi
 
Applications secure by default
SecuRing
 
На страже ваших денег и данных
Positive Hack Days
 

What's hot (20)

PDF
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
PPTX
Secure programming with php
Mohmad Feroz
 
PPTX
Top 10 mobile security risks - Khổng Văn Cường
Võ Thái Lâm
 
PDF
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
 
PPTX
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
PDF
Внедрение безопасности в веб-приложениях в среде выполнения
Positive Hack Days
 
PDF
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
PPTX
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Ivan Piskunov
 
PPTX
Indicators of compromise: From malware analysis to eradication
Michael Boman
 
PPTX
How to drive a malware analyst crazy
Michael Boman
 
PPTX
MMW Anti-Sandbox Techniques
Cyphort
 
PPTX
Automating Malware Analysis
securityxploded
 
PDF
Super1
neelakanteswarreddy
 
PPT
The Future of Automated Malware Generation
Stephan Chenette
 
PPT
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
PDF
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
PDF
Challenges in High Accuracy of Malware Detection
Muhammad Najmi Ahmad Zabidi
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PDF
A Threat Hunter Himself
Sergey Soldatov
 
PPTX
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Art of Web Backdoor - Pichaya Morimoto
Pichaya Morimoto
 
Secure programming with php
Mohmad Feroz
 
Top 10 mobile security risks - Khổng Văn Cường
Võ Thái Lâm
 
Waf.js: How to Protect Web Applications using JavaScript
Denis Kolegov
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
Внедрение безопасности в веб-приложениях в среде выполнения
Positive Hack Days
 
Secure PHP Coding
Narudom Roongsiriwong, CISSP
 
Современные технологии и инструменты анализа вредоносного ПО_PHDays_2017_Pisk...
Ivan Piskunov
 
Indicators of compromise: From malware analysis to eradication
Michael Boman
 
How to drive a malware analyst crazy
Michael Boman
 
MMW Anti-Sandbox Techniques
Cyphort
 
Automating Malware Analysis
securityxploded
 
Super1
neelakanteswarreddy
 
The Future of Automated Malware Generation
Stephan Chenette
 
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
Secure Coding in C/C++
Dan-Claudiu Dragoș
 
Challenges in High Accuracy of Malware Detection
Muhammad Najmi Ahmad Zabidi
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
A Threat Hunter Himself
Sergey Soldatov
 
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Ad

Viewers also liked (20)

PPT
Hướng nghiên cứu mới cho ngành mật mã nước nhà - TS Hồ Ngọc Duy
Security Bootcamp
 
PPTX
Chu nhat 02 luu thanh tra e-prior e-trust
Security Bootcamp
 
PDF
Xây dựng cộng đồng - Lê Trung Nghĩa - Bộ KHCN
Security Bootcamp
 
PPT
Thu 6 03 bootcamp 2014 - xxe injection - nguyen tang hung
Security Bootcamp
 
PPTX
Top 10 mobile security risks - Khổng Văn Cường
Security Bootcamp
 
PDF
Finfisher- Nguyễn Chấn Việt
Security Bootcamp
 
PDF
Tấn công và khai thác mạng máy tính theo mô hình thường trực cao cấp APT - Lê...
Security Bootcamp
 
PDF
Khai thác lỗi phần mềm thi chứng chỉ của Microsoft - Phạm Đình Thắng
Security Bootcamp
 
PPT
Phan Phú Thuận - VNCERT
Security Bootcamp
 
PPTX
Võ Nhân Văn - Tối ưu hóa hạ tầng và đảm bảo attt trong ngành ngân hàng
Security Bootcamp
 
PPTX
Thu 6 04 advance penetration test with armitage
Security Bootcamp
 
PDF
Sử dụng TLS đúng cách - Phạm Tùng Dương
Security Bootcamp
 
PPT
Đặng Hải Sơn - Báo cáo tình hình An toàn thông tin trong các cơ quan nhà nước
Security Bootcamp
 
PDF
NETWORK SECURITY MONITORING WITH BIG DATA ANALYTICS - Nguyễn Minh Đức
Security Bootcamp
 
PPTX
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Security Bootcamp
 
PDF
Security Bootcamp 2013 penetration testing (basic)
Security Bootcamp
 
PDF
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp
 
PDF
Lê Trung Nghĩa - Suggestions after VNA attack with template
Security Bootcamp
 
PPT
Nguyễn Tấn Vi - office of the CISO
Security Bootcamp
 
PPTX
Pham Ngọc Bắc - An toàn thông tin dưới góc nhìn Quản lý theo tiêu chuẩn Quốc...
Security Bootcamp
 
Hướng nghiên cứu mới cho ngành mật mã nước nhà - TS Hồ Ngọc Duy
Security Bootcamp
 
Chu nhat 02 luu thanh tra e-prior e-trust
Security Bootcamp
 
Xây dựng cộng đồng - Lê Trung Nghĩa - Bộ KHCN
Security Bootcamp
 
Thu 6 03 bootcamp 2014 - xxe injection - nguyen tang hung
Security Bootcamp
 
Top 10 mobile security risks - Khổng Văn Cường
Security Bootcamp
 
Finfisher- Nguyễn Chấn Việt
Security Bootcamp
 
Tấn công và khai thác mạng máy tính theo mô hình thường trực cao cấp APT - Lê...
Security Bootcamp
 
Khai thác lỗi phần mềm thi chứng chỉ của Microsoft - Phạm Đình Thắng
Security Bootcamp
 
Phan Phú Thuận - VNCERT
Security Bootcamp
 
Võ Nhân Văn - Tối ưu hóa hạ tầng và đảm bảo attt trong ngành ngân hàng
Security Bootcamp
 
Thu 6 04 advance penetration test with armitage
Security Bootcamp
 
Sử dụng TLS đúng cách - Phạm Tùng Dương
Security Bootcamp
 
Đặng Hải Sơn - Báo cáo tình hình An toàn thông tin trong các cơ quan nhà nước
Security Bootcamp
 
NETWORK SECURITY MONITORING WITH BIG DATA ANALYTICS - Nguyễn Minh Đức
Security Bootcamp
 
Tình hình ANTT ở Việt Nam - Lê Công Phú - CMC Infosec
Security Bootcamp
 
Security Bootcamp 2013 penetration testing (basic)
Security Bootcamp
 
Security Bootcamp 2013 - Định hướng công việc ngành ATTT - Nguyễn Hải Long
Security Bootcamp
 
Lê Trung Nghĩa - Suggestions after VNA attack with template
Security Bootcamp
 
Nguyễn Tấn Vi - office of the CISO
Security Bootcamp
 
Pham Ngọc Bắc - An toàn thông tin dưới góc nhìn Quản lý theo tiêu chuẩn Quốc...
Security Bootcamp
 
Ad

Similar to Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm (20)

PDF
Web Development Security
Rafael Monteiro
 
PPTX
State of the information security nation
SensePost
 
PDF
Become a Security Ninja
Paul Gilzow
 
PDF
Making Web Development "Secure By Default"
Duo Security
 
PPTX
We cant hack ourselves secure
Eoin Keary
 
PDF
OWASP Top Ten in Practice
Security Innovation
 
PDF
2013 OWASP Top 10
bilcorry
 
PPTX
OWASP top 10-2013
tmd800
 
PPTX
The path of secure software by Katy Anton
DevSecCon
 
PPTX
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PPT
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
PDF
Owasp top 10_openwest_2019
Sean Jackson
 
PDF
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
PDF
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
PPT
Web 2.0 Hacking
blake101
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
PPT
Web Apps Security
Victor Bucutea
 
Web Development Security
Rafael Monteiro
 
State of the information security nation
SensePost
 
Become a Security Ninja
Paul Gilzow
 
Making Web Development "Secure By Default"
Duo Security
 
We cant hack ourselves secure
Eoin Keary
 
OWASP Top Ten in Practice
Security Innovation
 
2013 OWASP Top 10
bilcorry
 
OWASP top 10-2013
tmd800
 
The path of secure software by Katy Anton
DevSecCon
 
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
Common Web Application Attacks
Ahmed Sherif
 
BSidesDC 2016 Beyond Automated Testing
Andrew McNicol
 
Owasp top 10_openwest_2019
Sean Jackson
 
CNIT 129S: Securing Web Applications Ch 1-2
Sam Bowne
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Web 2.0 Hacking
blake101
 
The OWASP Zed Attack Proxy
Aditya Gupta
 
Web Apps Security
Victor Bucutea
 

More from Security Bootcamp (20)

PDF
Ẩn mình kết nối C&C - Xu hướng tấn công và cách phòng thủ
Security Bootcamp
 
PPTX
AI-ttacks - Nghiên cứu về một số tấn công vào các mô hình học máy và AI
Security Bootcamp
 
PPTX
Human and AI - Balancing Innovation and Data Privacy in the Age of Cyber Threats
Security Bootcamp
 
PPTX
Robustness of Deep learning mode ls.pptx
Security Bootcamp
 
PPTX
DLL Sideloading cho mọi nhà - Security Bootcamp 2024
Security Bootcamp
 
PDF
Let the Hunt Begin - Security Bootcamp 2024
Security Bootcamp
 
PDF
Detection as Code - Effective Approach to manage & optimize SOC Development
Security Bootcamp
 
PDF
Quản trị rủi ro nguồn mở tại các doanh nghiệp phần mềm Việt Nam
Security Bootcamp
 
PDF
Phân tích một chiến dịch ransomware: Từ lan truyền đến tống tiền
Security Bootcamp
 
PDF
CyberJutsu - The Joern-ey of Static Code Analysis.pdf
Security Bootcamp
 
PPTX
Security in the AI and Web3 era - Veramine
Security Bootcamp
 
PDF
ĐỂ AI ĐƯỢC AN TOÀN, MINH BẠCH, CÓ TRÁCH NHIỆM VÀ ‘NHÂN TÍNH’ HƠN
Security Bootcamp
 
PDF
Modern Security Operations - Building and leading modern SOC
Security Bootcamp
 
PDF
Humanity and AI: Balancing Innovation and Data Privacy in the Age of Cyber Th...
Security Bootcamp
 
PPTX
SBC2024_AI TRONG CYBER SECURITY_final.pptx
Security Bootcamp
 
PPTX
Cyber GenAI – Another Chatbot? - Trellix
Security Bootcamp
 
PDF
Akamai_ API Security Best Practices - Real-world attacks and breaches
Security Bootcamp
 
PPTX
How to steal a drone Drone Hijacking - VNPT Cyber Immunity
Security Bootcamp
 
PDF
Empowering Malware Analysis with IDA AppCall
Security Bootcamp
 
PDF
Detection of Spreading Process on many assets over the network
Security Bootcamp
 
Ẩn mình kết nối C&C - Xu hướng tấn công và cách phòng thủ
Security Bootcamp
 
AI-ttacks - Nghiên cứu về một số tấn công vào các mô hình học máy và AI
Security Bootcamp
 
Human and AI - Balancing Innovation and Data Privacy in the Age of Cyber Threats
Security Bootcamp
 
Robustness of Deep learning mode ls.pptx
Security Bootcamp
 
DLL Sideloading cho mọi nhà - Security Bootcamp 2024
Security Bootcamp
 
Let the Hunt Begin - Security Bootcamp 2024
Security Bootcamp
 
Detection as Code - Effective Approach to manage & optimize SOC Development
Security Bootcamp
 
Quản trị rủi ro nguồn mở tại các doanh nghiệp phần mềm Việt Nam
Security Bootcamp
 
Phân tích một chiến dịch ransomware: Từ lan truyền đến tống tiền
Security Bootcamp
 
CyberJutsu - The Joern-ey of Static Code Analysis.pdf
Security Bootcamp
 
Security in the AI and Web3 era - Veramine
Security Bootcamp
 
ĐỂ AI ĐƯỢC AN TOÀN, MINH BẠCH, CÓ TRÁCH NHIỆM VÀ ‘NHÂN TÍNH’ HƠN
Security Bootcamp
 
Modern Security Operations - Building and leading modern SOC
Security Bootcamp
 
Humanity and AI: Balancing Innovation and Data Privacy in the Age of Cyber Th...
Security Bootcamp
 
SBC2024_AI TRONG CYBER SECURITY_final.pptx
Security Bootcamp
 
Cyber GenAI – Another Chatbot? - Trellix
Security Bootcamp
 
Akamai_ API Security Best Practices - Real-world attacks and breaches
Security Bootcamp
 
How to steal a drone Drone Hijacking - VNPT Cyber Immunity
Security Bootcamp
 
Empowering Malware Analysis with IDA AppCall
Security Bootcamp
 
Detection of Spreading Process on many assets over the network
Security Bootcamp
 

Recently uploaded (20)

PPTX
Introduction-to-Food-Packaging-and-packaging -materials.pptx
pragyanlahkar16
 
PPT
First Aid Training Presentation Slides.ppt
WilliamMigoya
 
PPTX
Hydrogel Based delivery Cancer Treatment
sgsayan31
 
PDF
Microsoft-365-Administrator-s-Guide_.pdf
martinseguaoje
 
PPTX
AcademyNaturalLanguageProcessing-EN-ILT-M02-Introduction.pptx
nguyenhung549091
 
PDF
COLEAD A2F approach and Theory of Change
Francois Stepman
 
PPTX
ANICK 6 BIRTHDAY....................................................
Raju RJ
 
DOCX
"Project Management: Ultimate Guide to Tools, Techniques, and Strategies (2025)"
Myplanningtemplates
 
PPTX
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
PPTX
NORMAN_RESEARCH_PRESENTATION.in education
JustineMaluma
 
PPTX
PHIL.-ASTRONOMY-AND-NAVIGATION of ..pptx
ajp27480
 
PPTX
Sustainable Forest Management ..SFM.pptx
HameedNazeer
 
PDF
_Nature and dynamics of communities and community development .pdf
RedART01
 
PPTX
FINAL TEST 3C_OCTAVIA RAMADHANI SANTOSO-1.pptx
itsvialalalla
 
PDF
Yusen Logistics Group Sustainability Report 2024.pdf
byrongeorge73
 
PDF
IKS PPT.....................................
karanmjangid
 
PPTX
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
PPTX
3RD-Q 2022_EMPLOYEE RELATION - Copy.pptx
GCCHR
 
PDF
Module 7 guard mounting of security pers
MagnificoDionicio
 
PPTX
Lesson-7-Gas. -Exchange_074636.pptx
riesiscar2
 
Introduction-to-Food-Packaging-and-packaging -materials.pptx
pragyanlahkar16
 
First Aid Training Presentation Slides.ppt
WilliamMigoya
 
Hydrogel Based delivery Cancer Treatment
sgsayan31
 
Microsoft-365-Administrator-s-Guide_.pdf
martinseguaoje
 
AcademyNaturalLanguageProcessing-EN-ILT-M02-Introduction.pptx
nguyenhung549091
 
COLEAD A2F approach and Theory of Change
Francois Stepman
 
ANICK 6 BIRTHDAY....................................................
Raju RJ
 
"Project Management: Ultimate Guide to Tools, Techniques, and Strategies (2025)"
Myplanningtemplates
 
Intro to ISO 9001 2015.pptx wareness raising
nadianisar5
 
NORMAN_RESEARCH_PRESENTATION.in education
JustineMaluma
 
PHIL.-ASTRONOMY-AND-NAVIGATION of ..pptx
ajp27480
 
Sustainable Forest Management ..SFM.pptx
HameedNazeer
 
_Nature and dynamics of communities and community development .pdf
RedART01
 
FINAL TEST 3C_OCTAVIA RAMADHANI SANTOSO-1.pptx
itsvialalalla
 
Yusen Logistics Group Sustainability Report 2024.pdf
byrongeorge73
 
IKS PPT.....................................
karanmjangid
 
BIOLOGY TISSUE PPT CLASS 9 PROJECT PUBLIC
iamsrinjandatta
 
3RD-Q 2022_EMPLOYEE RELATION - Copy.pptx
GCCHR
 
Module 7 guard mounting of security pers
MagnificoDionicio
 
Lesson-7-Gas. -Exchange_074636.pptx
riesiscar2
 

Triển khai Modsecurity vào hệ thống NMS - Quan Minh Tâm

  • 1. MODSECURITY ELK If we do not wish to fight we can prevent! {
  • 5. ModSecurity Ryan C. Barnett ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections. Blackhat Arsenal 2014 Security Bootcamp 2014 5
  • 6. Surviving D-Day Omaha Beach 1944 Security Bootcamp 2014 6
  • 7. Surviving D-Day Omaha Beach 1944  Fake tank  Fake aircraft  Fake Napoli (Egypt)  Fake …… Security Bootcamp 2014 7
  • 8. HoneyTraps with ModSecurity http://map.honeycloud.net/ Security Bootcamp 2014 8
  • 9. 1.Real-time Application Profiling Security Bootcamp 2014 9
  • 10. Real-time Application Profiling  Request method(s)  Number of parameters (minimum/maximum range)  Parameter names  Parameter lengths (minimum/maximum range)  Parameter types  Flag (such as /path/to/foo.php?param)  Digits (such as /path/to/foo.php?param=1234)  Alpha (such as /path/to/foo.php?param=abcd)  Alphanumeric (such as /path/to/foo.php?param=abcd1234)  E-mail (such as /path/to/foo.php?param=foo@bar.com)  Path (such as /path/to/foo.php?param=/dir/somefile.txt)  URL (such as /path/to/foo.php?param=http://somehost/dir/file.txt)  SafeText (such as /path/to/foo.php?param=some_data-12) Security Bootcamp 2014 10
  • 11. Real-time Application Profiling Security Bootcamp 2014 11
  • 13. 4 scenarios  If the HTTP response code is 404, the resource doesn’t exist. In this case, not only do we skip the profiling, but we also remove the resource key, so we delete the persistent storage. This is achieved by using the setvar:!resource.KEY action.  If the HTTP response code is either level 4xx or level 5xx, the application says something is wrong with the transaction, so we won’t profile it in this case either.  The OWASP ModSecurity Core Rule Set (CRS) can use anomaly scoring. We can check this transactional anomaly score. If it is anything other than 0, we should skip profiling.  Finally, we have already seen enough traffic for our profiling model and are currently in enforcement mode, so we skip profiling. Security Bootcamp 2014 13
  • 14. 2. Hacker Traps Security Bootcamp 2014 14
  • 15. Hacker Traps  Unused Web Ports  Fake robots.txt Disallow Entries  Fake HTML comments  Fake hidden form fields  Fake cookies Security Bootcamp 2014 15
  • 16. Hacker Traps Unused Web Ports Security Bootcamp 2014 16
  • 17. Hacker Traps Fake robots.txt Disallow Entries Security Bootcamp 2014 17
  • 18. Hacker Traps Fake HTML comments Security Bootcamp 2014 18
  • 19. Hacker Traps Fake HTML comments Security Bootcamp 2014 19
  • 20. Hacker Traps Fake hidden form fields Security Bootcamp 2014 20
  • 21. Hacker Traps Fake cookies Security Bootcamp 2014 21
  • 22. Hacker Traps Fake cookies Security Bootcamp 2014 22
  • 23. 3a. Self-Contained vs. Collaborative Detection Security Bootcamp 2014 23
  • 24. Self-Contained vs. Collaborative Detection Self-Contained Collaborative Security Bootcamp 2014 24
  • 25. Anomaly Scoring Threshold Levels Security Bootcamp 2014 25
  • 26. 3b. Inbound/Outbound Correlation Security Bootcamp 2014 26
  • 27. Correlation  Did an inbound attack occur?  Did an HTTP response status code error (4xx/5xx level) occur?  Did an application information leakage event occur? Security Bootcamp 2014 27
  • 28. Correlation If an inbound attack was detected, and either an outbound application status codeerror or information leakage event was detected, the overall event severity is raised to one of the following:  • 0, EMERGENCY, is generated from correlation of anomaly scoring data where an inbound attack and an outbound leakage exist.  • 1, ALERT, is generated from correlation where an inbound attack and an outbound application-level error exist. Security Bootcamp 2014 28
  • 29. 4. Detecting Malicious Links Security Bootcamp 2014 29
  • 30. Detecting Malicious Links  URI Blacklist RBL6  Google’s Safe Browsing API7  ModSecurity  @rbl operator  @gsbLookup operator  @rsub operator  SecGsbLookupDb directive  SecStreamOutBodyInspection directive  SecContentInjection directive  STREAM_OUTPUT_BODY variable Security Bootcamp 2014 30
  • 31. 5. Normalizing Unicode Security Bootcamp 2014 31
  • 32. Normalizing Unicode  Best-Fit Mapping  Detecting Use of Full-/Half-Width Unicode Security Bootcamp 2014 32
  • 33. Best-Fit Mapping %u3008scr%u0131pt%u3009%u212fval(%uFF07al%u212Frt(%22XSS%22)%u02C8)%u23 29/scr%u0131pt%u232A 〈(0x2329) ~= <(0x3c) 〈(0x3008) ~= <(0x3c) <(0xff1c) ~= <(0x3c) ʹ(0x2b9) ~= '(0x27) ʼ(0x2bc) ~= '(0x27) ˈ(0x2c8) ~= '(0x27) ′(0x2032) ~= '(0x27) '(0xff07) ~= '(0x27) Security Bootcamp 2014 33
  • 34. Unicode Mapping Security Bootcamp 2014 34
  • 35. Unicode Mapping Security Bootcamp 2014 35
  • 37. 6. Abnormal Header Ordering Security Bootcamp 2014 37
  • 38. Passive OS fingerprinting Security Bootcamp 2014 38
  • 39. 7. Detecting Page Title Changes Security Bootcamp 2014 39
  • 40. Detecting Page Title Changes Security Bootcamp 2014 40
  • 41. 8. Web Client Device Fingerprinting Security Bootcamp 2014 41
  • 42. Web Client Device Fingerprinting Security Bootcamp 2014 42
  • 43. 9. Slowing Down Automated Attack Tools Security Bootcamp 2014 43
  • 44. Slowing Down Automated Attack Tools Security Bootcamp 2014 44
  • 45. NSM Logstash Elasticsearch Kibana No code required Real-time analysis of streaming data Highly scalable Open source, community driven Security Bootcamp 2014 45
  • 47. “ ” Thank you! Question, huh? FPT TELECOM Security Bootcamp 2014 47