
Re: Apache mode_security

Subject: Re: Apache mode_security
Date: Mon, 28 Nov 2005 12:55:36 +0000
On 11/26/05, Stefano Di Paola <stefano.dipaola@wisec.it> wrote:
> Hi Ivan,
>
> On Thu, 24-11-2005 at 12:14 +0000, Ivan Ristic wrote:
> > Neither approach is good enough in real-life, when used on its own.
> > (Although there may be specific cases where they can work rather
> > well.)
>
> Yes, no absolute rules can be implemented in real life... and I hope no one
> thinks this! And of course the blacklist approach, which is the usual
> approach in mod_sec, should not be considered either...

Agreed. I will be adding explicit support for positive security to
ModSecurity in the next release. I have published my thoughts here
http://www.modsecurity.org/blog/archives/2005/11/positive_securi.html
so that we can discuss the issue.


> > I prefer a traffic based approach (for positive
> > security model generation) and a run with real users and real data.
> > This is usually not a problem since, due to frequent changes in
> > applications, you must work to continuously update the security model
> > anyway.
>
> Eh... this is the real problem for hand-made things... but a
> semi-automatic approach would help, no?
> What about a learning phase? I mean a semi-automatic generation of
> rules, based on real clients' inputs from the web...
> Yes, it is untrustworthy...
> but there should be some way out there :)

To acquire reliable material for policy generation (and update) is the
most difficult part of the problem. I will be looking at the following
approaches: 1) designate an IP range as trusted, 2) require
administrators to manually review traffic before it is used in policy
generation, and 3) use negative security to assign threat score to
each request using only requests with low scores for policy
generation. A combination of all three is probably the way forward.


> By the way, I wrote a mod_html_proxy-based HMAC signing for links on
> the fly, named Mod Anti Tamper:
> Link: www.wisec.it/projects.php?id=3&lang=en

That's very interesting; it's one of the things missing in ModSecurity.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
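The three ideas Ivan lists for acquiring policy material (a trusted IP range, manual review, and a negative-security threat score that filters out suspicious samples) can be combined into a small learning loop. The following is an added illustration written for this archive page, not code from ModSecurity or from either poster: the rule weights, the sample traffic and the pattern-inference heuristic are all constructed for the example, and the manual-review step is left out (an administrator would vet `SAMPLE_TRAFFIC` before it is fed in).

```python
"""Learn a positive-security (whitelist) policy from observed traffic.

Only requests from a trusted network whose negative-security threat score is
low contribute to the model; the learned model is then enforced on new
requests. Everything here is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample traffic: (client_ip, path, {param: value}).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "/item.php", {"id": "101", "sort": "price"}),
    ("10.0.0.7", "/item.php", {"id": "2042", "sort": "name"}),
    ("10.0.0.9", "/item.php", {"id": "7", "sort": "price"}),
    ("10.0.0.5", "/search.php", {"q": "blue widget"}),
    ("10.0.0.7", "/search.php", {"q": "red gadget 2005"}),
    # Suspicious request from inside the trusted range: must not shape the policy.
    ("10.0.0.8", "/item.php", {"id": "1' OR '1'='1", "sort": "price"}),
    # Untrusted source: ignored during learning regardless of content.
    ("203.0.113.4", "/item.php", {"id": "5", "sort": "name", "debug": "1"}),
]

# Crude negative-security rules (constructed weights): each match adds to the score.
NEGATIVE_RULES = [
    (re.compile(r"['\"]"), 3),               # quote characters
    (re.compile(r"(?i)union\s+select"), 5),  # SQL keyword pair
    (re.compile(r"<\s*script"), 5),          # script tag
    (re.compile(r"\.\./"), 4),               # directory traversal sequence
]


def threat_score(params):
    """Sum of the weights of every negative rule matched by any parameter value."""
    score = 0
    for value in params.values():
        for pattern, weight in NEGATIVE_RULES:
            if pattern.search(value):
                score += weight
    return score


def infer_pattern(values):
    """Pick the tightest character class that covers every observed value,
    bounded by the longest value seen."""
    if all(re.fullmatch(r"\d+", v) for v in values):
        cls = r"\d"
    elif all(re.fullmatch(r"[A-Za-z]+", v) for v in values):
        cls = r"[A-Za-z]"
    elif all(re.fullmatch(r"[A-Za-z0-9 ]+", v) for v in values):
        cls = r"[A-Za-z0-9 ]"
    else:
        cls = r"[^\x00-\x1f]"  # anything printable, as a last resort
    max_len = max(len(v) for v in values)
    return re.compile(rf"{cls}{{1,{max_len}}}")


def learn_policy(traffic, trusted_net, max_score=0):
    """Build {path: {param: compiled regex}} from trusted, low-score requests only."""
    net = ipaddress.ip_network(trusted_net)
    observed = defaultdict(lambda: defaultdict(list))
    for ip, path, params in traffic:
        if ipaddress.ip_address(ip) not in net:
            continue  # approach 1: only a designated range is trusted
        if threat_score(params) > max_score:
            continue  # approach 3: negative security filters the samples
        for name, value in params.items():
            observed[path][name].append(value)
    return {path: {name: infer_pattern(vals) for name, vals in names.items()}
            for path, names in observed.items()}


def check_request(policy, path, params):
    """Return the list of violations; an empty list means the request fits the model."""
    if path not in policy:
        return [f"unknown path {path}"]
    allowed = policy[path]
    violations = []
    for name, value in params.items():
        if name not in allowed:
            violations.append(f"unexpected parameter {name}")
        elif not allowed[name].fullmatch(value):
            violations.append(f"value of {name} does not match learned pattern")
    return violations


if __name__ == "__main__":
    policy = learn_policy(SAMPLE_TRAFFIC, "10.0.0.0/24")
    for path, names in policy.items():
        print(path, {n: p.pattern for n, p in names.items()})
    print(check_request(policy, "/item.php", {"id": "1' OR '1'='1", "sort": "price"}))
```

Run against the constructed traffic, the model for `/item.php` accepts only a short numeric `id` and an alphabetic `sort`; the `debug` parameter that appeared solely from the untrusted address is never learned, and the quoted `id` value is rejected at enforcement time even though a request carrying it was present in the learning set.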
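Stefano's Mod Anti Tamper signs outgoing links with an HMAC so that a client who edits a query parameter produces a link the server will refuse. The block below is an added example for this page, written in Python rather than as an Apache module, and is not the Mod Anti Tamper code itself; the `sig` parameter name, the canonicalisation rule (path plus parameters in sorted order) and the demo key are this example's own choices.

```python
"""HMAC-signed links: sign on the way out, verify on the way back in.

An illustration of link anti-tampering, constructed for this page. The
signature covers the request path and every other query parameter, so
changing, adding or removing a parameter invalidates the link.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIG_PARAM = "sig"  # name of the signature parameter (this example's choice)


def _canonical(path, pairs):
    # Parameters are sorted so that reordering them cannot change what is signed.
    return path + "?" + urlencode(sorted(pairs))


def _mac(key, path, pairs):
    return hmac.new(key, _canonical(path, pairs).encode(), hashlib.sha256).hexdigest()


def sign_url(url, key):
    """Return the URL with an HMAC-SHA256 signature appended as a query parameter."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != SIG_PARAM]  # drop any pre-existing signature before signing
    pairs.append((SIG_PARAM, _mac(key, parts.path, pairs)))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def verify_url(url, key):
    """True only if a signature is present and matches the path and all other parameters."""
    parts = urlsplit(url)
    sig = None
    pairs = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k == SIG_PARAM:
            sig = v
        else:
            pairs.append((k, v))
    if sig is None:
        return False
    # Constant-time comparison so the check leaks nothing about the expected value.
    return hmac.compare_digest(_mac(key, parts.path, pairs), sig)


def set_param(url, name, value):
    """Demo helper: change or add one parameter without re-signing (simulates tampering)."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a random per-deployment secret
    signed = sign_url("https://shop.example/item.php?id=101&sort=price", key)
    print(signed)
    print("intact link verifies:", verify_url(signed, key))
    print("edited id verifies:", verify_url(set_param(signed, "id", "102"), key))
```

Two design points a deployment would add on top of this sketch: the key must never be derivable from anything the client sees, and if links should expire, an `exp` timestamp can be included as an ordinary parameter so that it is covered by the same signature.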
