owasp modsecurity core rules paranoia mode

Christian Folini (@ChrFolini) www.netnea.com Core Rules Paranoia Mode Zurich, June 10, 2016

Upload: christian-folini

Post on 13-Apr-2017


TRANSCRIPT


WAF SETUPS Naïve • Overwhelmed • Functional

MODSEC: Embedded • Rule-Oriented • Granular Control

RULE CONCEPTS Whitelisting • Blacklisting • Positive • Negative

xkcd: #327

Anomaly Scoring: Adjustable Limit • False Positives

OWASP ModSecurity Core Rule Set

Paranoia Mode : Basic Idea

• Assign Rules According to False Positive Rate

• Add Strict Siblings to Existing Rules

• Introduce Paranoia Levels 1-4

Restricted SQL Chars

CRS 2.2.9 : Rule ID 981173

ARGS_NAMES|ARGS|XML:/*

"([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){5,}"

Restricted SQL Chars

CRS 3.0.0dev : Rule ID 942430 (and its strict siblings)

Paranoia Level 1: no limit (no restricted-chars rule active)
Paranoia Level 2: limit 12, ID 942430
Paranoia Level 3: limit 6, ID 942431
Paranoia Level 4: limit 2, ID 942432
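The following Python model is an added example, not code from the slides or from the CRS project. It shows how the strict siblings of the restricted-SQL-chars rule and the anomaly limit interact: a sibling is only active when its paranoia level is at or below the configured one, every active sibling scores on its own, and the request is blocked only when the summed anomaly score reaches the limit (the two knobs the deck later puts into a settings matrix). Assumptions: the character class is taken from the CRS 2.2.9 slide and reused for the three CRS 3 siblings (the real CRS 3 regexes differ in detail), each match scores the CRS default CRITICAL value of 5, and the sample requests are constructed.

```python
import re

# Restricted-character class from CRS 2.2.9 rule 981173 as shown on the slide. The CRS 3
# siblings keep the idea but their exact regex differs; this model reuses the slide's class.
SQL_CHARS = r"[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]"

# Strict siblings from the slide: (rule id, paranoia level that activates it, minimum count).
# PL1 has no restricted-SQL-chars rule at all.
SIBLINGS = [(942430, 2, 12), (942431, 3, 6), (942432, 4, 2)]

# Anomaly score per match. CRS scores a CRITICAL rule with 5 by default; treating these
# siblings as CRITICAL is an assumption of this model, not something stated on the slide.
CRITICAL_SCORE = 5


def sibling_pattern(limit):
    """Regex for one sibling: `limit` or more restricted characters anywhere in the value."""
    return re.compile(rf"(?:{SQL_CHARS}.*?){{{limit},}}", re.DOTALL)


def matched_rules(args, paranoia_level):
    """Return (rule_id, variable) pairs that fire on ARGS_NAMES|ARGS at a paranoia level.

    Siblings above the configured level are skipped, the way CRS skips rules whose
    paranoia level is higher than the configured one. Every active sibling scores on
    its own, so a value with many special characters hits both 942431 and 942432 at PL4.
    """
    hits = []
    for rule_id, level, limit in SIBLINGS:
        if level > paranoia_level:
            continue
        pattern = sibling_pattern(limit)
        for name, value in args.items():
            for variable, subject in (("ARGS_NAMES:" + name, name), ("ARGS:" + name, value)):
                if pattern.search(subject):
                    hits.append((rule_id, variable))
    return hits


def evaluate(args, paranoia_level, anomaly_limit):
    """Anomaly-scoring decision: block only when the summed score reaches the limit,
    so one paranoia level can be eased in with a high limit or hardened with a low one."""
    hits = matched_rules(args, paranoia_level)
    score = CRITICAL_SCORE * len(hits)
    return {
        "score": score,
        "rules": sorted({rule_id for rule_id, _ in hits}),
        "blocked": score >= anomaly_limit,
    }


# Constructed sample requests (not from the slides).
BENIGN = {"q": "core rule set paranoia mode"}
PASSWORD_FORM = {"user": "alice", "pw": "S3cret!@#"}      # 3 restricted chars: ! @ #
SQLI = {"id": "1' UNION SELECT (SELECT @@version) -- -"}   # 9 restricted chars

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("password form", PASSWORD_FORM), ("sqli", SQLI)):
        for pl in (1, 2, 3, 4):
            print(f"{label:14} PL{pl}  {evaluate(request, pl, anomaly_limit=5)}")
```

With the default-style limit of 5, the SQL injection value is not caught by this rule family at PL2 (9 characters is below the limit of 12) but is blocked from PL3 upwards, while the password with three special characters becomes a false positive at PL4 until the anomaly limit is raised, which is exactly the easing-in trade-off between the two settings.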

Hex Encodings : 0x[0-9a-f]

Plan for CRS 3.0.0dev (Rule ID 942450)

Paranoia 1: REQUEST_COOKIES_NAMES
Paranoia 2: REQUEST_COOKIES

PHP Function Names in CRS 3.0.0dev

by Walter Hop, lifeforms.nl

Settings Matrix (figure): Anomaly Limit (LOW to HIGH) plotted against Paranoia Level (LOW to HIGH), with four quadrants labelled Easing in, Standard Site, Are you nuts?, and High Security.

Photo Sources (all licensed via Creative Commons or in the public domain)

• Discovery: https://www.flickr.com/photos/flowtastic/13385797723 (by Florian F. / Flowtography)
• Watch: https://www.flickr.com/photos/billadler/391674817 (by Bill Adler)
• Bamboozled: Hopefully public domain
• xkcd: Little Bobby Tables: https://xkcd.com/327/ (by Randall Munroe)
• Star Wars Limbo: https://www.flickr.com/photos/jdhancock/3605011903 (by JD Hancock)

Christian Folini / @ChrFolini

• [email protected]

• https://www.netnea.com

• https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1

ModSecurity Course

The Key to ModSecurity and the OWASP ModSecurity Core Rules with Christian Folini (@ChrFolini)

London 22-23 Sep 2016

https://www.feistyduck.com/training/modsecurity

(Local trainings available on request: [email protected])