owasp modsecurity core rules paranoia mode
OWASP ModSecurity Core Rule Set
Paranoia Mode : Basic Idea
• Assign Rules According to False Positive Rate
• Add Strict Siblings to Existing Rules
• Introduce Paranoia Levels 1-4
Restricted SQL Chars
CRS 2.2.9 : Rule ID 981173
ARGS_NAMES|ARGS|XML:/*
"([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){5,}"
Restricted SQL Chars
CRS 3.0.0dev : Rule ID 942430pp
• Paranoia Level 1: no limit
• Paranoia Level 2: limit 12, ID 942430
• Paranoia Level 3: limit 6, ID 942431
• Paranoia Level 4: limit 2, ID 942432
Hex Encodings : 0x[0-9a-f]
Plan for CRS 3.0.0dev (Rule ID 942450)
• Paranoia 1: REQUEST_COOKIES_NAMES
• Paranoia 2: REQUEST_COOKIES
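As an added example (not code from the slides or from the CRS project), a small Python model of how the strict siblings above behave: the restricted-chars limit tightens and the cookie targets of 942450 widen as the paranoia level rises. The limit-to-rule-ID table and the character class are taken from the slides; the request values are constructed.

```python
import re

# Restricted SQL characters: the class from CRS 2.2.9 rule 981173 shown on the slide.
# The CRS 3 strict siblings reuse the class and only vary the repetition count.
RESTRICTED_CHARS = re.compile(
    r"[\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]"
)

# Paranoia level -> (minimum count that fires, rule id), as listed on the slide.
# PL1 has no restricted-chars rule at all.
RESTRICTED_CHARS_SIBLINGS = {2: (12, 942430), 3: (6, 942431), 4: (2, 942432)}

# Hex encoding rule 942450; the PL decides which cookie parts are inspected.
HEX_ENCODING = re.compile(r"0x[0-9a-f]")


def restricted_chars_hits(value, paranoia_level):
    """Rule IDs of the restricted-chars siblings that fire on `value`.

    Running at PL N enables the siblings of PL 1..N, so a high count can
    trigger several siblings at once (each adds to the anomaly score).
    """
    count = len(RESTRICTED_CHARS.findall(value))
    return sorted(rule_id for pl, (limit, rule_id) in RESTRICTED_CHARS_SIBLINGS.items()
                  if pl <= paranoia_level and count >= limit)


def hex_encoding_targets(cookies, paranoia_level):
    """Cookie fields 942450 inspects: names at PL1, names and values from PL2 on."""
    targets = list(cookies)                # REQUEST_COOKIES_NAMES
    if paranoia_level >= 2:
        targets += list(cookies.values())  # REQUEST_COOKIES
    return [t for t in targets if HEX_ENCODING.search(t)]


def evaluate(args, cookies, paranoia_level):
    """Map rule id -> matched argument/cookie strings for one request at one PL."""
    hits = {}
    for name, value in args.items():       # ARGS_NAMES and ARGS
        for target in (name, value):
            for rule_id in restricted_chars_hits(target, paranoia_level):
                hits.setdefault(rule_id, []).append(target)
    for target in hex_encoding_targets(cookies, paranoia_level):
        hits.setdefault(942450, []).append(target)
    return hits


if __name__ == "__main__":
    # Constructed sample request: Bobby Tables in a form field, hex in a cookie name and value.
    args = {"name": "Robert'); DROP TABLE Students;--"}
    cookies = {"0xdead": "1", "session": "0x1f3a"}
    for pl in (1, 2, 3, 4):
        print(f"PL{pl}: {evaluate(args, cookies, pl)}")
```

The same six-character payload passes at PL1 and PL2, fires 942431 at PL3, and fires both 942431 and 942432 at PL4, which is why raising the paranoia level also raises the false positive rate.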
Settings Matrix
(Chart: Anomaly Limit, LOW to HIGH, against Paranoia Level, LOW to HIGH; the four quadrants are labelled "Easing in", "Standard Site", "Are you nuts?" and "High Security".)
Photo Sources (all licensed via Creative Commons or in the public domain)
• Discovery: https://www.flickr.com/photos/flowtastic/13385797723 (by Florian F. / Flowtography)
• Watch: https://www.flickr.com/photos/billadler/391674817 (by Bill Adler)
• Bamboozled: Hopefully public domain
• xkcd: Little Bobby Tables: https://xkcd.com/327/ (by Randall Munroe)
• Star Wars Limbo: https://www.flickr.com/photos/jdhancock/3605011903 (by JD Hancock)
Christian Folini / @ChrFolini
• [email protected]
• https://www.netnea.com
• https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1
ModSecurity Course
The Key to ModSecurity and the OWASP ModSecurity Core Rules with Christian Folini (@ChrFolini)
London 22-23 Sep 2016
https://www.feistyduck.com/training/modsecurity
(Local trainings available on request: [email protected])