So hello.. how are you doing..? how is life? I'm good, thank you! Status update: I've seen better days tbh, I've faced a lot of challenges this month, I'm having burnout? wtf! what is that? you ask? just google it.. In the entirety of my life I never hated computers and programming/developing in general, but recently I've grown a hatred for computers and coding disgusts me.. like WTH? I'm like the polar opposite of myself, I never thought I would reach this moment in life, funny isn't it? plus I've been going back to my old habits - I blame being human for that.. I can never forget something and get over it, can I.
Thankfully for the burnout I've got people on my back; with their help and advice I've been taking breaks, but the breaks are not enough, got to go to work?!! I miss the old days.
> I've had a chance to work on ModSecurity and I'm grateful for that! I gained a new skill! kudos!!
Why?
What is ModSec? ModSecurity is a WAF (web application firewall); a WAF is like antivirus for web servers: it controls how the server responds to requests and what responses are sent out. ModSecurity is open source, so using it is completely free, and it is a must for PCI compliance. ModSec works based on rules: patterns that have been identified as malicious, fine-tuned and written down. The rules are the building blocks of ModSecurity, and a better rule set equals better protection. This is why you see many vendors who branched out from ModSecurity and provide their own set of rules as their enterprise solutions, for example Atomicorp, Malware Expert, Trustwave, Trend Micro, etc.
If you want to know about ModSecurity you should know a little history of the rule set. The latest in ModSecurity rules is the Core Rule Set 3.0+; before this release the ModSecurity rules created many false positives, but with the update came some big changes: the new blocking mode, a curated rule set and better detection.
So what is the new blocking mode?
By default the anomaly scoring mode (the new blocking mode) is activated, but with "SecRuleEngine DetectionOnly"; you have to change this to "SecRuleEngine On" to actually block malicious requests. (First install ModSecurity, leave it in detection-only mode, collect some logs, analyse them, tweak the rules, then turn SecRuleEngine on..)
If SecDefaultAction is set to "phase:2,deny,log" then ModSecurity is working in anomaly scoring mode. The next things you must know about are the "anomaly scoring severity levels" and the "anomaly scoring threshold levels" (mostly relevant for blocking).
What does it do?
It does not block the request immediately; each matching rule assigns a score to the request and lets it pass on, and if the request matches any other rule another score is added to it. There are 5 different phases in which rules are applied to the request, and the accumulated scores are evaluated at phase 3 for inbound rules and phase 4 for outbound responses. Yes, you read that right: ModSec scans the response content too and slaps a score on it if it sees something malicious. The threshold levels are present in the rule set too, as
SecAction "phase:1,id:'981208',t:none,nolog,pass,\
setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,id:'981209',t:none,nolog,pass,\
setvar:tx.outbound_anomaly_score_level=4"
The inbound blocking rules live in a file named along the lines of "inbound_blocking.conf", and likewise the outbound ones in "outbound_blocking.conf".
Based on severity, anomaly scoring mode has different levels with these default scores:
CRITICAL with a score of 5,
ERROR with 4,
WARNING with 3,
NOTICE with 2.
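To make the scoring mechanics concrete, here is a small Python model (an added example, not ModSecurity's own code) of what the post describes: every matching rule adds its severity score to the transaction, and only the evaluation step compares the total with the threshold (5 inbound, 4 outbound, as in the SecActions above) and denies only when SecRuleEngine is On. The rule ids, regex patterns and sample request are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Default severity -> anomaly score mapping quoted in the post.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

@dataclass
class Rule:
    rule_id: str     # constructed ids, not real CRS ids
    severity: str
    direction: str   # "inbound" scores the request, "outbound" the response
    pattern: str     # a regex standing in for a real SecRule operator

# Toy rule set (constructed); real CRS rules are far more elaborate.
RULES = [
    Rule("100001", "CRITICAL", "inbound", r"(?i)union\s+(all\s+)?select"),
    Rule("100002", "WARNING", "inbound", r"(?i)sleep\s*\("),
    Rule("100003", "WARNING", "inbound", r"(--|#)\s*$"),
    Rule("100004", "NOTICE", "inbound", r"(?i)^user-agent:\s*(curl|python-requests)"),
    Rule("100101", "ERROR", "outbound", r"(?i)you have an error in your sql syntax"),
]

@dataclass
class Transaction:
    request: str
    response: str = ""
    engine: str = "On"   # SecRuleEngine: "On" blocks, "DetectionOnly" only logs
    scores: dict = field(default_factory=lambda: {"inbound": 0, "outbound": 0})
    matched: list = field(default_factory=list)

def apply_rules(tx, rules=RULES):
    """Request/response phases: each match adds its severity score; nothing is blocked yet."""
    for rule in rules:
        text = tx.request if rule.direction == "inbound" else tx.response
        if re.search(rule.pattern, text, re.M):
            tx.scores[rule.direction] += SEVERITY_SCORE[rule.severity]
            tx.matched.append(rule.rule_id)
    return tx

def evaluate(tx, direction, threshold):
    """Blocking evaluation (the *_blocking.conf step): only SecRuleEngine On turns an
    exceeded threshold into a deny; DetectionOnly just logs what it would have blocked."""
    if tx.scores[direction] < threshold:
        return "pass"
    return "deny" if tx.engine == "On" else "log"

# Constructed request: two WARNING hits (3 + 3 = 6) cross the inbound threshold of 5
# from the post even though no single rule is CRITICAL.
SAMPLE_REQUEST = "GET /item?id=1%20AND%20sleep(5)--\nHost: shop.example\nUser-Agent: Mozilla/5.0\n"
```

Running apply_rules and then evaluate on SAMPLE_REQUEST gives an inbound score of 6 and a "deny" with the engine On, but only a "log" in DetectionOnly, which is why the post tells you to collect and analyse logs before switching the engine on.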
> Note: ModSecurity must be tweaked for each individual application, not just installed with the default configuration; in fact the authors of ModSecurity strongly advise this too.
About audit logs - some other aspects.
Audit logs provide the entire traffic data, if logging is enabled that is.
With the setting below we log every request whose response status is 5xx, or 4xx other than 404.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
The following parts contain the necessary information for each request.
SecAuditLogParts ABCEFHZ
• A: Audit log header
• B: Request headers
• C: Request body
• E: Intended response body
• F: Response headers
• H: Audit log trailer
• Z: Audit log footer
While logging - sensitive data in logs
Be careful while logging the data: sensitive data like passwords and credit card numbers get captured in the logs too, and you don't want that, do you?
In the log below you can see a credit card number captured in part C.
--8472b290-C--
paymentType=default&_D%3ApaymentType=+&
creditCardNumber=***************&_D%3AcreditCardNumber=+&cid=6802
&_D%3Acid=+&selCreditCardType=Visa&_D%3AselCreditCardType
=+&_D%3AexpirationMonth=+&expirationMon
You can mitigate this with a rule like
SecRule &ARGS:password "@eq 1" "phase:5,t:none,id:'901',nolog,pass,\
sanitiseArg:password"
Now in the audit log C section,
--c983684a-C--
log=admin&password=********&submit=Login+%C2%BB
with the rule applied the password is now obscured.
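The masking the sanitise action performs can be modelled in Python; this added example (not ModSecurity's own code) splits a constructed audit-log entry into its lettered parts and replaces the values of sensitive parameters in part C with asterisks of the same length, leaving every other part untouched. The list of sensitive parameter names and the sample entry are constructed.

```python
import re
from urllib.parse import unquote

# Parameter names whose values must not end up in the audit log (constructed list).
SENSITIVE_ARGS = {"password", "pwd", "creditCardNumber", "cvv"}

# Boundary line that opens each part of an entry, e.g. "--c983684a-C--".
PART_HEADER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)

def iter_parts(audit_entry):
    """Yield (boundary_line, part_letter, body) for every part of one audit-log entry."""
    headers = list(PART_HEADER.finditer(audit_entry))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(audit_entry)
        yield h.group(0), h.group(2), audit_entry[h.end():end]

def mask_form_body(line, sensitive=SENSITIVE_ARGS):
    """Mask one line of a form-encoded body: sensitive values become same-length asterisks."""
    out = []
    for pair in line.split("&"):
        name, sep, value = pair.partition("=")
        if sep and unquote(name) in sensitive:
            value = "*" * len(value)
        out.append(name + sep + value)
    return "&".join(out)

def sanitise_entry(audit_entry, sensitive=SENSITIVE_ARGS):
    """Rebuild the entry with sensitive values masked in part C only; other parts pass through."""
    out = []
    for boundary, letter, body in iter_parts(audit_entry):
        if letter == "C":
            body = "\n".join(mask_form_body(l, sensitive) for l in body.split("\n"))
        out.append(boundary + body)
    return "".join(out)

# Constructed audit-log entry in the shape shown in the post (not a real capture).
SAMPLE_ENTRY = (
    "--c983684a-A--\n"
    "[01/Jan/2024:12:00:00 +0000] Zq4Examplex 198.51.100.7 51234 192.0.2.10 443\n"
    "--c983684a-B--\n"
    "POST /login HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "--c983684a-C--\n"
    "log=admin&password=Hunter2%21&submit=Login+%C2%BB&creditCardNumber=4111111111111111&cid=6802\n"
    "\n"
    "--c983684a-Z--\n"
)
```

Because the mask keeps each value's length, the sanitised entry is exactly as long as the original, so log parsers that rely on offsets are not disturbed.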
Virtual Patching
So ModSecurity has a ton of features, and one you should not miss out on is virtual patching. Where would you use this, you ask? Well.. you found a vulnerability in your application, and while you wait for the developers to fix it you can do virtual patching with the wide variety of rules available in ModSecurity.
The post is getting huge and I find writing blogs tiresome (bad at typing I guess), but I still do it cuz it's for the future me.
I didn't cover everything and I assumed you knew a little about ModSecurity halfway through; I just couldn't type the whole entirety, just contact me if you want to know more…bye!