httpd-dev mailing list archives

From Christian Folini <christian.fol...@netnea.com>
Subject Re: HTTP/1.1 strict ruleset
Date Thu, 04 Aug 2016 05:29:32 GMT
On Wed, Aug 03, 2016 at 06:58:26PM -0500, William A Rowe Jr wrote:
> > I see a lot of value in logging when not applying the strict parsing,
> > so you can passively assess your traffic for a day/week/month.
> 
> That requires additional CPU, and significantly more code complexity.
> In fact, I wonder whether such 'logging-only' behavior shouldn't simply
> be a no-choice default? I also wonder if those tools or others such as
> mod_security won't already provide such an option and we can wash
> our hands of this 'extra effort'?

ModSecurity Core Rules committer here.

As you know it's all in the rules with ModSecurity and the 
OWASP ModSecurity Core Rules (CRS) are the most widespread ruleset 
on the net.

We block per default, but all the checks can run log-only. 

They are listed in these rulefiles:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/rules/REQUEST-921-PROTOCOL-ATTACK.conf

The default policy definitions: 
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/modsecurity_crs_10_setup.conf.example

(Links are for the upcoming major release 3.0, RC1 will be out within
days now).

Overall, I think the rules are not overly aggressive. Apache has been
liberal so far and we try to avoid too many false positives due to
crazy clients and bad implementations. Missing Accept headers,
silly Range headers and numerical Host headers as a frequent source
of false positives spring to mind.

Also, I think the coverage is not very systematic. Joining forces and
providing a systematic coverage for all aspects of RFC 2068 for 
CRS 3.1 would be very interesting for our project. If it would simplify
the httpd code base to refer users to ModSecurity and CRS, the
CRS could profit a lot from the endorsement (and the httpd-dev
experience brought to our rules resulting in a higher security level
overall).

A possible issue is the fact that ModSecurity runs fairly late in the
lifecycle. In fact, the default hook for the first ModSecurity rule
phase has been shifted backwards a few years ago. I take it a httpd
implementation of protocol enforcement rules would run immediately after
receiving the request line and then as the headers come in. ModSecurity
would definitely run later. However, there have been discussions to
introduce additional rule phase(s) into the ModSecurity engine / module
in the past and if there is a need from the Apache project, then the
development might be open in this regard (but it would certainly take
quite a while to get this out the door).

Cheers,

Christian Folini

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini@netnea.com
twitter: @ChrFolini
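The point made in the message above, that protocol-enforcement checks can be developed in log-only mode before they block anything, can be tried out with a small stand-alone checker. The following Python is an added illustration written for this archive page; it is not code from httpd, ModSecurity or the OWASP CRS, and the check names, the allowed-method list, the `mode` values and the sample requests are all assumptions made for the demo. It runs the same checks (method enforcement, missing Host on HTTP/1.1, numerical Host, missing Accept, unparseable Range) in either `log` or `block` mode so the false-positive rate can be read off before enforcement is switched on.

```python
"""Toy HTTP/1.1 protocol-enforcement checker with a block / log-only switch.

Added illustration, not code from httpd or the OWASP CRS. The check names,
the allow-list, the sample requests and the mode values are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}  # constructed allow-list
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
NUMERIC_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")
RANGE_SPEC = re.compile(r"^bytes=(\d*-\d*)(,\s*\d*-\d*)*$")


@dataclass
class Finding:
    check: str
    detail: str


@dataclass
class Verdict:
    allowed: bool
    findings: List[Finding] = field(default_factory=list)


def parse_request(raw: str) -> Tuple[str, dict]:
    """Split a raw request head into request line and a header dict
    (names lower-cased; repeated headers joined with ', ')."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return lines[0], headers


def protocol_checks(raw: str) -> List[Finding]:
    """Return every protocol finding for one request head (empty list = clean)."""
    findings = []
    request_line, headers = parse_request(raw)
    m = REQUEST_LINE.match(request_line)
    if not m:
        return [Finding("request-line", f"malformed: {request_line!r}")]
    method, _target, major, minor = m.groups()
    if method not in ALLOWED_METHODS:
        findings.append(Finding("method-enforcement", f"method {method} not allowed"))
    if (major, minor) == ("1", "1") and "host" not in headers:
        findings.append(Finding("protocol-enforcement", "HTTP/1.1 request without Host"))
    host = headers.get("host", "")
    if host and NUMERIC_HOST.match(host):
        # Frequent false-positive source: many legitimate clients do this.
        findings.append(Finding("protocol-enforcement", f"numerical Host {host!r}"))
    if "accept" not in headers:
        findings.append(Finding("protocol-enforcement", "missing Accept header"))
    rng = headers.get("range")
    if rng is not None and not RANGE_SPEC.match(rng):
        findings.append(Finding("protocol-enforcement", f"unparseable Range {rng!r}"))
    return findings


def evaluate(raw: str, mode: str = "block") -> Verdict:
    """mode='block' rejects any request with a finding;
    mode='log' records the findings but lets every request through."""
    findings = protocol_checks(raw)
    allowed = True if mode == "log" else not findings
    return Verdict(allowed, findings)


# Constructed sample traffic for an offline dry run.
SAMPLES = {
    "clean": "GET / HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n",
    "numeric_host": "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nAccept: */*\r\n\r\n",
    "bad_method": "TRACE / HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n",
    "no_host": "GET / HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "odd_range": "GET / HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\nRange: bytes=abc\r\n\r\n",
}


def assess(mode: str) -> dict:
    """Run every sample through the checker; returns name -> (allowed, check names)."""
    return {name: (v.allowed, [f.check for f in v.findings])
            for name, v in ((n, evaluate(r, mode)) for n, r in SAMPLES.items())}


if __name__ == "__main__":
    for mode in ("log", "block"):
        print(f"--- mode={mode}")
        for name, (allowed, checks) in assess(mode).items():
            print(f"{name:13s} allowed={allowed!s:5s} {checks}")
```

Running it in `log` mode first, over a day or week of captured request heads instead of the constructed samples, gives the list of checks that fire on real traffic; only checks whose hit rate is acceptable would then be promoted to `block`.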
