Modsecurity handbook [the complete guide to the popular open source web application firewall]

Bibliographic Details
Main Author: Ristic, Ivan (author)
Format: Book
Language: English
Published: London. Feisty Duck 2010
Online Access: Table of Contents

MARC

LEADER 00000nam a2200000 c 4500
001 BV039156944
003 DE-604
005 20110817
007 t
008 110725s2010 |||| 00||| eng d
020 |a 9781907117022  |9 978-1-907117-02-2 
035 |a (OCoLC)745521661 
035 |a (DE-599)BVBBV039156944 
040 |a DE-604  |b ger  |e rakwb 
041 0 |a eng 
049 |a DE-739 
084 |a ST 277  |0 (DE-625)143643:  |2 rvk 
100 1 |a Ristic, Ivan  |e Verfasser  |4 aut 
245 1 0 |a Modsecurity handbook  |b [the complete guide to the popular open source web application firewall]  |c Ivan Ristic 
264 1 |a London.  |b Feisty Duck  |c 2010 
300 |a XXIV, 340 S. 
336 |b txt  |2 rdacontent 
337 |b n  |2 rdamedia 
338 |b nc  |2 rdacarrier 
856 4 2 |m Digitalisierung UB Passau  |q application/pdf  |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=024174567&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA  |3 Inhaltsverzeichnis 
999 |a oai:aleph.bib-bvb.de:BVB01-024174567 

Table of Contents

Preface  xvii
  Scope and Audience  xvii
  Contents  xviii
  Updates and Online Companion  xxi
  Feedback  xxi
  About the Author  xxii
  About the Technical Reviewer  xxii
  Acknowledgments  xxii

I. User Guide  1

1. Introduction  3
  Brief History of ModSecurity  3
  What Can ModSecurity Do?  4
  Guiding Principles  6
  Deployment Options  7
  Is Anything Missing?  8
  Getting Started  9
  Hybrid Nature of ModSecurity  9
  Main Areas of Functionality  10
  What Rules Look Like  11
  Transaction Lifecycle  11
  Impact on Web Server  16
  What Next?  17
  Resources  18
  General Resources  19
  Developer Resources  20
  Related Projects  21
  Summary  21

2. Installation  23
  Installation from Source  24
  Downloading Releases  24
  Downloading from Repository  25
  Compilation under Unix  27
  Installation from Binaries  30
  Fedora Core, CentOS, and Red Hat Enterprise Linux  30
  Debian and Ubuntu  31
  Installation on Windows  31
  Summary  32

3. Configuration  33
  Folder Locations  34
  Configuration Layout  36
  Adding ModSecurity to Apache  37
  Powering Up  38
  Request Body Handling  38
  Response Body Handling  40
  Filesystem Locations  41
  File Uploads  42
  Debug Log  43
  Audit Log  43
  Miscellaneous Options  44
  Default Rule Match Policy  44
  Handling Processing Errors  45
  Verifying Installation  46
  Summary  47

4. Logging  49
  Debug Log  49
  Debugging in Production  50
  Audit Log  52
  Audit Log Entry Example  53
  Concurrent Audit Log  55
  Remote Logging  56
  Configuring Remote Logging  57
  Activating Remote Logging  59
  Troubleshooting Remote Logging  60
  File Upload Interception  62
  Storing Files  62
  Inspecting Files  63
  Integrating with ClamAV  64
  Advanced Logging Configuration  66
  Increasing Logging from a Rule  66
  Dynamically Altering Logging Configuration  67
  Removing Sensitive Data from Audit Logs  67
  Selective Audit Logging  68
  Summary  68

5. Rule Language Overview  71
  Anatomy of a Rule  71
  Variables  72
  Request Variables  73
  Server Variables  74
  Response Variables  75
  Miscellaneous Variables  75
  Parsing Flags  76
  Collections  77
  Time Variables  77
  Operators  78
  String Matching Operators  78
  Numerical Operators  78
  Validation Operators  79
  Miscellaneous Operators  79
  Actions  79
  Disruptive Actions  80
  Flow Actions  80
  Metadata Actions  81
  Variable Actions  81
  Logging Actions  81
  Special Actions  82
  Miscellaneous Actions  82
  Summary  83

6. Rule Language Tutorial  85
  Introducing Rules  85
  Working with Variables  86
  Combining Rules into Chains  87
  Operator Negation  87
  Variable Counting  87
  Using Actions  88
  Understanding Action Defaults  88
  Actions in Chained Rules  90
  Unconditional Rules  91
  Using Transformation Functions  91
  Blocking  92
  Changing Rule Flow  93
  Smarter Skipping  94
  If-Then-Else  95
  Controlling Logging  95
  Capturing Data  96
  Variable Manipulation  97
  Variable Expansion  98
  Recording Data in Alerts  99
  Adding Metadata  100
  Embedded vs. Reverse Proxy Mode  102
  Summary  103

7. Rule Configuration  105
  Apache Configuration Syntax  105
  Breaking Lines  106
  Directives and Parameters  106
  Spreading Configuration Across Files  107
  Container Directives  108
  Configuration Contexts  109
  Configuration Merging  110
  Configuration and Rule Inheritance  111
  Configuration Inheritance  111
  Rule Inheritance  112
  Location-Specific Configuration Restrictions  113
  SecDefaultAction Inheritance Anomaly  113
  Rule Manipulation  114
  Removing Rules at Configure Time  114
  Updating Rules at Configure Time  115
  Excluding Rules at Runtime  116
  Configuration Tips  116
  Summary  117

8. Persistent Storage  119
  Manipulating Collection Records  120
  Creating Records  120
  Application Namespaces  121
  Initializing Records  122
  Controlling Record Longevity  122
  Deleting Records  123
  Detecting Very Old Records  123
  Collection Variables  125
  Built-in Variables  125
  Variable Expiry  125
  Variable Value Depreciation  126
  Implementation Details  127
  Retrieving Records  127
  Storing a Collection  128
  Record Limits  130
  Applied Persistence  131
  Periodic Alerting  131
  Denial of Service Attack Detection  133
  Brute Force Attack Detection  135
  Session Management  138
  Initializing Sessions  138
  Blocking Sessions  140
  Forcing Session Regeneration  140
  Restricting Session Lifetime  141
  Detecting Session Hijacking  143
  User Management  145
  Detecting User Sign-In  145
  Detecting User Sign-Out  146
  Summary  147

9. Practical Rule Writing  149
  Whitelisting  149
  Whitelisting Theory  149
  Whitelisting Mechanics  150
  Granular Whitelisting  151
  Complete Whitelisting Example  151
  Virtual Patching  152
  Vulnerability vs. Exploit Patching  154
  Failings of Exploit Detection  154
  Impedance Mismatch  155
  Preferred Virtual Patching Approach  156
  IP Address Reputation and Blacklisting  157
  IP Address Blocking  157
  Geolocation  159
  Real-Time Block Lists  160
  Local Reputation Management  160
  Integration with Other Apache Modules  161
  Conditional Logging  162
  Header Manipulation  163
  Securing Session Cookies  163
  Advanced Blocking  164
  Immediate Blocking  164
  Keeping Detection and Blocking Separate  165
  User-Friendly Blocking  166
  External Blocking  168
  Honeypot Diversion  168
  Delayed Blocking  169
  Score-Based Blocking  169
  Making the Most of Regular Expressions  171
  How ModSecurity Compiles Patterns  171
  Changing How Patterns Are Compiled  172
  Common Pattern Problems  173
  Regular Expression Denial of Service  173
  Resources  174
  Working with Rule Sets  175
  Deploying Rule Sets  175
  Writing Rules for Distribution  176
  Resources for Rule Writers  178
  Summary  179

10. Performance  181
  Understanding Performance  181
  Top 10 Performance Rules  182
  Performance Tracking  184
  Performance Metrics  184
  Performance Logging  185
  Real-Time Performance Monitoring  185
  Load Testing  185
  Rule Benchmarking  189
  Preparation  189
  Test Data Selection  190
  Performance Baseline  192
  Optimizing Pattern Matching  193
  Rule per Keyword Approach  194
  Combined Regular Expression Pattern  194
  Optimized Regular Expression Pattern  195
  Parallel Pattern Matching  196
  Test Results  196
  Summary  197

11. Content Injection  199
  Writing Content Injection Rules  199
  Communicating Back to the Server  201
  Interrupting Page Rendering  202
  Using External JavaScript Code  202
  Communicating with Users  203
  Summary  204

12. Writing Rules in Lua  205
  Rule Language Integration  206
  Lua Rules Skeleton  206
  Accessing Variables  206
  Logging  208
  Lua Actions  208
  Summary  209

13. Handling XML  211
  XML Parsing  211
  DTD Validation  215
  XML Schema Validation  216
  XML Namespaces  217
  XPath Expressions  220
  XPath and Namespaces  222
  XML Inspection Framework  222
  Summary  224

14. Extending Rule Language  225
  Extension Template  226
  Adding a Transformation Function  228
  Adding an Operator  231
  Adding a Variable  235
  Summary  238

Reference Manual  239

15. Directives  241
  SecAction  241
  SecArgumentSeparator  241
  SecAuditEngine  242
  SecAuditLog  24?
  SecAuditLog2  243
  SecAuditLogDirMode  243
  SecAuditLogFileMode  244
  SecAuditLogParts  244
  SecAuditLogRelevantStatus  246
  SecAuditLogStorageDir  246
  SecAuditLogType  246
  SecCacheTransformations  247
  SecChrootDir  248
  SecComponentSignature  248
  SecContentInjection  249
  SecCookieFormat  249
  SecDataDir  249
  SecDebugLog  250
  SecDebugLogLevel  250
  SecDefaultAction  250
  SecGeoLookupDb  251
  SecGuardianLog  251
  SecMarker  252
  SecPcreMatchLimit  252
  SecPcreMatchLimitRecursion  253
  SecPdfProtect  253
  SecPdfProtectMethod  254
  SecPdfProtectSecret  254
  SecPdfProtectTimeout  254
  SecPdfProtectTokenName  255
  SecRequestBodyAccess  255
  SecRequestBodyLimit  255
  SecRequestBodyNoFilesLimit  256
  SecRequestBodyInMemoryLimit  256
  SecResponseBodyLimit  257
  SecResponseBodyLimitAction  257
  SecResponseBodyMimeType  257
  SecResponseBodyMimeTypesClear  258
  SecResponseBodyAccess  258
  SecRule  258
  SecRuleInheritance  259
  SecRuleEngine  259
  SecRuleRemoveById  260
  SecRuleRemoveByMsg  260
  SecRuleScript  260
  SecRuleUpdateActionById  262
  SecServerSignature  263
  SecTmpDir  263
  SecUploadDir  263
  SecUploadFileLimit  264
  SecUploadFileMode  264
  SecUploadKeepFiles  265
  SecWebAppId  265

16. Variables  267
  ARGS  267
  ARGS_COMBINED_SIZE  267
  ARGS_NAMES  267
  ARGS_GET  267
  ARGS_GET_NAMES  268
  ARGS_POST  268
  ARGS_POST_NAMES  268
  AUTH_TYPE  268
  DURATION  268
  ENV  268
  FILES  269
  FILES_COMBINED_SIZE  269
  FILES_NAMES  269
  FILES_SIZES  269
  FILES_TMPNAMES  269
  GEO  269
  HIGHEST_SEVERITY  270
  MATCHED_VAR  270
  MATCHED_VAR_NAME  271
  MODSEC_BUILD  271
  MULTIPART_CRLF_LF_LINES  271
  MULTIPART_STRICT_ERROR  271
  MULTIPART_UNMATCHED_BOUNDARY  272
  PATH_INFO  272
  PERF_COMBINED  273
  PERF_GC  273
  PERF_LOGGING  273
  PERF_PHASE1  273
  PERF_PHASE2  273
  PERF_PHASE3  273
  PERF_PHASE4  273
  PERF_PHASE5  273
  PERF_SREAD  273
  PERF_SWRITE  274
  QUERY_STRING  274
  REMOTE_ADDR  274
  REMOTE_HOST  274
  REMOTE_PORT  274
  REMOTE_USER  274
  REQBODY_PROCESSOR  275
  REQBODY_PROCESSOR_ERROR  275
  REQBODY_PROCESSOR_ERROR_MSG  275
  REQUEST_BASENAME  275
  REQUEST_BODY  276
  REQUEST_BODY_LENGTH  276
  REQUEST_COOKIES  276
  REQUEST_COOKIES_NAMES  276
  REQUEST_FILENAME  276
  REQUEST_HEADERS  277
  REQUEST_HEADERS_NAMES  277
  REQUEST_LINE  277
  REQUEST_METHOD  277
  REQUEST_PROTOCOL  277
  REQUEST_URI  277
  REQUEST_URI_RAW  278
  RESPONSE_BODY  278
  RESPONSE_CONTENT_LENGTH  278
  RESPONSE_CONTENT_TYPE  278
  RESPONSE_HEADERS  279
  RESPONSE_HEADERS_NAMES  279
  RESPONSE_PROTOCOL  279
  RESPONSE_STATUS  279
  RULE  279
  SCRIPT_BASENAME  280
  SCRIPT_FILENAME  280
  SCRIPT_GID  280
  SCRIPT_GROUPNAME  280
  SCRIPT_MODE  280
  SCRIPT_UID  280
  SCRIPT_USERNAME  281
  SERVER_ADDR  281
  SERVER_NAME  281
  SERVER_PORT  281
  SESSION  281
  SESSIONID  282
  TIME  282
  TIME_DAY  282
  TIME_EPOCH  282
  TIME_HOUR  282
  TIME_MIN  282
  TIME_MON  283
  TIME_SEC  283
  TIME_WDAY  283
  TIME_YEAR  283
  TX  283
  URLENCODED_ERROR  284
  USERID  284
  WEBAPPID  284
  WEBSERVER_ERROR_LOG  284
  XML  284

17. Transformation Functions  287
  base64Decode  288
  base64Encode  288
  compressWhitespace  288
  cssDecode  288
  escapeSeqDecode  288
  hexDecode  288
  hexEncode  288
  htmlEntityDecode  288
  jsDecode  289
  length  289
  lowercase  289
  md5  289
  none  289
  normalisePath  290
  normalisePathWin  290
  parityEven7bit  290
  parityOdd7bit  290
  parityZero7bit  290
  removeNulls  290
  removeWhitespace  290
  replaceComments  290
  replaceNulls  291
  urlDecode  291
  urlDecodeUni  291
  urlEncode  291
  sha1  291
  trimLeft  291
  trimRight  291
  trim  291

18. Actions  293
  allow  293
  append  294
  auditlog  294
  block  294
  capture  295
  chain  295
  ctl  296
  deny  297
  deprecatevar  297
  drop  297
  exec  298
  expirevar  298
  id  299
  initcol  299
  log  299
  logdata  300
  msg  300
  multiMatch  300
  noauditlog  300
  nolog  301
  pass  301
  pause  301
  phase  301
  prepend  302
  proxy  302
  redirect  302
  rev  303
  sanitiseArg  303
  sanitiseMatched  303
  sanitiseRequestHeader  303
  sanitiseResponseHeader  303
  severity  303
  setuid  304
  setsid  304
  setenv  305
  setvar  305
  skip  305
  skipAfter  306
  status  306
  t  306
  tag  307
  xmlns  307

19. Operators  309
  beginsWith  309
  contains  309
  endsWith  309
  eq  309
  ge  310
  geoLookup  310
  gt  310
  inspectFile  310
  le  311
  lt  311
  pm  311
  pmFromFile  312
  rbl  313
  rx  313
  streq  314
  validateByteRange  314
  validateDTD  314
  validateSchema  315
  validateUrlEncoding  315
  validateUtf8Encoding  315
  verifyCC  316
  within  316

20. Data Formats  317
  Alerts  317
  Alert Action Description  317
  Alert Justification Description  318
  Metadata  319
  Escaping  320
  Alerts in the Apache Error Log  320
  Alerts in Audit Logs  321
  Audit Log  321
  Parts  322
  Storage Formats  329
  Remote Logging Protocol  331

Index  333