Category:OWASP ModSecurity Core Rule Set Project

About

Overview

ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extrememly flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.

Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the CRS is based on generic rules which focus on attack payload identification in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.

Why The Core Rule Set?

The focus of the core rule set is to be a "rule set" rather than a set of rules. What makes a rule set different than a set of rules?

• Performance - The Core Rule Set is optimized for performance. The amount and content of the rules used predominantly determines the performance impact of ModSecurity, so the performance optimization of the rule set is very important.
• Quality - While there will always be false positives, a lot of effort is put into trying to make the Core Rule Set better. Some of the things done are:
  • Regression tests - a regression test is used to ensure that every new version shipped does not break anything. Actually every report of a false positive, once solved, gets into the regression test.
  • Real traffic testing – A large amount of real world capture files have been converted to tests and sent through ModSecurity to detect potential false positives.
• Generic Detection - The core rule set is tuned to detect generic attacks and does not include specific rules for known vulnerabilities. Due to this feature the core rule set has better performance, is more "plug and play" and requires less updates.
• Event Information - Each rule in the Core Rule Set has a unique ID and a textual message. In the future rules are also going to be classified using a new tag action in ModSecurity, as well as longer information regarding each rule using comments in the files themselves.
• Plug and Play – The Core Rule Set is designed to be as plug and play as possible. Since its performance is good and it employs generic detection, and since the number of false positives is getting lower all the time, the Core Rule Set can be installed as is with little twisting and tweaking.

Content

In order to provide generic web applications protection, the Core Rules use the following techniques:

• Protocol compliance:
  • HTTP request validation - This first line of protection ensures that all abnormal HTTP requests are detected. This line of defense eliminates a large number of automated and non targeted attacks as well as protects the web server itself.
  • HTTP protocol anomalies - Common HTTP usage patterns are indicative of attacks.
  • Global constraints - Limiting the size and length of different HTTP protocol attributes, such as the number and length of parameters and the overall length of the request. Ensuring that these attributed are constrained can prevent many attacks including buffer overflow and parameter manipulation.
  • HTTP Usage policy – validate requests against a predefined policy, setting limitations request properties such as methods, content types and extensions.
• Attack Detection:
  • Malicious client software detection - Detect requests by malicious automated programs such as robots, crawlers and security scanners. Malicious automated programs collect information from a web site, consume bandwidth and might also search for vulnerabilities on the web site. Detecting malicious crawlers is especially useful against comments spam.
  • Generic Attack Detection - Detect application level attacks such as described in the OWASP top 10. These rules employ context based patterns match over normalized fields. Detected attacks include:
    • SQL injection and Blind SQL injection.
    • Cross Site Scripting (XSS).
    • OS Command Injection and remote command access.
    • File name injection.
    • ColdFusion, PHP and ASP injection.
    • E-Mail Injection
    • HTTP Response Splitting.
    • Universal PDF XSS.
  • Trojans & Backdoors Detection - Detection of attempts to access Trojans & backdoors already installed on the system. This feature is very important in a hosting environment when some of these backdoors may be uploaded in a legitimate way and used maliciously.
• Other:
  • Error Detection - Prevent application error messages and code snippets from being sent to the user. This makes attacking the server much harder and is also a last line of defense if an attack passes through.
  • XML Protection – The Core Rule Set can be set to examine XML payload for most signatures.
  • Search Engine Monitoring - Log access by search engines crawlers to the web site.

Installation

Quick Start

The Core Rule Set is a set of apache configuration files that should be added to your Apache configuration. To install the Core Rule Set:

• Extract the Core Rule Set content into a directory called modsecurity under your Apache configuration directory.
• Edit and customize modsecurity_crs_10_config.conf. This file contains comments which explain how to set up each directive. You may also want to edit modsecurity_crs_30_http_policy.conf which sets rules specific to your application.
• Add the directive Include conf/modsecurity/*.conf to your httpd.conf after the line where ModSecurity itself it loaded.
• Restart Apache.
• Check that the server works normally, and simulate an attack by browsing to the URL http://yourhost/cmd.exe. Instead of a “page not found” error, you should get a “Method Not Implemented” error.

We strongly recommend that you start using the Core Rule Set in monitoring only mode by changing the directive SecRuleEngine in file modsecurity_crs_10_config.conf from On to DetectionOnly. After operating in this mode for a period of time, analyze the alerts recorded in your Apache error log. If there are alerts that you dim as false positives refer to the section about handling false positives later in this document. Only after such a process it is safe to move back to blocking by setting SecRuleEngine in file modsecurity_crs_10_config.conf to On.

Documentation

Presentations and Whitepapers

Ofer Shezaf's presentation and whitepaper on the Core Rule Set for the latest version of ModSecurity presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007

Related Projects

ModSecurity-Open Source Web Application Firewall
OWASP Securing WebGoat using ModSecurity

Latest News and Mail List

Project Mail List
Subscribe here
Use here |

Contributors, Users and Adopters

Project Leader

Ryan Barnett

Project Contributors

Brian Rectanus

The Core Rule Set (CRS) project is sponsored by:

The CRS is an open source rule set licensed under GPLv2. ModSecurity Core Rule Set works with ModSecurity 2.5 and above.

PROJECT INFORMATION
Project Name	OWASP ModSecurity Core Rule Set Project
Short Project Description	The purpose of this project is the documentation and development of the ModSecurity Core Rule Set. Unlike intrusion detection and prevention systems, which rely on signature specific to known vulnerabilities, the Core Rules are based on generic rules in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.
Key Project Information	Project Leader Ryan Barnett	Project Contibutors Brian Rectanus (add account link, please)	Mailing List Subscribe here Use here	License GNU General Public License	Project Type Document	Sponsor