SlideShare ist ein Scribd-Unternehmen logo

Using IPS for Web Protection

Conferencias FIST
Conferencias FIST
Technologie
1 von 22
Downloaden Sie, um offline zu lesen
Using IPS for Web Protection Alejandro Sánchez Acosta asanchez@s21sec.com   S21SEC
Agenda ● Web Protection ● Intrusion Detection Systems (IDS) ● Active and response IDS. ● IPS as Web Protection ● Advanced Signatures ● Demo ● Conclusions
Web Protection ● Common risks – (XSS, SQL Injection, Command Execution) ● Solutions – Application Firewall  – IDS/IPS
Intrusion Detection Systems (IDS) ● Functions: – Capture events – Pattern matching – Detection – Logging ● Kind of IDS – HIDS, NIDS and LIDS
Intrusion Prevention Systems (IPS) ● Prevention systems. ● IDS evolution ● Network and application layer.
Firewall extensions ● Iptables – String matching – Patch­o­matic – Difficult configuration – Solutions based in iptables and IDS. ● snort2c, snort2iptables, snort2pf, etc.
ModSecurity – Developed by Ivan Ristick. – Easy configuration – Can work as reverse proxy using ModProxy. – Works in Application layer.
Snort ● Developed by Martin Roesch. ● Operation modes  – Sniffer, packet logger, NIDS and IPS. ● Output – Binary tcpdump, ASCII, Mysql/Postgresql.
Snort as IPS ● Preprocessors – HTTPInspect, Stream4 reassembly. ● Web rules configuration ● Response protection – (Snort Inline, Snort Divert Mode, Flexresponse)
Web configuration rules ● Community rules – Web­misc, web­cgi, web­dos, web­client, sql­ injection, etc. ● Snort rules – Custom web snort.org rules. ● Bleeding Snort
Cross Site Scripting  ● Existing snort signatures: <script>alert(document.cookie)</script> attack: alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting attempt"; flow:to_server,established;  content:"<SCRIPT>"; nocase; classtype:web­application­attack; sid:1497;  rev:6;) <img src=javascript> attack: alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting HTML Image tag set to javascript  attempt"; flow:to_server,established; content:"img src=javascript";  nocase; classtype:web­application­attack; sid:1667; rev:5;)
Easy evasion ● Can be trivially evaded using: – <a href="javas&#99;ript&#35;[code]">  – <div onmouseover="[code]">  – <img src="javascript:[code]">  – <xml src="javascript:[code]"> ● Solution: Using complex rules
Advanced signatures ● Enter PCRE – Perl Compatible Regular Expressions ● Greater flexibility ● One signature can catch multiple attacks ● Lower learning curve for Unix admins – regex is  part of daily life ● Regular expressions work with: – Snort IDS – Apache’s mod_security.
Regular expressions samples ● XSS: – /((%3D)|(=))[^n]*((%3C)|<)[^n]+((%3E)|>)  ● SQL Injection: – /(%27)|(')|(­­)|(%23) ● Redirection: site=[^(www.fistconference.org)] ● Command Execution: /(system|exec)/ ● Null byte poison: %00 ● Overflows: /[w]+=[^=]{500,+}&/
Snort Inline ● Drop – The drop rule tells iptables to drop the packet and log  it via usual snort  ● Sdrop – The sdrop rule tells iptables to drop the packet.  Nothing is logged. ● Reject  – The reject rule type tells iptables to drop the packet;  log it via usual snort means; and answer source host.
Replace contents ● Replacement: Another option replaces portions of the payload (disabling the  effectiveness of the attack) but allowing the connection to  continue: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"IIS Exploit";flags: A+; content:"/bin/sh"; replace:"/ben/sh";)
Divert Mode ● FreeBSD Inline implementation – Use divert sockets and libnet – Integrated in Snort. ● Part of snort­inline project – Reset, drop, sdrop and replace.
FlexResponse ● Portable implementation ● Doesn't support replacement ● Rule modification: var RESP_TCP resp:rst_snd; var RESP_TCP_URG resp:rst_all; var RESP_UDP resp:icmp_port,icmp_host;
Conclusion ● IDS – Snort: can work as IPS in big environments. – ModSecurity is good if you dont want network  changes. ● Response mode – Flexresponse is portable – Inline works only in GNU/Linux – Divert works only in FreeBSD.
Demo ● ModSecurity  ● Snort web rules using FlexResponse
More information ● Get Snort – www.snort.org – www.modsecurity.org
Questions?

Empfohlen

2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion ConferenceDefensiveDepth
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingUTD Computer Security Group
 
Intro to Exploitation
Intro to ExploitationIntro to Exploitation
Intro to ExploitationUTD Computer Security Group
 
Enumeration
EnumerationEnumeration
EnumerationUTD Computer Security Group
 
Infrastructure Security
Infrastructure SecurityInfrastructure Security
Infrastructure SecurityUTD Computer Security Group
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEANGINX, Inc.
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 

Empfohlen

2014 Security Onion Conference
2014 Security Onion Conference2014 Security Onion Conference
2014 Security Onion ConferenceDefensiveDepth
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingUTD Computer Security Group
 
Intro to Exploitation
Intro to ExploitationIntro to Exploitation
Intro to ExploitationUTD Computer Security Group
 
Enumeration
EnumerationEnumeration
EnumerationUTD Computer Security Group
 
Infrastructure Security
Infrastructure SecurityInfrastructure Security
Infrastructure SecurityUTD Computer Security Group
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEANGINX, Inc.
 
Secure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxSecure and Simple Sandboxing in SELinux
Secure and Simple Sandboxing in SELinuxJames Morris
 
Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS SecurityJose Manuel Ortega Candel
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Down by the Docker
Down by the DockerDown by the Docker
Down by the DockerNotSoSecure Global Services
 
Построение простого REST сервера на Node.js | Odessa Frontend Code challenge
Построение простого REST сервера на Node.js | Odessa Frontend Code challengeПостроение простого REST сервера на Node.js | Odessa Frontend Code challenge
Построение простого REST сервера на Node.js | Odessa Frontend Code challengeOdessaFrontend
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...JosephTesta9
 
Nginx+ Naxsi
Nginx+ NaxsiNginx+ Naxsi
Nginx+ Naxsi3camp
 
Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash CourseUTD Computer Security Group
 
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019Janith Malinga
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for PentestersNotSoSecure Global Services
 
Intro to Node.js
Intro to Node.jsIntro to Node.js
Intro to Node.jsJames Carr
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaNéstor Salceda
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
 
FreeBSD is not Linux
FreeBSD is not LinuxFreeBSD is not Linux
FreeBSD is not LinuxMuhammad Moinur Rahman
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Node in Real Time - The Beginning
Node in Real Time - The BeginningNode in Real Time - The Beginning
Node in Real Time - The BeginningAxilis
 
Ips and ids
Ips and idsIps and ids
Ips and idspadolph25
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-TutorialVladimir Koychev
 

Weitere ähnliche Inhalte

Was ist angesagt?

Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!Maciej Lasyk
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Построение простого REST сервера на Node.js | Odessa Frontend Code challenge
Построение простого REST сервера на Node.js | Odessa Frontend Code challengeПостроение простого REST сервера на Node.js | Odessa Frontend Code challenge
Построение простого REST сервера на Node.js | Odessa Frontend Code challengeOdessaFrontend
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...JosephTesta9
 
Nginx+ Naxsi
Nginx+ NaxsiNginx+ Naxsi
Nginx+ Naxsi3camp
 
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019Janith Malinga
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Jason Williams
 
Intro to Node.js
Intro to Node.jsIntro to Node.js
Intro to Node.jsJames Carr
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaNéstor Salceda
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
Node in Real Time - The Beginning
Node in Real Time - The BeginningNode in Real Time - The Beginning
Node in Real Time - The BeginningAxilis
 

Was ist angesagt? (20)

Stop disabling SELinux!
Stop disabling SELinux!Stop disabling SELinux!
Stop disabling SELinux!
 
Testing NodeJS Security
Testing NodeJS SecurityTesting NodeJS Security
Testing NodeJS Security
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Down by the Docker
Down by the DockerDown by the Docker
Down by the Docker
 
Построение простого REST сервера на Node.js | Odessa Frontend Code challenge
Построение простого REST сервера на Node.js | Odessa Frontend Code challengeПостроение простого REST сервера на Node.js | Odessa Frontend Code challenge
Построение простого REST сервера на Node.js | Odessa Frontend Code challenge
 
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
BSides Rochester 2018: Chaim Sanders: Easily Deploying and Optimizing Open So...
 
Nginx+ Naxsi
Nginx+ NaxsiNginx+ Naxsi
Nginx+ Naxsi
 
Windows Security Crash Course
Windows Security Crash CourseWindows Security Crash Course
Windows Security Crash Course
 
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
 
Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)Suricata: A Decade Under the Influence (of packet sniffing)
Suricata: A Decade Under the Influence (of packet sniffing)
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
Intro to Node.js
Intro to Node.jsIntro to Node.js
Intro to Node.js
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup BarcelonaImplementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
FreeBSD is not Linux
FreeBSD is not LinuxFreeBSD is not Linux
FreeBSD is not Linux
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Node in Real Time - The Beginning
Node in Real Time - The BeginningNode in Real Time - The Beginning
Node in Real Time - The Beginning
 

Andere mochten auch

Network Intrusion Detection System Using Snort
Network Intrusion Detection System Using SnortNetwork Intrusion Detection System Using Snort
Network Intrusion Detection System Using SnortDisha Bedi
 

Andere mochten auch (6)

Ips and ids
Ips and idsIps and ids
Ips and ids
 
Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
Snort IPS
Snort IPSSnort IPS
Snort IPS
 
Network Intrusion Detection System Using Snort
Network Intrusion Detection System Using SnortNetwork Intrusion Detection System Using Snort
Network Intrusion Detection System Using Snort
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 

Ähnlich wie Using IPS for Web Protection

Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.jsorkaplan
 
How to make a high-quality Node.js app, Nikita Galkin
How to make a high-quality Node.js app, Nikita GalkinHow to make a high-quality Node.js app, Nikita Galkin
How to make a high-quality Node.js app, Nikita GalkinSigma Software
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...arnaudsoullie
 
Crypt tech technical-presales
Crypt tech technical-presalesCrypt tech technical-presales
Crypt tech technical-presalesMustafa Kuğu
 
Automated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and RedfishAutomated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and RedfishJose De La Rosa
 
[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...
[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...
[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...OpenStack Korea Community
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSICT PRISTINE
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Deploying Perl apps on dotCloud
Deploying Perl apps on dotCloudDeploying Perl apps on dotCloud
Deploying Perl apps on dotClouddaoswald
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
Rohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual RouterRohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual RouterShapeBlue
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchVic Hargrave
 
Eclipse NeoSCADA 0.3
Eclipse NeoSCADA 0.3Eclipse NeoSCADA 0.3
Eclipse NeoSCADA 0.3Jürgen Rose
 
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffOSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffNETWAYS
 
Hungarian ClusterGrid and its applications
Hungarian ClusterGrid and its applicationsHungarian ClusterGrid and its applications
Hungarian ClusterGrid and its applicationsFerenc Szalai
 

Ähnlich wie Using IPS for Web Protection (20)

Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
How to make a high-quality Node.js app, Nikita Galkin
How to make a high-quality Node.js app, Nikita GalkinHow to make a high-quality Node.js app, Nikita Galkin
How to make a high-quality Node.js app, Nikita Galkin
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
 
Crypt tech technical-presales
Crypt tech technical-presalesCrypt tech technical-presales
Crypt tech technical-presales
 
Automated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and RedfishAutomated Out-of-Band management with Ansible and Redfish
Automated Out-of-Band management with Ansible and Redfish
 
[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...
[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...
[OpenStack Day in Korea 2015] Track 1-6 - 갈라파고스의 이구아나, 인프라에 오픈소스를 올리다. 그래서 보이...
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
LSA2 - 02 Namespaces
LSA2 - 02 NamespacesLSA2 - 02 Namespaces
LSA2 - 02 Namespaces
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
Deploying Perl apps on dotCloud
Deploying Perl apps on dotCloudDeploying Perl apps on dotCloud
Deploying Perl apps on dotCloud
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
Rohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual RouterRohit Yadav - The future of the CloudStack Virtual Router
Rohit Yadav - The future of the CloudStack Virtual Router
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
 
Eclipse NeoSCADA 0.3
Eclipse NeoSCADA 0.3Eclipse NeoSCADA 0.3
Eclipse NeoSCADA 0.3
 
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffOSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
 
Software Defined Networking: Primer
Software Defined Networking: Primer Software Defined Networking: Primer
Software Defined Networking: Primer
 
Hungarian ClusterGrid and its applications
Hungarian ClusterGrid and its applicationsHungarian ClusterGrid and its applications
Hungarian ClusterGrid and its applications
 

Mehr von Conferencias FIST

Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceConferencias FIST
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseConferencias FIST
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiConferencias FIST
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security ForumConferencias FIST
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes WirelessConferencias FIST
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la ConcienciaciónConferencias FIST
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloConferencias FIST
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseConferencias FIST
 

Mehr von Conferencias FIST (20)

Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open Solaris
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 

Kürzlich hochgeladen

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Kürzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Using IPS for Web Protection

  • 1. Using IPS for Web Protection Alejandro Sánchez Acosta asanchez@s21sec.com   S21SEC
  • 2. Agenda ● Web Protection ● Intrusion Detection Systems (IDS) ● Active and response IDS. ● IPS as Web Protection ● Advanced Signatures ● Demo ● Conclusions
  • 3. Web Protection ● Common risks – (XSS, SQL Injection, Command Execution) ● Solutions – Application Firewall  – IDS/IPS
  • 4. Intrusion Detection Systems (IDS) ● Functions: – Capture events – Pattern matching – Detection – Logging ● Kind of IDS – HIDS, NIDS and LIDS
  • 5. Intrusion Prevention Systems (IPS) ● Prevention systems. ● IDS evolution ● Network and application layer.
  • 6. Firewall extensions ● Iptables – String matching – Patch­o­matic – Difficult configuration – Solutions based in iptables and IDS. ● snort2c, snort2iptables, snort2pf, etc.
  • 7. ModSecurity – Developed by Ivan Ristick. – Easy configuration – Can work as reverse proxy using ModProxy. – Works in Application layer.
  • 8. Snort ● Developed by Martin Roesch. ● Operation modes  – Sniffer, packet logger, NIDS and IPS. ● Output – Binary tcpdump, ASCII, Mysql/Postgresql.
  • 9. Snort as IPS ● Preprocessors – HTTPInspect, Stream4 reassembly. ● Web rules configuration ● Response protection – (Snort Inline, Snort Divert Mode, Flexresponse)
  • 10. Web configuration rules ● Community rules – Web­misc, web­cgi, web­dos, web­client, sql­ injection, etc. ● Snort rules – Custom web snort.org rules. ● Bleeding Snort
  • 11. Cross Site Scripting  ● Existing snort signatures: <script>alert(document.cookie)</script> attack: alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting attempt"; flow:to_server,established;  content:"<SCRIPT>"; nocase; classtype:web­application­attack; sid:1497;  rev:6;) <img src=javascript> attack: alert tcp $EXTERNAL_NET any ­> $HTTP_SERVERS $HTTP_PORTS  (msg:"WEB­MISC cross site scripting HTML Image tag set to javascript  attempt"; flow:to_server,established; content:"img src=javascript";  nocase; classtype:web­application­attack; sid:1667; rev:5;)
  • 12. Easy evasion ● Can be trivially evaded using: – <a href="javas&#99;ript&#35;[code]">  – <div onmouseover="[code]">  – <img src="javascript:[code]">  – <xml src="javascript:[code]"> ● Solution: Using complex rules
  • 13. Advanced signatures ● Enter PCRE – Perl Compatible Regular Expressions ● Greater flexibility ● One signature can catch multiple attacks ● Lower learning curve for Unix admins – regex is  part of daily life ● Regular expressions work with: – Snort IDS – Apache’s mod_security.
  • 14. Regular expressions samples ● XSS: – /((%3D)|(=))[^n]*((%3C)|<)[^n]+((%3E)|>)  ● SQL Injection: – /(%27)|(')|(­­)|(%23) ● Redirection: site=[^(www.fistconference.org)] ● Command Execution: /(system|exec)/ ● Null byte poison: %00 ● Overflows: /[w]+=[^=]{500,+}&/
  • 15. Snort Inline ● Drop – The drop rule tells iptables to drop the packet and log  it via usual snort  ● Sdrop – The sdrop rule tells iptables to drop the packet.  Nothing is logged. ● Reject  – The reject rule type tells iptables to drop the packet;  log it via usual snort means; and answer source host.
  • 16. Replace contents ● Replacement: Another option replaces portions of the payload (disabling the  effectiveness of the attack) but allowing the connection to  continue: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"IIS Exploit";flags: A+; content:"/bin/sh"; replace:"/ben/sh";)
  • 17. Divert Mode ● FreeBSD Inline implementation – Use divert sockets and libnet – Integrated in Snort. ● Part of snort­inline project – Reset, drop, sdrop and replace.
  • 18. FlexResponse ● Portable implementation ● Doesn't support replacement ● Rule modification: var RESP_TCP resp:rst_snd; var RESP_TCP_URG resp:rst_all; var RESP_UDP resp:icmp_port,icmp_host;
  • 19. Conclusion ● IDS – Snort: can work as IPS in big environments. – ModSecurity is good if you dont want network  changes. ● Response mode – Flexresponse is portable – Inline works only in GNU/Linux – Divert works only in FreeBSD.
  • 20. Demo ● ModSecurity  ● Snort web rules using FlexResponse
  • 21. More information ● Get Snort – www.snort.org – www.modsecurity.org