1.
Christian Folini (@ChrFolini)
www.netnea.com
Core Rules Paranoia Mode
Zurich, June 10, 2016

2.
WAF SETUPS
Naïve • Overwhelmed • Functional

3.
MODSEC
Embedded • Rule-Oriented • Granular Control

4.
RULE CONCEPTS
Whitelisting • Blacklisting • Positive • Negative

5.
xkcd: #327

6.
Anomaly Scoring
Adjustable Limit • False Positives

7.
OWASP ModSecurity Core Rule Set
Paranoia Mode : Basic Idea
• Assign Rules According to False Positive Rate
• Add Strict Siblings to Existing Rules
• Introduce Paranoia Levels 1-4

8.
Restricted SQL Chars
CRS 2.2.9 : Rule ID 981173
ARGS_NAMES|ARGS|XML:/*
"([~!@#$%^&*()-+={}[]|:;"'´’‘`<>].*?){5,}"

9.
Restricted SQL Chars
CRS 3.0.0dev : Rule ID 942430pp
Paranoia Level 1: no limit
Paranoia Level 2: limit 12 ID 942430
Paranoia Level 3: limit 6 ID 942431
Paranoia Level 4: limit 2 ID 942432

10.
Hex Encodings : 0x[0-9a-f]
Plan for CRS 3.0.0dev (Rule ID 942450)
Paranoia 1: REQUEST_COOKIES_NAMES
Paranoia 2: REQUEST_COOKIES

11.
PHP Function Names in CRS 3.0.0dev
by Walter Hop
lifeforms.nl

12.
Settings Matrix
HIGH
LOW
LOW HIGH
Anomaly Limit
Paranoia Level
Easing in
Standard
SITE
Are you nuts?
High Security

13.
Photo Sources
(all licensed via Creative Commons or in the public domain)
• Discovery: https://www.flickr.com/photos/flowtastic/13385797723 (by Florian F. / Flowtography)
• Watch: https://www.flickr.com/photos/billadler/391674817 (by Bill Adler)
• Bamboozled: Hopefully public domain
• xkcd: Little Bobby Tables: https://xkcd.com/327/ (by Randall Munroe)
• Star Wars Limbo: https://www.flickr.com/photos/jdhancock/3605011903 (by JD Hancock)
Christian Folini / @ChrFolini
• christian.folini@netnea.com
• https://www.netnea.com
• https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0.0-rc1

14.
ModSecurity Course
The Key to ModSecurity and the
OWASP ModSecurity Core Rules
with Christian Folini (@ChrFolini)
London 22-23 Sep 2016
https://www.feistyduck.com/training/modsecurity
(Local trainings available on request: training@feistyduck.com)