ModSecurity and an Efficient Way to Utilize it


ModSecurity is an open-source Web Application Firewall (WAF) that offers substantial protection in an era of constantly evolving web attacks.

As securing a web application becomes harder, ModSecurity relieves developers of part of that burden by acting as an efficient, flexible and reliable protective layer in front of the Apache HTTP Server.

ModSecurity works from a set of rules, and its behaviour depends on how the developer configures those rules. A rule set such as the OWASP Core Rule Set (CRS) can operate in two modes: anomaly scoring mode and self-contained mode.

In anomaly scoring mode, each matching rule adds to an anomaly score for the transaction; the request is blocked only once the accumulated score reaches a configured threshold (and, if the developer enables it, the offending client can be blocked as well).

In self-contained mode, the action of the first matching rule (typically deny) is taken immediately and the remaining rules are, in most cases, not evaluated at all.

The CRS also introduces the concept of a paranoia level, which determines how strict the rule set is. Each level adds rules on top of the previous one, and the higher the level, the more false positives must be expected. There are four levels in total :-

1) Level 1 – Default level; most of the core rules are enabled.

2) Level 2 – Adds many extra rules, including additional regex-based SQL injection and XSS checks.

3) Level 3 – Enables further rules and keyword lists and tightens the limits on special characters.

4) Level 4 – Restricts special characters further; intended for sites with high security requirements.

Anomaly scoring is also flexible: every rule in the rule set carries a severity, and the severity determines how much a match contributes to the transaction's anomaly score.

The CRS uses four severity levels, with the following default scores :-

1) Critical Severity – Anomaly Score of 5

2) Error Severity – Anomaly Score of 4

3) Warning Severity – Anomaly Score of 3

4) Notice Severity – Anomaly Score of 2

These scores are cumulative: the total for the transaction is compared with the threshold configured by the developer, and the request is blocked when the total reaches it.

The threshold must be chosen carefully. If it is too high, some attacks will score below it and slip through.

If it is too low, legitimate requests may be blocked. The right value is found by testing the site with both attack traffic and legitimate requests, ideally with the engine in detection-only mode first (SecRuleEngine DetectionOnly), so that false positives show up in the logs without blocking real users.

For a high-security site a low threshold and a high paranoia level are advised, whereas a standard site normally runs with the default threshold (5 for inbound requests in CRS 3) and paranoia level 1.
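The following is an added illustration (not CRS or ModSecurity code) of the decision logic described above: rules carry a paranoia level and a severity, the configured paranoia level gates which rules run, and the same matches are then judged in anomaly scoring mode (accumulate, compare with the threshold) and in self-contained mode (first match decides). The rules, their IDs and the sample requests are constructed for the example; the threshold default of 5 is the CRS 3 inbound default.

```python
"""Model of how a ModSecurity rule set decides to block in anomaly-scoring
versus self-contained mode, and how the paranoia level gates which rules run.
Added illustration written for this post, not CRS or ModSecurity code; the
rules, rule IDs and requests below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Severity -> anomaly score contribution (CRS defaults, as listed above).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# CRS 3 default inbound anomaly threshold (assumed as the default here).
DEFAULT_THRESHOLD = 5


@dataclass(frozen=True)
class Rule:
    rule_id: str         # hypothetical ID, not a real CRS rule ID
    paranoia_level: int  # rule is active only when the configured PL >= this
    severity: str
    pattern: str         # regex applied to the (decoded) query string

    def matches(self, query: str) -> bool:
        return re.search(self.pattern, query, re.IGNORECASE) is not None


# Constructed rule set: stricter, noisier checks sit at higher paranoia levels.
RULES: List[Rule] = [
    Rule("900001", 1, "CRITICAL", r"union\s+select|sleep\(\d+\)"),  # SQLi-style keywords
    Rule("900002", 1, "CRITICAL", r"<script"),                       # XSS-style tag
    Rule("900003", 2, "WARNING",  r"['\";]"),                        # quote/semicolon in args
    Rule("900004", 3, "NOTICE",   r"[()]"),                          # parentheses in args
]


def evaluate(query: str, paranoia_level: int = 1,
             threshold: int = DEFAULT_THRESHOLD,
             mode: str = "anomaly") -> Tuple[bool, int, List[str]]:
    """Return (blocked, anomaly_score, matched_rule_ids) for one request.

    anomaly mode: every active rule runs, scores accumulate, and the request
    is blocked only when the total reaches the threshold (CRS compares with @ge).
    self-contained mode: the first matching rule's action (deny) is taken and
    the remaining rules are not evaluated.
    """
    if mode not in ("anomaly", "self-contained"):
        raise ValueError(f"unknown mode {mode!r}")
    active = [r for r in RULES if r.paranoia_level <= paranoia_level]
    matched: List[str] = []
    score = 0
    for rule in active:
        if not rule.matches(query):
            continue
        matched.append(rule.rule_id)
        score += SEVERITY_SCORE[rule.severity]
        if mode == "self-contained":
            return True, score, matched      # first match decides, stop here
    if mode == "self-contained":
        return False, 0, []
    return score >= threshold, score, matched


if __name__ == "__main__":
    for q in ("id=42", "id=1' OR '1'='1", "q=1 UNION SELECT sleep(5)"):
        for pl in (1, 2, 3):
            print(pl, q, evaluate(q, paranoia_level=pl),
                  evaluate(q, paranoia_level=pl, mode="self-contained"))
```

Running it shows the trade-off in the text directly: at paranoia level 1 the quote-only request is not even matched, at level 2 it scores a WARNING (3) that stays under the threshold of 5 in anomaly mode but is blocked outright in self-contained mode, and at level 3 the parenthesis rule starts adding points to requests that a real application may legitimately send.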

ModSecurity processes each transaction in five phases, and every rule is assigned to one of them :-

1) Request headers

2) Request body

3) Response headers

4) Response body

5) Logging

The audit log written in the logging phase, however, is not directly useful if one wants to visualise how many requests were legitimate and how many were attacks.

For that, the audit log must be available in a format that front-end tooling can consume easily, such as JSON.

The audit log can be converted to JSON with Logstash, which collects, parses and stores log data for later use; Filebeat is used to feed the audit log to Logstash. (ModSecurity 2.9.1 and later can also write the audit log as JSON directly with SecAuditLogFormat JSON, which removes most of the parsing work.)

Filebeat tails the source log file and ships it to Logstash. Note that one entry in the native audit log spans many lines (the parts A to Z of a transaction), so Filebeat's multiline options are needed to group each entry into a single event; Logstash then turns each transaction into one JSON document.

With that pipeline in place, the complete HTTP transactions recorded by ModSecurity can be visualised.
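To make the conversion concrete, here is an added example (written for this post, not Logstash or Filebeat configuration) that parses the native serial audit log format and emits one JSON document per transaction, pulling the client address from part A, the request line from part B, the status from part F and the rule IDs, anomaly score and block decision from part H. The two audit-log entries embedded in it are constructed samples; the rule IDs 942100 and 949110 they mention are real OWASP CRS 3 rule IDs, used only so the H section looks realistic.

```python
"""Parser for ModSecurity's native (serial) audit log that emits one JSON
document per transaction, pulling the anomaly score and block decision out
of part H. Added illustration for this post, not Logstash or Filebeat code.
SAMPLE_AUDIT_LOG is constructed; the rule IDs 942100 and 949110 in it are
real OWASP CRS 3 rule IDs, used only for realism."""
import json
import re
from typing import Dict, List

# Constructed sample: one request blocked by CRS (403) and one allowed (200).
# Each transaction is delimited by "--<id>-<part>--" boundary lines.
SAMPLE_AUDIT_LOG = """\
--3f1a2b9c-A--
[26/Apr/2017:10:21:33 +0000] WQBqDX8AAQEAAFz3BkcAAAAA 203.0.113.7 51234 198.51.100.10 80
--3f1a2b9c-B--
GET /index.php?id=1%27%20UNION%20SELECT%201,2 HTTP/1.1
Host: www.example.com

--3f1a2b9c-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--3f1a2b9c-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "53"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]

--3f1a2b9c-Z--

--3f1a2b9d-A--
[26/Apr/2017:10:21:40 +0000] WQBqFH8AAQEAAFz3BkgAAAAB 203.0.113.8 51235 198.51.100.10 80
--3f1a2b9d-B--
GET /index.php?id=42 HTTP/1.1
Host: www.example.com

--3f1a2b9d-F--
HTTP/1.1 200 OK
Content-Type: text/html

--3f1a2b9d-H--

--3f1a2b9d-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) \d+ (?P<dst>\S+) \d+$")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs in part H
TOTAL_SCORE = re.compile(r"Total Score: (\d+)")


def split_parts(text: str) -> Dict[str, Dict[str, str]]:
    """Group raw lines into {transaction_id: {part_letter: body}} in file order."""
    raw: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = (m.group(1), m.group(2))
            raw.setdefault(current[0], {})[current[1]] = []
        elif current is not None:
            raw[current[0]][current[1]].append(line)
    return {tid: {p: "\n".join(b).strip() for p, b in d.items()} for tid, d in raw.items()}


def parse_messages(part_h: str) -> List[Dict[str, str]]:
    """Turn each 'Message:' line of part H into a dict of its [key "value"] fields."""
    msgs = []
    for line in part_h.splitlines():
        if line.startswith("Message: "):
            fields = dict(FIELD.findall(line))
            fields["text"] = line[len("Message: "):].split(" [", 1)[0]
            msgs.append(fields)
    return msgs


def parse_audit_log(text: str) -> List[dict]:
    """One flat document per transaction, ready for JSON serialisation."""
    docs = []
    for tid, parts in split_parts(text).items():
        a = PART_A.match(parts.get("A", ""))
        req = parts.get("B", "").split("\n", 1)[0].split(" ")   # request line
        resp = parts.get("F", "").split("\n", 1)[0].split(" ")  # status line
        msgs = parse_messages(parts.get("H", ""))
        scores = [int(s.group(1)) for s in (TOTAL_SCORE.search(m.get("msg", "")) for m in msgs) if s]
        docs.append({
            "transaction_id": tid,
            "timestamp": a.group("ts") if a else None,
            "unique_id": a.group("uid") if a else None,
            "client_ip": a.group("src") if a else None,
            "method": req[0] if len(req) >= 2 else None,
            "uri": req[1] if len(req) >= 2 else None,
            "status": int(resp[1]) if len(resp) >= 2 and resp[1].isdigit() else None,
            "rule_ids": [m["id"] for m in msgs if "id" in m],
            "anomaly_score": max(scores, default=0),
            "blocked": any(m["text"].startswith("Access denied") for m in msgs),
        })
    return docs


def to_json_lines(text: str) -> List[str]:
    """JSON Lines output: the per-event shape a Logstash/Elasticsearch pipeline ingests."""
    return [json.dumps(d, sort_keys=True) for d in parse_audit_log(text)]


def summarize(text: str) -> Dict[str, int]:
    docs = parse_audit_log(text)
    blocked = sum(d["blocked"] for d in docs)
    return {"blocked": blocked, "allowed": len(docs) - blocked}


if __name__ == "__main__":
    print("\n".join(to_json_lines(SAMPLE_AUDIT_LOG)))
    print(summarize(SAMPLE_AUDIT_LOG))
```

The parser keys everything on the boundary lines rather than on line position, which is exactly why a line-by-line shipper cannot produce one document per transaction on its own: the fields a dashboard needs (status, rule IDs, total anomaly score) live in different parts of the same entry. The same grouping is what Filebeat's multiline options provide before Logstash, or what SecAuditLogFormat JSON makes unnecessary on ModSecurity 2.9.1 and later.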

ModSecurity is therefore a WAF that has given web application developers a great deal of relief through its flexible yet efficient and accurate detection of, and response to, attacks.

It is still maturing, and its upcoming version 3 is set to be released as an independent library (libmodsecurity).

Once released as a library, it can be integrated with almost any program through a connector, and the dependency on Apache will be gone.

ModSecurity is therefore software that deserves attention, and people should know about it.

Being open source, it is something people should contribute to and make better, as it may be just what the world needs to fight cyber crime.
