ModSecurity extensions by Approach Belgium

This page contains additional input filters developed by Approach for ModSecurity. They are aimed either at stopping certain evasion techniques or at adding advanced functionality to detect attacks that bypass ModSecurity's standard features.

Since 2003 we have been developing additional ModSecurity functionality to protect our customers in critical environments. From time to time, we publish some of it as Open Source for the community.

Several of our modules were included in the ModSecurity core project as of 2011, after being used by our customers for years:

  • sqlHexDecode
  • normalizeSql
  • cmdline

As we maintain many other transformations and operators for our customers to protect them against advanced attacks, you may expect other extensions to come in the future.

Important remark: These modules are used in our highly secure management framework for ModSecurity, which makes it easy to manage hundreds of applications with ModSecurity and to implement a real default-deny methodology. But these modules are not a final solution and, to fully protect our customers, we added other specific rules. For more information about our expertise and methodology, visit our WAF page.

We will continue to collaborate actively with the ModSecurity development teams, so that our Open Source extensions can be included in the ModSecurity core project in the future, as others were in the past.
 

bash

This filter is intended to normalise bash command line strings, to inhibit evasion techniques.

Unix/Linux bash shell commands may be escaped by different means, like:

  • rm \-rf
  • r''m -rf
  • "r"m -rf
  • rm[tab]"-"rf
  • rm$1 -$2r$@f
  • ...

This filter avoids this problem by removing or replacing most evasion patterns. Note that some evasion patterns cannot be removed by this transformation alone, and we added several specific rules (that are not part of the ModSecurity core rules) to fully protect our customers.
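The following is an added sketch, not Approach's module source, of the kind of in-place normalisation described above, limited to the evasion forms listed on this page. The function names `bash_normalise` and `matches_after_normalise` are hypothetical, and the code assumes that `$N` and `$@` expand to nothing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative in-place normaliser (hypothetical name; not Approach's code).
 * Covers only the forms listed on the page: backslashes, quotes, whitespace
 * runs, and $N / $@ (assumed empty). Returns new length; for matching only. */
size_t bash_normalise(char *buf, size_t len)
{
    size_t w = 0;
    int pending_space = 0;
    for (size_t r = 0; r < len; r++) {
        unsigned char c = (unsigned char)buf[r];
        if (c == '\\' || c == '\'' || c == '"') {
            /* drop escape and quote characters */
        } else if (c == '$' && r + 1 < len &&
                   (isdigit((unsigned char)buf[r + 1]) || buf[r + 1] == '@')) {
            r++;                               /* drop $1, $2, $@ */
        } else if (isspace(c)) {
            pending_space = (w > 0);           /* collapse runs, trim leading */
        } else {
            if (pending_space) { buf[w++] = ' '; pending_space = 0; }
            buf[w++] = (char)c;
        }
    }
    if (w < len) buf[w] = '\0';
    return w;
}

/* Mimics a rule that applies the transformation, then searches for needle. */
int matches_after_normalise(const char *input, const char *needle)
{
    char buf[256];
    size_t n = strlen(input) < sizeof buf ? strlen(input) : sizeof buf - 1;
    memcpy(buf, input, n);
    buf[n] = '\0';
    bash_normalise(buf, n);
    return strstr(buf, needle) != NULL;
}

int main(void)
{
    /* Constructed inputs: the evasion forms listed on the page. */
    const char *samples[] = { "rm \\-rf", "r''m -rf", "\"r\"m -rf",
                              "rm\t\"-\"rf", "rm$1 -$2r$@f" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d\n", matches_after_normalise(samples[i], "rm -rf"));
    return 0;
}
```

Every listed form reduces to the same string, so a single pattern written against the plain command matches all of them.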

Usage:

t:bash

Ex: SecRule ARGS "\bnmap\b" "phase:2,t:none,t:bash,deny"

Installation

Add the following directive to httpd.conf:

LoadModule approach_bash_module modules/approach_bash.so


Disclaimer

Although these extensions are used in production at our premises, in our hosting centre, and at many critical customer locations, they are provided as is by Approach Belgium, without any warranty or support. We publish the source code only, but binaries are available for customers.

Our approach to cyber-security

Our customers benefit from the expertise and talent of our people, combined with pragmatic and proven methods and the efficiency brought by our assets:

1. Expertise and talent

Since 2001 we have applied our experience in cyber-security gained in various industries, from small to large businesses. Our people are seasoned, certified professionals who continuously improve and extend their knowledge.

2. Pragmatic and proven methods

We rely on the most recognised, easily auditable and adopted standards and good practices and apply them pragmatically. We always tailor our approach to your particular context, needs and organisation culture.

3. Asset-based approach

We make use of the most advanced and reliable tools and solutions to support our services. This enables us to be more efficient during delivery, enforce the use of standard auditable methods and provide transparency about our achievements and your results.
