This page contains additional input filters developed by Approach for ModSecurity. These are aimed either at stopping some evasion techniques, or to add advanced functionalities to detect attacks that bypass ModSecurity standard features.
We are developing – since 2003 – additional ModSecurity functionalities to protect our customers in critical environments. From time to time, we publish some of them as Open Source to the community.
Several of our modules were included, as of 2011, into ModSecurity core project, after being used by our customers during years:
- sqlHexDecode
- normalizeSql
- cmdline
As we are maintaining for our customers many other transformations and operators to protect them against advanced attacks, you may expect some other extensions to come in the future ...
Important remark: These modules are used in our highly secure management framework for ModSecurity allowing to use ModSecurity to easily manage hundreds of applications and implementing a real default-deny methodology. But these modules are not a final solution and, to totally protect our customers, we added other specific rules: for more information about our expertise and methodology, visit our WAF page.
We will continue to actively collaborate with ModSecurity development teams, so our Open Source extensions could be included in the future in ModSecurity core project as the other ones in the past.
bash
This filter is intended to normalise bash command line strings, to inhibit evasion techniques.
Unix/Linux bash shell commands may be escaped by different means, like:
- rm \-rf
- r’’m -rf
- “r”m -rf
- rm[tab]”-“rf
- rm$1 -$2r$@f
- ...
This filter avoids this problem by removing/replacing most evasion patterns. Note that some evasion patterns cannot be removed by this transformation only and we added several specific rules(that are not part of ModSecurity core rules) to totally protect our customers.
Usage:
t:bash
Ex: SecRule ARGS "\bnmap\b" "phase:2,t:none,t:bash,deny"
Installation
Add the following directive to httpd.conf:
LoadModule approach_bash_module modules/approach_bash.so
Disclaimer
Although these extensions are used in production at our premises, on our hosting centre, and at a lot of critical customers locations, they are given as is by Approach Belgium, without any warranty or support. We publish the source code only, but binaries are available for customers.