Analyzing Web App Attacks Using ModSecurity at MIRcon 2013

I’m extremely excited to announce that I will be speaking at MIRcon2013 on ModSecurity!  The presentation’s goal is to help systems administrators, incident responders, and security analysts better manage and run an installation of ModSecurity.  Here is the synopsis from the presentation.

Any publicly available web server and site is under attack on a regular basis. Attacks range from automated scripts firing blindly at servers to customized attacks built specifically for the targeted application. When a web application is compromised the incident responder spends a large amount of time looking at the web server logs to find out what went wrong. The problem is that Apache, IIS or other web server logs frequently do not have enough information to really see what the attacker did. If an attacks are sent via POST requests, none of the request parameters are logged. There is valuable information that can be gleaned from these logs, but the responder is only getting part of the story. ModSecurity is module for the Apache, IIS and Nginx web servers and if used properly can provide an enormous amount of detail (beyond the default web server logs) about what attackers are doing against a web server. In this presentation we will get familiar with ModSecurity, how it works, what the log formats are, the detection rules available to us and then dive into analyzing the data it provides to us. We will not only be look at what attackers have done to compromise a web application, but will be examining ways to see what the bad guys are doing right now to try to exploit our applications. We can use this information to determine whether our rule sets are effective and what needs to be done to tune them. Armed with this information our ability to make sense of this log data allows us to implement the blocking capabilities built into ModSecurity with confidence that we are not breaking legitimate functionality.

While I primarily perform penetration testing and security architecture reviews for Secure Ideas, my heart is still in the operations world of technology.  So I’m extremely pleased to be presenting what I hope will be valuable information to the blue teams out there.

The conference is November 5th and 6th, 2013 in Washington, DC.  You can view the conference agenda at https://www.mandiant.com/events/mircon/agenda.


Jason Wood is a Senior Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at jason@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

Leave a Comment

Your email address will not be published. Required fields are marked *