|
1 | | -## monitoring CSRF attacks with apache's modsecurity |
| 1 | +## monitoring cross-site request forgery attacks with apache's modsecurity |
2 | 2 |
|
3 | 3 | <br> |
4 | 4 |
|
5 | 5 | ### tl; dr |
6 | 6 |
|
7 | 7 | * a tool to monitor web server's log files against CSRF attacks, including a modification for modsecurity on apache |
8 | | -* it is a nice example of parser in ruby and ragel, together with some examples in C++ and python |
| 8 | +* it is a nice example of a parser in ruby and ragel, together with some examples in C++ and python |
| 9 | + |
| 10 | +<br> |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +### introduction |
| 15 | + |
| 16 | +* designed to detect requests in a web server that may result in CSRF, by parsing a given log file derived from a web server with DIVA and verifying whether (and how) the requests in this file had the state of the system changed (named potential unsafe requests) |
| 17 | + |
| 18 | +<br> |
| 19 | + |
| 20 | +--- |
| 21 | + |
| 22 | +### parsing strategies |
| 23 | + |
| 24 | + |
| 25 | +* parsing by regular expressions (REGEXP) (at `/lib/log_parser/strategies/sql/regexp.rb`) |
| 26 | +* parsing into an abstract syntax tree (AST) (at `/lib/log_parser/strategies/sql/ragel.rl`) |
| 27 | + |
| 28 | +<br> |
| 29 | + |
| 30 | +--- |
| 31 | + |
| 32 | +### ragel state machine |
| 33 | + |
| 34 | +* one can generate `.rb` files with: |
| 35 | + |
| 36 | +``` |
| 37 | +ragel -R ragel.rl |
| 38 | +``` |
| 39 | + |
| 40 | + |
| 41 | +* ragel is a state machine compiler and parse generator. |
| 42 | +* it combines lex and yacc into one and build a full state-machine for the input stream, i.e., one state-machine for the parser and lexer. |
| 43 | +* the machine of states parses the SQL request. in an initial state, it receives a string. |
| 44 | +* if in the of the string, the machine is in a final state, the SQL is valid. the AST is a way the machine uses to save the data. |
| 45 | +* the machine can get four initial paths: UPDATE, DELETE, SELECT, INSERT. it saves into the AST when the parse is executed. |
| 46 | + |
| 47 | +``` |
| 48 | +ragel -R ragel.rl | rlgen-dot > ragel.dot |
| 49 | +``` |
| 50 | + |
| 51 | +<br> |
| 52 | + |
| 53 | +--- |
| 54 | + |
| 55 | +### whitelisting |
| 56 | + |
| 57 | +* every time one runs MonCSRF, every the potential unsafe requests will be compared to a whitelist. |
| 58 | +* in the case that program finds a previous similar whitelisted request (i.e., with same syntactic structure), the new request is automatically marked as safe. If the new request is not in the whitelist, the program will generate an alert and ask about its safety. |
| 59 | +* the whitelist file can be inspected at `/white_list`. |
| 60 | + |
| 61 | +<br> |
| 62 | + |
| 63 | +--- |
| 64 | + |
| 65 | +### testings (for developers) |
| 66 | + |
| 67 | +``` |
| 68 | +gem install bundler |
| 69 | +bundle |
| 70 | +spec spec |
| 71 | +``` |
| 72 | + |
| 73 | +<br> |
| 74 | + |
| 75 | +---- |
| 76 | + |
| 77 | +### running |
| 78 | + |
| 79 | +* name the log file: |
| 80 | + |
| 81 | +``` |
| 82 | +bin/parser.rb PATH_TO_THE_LOG |
| 83 | +```` |
| 84 | +
|
| 85 | +and run: |
| 86 | +
|
| 87 | +``` |
| 88 | +./run.sh |
| 89 | +``` |
| 90 | +
|
| 91 | +* run benchmark tests with: |
| 92 | +
|
| 93 | +``` |
| 94 | +./benchmark.sh |
| 95 | +``` |
0 commit comments