December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Recipe 14-7: Proxying Traffic to Honeypots
This recipe shows you how to use ModSecurity’s proxy action to transparently forward traffic to a separate honeypot web application.
Ingredients
- ModSecurity
- setvar action
- proxy action
Recipe 14-6 demonstrated how to use deception methods to make our web application appear to be vulnerable to SQL Injection. We can take this concept a step further and choose to send identified attacker traffic away from our site and instead have attackers transparently interact with a separate web honeypot application system.
One method of implementing this proxy technique is to simply modify the existing anomaly scoring evaluation rule. By adding the following directive to our configuration, if the anomaly score value for a transaction exceeds our threshold, it sets a new variable in the IP persistent storage:
SecRuleUpdateActionById 981176:3 "setvar:ip.proxy_to_honeypot=1"This updated rule flags malicious traffic from this client and sets the IP variable. Any future requests from this client then trigger the following rule, which proxies the connections to our honeypot web application at IP address 192.168.1.110:
SecRule IP:PROXY_TO_HONEYPOT "@eq 1" "id:'999888',phase:2,t:none,
log,msg:'Proxying Known Attacker Traffic to Honeypot Host.',
proxy:'http://192.168.1.110%{REQUEST_URI}'"To test how these rules work, let’s look at an example where a malicious client starts a SQL Injection attack against our WordPress login page. We receive the following ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.