
Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director, Oracle iPlanet Web Server

  • November 18, 2009

More on Intrusion Detection

I found that the experimental Intrusion Detection module described in my previous blog does not work as expected when an external plugin's AuthTrans SAF is added to the obj.conf request processing and that SAF returns REQ_PROCEED. The server stops executing AuthTrans directives at the first one that returns REQ_PROCEED, so the internal SAF that installs the SecRule filters never runs and the rules in id.conf are not applied to that request. This is probably rare in customer deployments. I will try to fix it in the next update release or the next major release and will let you know when it is fixed.

My id.conf:

    SecRuleEngine on
    SecRequestBodyAccess on
    SecRule REQUEST_BODY "junk"

Case 1: I created a dummy plugin with an AuthTrans function, myauth1, which just returns REQ_NOACTION; with this plugin the module works fine. (Look at
<ws7-install-dir>/samples/nsapi/ for examples of how to create a plugin.)

    #ifdef XP_WIN32
    #define NSAPI_PUBLIC __declspec(dllexport)
    #else /* !XP_WIN32 */
    #define NSAPI_PUBLIC
    #endif /* !XP_WIN32 */
    #include "nsapi.h"

    /* AuthTrans SAF that does nothing: REQ_NOACTION lets the server go on
       to the next AuthTrans directive. */
    extern "C"
    NSAPI_PUBLIC int myauth1(pblock *pb, Session *sn, Request *rq)
    {
        return REQ_NOACTION;
    }

Added to magnus.conf (obj.conf also needs an AuthTrans fn="myauth1" directive, which is what the log below shows executing):

    Init fn="load-modules" shlib="myauth.so" funcs="myauth1"

Error logs in that case show:

    ...
    ... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
    ... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)
    ... func_exec reports: executing fn="myauth1" Directive="AuthTrans"
    ... func_exec reports: fn="myauth1" Directive="AuthTrans" returned -2 (REQ_NOACTION)
    ... func_exec reports: executing fn="magnus-internal/secrule-filters-insert"
    ... func_exec reports: fn="magnus-internal/secrule-filters-insert" returned -2 (REQ_NOACTION)
    ... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
    ...

Case 2: When I change this AuthTrans SAF to return REQ_PROCEED, the module does not work as expected:

    #ifdef XP_WIN32
    #define NSAPI_PUBLIC __declspec(dllexport)
    #else /* !XP_WIN32 */
    #define NSAPI_PUBLIC
    #endif /* !XP_WIN32 */
    #include "nsapi.h"

    /* AuthTrans SAF that claims the request: REQ_PROCEED ends the AuthTrans
       stage, so no later AuthTrans directive runs for this request. */
    extern "C"
    NSAPI_PUBLIC int myauth2(pblock *pb, Session *sn, Request *rq)
    {
        return REQ_PROCEED;
    }

Added to magnus.conf (with the matching AuthTrans fn="myauth2" directive in obj.conf):

    Init fn="load-modules" shlib="myauth.so" funcs="myauth2"

Error logs in that case show:

    ... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
    ... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)
    ... func_exec reports: executing fn="myauth2" Directive="AuthTrans"
    ... func_exec reports: fn="myauth2" Directive="AuthTrans" returned 0 (REQ_PROCEED)
    ... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
    ...

Note that fn="magnus-internal/secrule-filters-insert" is not executed here: the REQ_PROCEED from myauth2 ended the AuthTrans stage before the server reached it, so the SecRule filters are never installed and the id.conf rules are not applied to the request.

One workaround is to add the secrule-filters-insert SAF to obj.conf above your ExternalPluginAuthTransSAF directive, so that it runs before the external SAF can end the stage:

    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    AuthTrans fn="magnus-internal/secrule-filters-insert"
    AuthTrans fn="ExternalPluginAuthTransSAF"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    ...
    </Object>

This works when ExternalPluginAuthTransSAF returns REQ_PROCEED, but when it returns REQ_NOACTION the filters are added twice: the explicit directive runs, and because nothing ended the stage the server's own secrule-filters-insert runs again at the end of the AuthTrans directives, as it did in the case 1 log above.


To avoid that, build a dynamic library of the myauth2 plugin shown above (loaded with the same Init fn="load-modules" line as in case 2) and put it below ExternalPluginAuthTransSAF, so that a REQ_PROCEED always ends the AuthTrans stage before the internal copy of secrule-filters-insert would run:

    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    AuthTrans fn="magnus-internal/secrule-filters-insert"
    AuthTrans fn="ExternalPluginAuthTransSAF"
    AuthTrans fn="myauth2"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    ...
    </Object>

Keep in mind that myauth2 ends the AuthTrans stage for every request, so any AuthTrans directive placed after it will never run.
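To check that the three obj.conf orderings above (case 1 and case 2, the explicit insert above the external SAF, and the insert plus the myauth2 terminator) really do install the filters zero, one or two times per request, here is an added example that is not code from the original post or from the web server. It models the AuthTrans stage as reconstructed from the error logs in the post and is built on two assumptions drawn from those logs: AuthTrans directives run in obj.conf order until one returns REQ_PROCEED, which ends the stage (case 2 log), and with id.conf enabled the server appends its own magnus-internal/secrule-filters-insert after the user's AuthTrans directives (case 1 log, where it runs although obj.conf does not list it). The ExternalPluginAuthTransSAF stand-in and its switchable return value are hypothetical; the return codes come from the logs. It compiles without nsapi.h.

```c
/*
 * Added example, not from the original post or the web server. Models the
 * AuthTrans stage of obj.conf as inferred from the post's error logs:
 *   (1) directives run in order until one returns REQ_PROCEED (assumption);
 *   (2) the server appends its own magnus-internal/secrule-filters-insert
 *       after the user's AuthTrans directives when id.conf is on (assumption).
 */
#include <stdio.h>

#define REQ_PROCEED   0   /* values as printed in the post's error logs */
#define REQ_NOACTION -2

typedef int (*saf_fn)(void);
typedef struct { const char *name; saf_fn fn; } directive;

/* Per-request state: how many times the SecRule filters were installed. */
static int filters_inserted;
/* What the hypothetical ExternalPluginAuthTransSAF returns in this scenario. */
static int external_result;

static int match_browser(void)          { return REQ_NOACTION; }
static int secrule_filters_insert(void) { filters_inserted++; return REQ_NOACTION; }
static int myauth1(void)                { return REQ_NOACTION; } /* case 1 plugin */
static int myauth2(void)                { return REQ_PROCEED;  } /* case 2 plugin */
static int external_plugin(void)        { return external_result; }

/* Run one request through the AuthTrans stage for the given user ordering,
 * then the server's internal secrule-filters-insert unless the stage already
 * ended; returns how many times the filters were inserted. */
static int run_authtrans(const directive *user, int n_user, int external_ret)
{
    const directive internal = { "magnus-internal/secrule-filters-insert",
                                 secrule_filters_insert };
    int i;
    filters_inserted = 0;
    external_result = external_ret;
    for (i = 0; i <= n_user; i++) {
        const directive *d = (i < n_user) ? &user[i] : &internal;
        int rc = d->fn();
        printf("  fn=\"%s\" returned %d (%s)\n", d->name, rc,
               rc == REQ_PROCEED ? "REQ_PROCEED" : "REQ_NOACTION");
        if (rc == REQ_PROCEED)
            break;              /* first REQ_PROCEED ends the stage */
    }
    return filters_inserted;
}

/* The obj.conf orderings discussed in the post. */
static const directive case1[] = {
    { "match-browser", match_browser }, { "myauth1", myauth1 } };
static const directive case2[] = {
    { "match-browser", match_browser }, { "myauth2", myauth2 } };
static const directive insert_above[] = {
    { "match-browser", match_browser },
    { "magnus-internal/secrule-filters-insert", secrule_filters_insert },
    { "ExternalPluginAuthTransSAF", external_plugin } };
static const directive insert_above_terminated[] = {
    { "match-browser", match_browser },
    { "magnus-internal/secrule-filters-insert", secrule_filters_insert },
    { "ExternalPluginAuthTransSAF", external_plugin },
    { "myauth2", myauth2 } };

#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

int scenario_case1(void) { return run_authtrans(case1, N(case1), REQ_NOACTION); }
int scenario_case2(void) { return run_authtrans(case2, N(case2), REQ_NOACTION); }
int scenario_insert_above(int ext)
{ return run_authtrans(insert_above, N(insert_above), ext); }
int scenario_insert_above_terminated(int ext)
{ return run_authtrans(insert_above_terminated, N(insert_above_terminated), ext); }

int main(void)
{
    printf("case 1:\n  filters inserted %d time(s)\n", scenario_case1());
    printf("case 2:\n  filters inserted %d time(s)\n", scenario_case2());
    printf("insert above, external REQ_PROCEED:\n  %d time(s)\n",
           scenario_insert_above(REQ_PROCEED));
    printf("insert above, external REQ_NOACTION:\n  %d time(s)\n",
           scenario_insert_above(REQ_NOACTION));
    printf("insert above + myauth2, external REQ_PROCEED:\n  %d time(s)\n",
           scenario_insert_above_terminated(REQ_PROCEED));
    printf("insert above + myauth2, external REQ_NOACTION:\n  %d time(s)\n",
           scenario_insert_above_terminated(REQ_NOACTION));
    return 0;
}
```

The counts it produces are the ones the post describes: one insert for case 1, none for case 2 (the request is never inspected), one or two for the explicit insert depending on what the external SAF returns, and exactly one once myauth2 terminates the stage. When checking a real deployment, the same thing is visible in the error log at the log level used in the post: count the "executing fn="magnus-internal/secrule-filters-insert"" lines per request and expect exactly one.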


Comments (3)
  • Colin Renouf Thursday, August 5, 2010

    Meena

    This stuff is really good. I'm a bit confused though as I don't know where to start with this intrusion detection feature and haven't found a reference example.

    With Apache and modsecurity I download the package, install it as per the config, and the basic rules are enabled. I can then add rules later.

    With this feature do I still download the modsecurity ruleset and cut and paste the ones I want into my "myrules.txt" equivalent, and then what do I do with the .data files?

    How would you approach this or can you point me to somewhere where the approach is written down?

    Cheers

    Colin


  • Meena Sunday, August 8, 2010

    Where did you download the exact ruleset from? Yes, copy all the files into one and manually remove the keywords our implementation doesn't support. Only the keywords in http://blogs.sun.com/meena/entry/intrusion_detection_in_sun_java are supported.


  • Matt Pohlman Tuesday, November 1, 2011

    This is good stuff. My question is: is this solution now supported in any of the latest Oracle iPlanet Web Server releases? Is this still just experimental?

    thank you

