Mailing List Archive

mod_perl based web IDS
I'm contemplating writing a web-server based intrusion detection system.

I'll call it WebIntrude, open source, and support contracts may or may not
be sold. I was thinking that I could write a mod_perl handler to
intercept incoming requests, parse, and compare against a db of known
vulnerability issues. If a request comes in that tries to check for the
existence of, or tries to exploit an issue, the handler will notify an
administrator. The rest of the system may or may not be mod_perl based;
you can check out the rest if you are interested at
http://www.knoxlug.org/webintrude/webintrude.html

My question is this:

Is this worth considering? Will it, in concept, place too much load on a
web server? Is it reasonably feasible? Can mod_perl be written sleek
enough not to place a significant load on the server during the
parse/check/notify steps of the handler?

Any comments, tips, or suggestions are welcomed.

I'm not advertising, I'm just wondering if mod_perl will be better, or if
once I get it working in mod_perl, I should consider porting to C.

If this isn't appropriate, I apologize.

J. Horner
jhorner@knoxlug.org http://jjhorner.penguinpowered.com/
12:35pm up 10 days, 16:48, 3 users, load average: 0.00, 0.00, 0.00
Re: mod_perl based web IDS
http://www.knoxlug.org/projects/webintrude/webintrude.html

Sorry about that.

Jon

On Tue, 22 Feb 2000, kevin montuori wrote:

> Date: Tue, 22 Feb 2000 13:38:28 -0500 (EST)
> From: kevin montuori <montuori@acs.neu.edu>
> To: J. Horner <jhorner@2jnetworks.com>
> Subject: Re: mod_perl based web IDS
>
> >>> J Horner writes:
>
> j.
>
> sounds interesting; however,
>
> jh> http://www.knoxlug.org/webintrude/webintrude.html
>
> spot: wget http://www.knoxlug.org/webintrude/webintrude.html
> 13:36:20 ERROR 404: Not Found.
>
> i had difficulty reading more....
>
> cheers,
> k.
>
>

J. Horner
jhorner@knoxlug.org http://jjhorner.penguinpowered.com/
1:15pm up 10 days, 17:28, 3 users, load average: 0.00, 0.00, 0.00
Re: mod_perl based web IDS
On Tue, 22 Feb 2000, Cliff Rayman wrote:

>
> It doesn't sound feasible to me.
> A web server is designed to listen on a port or two and
> handle all sorts of stuff such as access, authentication,
> headers etc. etc..
>
> An IDS needs to listen on an interface to ALL packets for ALL
> ip addresses and ALL ports.. I think this would require a very
> tightly written 'C' program. OR maybe I don't understand what
> it is you are trying to build.
>
> cliff rayman
> genwax.com
>
A typical IDS does this, but I'm just going to limit the scope to a
web-server area. This is only for webservers, so it will only listen for
webserver exploits and only listen to web requests coming in. I'm not
sure what most IDS do, but I don't think they listen to incoming web
requests and report on 404 errors or report on multiple HEAD methods, etc.

Let me know what you think, please.

Jon


J. Horner
jhorner@knoxlug.org http://jjhorner.penguinpowered.com/
1:15pm up 10 days, 17:28, 3 users, load average: 0.00, 0.00, 0.00
Re: mod_perl based web IDS
On Tue, 22 Feb 2000, Vivek Khera wrote:

> >>>>> "JH" == J Horner <jhorner@2jnetworks.com> writes:
>
> JH> Is this worth considering? Will it, in concept, place too much load on a
> JH> web server? Is it reasonably feasible? Can mod_perl be written sleek
>
> My understanding is you want to check for known exploits of apache and
> or other web servers and then let the connection continue as normal?
> Right?
>

You are correct, sir. It will only alert, since most people want to know
what is going on so they can trace and prosecute.

>
> JH> I'm not advertising, I'm just wondering if mod_perl will be better, or if
> JH> once I get it working in mod_perl, I should consider porting to C.
>
> I might go this route, with a rules-based module that can be built
> into any Apache. For non-mod_perl servers it will definitely be
> better, and can be inserted into a front-end proxy server that many
> people around here use.
>
> It seems to me that such a module would really only be useful for
> sites that act as hacker-traps rather than a general web server
> machine.

Well, I would like to make this available to sites that do e-commerce,
gubment stuff, and really paranoid people. Who knows? I might even get a
gubment contract! "Hello, Easy Street!"

Thanks,
Jon

J. Horner
jhorner@knoxlug.org http://jjhorner.penguinpowered.com/
1:25pm up 10 days, 17:38, 3 users, load average: 0.00, 0.00, 0.00
Re: mod_perl based web IDS
It doesn't sound feasible to me.
A web server is designed to listen on a port or two and
handle all sorts of stuff such as access, authentication,
headers etc. etc..

An IDS needs to listen on an interface to ALL packets for ALL
ip addresses and ALL ports.. I think this would require a very
tightly written 'C' program. OR maybe I don't understand what
it is you are trying to build.

cliff rayman
genwax.com

"J. Horner" wrote:

> I'm contemplating writing a web-server based intrusion detection system.
>
> I'll call it WebIntrude, open source, and support contracts may or may not
> be sold. I was thinking that I could write a mod_perl handler to
> intercept incoming requests, parse, and compare against a db of known
> vulnerability issues. If a request comes in that tries to check for the
> existence of, or tries to exploit an issue, the handler will notify an
> administrator. The rest of the system may or may not be mod_perl based;
> you can check out the rest if you are interested at
> http://www.knoxlug.org/webintrude/webintrude.html
>
> My question is this:
>
> Is this worth considering? Will it, in concept, place too much load on a
> web server? Is it reasonably feasible? Can mod_perl be written sleek
> enough not to place a significant load on the server during the
> parse/check/notify steps of the handler?
>
> Any comments, tips, or suggestions are welcomed.
>
> I'm not advertising, I'm just wondering if mod_perl will be better, or if
> once I get it working in mod_perl, I should consider porting to C.
>
> If this isn't appropriate, I apologize.
>
> J. Horner
> jhorner@knoxlug.org http://jjhorner.penguinpowered.com/
> 12:35pm up 10 days, 16:48, 3 users, load average: 0.00, 0.00, 0.00
Re: mod_perl based web IDS
>>>>> "JH" == J Horner <jhorner@2jnetworks.com> writes:

JH> Is this worth considering? Will it, in concept, place too much load on a
JH> web server? Is it reasonably feasible? Can mod_perl be written sleek

My understanding is you want to check for known exploits of apache and
or other web servers and then let the connection continue as normal?
Right?


JH> enough not to place a significant load on the server during the
JH> parse/check/notify steps of the handler?

The existence of mod_perl in a server causes load due to extra memory
requirements. Other than that, it shouldn't be much more of a CPU
load than an equivalent C program, but then again, it might be ;-)

JH> I'm not advertising, I'm just wondering if mod_perl will be better, or if
JH> once I get it working in mod_perl, I should consider porting to C.

I might go this route, with a rules-based module that can be built
into any Apache. For non-mod_perl servers it will definitely be
better, and can be inserted into a front-end proxy server that many
people around here use.

It seems to me that such a module would really only be useful for
sites that act as hacker-traps rather than a general web server
machine.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-301-545-6996
PGP & MIME spoken here http://www.kciLink.com/home/khera/
Re: mod_perl based web IDS
"J. Horner" wrote:
>
> I'm contemplating writing a web-server based intrusion detection system.
>
> I'll call it WebIntrude, open source, and support contracts may or may not
> be sold. I was thinking that I could write a mod_perl handler to
> intercept incoming requests, parse, and compare against a db of known
> vulnerability issues. If a request comes in that tries to check for the
> existence of, or tries to exploit an issue, the handler will notify an
> administrator. The rest of the system may or may not be mod_perl based;
> you can check out the rest if you are interested at
> http://www.knoxlug.org/webintrude/webintrude.html
>
> My question is this:
>
> Is this worth considering? Will it, in concept, place too much load on a
> web server? Is it reasonably feasible? Can mod_perl be written sleek
> enough not to place a significant load on the server during the
> parse/check/notify steps of the handler?
>

It would be very easy to write, would be computationally inexpensive
if done correctly, and would be a useful security tool.

I would recommend having user config options for customizable
exclude and include lists, as well as a function people could
override which would be called to take action. For example,
I could log it to my syslogd, which is already monitored by swatch.
Others might want this to be sent as an email, or entered into a
database, etc. By default, the action handler could just write
to the apache error log.

-- Joshua
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NodeWorks >> free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
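An added illustration of the handler design Joshua describes above (exclude and include lists, an overridable action routine that by default writes to the Apache error log); this is example code written for this archive page, not code from the WebIntrude project, and it assumes the mod_perl 1.x / Apache 1.3 request API of the time, with the package name, rule patterns and list contents being constructed placeholders.

```perl
# Apache::WebIntrude: illustrative mod_perl 1.x (Apache 1.3) init handler.
# Assumed API: $r->method, $r->uri, $r->args, $r->connection->remote_ip,
# $r->log_error. Package name, rules and list contents are constructed.
package Apache::WebIntrude;
use strict;
use Apache::Constants qw(DECLINED);
# Constructed signature list: name => regex over "METHOD URI?ARGS".
# A real deployment would load this from the vulnerability db instead.
my %RULES = (
    'path traversal' => qr{(?:^|/)\.\.(?:/|\z)},
    'null byte'      => qr{%00},
    'placeholder'    => qr{/EXAMPLE-KNOWN-ISSUE-PATH},  # stand-in, not a real issue
);

# Exclude list: paths never reported (e.g. a site's own health check).
# Include list: when non-empty, only these paths are inspected at all.
my @EXCLUDE = (qr{^/status\z});
my @INCLUDE = ();
# Overridable action; the default writes to the Apache error log.
# A startup.pl may replace it: $Apache::WebIntrude::Action = \&syslog_alert;
our $Action = \&default_action;

sub default_action {
    my ($r, $rule, $line) = @_;
    $r->log_error(sprintf 'WebIntrude: [%s] rule=%s request=%s',
                  $r->connection->remote_ip, $rule, $line);
}
# Pure matching step, kept free of Apache objects so it can be unit-tested.
# Returns the name of the first matching rule, or undef.
sub check_request {
    my ($line, $path) = @_;
    return undef if @INCLUDE && !grep { $path =~ $_ } @INCLUDE;
    return undef if grep { $path =~ $_ } @EXCLUDE;
    for my $name (sort keys %RULES) {
        return $name if $line =~ $RULES{$name};
    }
    return undef;
}

# httpd.conf:  PerlInitHandler Apache::WebIntrude
sub handler {
    my $r    = shift;
    my $line = join ' ', $r->method, $r->uri . ($r->args ? '?' . $r->args : '');
    if (defined(my $rule = check_request($line, $r->uri))) {
        $Action->($r, $rule, $line);
    }
    return DECLINED;   # alert only; the request proceeds as normal
}
1;
```

Returning DECLINED keeps the handler purely an observer, matching the "only alert" behaviour discussed in the thread; the per-request cost is one regex pass per rule over the request line.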
Re: mod_perl based web IDS
Cliff Rayman wrote:
>
> It doesn't sound feasible to me.
> A web server is designed to listen on a port or two and
> handle all sorts of stuff such as access, authentication,
> headers etc. etc..
>
> An IDS needs to listen on an interface to ALL packets for ALL
> ip addresses and ALL ports.. I think this would require a very
> tightly written 'C' program. OR maybe I don't understand what
> it is you are trying to build.
>

A simple kernel level packet filter like IPFilter already does
99% of what you need at the ip level, but after you have locked
down your webserver with a kernel level firewall, you still
have arbitrary traffic hitting your web server on port 80,
since you allow this in general.

I think a mod_perl web hacking detection system would be a
nice touch, where the web script kiddies could trip an alarm
even on my web server. I guess this person's system would fall
under the realm of application level filtering which usually
falls to commercial firewalls for implementation.

-- Joshua
_________________________________________________________________
Joshua Chamas Chamas Enterprises Inc.
NodeWorks >> free web link monitoring Huntington Beach, CA USA
http://www.nodeworks.com 1-714-625-4051
Re: mod_perl based web IDS
According to J. Horner:
> >
> A typical IDS does this, but I'm just going to limit the scope to a
> web-server area. This is only for webservers, so it will only listen for
> webserver exploits and only listen to web requests coming in. I'm not
> sure what most IDS do, but I don't think they listen to incoming web
> requests and report on 404 errors or report on multiple HEAD methods, etc.
>
> Let me know what you think, please.

Why not just add a stack of RewriteRules to bounce URLs of known
exploits to a set of appropriate handlers? The real problem is
that there generally isn't an appropriate action to take. If the
exploit came from a real browser you could issue a client redirect
to another box so they wouldn't bother your real users, but it
is probably just a program that is going to continue probing
anyway.

Les Mikesell
les@mcs.com
Re: mod_perl based web IDS
You are only monitoring WWW based services?

Apache is capable of almost being a tcp_wrappers drop-in.
____________________________________________________________________
Bill Jones * Systems Programmer * http://www.fccj.org/cgi/mail?sneex

('> Running -
//\ Perl, Apache, MySQL, PHP3,
v_/_ Ultra 10, LinuxPPC, BeOS...


> From: "J. Horner" <jhorner@2jnetworks.com>
> Date: Tue, 22 Feb 2000 13:17:53 -0500 (EST)
> To: modperl@apache.org
> Subject: Re: mod_perl based web IDS
>
> http://www.knoxlug.org/projects/webintrude/webintrude.html