Web Application Profiles
Writing application-specific rule sets is a tedious task. The ModSecurity module provides a powerful language for protecting applications against a wide range of attacks, provided the rules are properly written and organized. Unfortunately, the low-level rule language is something of a double-edged sword: it lets experienced users write good and complex rules, but often leaves inexperienced users frustrated, since they cannot achieve their goals without a deep understanding of the rule language. Moreover, when it comes to rule sets that follow a positive security model (accept only what is explicitly allowed and reject everything else), complex applications usually imply comprehensive and complex rule sets. With the concept of Web Application Profiles proposed in this project we pursue several goals for simplifying the creation of such white-listing based rule sets:
- Create an abstract language for defining rules in a user-understandable and intuitive way
- Make it possible to automatically generate ModSecurity rules from the given XML based Web Application Profiles.
- Provide a simple graphical editor for visualizing and modifying the profiles.
- Allow for the integration of other components, e.g. the REMO editor, by creating import and export interfaces using the simple XML that the language is based on.
- Provide other tools for handling the XML based profiles, such as the WebApplicationProfiler, which tries to automatically learn the profiles from access-log or audit-log data.
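As an added illustration of what "generating ModSecurity rules from an XML-based profile" amounts to in practice, the following Python script turns a small profile into a white-listing rule set. This is example code written for this page, not the project's generator or its profile format: the `<profile>`/`<resource>`/`<parameter>` layout, the constructed `SAMPLE_PROFILE`, and the helper names are assumptions. What it does show is the shape of a positive security model in ModSecurity rule language: per resource, only the listed methods, parameter names and value patterns pass, required parameters must be present, and a final catch-all denies every path the profile does not describe.

```python
"""Generate a positive-security (whitelist) ModSecurity rule set from a small
XML web application profile.

The XML layout used here (<profile>/<resource>/<parameter>) is an assumption
made for this example; it is not the project's own profile schema.  Only the
idea of deriving rules from a profile is illustrated.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample profile in the assumed format: two resources, each with
# its allowed HTTP methods and the parameters it accepts.
SAMPLE_PROFILE = r"""<profile name="demo-app">
  <resource path="/login" methods="POST">
    <parameter name="username" pattern="[a-z0-9_]{3,32}" required="true"/>
    <parameter name="password" pattern=".{8,128}" required="true"/>
  </resource>
  <resource path="/search" methods="GET">
    <parameter name="q" pattern="[\w ]{1,64}"/>
  </resource>
</profile>
"""


def _check_pattern(pattern):
    """Reject obviously broken patterns early.  Python's re is only an
    approximation of ModSecurity's PCRE, but it catches typos in a profile."""
    try:
        re.compile(pattern)
    except re.error as exc:
        raise ValueError("bad pattern %r: %s" % (pattern, exc))
    if '"' in pattern:
        raise ValueError("double quotes are not supported in patterns")
    return pattern


def _deny_head(path, rule_id, msg):
    """First rule of a chain: match the resource path; the deny only fires if
    the chained condition matches too.  Disruptive actions go on the first rule."""
    return ('SecRule REQUEST_FILENAME "@streq %s" '
            '"id:%d,phase:2,deny,status:403,chain,msg:\'%s\'"' % (path, rule_id, msg))


def generate_rules(profile_xml, base_id=1000):
    """Return a list of ModSecurity rule lines implementing the profile as a
    positive security model: anything the profile does not list is denied."""
    root = ET.fromstring(profile_xml)
    rules, paths = [], []
    next_id = base_id

    for res in root.findall("resource"):
        path = res.get("path")
        methods = res.get("methods", "GET").split()
        params = res.findall("parameter")
        paths.append(path)

        # 1. Only the listed HTTP methods are allowed for this resource.
        next_id += 1
        rules.append(_deny_head(path, next_id, "method not allowed for " + path))
        rules.append('    SecRule REQUEST_METHOD "!@within %s"' % " ".join(methods))

        # 2. Only the listed parameter names may appear: any other name fails
        #    the negated regex and triggers the deny.  \z instead of $ so that
        #    a trailing newline cannot slip past the anchor.
        next_id += 1
        rules.append(_deny_head(path, next_id, "unknown parameter for " + path))
        if params:
            names = "|".join(re.escape(p.get("name")) for p in params)
            rules.append('    SecRule ARGS_NAMES "!@rx ^(?:%s)\\z"' % names)
        else:
            rules.append('    SecRule &ARGS "!@eq 0"')

        # 3. Each parameter value must match its whitelist pattern.
        for p in params:
            name, pattern = p.get("name"), _check_pattern(p.get("pattern", ".*"))
            next_id += 1
            rules.append(_deny_head(path, next_id, "invalid value for " + name))
            rules.append('    SecRule ARGS:%s "!@rx ^(?:%s)\\z"' % (name, pattern))

        # 4. Required parameters must be present (&ARGS:name counts occurrences).
        for p in params:
            if p.get("required") == "true":
                next_id += 1
                rules.append(_deny_head(path, next_id, "missing parameter " + p.get("name")))
                rules.append('    SecRule &ARGS:%s "@eq 0"' % p.get("name"))

    # 5. Catch-all: any path the profile does not describe is denied.
    next_id += 1
    rules.append('SecRule REQUEST_FILENAME "!@rx ^(?:%s)\\z" '
                 '"id:%d,phase:2,deny,status:403,msg:\'resource not in profile\'"'
                 % ("|".join(re.escape(p) for p in paths), next_id))
    return rules


if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_PROFILE)))
```

Running the script prints the rule set for the sample profile; `base_id` should be chosen so the generated ids do not collide with any other rule set loaded on the same server, and the output uses ModSecurity 2.x syntax (chained rules carry the disruptive action on the first rule only). As with any generated whitelist, review the result before deploying it: a profile that is too tight produces false positives on legitimate requests, and one that is too loose (for example a `.*` value pattern) adds no protection for that parameter.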
Concept
The idea of an abstract language for writing web application policies is not new. However, there has been little tool support, in particular open-source tools, for creating policies in an interchangeable format. The profiles this project deals with are created with a simple standalone Java application, so profiles can be written on a wide range of systems, even if the ModSecurity filter itself is deployed on a different architecture. The workflow for creating profiles and generating rule sets is depicted in the following figure: