haproxy/contrib/mod_defender
Christopher Faulet 48d02d0d21 BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags
A recent fix on the SPOE revealed a mismatch between the SPOE specification and
the mod_defender implementation on the way flags are encoded or decoded. They
must be exchanged using the network bytes order and not the host one.

Be careful though, this patch breaks the compatiblity with HAProxy SPOE before
commit c4dcaff3 ("BUG/MEDIUM: spoe: Flags are not encoded in network order").
2018-05-18 15:06:18 +02:00
..
defender.c BUG/MINOR: contrib/mod_defender: close the va_list argp before return 2017-09-18 11:18:09 +02:00
defender.h
Makefile BUILD: Fix LDFLAGS vs. LIBS re linking order in various makefiles 2017-12-02 14:36:15 +01:00
README
spoa.c BUG/MEDIUM: contrib/mod_defender: Use network order to encode/decode flags 2018-05-18 15:06:18 +02:00
spoa.h
standalone.c
standalone.h

                       --------------------------
                        Mod Defender for HAProxy
                       --------------------------


This is a service that talks SPOE protocol and uses the Mod Defender
(https://github.com/VultureProject/mod_defender) functionality to detect
HTTP attacks. It returns a HTTP status code to indicate whether the request
is suspicious or not, based on NAXSI rules. The value of the returned code
can be used in HAProxy rules to determine if the HTTP request should be
blocked/rejected.

Unlike ModSecurity, Mod Defender is a whitelist based WAF (everything is
disallowed, unless there are rules saying otherwise). It's a partial
replication of NAXSI and it uses NAXSI compatible rules configuration
format.


1) How to build it
------------------

Required packages :

    * Mod Defender source (https://github.com/VultureProject/mod_defender)
    * Asynchronous event notification library and headers (libevent)
    * Apache 2 (>= 2.4) development headers
    * APR library and headers
    * GNU C (gcc) and C++ (g++) >= 4.9
    * GNU Standard C++ Library v3 (libstdc++)
    * GNU Make


Compile the source :

    $ make MOD_DEFENDER_SRC=/path/to/mod_defender_src


2) Configuration
----------------

Download the Naxsi core rules file :

    $ wget -O /path/to/core.rules \
    https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules


Create the Mod Defender configuration file. For example :

    # Defender toggle
    Defender On
    # Match log path
    MatchLog /path/to/defender_match.log
    # JSON Match log path
    JSONMatchLog /path/to/defender_json_match.log
    # Request body limit
    RequestBodyLimit 8388608
    # Learning mode toggle
    LearningMode Off
    # Extensive Learning log toggle
    ExtensiveLog Off
    # Libinjection SQL toggle
    LibinjectionSQL On
    # Libinjection XSS toggle
    LibinjectionXSS On

    # Rules
    Include /path/to/core.rules

    # Score action
    CheckRule "$SQL >= 8" BLOCK
    CheckRule "$RFI >= 8" BLOCK
    CheckRule "$TRAVERSAL >= 4" BLOCK
    CheckRule "$EVADE >= 4" BLOCK
    CheckRule "$XSS >= 8" BLOCK
    CheckRule "$UPLOAD >= 8" BLOCK

    # Whitelists
    # ....


Next step is to configure the SPOE for use with the Mod Defender service.
Example configuration (args elements order is important) :

    [mod_defender]

    spoe-agent mod-defender-agent
        messages check-request
        option   var-prefix    defender
        timeout  hello         100ms
        timeout  idle          30s
        timeout  processing    15ms
        use-backend spoe-mod-defender

    spoe-message check-request
        args src unique-id method path query req.ver req.hdrs_bin req.body
        event on-frontend-http-request


The engine is in the scope "mod_defender". To enable it, you must set the
following line in a frontend/listener section :

    frontend my_frontend
        ...
        filter spoe engine mod_defender config /path/to/spoe-mod-defender.conf
        ...


Also, we must define the "spoe-mod-defender" backend in HAProxy configuration :

    backend spoe-mod-defender
      mode tcp
      balance roundrobin
      timeout connect 5s
      timeout server  3m
      server defender1 127.0.0.1:12345


The Mod Defender status is returned in a variable "sess.defender.status" --
it contains the returned HTTP status code. The request is considered
malicious if the variable contains value greater than zero.

The following rule can be used to reject all suspicious HTTP requests :

    http-request deny if { var(sess.defender.status) -m int gt 0 }


3) Start the service
--------------------

To start the service, you need to use "defender" binary :

    $ ./defender -h
    Usage : ./defender [OPTION]...
        -h                   Print this message
        -f <config-file>     Mod Defender configuration file
        -l <log-file>        Mod Defender log file
        -d                   Enable the debug mode
        -m <max-frame-size>  Specify the maximum frame size (default : 16384)
        -p <port>            Specify the port to listen on (default : 12345)
        -n <num-workers>     Specify the number of workers (default : 10)
        -c <capability>      Enable the support of the specified capability
        -t <time>            Set a delay to process a message (default: 0)
                               The value is specified in milliseconds by default,
                               but can be in any other unit if the number is suffixed
                               by a unit (us, ms, s)

        Supported capabilities: fragmentation, pipelining, async

Example:

    $ ./defender -n 4 -f /path/to/mod_defender.conf -d -l /path/to/error.log


4) Known bugs and limitations
-----------------------------

In its current state, the module is limited by haproxy to the analysis of
the first buffer. One workaround may consist in significantly increasing
haproxy's buffer size.