After years of running WAFs using the Core Rule Set I wanted a way to detect known malicious users before they get a chance to send their attack payloads. Normally, when an attacker sends their payload, the contents of the request are checked via ModSecurity using the Core Rule Set (CRS). The CRS is essentially a large blacklist, which means that the payload either matches or passes. There is no middle ground. Attackers normally perform reconnaissance before they attack, which may or may not contain malicious payloads. Ideally we want to stop known malicious attackers as early as possible, i.e. via an IP reputation background check, and not wait for them to send their attack.
As a result, I started on the Open Fraud Detection Project (OFDEP) which aims at providing a free community supported API that ModSecurity can query to receive a score indicating the odds that a given user / transaction is bad. The WAF can then make a decision on how to proceed based on the score. At the moment the API is Beta quality and supports IP, email address and username lookups. Query results are currently returned in XML but JSON will be supported shortly.

The most common use cases that I tried to cover are:

o IP reputation
o comment spam
o account creation fraud

For specific API details see: http://wafsec.com/api.html

--
- Josh
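The score-gating idea above, as an added example that is not OFDEP or ModSecurity code: a small decision layer that parses a reputation response, maps the score to an early action, caches results so the API is not hit on every request, and fails open (falls through to normal CRS payload inspection) when the lookup is unavailable. The XML layout, the 0-100 score range and the thresholds are assumptions, since the page does not document the API schema.

```python
"""Reputation-score gating in front of payload inspection (added example)."""
import time
import xml.etree.ElementTree as ET

# Constructed response; the real OFDEP XML schema is not given on the page.
SAMPLE_XML = '<response><lookup type="ip" value="203.0.113.7"/><score>87</score></response>'

LOOKUP_KINDS = ("ip", "email", "username")  # lookup types the post mentions
ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"


def parse_score(xml_text):
    """Return the integer score (assumed 0-100) or None if the reply is unusable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("score")
    if node is None or node.text is None:
        return None
    try:
        score = int(node.text.strip())
    except ValueError:
        return None
    return score if 0 <= score <= 100 else None


def decide(score, block_at=80, challenge_at=50):
    """Map a score to an early WAF action. A missing score fails open to ALLOW:
    the request still goes through normal CRS inspection later, so an API
    outage degrades to today's behaviour instead of blocking everyone."""
    if score is None:
        return ALLOW
    if score >= block_at:
        return BLOCK
    if score >= challenge_at:
        return CHALLENGE
    return ALLOW


class ScoreCache:
    """TTL cache keyed by (kind, value) so repeat visitors cost no API round-trip."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl, self.now, self._store = ttl_seconds, now, {}

    def put(self, kind, value, score):
        if kind not in LOOKUP_KINDS:
            raise ValueError("unsupported lookup kind: %s" % kind)
        self._store[(kind, value)] = (score, self.now() + self.ttl)

    def get(self, kind, value):
        entry = self._store.get((kind, value))
        if entry is None or entry[1] < self.now():
            self._store.pop((kind, value), None)
            return None  # miss or expired: caller performs a fresh lookup
        return entry[0]
```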
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set