commit 59bb97a19279610b2cbae996bd726c8336cb1a02
author Dragan Dosen <ddosen@haproxy.com> Fri Jun 02 12:03:16 2017 +0200
committer Willy Tarreau <w@1wt.eu> Fri Jun 02 12:14:55 2017 +0200
tree 2f4880fa8015fe9c3dd07c6d426f79529e205f59
parent 9ac143b6070e78afa3086b676f1049c6eb93cc13

MINOR: Add Mod Defender integration as contrib

This is a service that talks SPOE protocol and uses the Mod Defender (a
NAXSI clone) functionality to detect HTTP attacks. It returns a HTTP
status code to indicate whether the request is suspicious or not, based on
NAXSI rules. The value of the returned code can be used in HAProxy rules
to determine if the HTTP request should be blocked/rejected.

contrib/mod_defender/README

diff --git a/contrib/mod_defender/README b/contrib/mod_defender/README
new file mode 100644
index 0000000..f417773
--- /dev/null
+++ b/contrib/mod_defender/README
@@ -0,0 +1,159 @@
+                       --------------------------
+                        Mod Defender for HAProxy
+                       --------------------------
+
+
+This is a service that talks SPOE protocol and uses the Mod Defender
+(https://github.com/VultureProject/mod_defender) functionality to detect
+HTTP attacks. It returns a HTTP status code to indicate whether the request
+is suspicious or not, based on NAXSI rules. The value of the returned code
+can be used in HAProxy rules to determine if the HTTP request should be
+blocked/rejected.
+
+Unlike ModSecurity, Mod Defender is a whitelist based WAF (everything is
+disallowed, unless there are rules saying otherwise). It's a partial
+replication of NAXSI and it uses NAXSI compatible rules configuration
+format.
+
+
+1) How to build it
+------------------
+
+Required packages :
+
+    * Mod Defender source (https://github.com/VultureProject/mod_defender)
+    * Asynchronous event notification library and headers (libevent)
+    * Apache 2 (>= 2.4) development headers
+    * APR library and headers
+    * GNU C (gcc) and C++ (g++) >= 4.9
+    * GNU Standard C++ Library v3 (libstdc++)
+    * GNU Make
+
+
+Compile the source :
+
+    $ make MOD_DEFENDER_SRC=/path/to/mod_defender_src
+
+
+2) Configuration
+----------------
+
+Download the Naxsi core rules file :
+
+    $ wget -O /path/to/core.rules \
+    https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules
+
+
+Create the Mod Defender configuration file. For example :
+
+    # Defender toggle
+    Defender On
+    # Match log path
+    MatchLog /path/to/defender_match.log
+    # JSON Match log path
+    JSONMatchLog /path/to/defender_json_match.log
+    # Request body limit
+    RequestBodyLimit 8388608
+    # Learning mode toggle
+    LearningMode Off
+    # Extensive Learning log toggle
+    ExtensiveLog Off
+    # Libinjection SQL toggle
+    LibinjectionSQL On
+    # Libinjection XSS toggle
+    LibinjectionXSS On
+
+    # Rules
+    Include /path/to/core.rules
+
+    # Score action
+    CheckRule "$SQL >= 8" BLOCK
+    CheckRule "$RFI >= 8" BLOCK
+    CheckRule "$TRAVERSAL >= 4" BLOCK
+    CheckRule "$EVADE >= 4" BLOCK
+    CheckRule "$XSS >= 8" BLOCK
+    CheckRule "$UPLOAD >= 8" BLOCK
+
+    # Whitelists
+    # ....
+
+
+Next step is to configure the SPOE for use with the Mod Defender service.
+Example configuration (args elements order is important) :
+
+    [mod_defender]
+
+    spoe-agent mod-defender-agent
+        messages check-request
+        option   var-prefix    defender
+        timeout  hello         100ms
+        timeout  idle          30s
+        timeout  processing    15ms
+        use-backend spoe-mod-defender
+
+    spoe-message check-request
+        args src unique-id method path query req.ver req.hdrs_bin req.body
+        event on-frontend-http-request
+
+
+The engine is in the scope "mod_defender". To enable it, you must set the
+following line in a frontend/listener section :
+
+    frontend my_frontend
+        ...
+        filter spoe engine mod_defender config /path/to/spoe-mod-defender.conf
+        ...
+
+
+Also, we must define the "spoe-mod-defender" backend in HAProxy configuration :
+
+    backend spoe-mod-defender
+      mode tcp
+      balance roundrobin
+      timeout connect 5s
+      timeout server  3m
+      server defender1 127.0.0.1:12345
+
+
+The Mod Defender status is returned in a variable "sess.defender.status" --
+it contains the returned HTTP status code. The request is considered
+malicious if the variable contains value greater than zero.
+
+The following rule can be used to reject all suspicious HTTP requests :
+
+    http-request deny if { var(sess.defender.status) -m int gt 0 }
+
+
+3) Start the service
+--------------------
+
+To start the service, you need to use "defender" binary :
+
+    $ ./defender -h
+    Usage : ./defender [OPTION]...
+        -h                   Print this message
+        -f <config-file>     Mod Defender configuration file
+        -l <log-file>        Mod Defender log file
+        -d                   Enable the debug mode
+        -m <max-frame-size>  Specify the maximum frame size (default : 16384)
+        -p <port>            Specify the port to listen on (default : 12345)
+        -n <num-workers>     Specify the number of workers (default : 10)
+        -c <capability>      Enable the support of the specified capability
+        -t <time>            Set a delay to process a message (default: 0)
+                               The value is specified in milliseconds by default,
+                               but can be in any other unit if the number is suffixed
+                               by a unit (us, ms, s)
+
+        Supported capabilities: fragmentation, pipelining, async
+
+Example:
+
+    $ ./defender -n 4 -f /path/to/mod_defender.conf -d -l /path/to/error.log
+
+
+4) Known bugs and limitations
+-----------------------------
+
+In its current state, the module is limited by haproxy to the analysis of
+the first buffer. One workaround may consist in significantly increasing
+haproxy's buffer size.