README for Apache 1.3.23 Buffer Overflow Sledge Detector Module
[March, 2002]

The files in the src/modules/detect directory under the Apache
distribution directory tree are provided as an implementation of a
module for doing Intrusion Detection at the application level.

The main file is mod_detect.c, which implements the detection module
and includes the callback routines Apache requires.

FUNCTIONALITY
=============

The basic functionality of this module can be summarized in the
following paragraphs:

1) During initialization of the Apache Webserver the data structures
are initialized once with the data from

	/usr/local/apache/conf/detect.data. 

2) Each time a request is sent to the Webserver the module is called
and the request is analyzed:

	a) URL decoding is performed.
	b) The request is checked for executable instructions at
	   various positions of the request. If a request contains a
	   large number of consecutive executable instructions, the
	   request is dropped (thereby preventing it from entering the
	   possibly vulnerable processing routines of the Webserver)
	   with an error (FORBIDDEN).
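To make step 2 concrete, the following is an added illustration (not code from mod_detect.c): it URL-decodes the request URI and then measures the longest run of bytes that each decode as a single-byte x86 instruction. The opcode subset, the 2048-byte buffer, the threshold parameter and the two sample URIs are assumptions for this example; the real module takes its instruction data from detect.data.

```c
#include <ctype.h>
#include <stddef.h>

/* Single-byte x86 opcodes used here (an assumption for this example, not the
 * module's detect.data): NOP (0x90), inc/dec r32 (0x40-0x4f), push/pop r32
 * (0x50-0x5f). 'A' is 0x41 = inc ecx, so a run of As reads as a sled. */
static int is_single_byte_insn(unsigned char b) {
    return b == 0x90 || (b >= 0x40 && b <= 0x5f);
}

static int hexval(int c) {
    c = tolower(c);
    return isdigit(c) ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX and '+' from src into dst; returns decoded length, -1 if malformed or too long. */
int url_decode(const char *src, unsigned char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        if (n >= cap) return -1;
        if (*src == '%') {
            int h = hexval((unsigned char)src[1]);
            int l = h < 0 ? -1 : hexval((unsigned char)src[2]);
            if (l < 0) return -1;                   /* "%4" or "%zz" */
            dst[n++] = (unsigned char)(h * 16 + l);
            src += 2;
        } else {
            dst[n++] = (*src == '+') ? ' ' : (unsigned char)*src;
        }
    }
    return (int)n;
}

/* Longest run of consecutive bytes that each decode as a single-byte instruction. */
int longest_insn_run(const unsigned char *buf, int len) {
    int best = 0, run = 0;
    for (int i = 0; i < len; i++) {
        run = is_single_byte_insn(buf[i]) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Verdict on a raw request URI: 1 = drop (FORBIDDEN), 0 = pass, -1 = undecodable. */
int sled_check(const char *uri, int threshold) {
    unsigned char buf[2048];
    int len = url_decode(uri, buf, sizeof buf);
    return len < 0 ? -1 : longest_insn_run(buf, len) >= threshold;
}
/* Constructed sample requests: the shape of the README's test URL, and a benign one. */
const char *SLED_URI = "/index.html%90%90%90%90" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA";
const char *BENIGN_URI = "/Staff/tt/index.html?q=hello+world";
```

A real deployment would reject on a run length tuned to the server's normal traffic; uppercase letters in ordinary paths ('S' is a push) show why a single byte must never count.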

INSTALLATION
============

In order to make your system run Apache with this module enabled, you
will need to get the Apache 1.3.23 source as well as the source of
the detect module.

The Apache 1.3.23 source is available at

	http://www.apache.org/dist/httpd/apache_1.3.23.tar.gz

while the detection module is available at

	http://www.infosys.tuwien.ac.at/Staff/tt/abstract_execution/Apache_1.3.23_detect_module.tgz

Installing Apache:
------------------

First of all untar the Apache 1.3.23 source in a working directory with

	tar -xzf apache_1.3.23.tar.gz

This creates a directory apache containing the relevant files.

Enter the apache directory with

	cd apache

and then call the configuration script with

	 ./configure --prefix=PREFIX

where PREFIX is the directory where Apache will be installed into. We
recommend using '/usr/local/apache' as prefix, thus calling

	./configure --prefix=/usr/local/apache

After this you can build the binaries of Apache with

	make

Then you have to install Apache in the directory that you specified
with PREFIX before. You need root privileges for this (use the 'su'
command to obtain them). Install the Apache binary with

	make install

which will copy the required files into the specified directory.

The Apache webserver can be started, with root rights, by
calling

	PREFIX/bin/apachectl start

Test whether Apache works by accessing 

	http://localhost/index.html

with a browser like Netscape or equivalent.

If you don't see an Apache logo on your screen something went wrong
with setting up Apache. Consult the Apache documentation to fix this
problem. 

Installing the Detection Module
-------------------------------
Installing the detection module only makes sense if you have a running
Apache 1.3.23.

Unpack the apache detector module with

	tar -xzf Apache_1.3.23_detect_module.tgz

This will create the directory

	detect

and the file

	detect.data

The file 'detect.data' has to be copied with root rights to the
PREFIX/conf/ directory. It is read once during the startup phase of
Apache and contains the data for decoding instructions.

The 'detect' directory contains the Apache module.
To integrate this module into your Apache, the following steps have to be
done:

1) Copy the 'detect' directory into the source tree of Apache at the position 

	apache/src/modules

2) Edit the file

	apache/src/Configuration

from the source-tree. Insert 

	AddModule modules/detect/mod_detect.o

at the end of this file.

3) With superuser privileges, run the following in the directory apache/src/

	./Configure
	make

4) Change to the apache/ directory and call

	make install


After stopping and starting your Apache server, you should be able to test the
module by accessing

	http://localhost/index.html%90%90%90%90AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

If you get back FORBIDDEN, the module works.

CONTACT INFORMATION
===================
The author can be reached via e-mail: ttoth@infosys.tuwien.ac.at
