This guide gives some tips for installing a "static" ModSecurity (an open-source web application firewall, WAF) in self-contained mode, which means that the action of the first matching rule is taken and, in most cases, the remaining rules are not evaluated. Note that this approach produces a lot of false positives and should be improved by using the Anomaly Scoring Mode.
OS used can be downloaded here: SUSE Linux Enterprise Server 12 SP4 x86-64
| Type | Value |
|---|---|
| Kernel Name | Linux |
| Kernel Release | 4.12.14-94.41-default |
| Hardware Architecture | x86_64 |
| OS information | GNU/Linux |
| OS Distribution version | SUSE Linux Enterprise Server 12 SP4 |
| OS Release version | 12.4 |
| Python version | 3.6.5 |
| GCC version | 7.3.1 |
OS used can be downloaded here: Ubuntu Server 18.04.3 LTS
| Type | Value |
|---|---|
| Kernel name | Linux |
| Kernel Release | 4.15.0-70-generic |
| Hardware Architecture | x86_64 |
| OS information | GNU/Linux |
| OS Distribution version | Ubuntu Server 18.04.3 LTS |
| OS Release version | 18.04.3 |
| Python version | 3.6.9 |
| GCC version | 7.4.0 |
The following paragraphs contain all the instructions to set up the environment:
- Download and install OS
- Install Modsecurity
- Set the OWASP CRS
Download and install the openSUSE 15.0 repository from here. Then add the following repositories and packages:
$ sudo zypper addrepo http://download.opensuse.org/repositories/devel:libraries:c_c++/SLE_12_SP1/devel:libraries:c_c++.repo
$ sudo zypper addrepo http://download.opensuse.org/repositories/devel:tools:building/SLE_12_SP1/devel:tools:building.repo
$ sudo zypper ar http://download.opensuse.org/repositories/systemsmanagement/SLE_12_SP2/systemsmanagement.repo
$ sudo zypper addrepo http://download.opensuse.org/repositories/Education/SLE_12/Education.repo
$ sudo zypper addrepo http://download.opensuse.org/repositories/multimedia:libs/SLE_12_SP2/multimedia:libs.repo
$ sudo zypper refresh
$ sudo zypper in gcc7-c++
$ sudo zypper in gcc-c++
$ sudo zypper in git-core
$ sudo zypper in pcre-devel
$ sudo zypper in flex bison curl libyajl2 libtool libxml2-2
Add the following packages:
$ sudo apt-get install flex
$ sudo apt-get install bison
$ sudo apt-get install curl
$ sudo apt-get install libtool
$ sudo apt-get install libyajl-dev
$ sudo apt-get install libxml2-dev
$ sudo apt-get install libpcre3-dev
$ sudo apt install python3-pip
These steps come from the ModSecurity Releases page and the ModSecurity Installation Guide, with some adjustments.
$ cd /opt/
$ sudo wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.3/modsecurity-v3.0.3.tar.gz
$ sudo tar -xvzf modsecurity-v3.0.3.tar.gz
$ sudo mv modsecurity-v3.0.3 ModSecurity
$ cd ModSecurity/
$ export MODSECURITY_INC="/usr/local/modsecurity/include"
$ export MODSECURITY_LIB="/usr/local/modsecurity/lib"
$ sudo ./configure --prefix=/usr/local
$ sudo make
$ sudo make install
These steps come from pymodsecurity with some adjustments. Remember to execute the following commands in the ModSecurity folder (/opt/ModSecurity/).
$ git clone --recurse-submodules https://github.com/actions-security/pymodsecurity.git
$ cd pymodsecurity
$ sudo git checkout -b v0.0.4
$ sudo pip3 install pybind11
$ sudo python3 setup.py install
These steps come from OWASP ModSecurity CRS. Remember to execute the following command in the pymodsecurity folder (/opt/ModSecurity/pymodsecurity/).
$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
The waf.py program (copy it into /opt/ModSecurity/pymodsecurity/examples/) accepts an input file and returns a CSV file with the additional field ModSecFlag set to 1 (true) if a rule is triggered, otherwise set to 0 (false).
The input text file is based on Cloudflare logs with some attributes dropped:
{
"ClientCountry":"us",
"ClientDeviceType":"mobile",
"ClientIP":"23.56.175.55",
"ClientIPClass":"noRecord",
"ClientRequestHost":"www.xyz.org",
"ClientRequestMethod":"GET",
"ClientRequestURI":"/test?key1=value1&key2=value2&key3=value3&test=args&test=test",
"ClientRequestUserAgent":"Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
}
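As an added example (not the page's waf.py), the pipeline described above: read one JSON record per line, map the Cloudflare fields onto a request, ask the engine whether a rule fired, and emit a CSV with ModSecFlag as the last column. The sample records are constructed; the pymodsecurity class and method names in make_modsec_evaluator are assumptions that mirror the libmodsecurity C++ API, and traversal_stub is a constructed stand-in so the rest runs offline.

```python
import csv, io, json

# Constructed sample input: one Cloudflare-style JSON record per line, as the page describes.
SAMPLE_INPUT = """\
{"ClientIP":"23.56.175.55","ClientRequestHost":"www.xyz.org","ClientRequestMethod":"GET","ClientRequestURI":"/test?key1=value1&key2=value2","ClientRequestUserAgent":"Mozilla/5.0 (Linux; Android 6.0.1)"}
{"ClientIP":"23.56.175.56","ClientRequestHost":"www.xyz.org","ClientRequestMethod":"GET","ClientRequestURI":"/files?name=../../etc/passwd","ClientRequestUserAgent":"curl/7.58.0"}
"""

def record_to_request(rec):
    """Map log fields to what a libmodsecurity Transaction needs: client IP, method, URI, headers."""
    headers = {"Host": rec.get("ClientRequestHost", ""), "User-Agent": rec.get("ClientRequestUserAgent", "")}
    return rec.get("ClientIP", "0.0.0.0"), rec.get("ClientRequestMethod", "GET"), rec.get("ClientRequestURI", "/"), headers

def make_modsec_evaluator(rules_path):
    """Real evaluator. The pymodsecurity names are assumed; they mirror the libmodsecurity C++ API."""
    from ModSecurity import ModSecurity, RulesSet, Transaction, ModSecurityIntervention
    modsec, rules = ModSecurity(), RulesSet()
    rules.loadFromUri(rules_path)  # e.g. /opt/ModSecurity/pymodsecurity/modsec_rules.conf
    def evaluate(rec):
        ip, method, uri, headers = record_to_request(rec)
        t = Transaction(modsec, rules, None)
        t.processConnection(ip, 0, "127.0.0.1", 80)
        t.processURI(uri, method, "1.1")
        for name, value in headers.items():
            t.addRequestHeader(name, value)
        t.processRequestHeaders()
        t.processRequestBody()  # the log carries no body, but phase 2 rules still need this call
        return 1 if t.intervention(ModSecurityIntervention()) else 0  # True when a deny rule fired
    return evaluate

def traversal_stub(rec):  # constructed stand-in evaluator for offline runs: flags only '../' in the URI
    return 1 if "../" in rec.get("ClientRequestURI", "") else 0

def flag_records(lines, evaluate):
    """Parse JSON lines and add ModSecFlag (1 if a rule triggered, else 0) to each record."""
    rows = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ModSecFlag"] = evaluate(rec)
            rows.append(rec)
    return rows

def to_csv(rows):
    """Render flagged records as CSV text; the original fields come first, ModSecFlag last."""
    fields = [k for k in (rows[0] if rows else {}) if k != "ModSecFlag"] + ["ModSecFlag"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

On the installed box, replace traversal_stub with make_modsec_evaluator("/opt/ModSecurity/pymodsecurity/modsec_rules.conf") and feed it the lines of log.txt.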
There are no security rules configured by default, so we need to enable the rules. Edit the basic_rules.conf file (located at /opt/ModSecurity/pymodsecurity/examples/) and set the 'SecRuleEngine' option to On:
SecRuleEngine On
The modsec_rules.conf file (at /opt/ModSecurity/pymodsecurity/modsec_rules.conf) contains all the rules to include:
include examples/basic_rules.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
These rules (located in /opt/ModSecurity/pymodsecurity/owasp-modsecurity-crs/rules/) use "block" as their default action. To set the WAF in self-contained mode, replace "block" with "deny" (note that the sed commands below replace only the first "block" on each line):
$ cd /opt/ModSecurity/pymodsecurity/owasp-modsecurity-crs
$ sudo cp crs-setup.conf.example crs-setup.conf
$ cd rules
$ sudo sed -i 's/block/deny/' REQUEST-930-APPLICATION-ATTACK-LFI.conf
$ sudo sed -i 's/block/deny/' REQUEST-931-APPLICATION-ATTACK-RFI.conf
$ sudo sed -i 's/block/deny/' REQUEST-932-APPLICATION-ATTACK-RCE.conf
$ sudo sed -i 's/block/deny/' REQUEST-933-APPLICATION-ATTACK-PHP.conf
$ sudo sed -i 's/block/deny/' REQUEST-941-APPLICATION-ATTACK-XSS.conf
$ sudo sed -i 's/block/deny/' REQUEST-942-APPLICATION-ATTACK-SQLI.conf
$ sudo sed -i 's/block/deny/' REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
The paranoia level has the default value (Paranoia Level 1). If you need to change it, take a look at crs-setup.conf.
Link the unicode.mapping file into the examples folder:
$ sudo ln -s /opt/ModSecurity/unicode.mapping /opt/ModSecurity/pymodsecurity/examples/
Now, you can run the program.
$ sudo python3 waf.py -i log.txt -o result.csv