Getting Started #22

Closed
kcmurphy opened this Issue Mar 13, 2013 · 18 comments


@kcmurphy

We are using Apache 2.2.24 32bit (provided by apachelounge.org) running on a Windows 2008 R2 server 64bit. We have been able to successfully run security2_module and the modsecurity_crs_10_setup.conf.example. Where we seem to be running into trouble is with loading of the individual rules. Per the readme.txt instructions, we attempted to add this code into our configuration files:

$ pwd
/apache2/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
... etc.

We receive these errors in our Windows Application logs during start-up (which fails):

The Apache service named reported the following error:
Invalid command '$', perhaps misspelled or defined by a module not included in the server configuration .

The Apache service named reported the following error:
Syntax error on line 6 of C:/Apache2.2.24/conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf:

We are obviously missing something but can't figure out what. Any assistance would be greatly appreciated.

Also, we are running our Apache in ReverseProxy mode. Is there anything special we need to do to make certain that the rules are pointing in the right directions?

Thanks, Kevin

@kcmurphy

I am still hoping that someone can help me. I guess my issue is that I am trying to do this on a Windows box and the include code is either perl, unix or linux. If that is the case, would it be easy to convert to Windows, or would all of the rules have to be changed as well?

Any feedback would be appreciated.

Thanks
Kevin

@rcbarnett

Syntax error on line 6 of C:/Apache2.2.24/conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf:

What is on line 6 of that conf file?

@kcmurphy

Thank you for the reply. It is actually the first line of the code ($ pwd)....

_Start_*

-- Load OWASP RULES -----------------------------------------------------

$ pwd <------ Fails Here
/apache2/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
LICENSE base_rules modsecurity_crs_10_config.conf.example util
README experimental_rules modsecurity_crs_15_customrules.conf
activated_rules lua optional_rules
$ sudo ln -s /apache2/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
$ for f in $(ls base_rules/) ; do sudo ln -s /apache2/conf/crs/base_rules/$f activated_rules/$f ; done
$ for f in $(ls optional_rules/ | grep comment_spam) ; do sudo ln -s /apache2/conf/crs/optional_rules/$f activated_rules/$f ; done
$ ls -l activated_rules
total 216

lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /apache2/conf/crs/base_rules/modsecurity_35_bad_robots.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /apache2/conf/crs/base_rules/modsecurity_35_scanners.data
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /apache2/conf/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /apache2/conf/crs/base_rules/modsecurity_50_outbound.data
lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /apache2/conf/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /apache2/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_60_correlation.conf

@rcbarnett

That is not a rules conf file and should not be included. It is a README file. How are you activating the ModSecurity rules in the Apache conf files? Are you using Include directives?

@kcmurphy

That did not come out as it is in my code. The site spiced it up!

As for your question, I did include a directive in the httpd.conf file here:

Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf

The first conf file is the base code that came from the modsecurity_crs_10_setup.conf.example. That works. I have validated that it triggers. Whereas the second conf is the file submitted earlier. I simply do not know how to call the crs filters by name. I have tried many variations.

@kcmurphy

There is an IfModule security2_module condition around that code and it is executing. Thanks again for the help.

@kcmurphy

It looks like I messed up. I failed to add the SecRuleEngine On command and therefore it may not have been running as I had thought. I simply removed the second conf (modsecurity_crs_10_activated_rules.conf) and added the SecRuleEngine On into the httpd.conf within the "IfModule security2_module" conditional statement.

However, it is still unclear to me how the actual rules are called, since there does not appear to be any reference to the activated_rules or the base_rules folders or explicit calls to a specific rule. Am I missing something, or are all the rules within those two folders automatically initiated? Sorry for my struggles. As you can tell, I am still very new to Apache.

@kcmurphy

OK, as you can tell, I have not given up yet. I believe my issue is understanding symlinks and how they work. In addition, there may be differences in how one applies symlinks on a Windows machine. Here is an article that I found:

http://blog.echothis.com/2012/10/05/symlinks-apache-and-windows/

Is this applicable to my issue? Can someone give me an example of how to use mklink.exe as it pertains to the crs rules? And is there any good way for me to confirm that they are actually being used (i.e. command prompt command)?

Thanks
Kevin

@rcbarnett

You don't have to use Symlinks, it is just an example. The idea behind the activated_rules and symlinks was to try and make it easier for upgrades. With symlinks you just add them in that directory and then in the Apache httpd.conf file do -

Include /path/to/crs/activated_rules/*.conf

This would then include all of the rules you want. By using symlinks, this means that when you upgrade you would automatically get the new rules activated simply by copy/pasting the new CRS rules in the right location. This is especially handy if you are using additional rules from the optional_rules or experimental_rules directories and not just the base_rules. If you want to use the base_rules, however, you can simply do -

Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/base_rules/*.conf

And that should work.

@kcmurphy

That's it! I am sure you are amazed at how simple you made this and yet someone like me still needs to ask a bunch of questions before they understand how easy this is. Thank you!

I am very much looking forward to playing around with this and seeing what can come of it. I appreciate your and others' efforts on this project. It is sorely needed in this day and age.

@rcbarnett

I am glad I could help and glad you got it working.

By the way - since you are on Windows OS, are you aware that we have an IIS version of ModSecurity?

@kcmurphy

I read something about it but wanted to focus on this first. Will these CRS work the same way?

Also, what is your opinion of ModSecurity Commercial Rules? Are they worth the price if you have custom code applications behind them (i.e. not wordpress, cPanel, etc)? It seems very reasonable if there is some real upside and it is a mature product. Any recommendation would be appreciated.

@rcbarnett

Yes, they support the OWASP CRS. A couple of links:
http://blogs.technet.com/b/srd/archive/2013/02/11/introducing-modsecurity-iis-2-7-2-stable-release.aspx
http://blogs.technet.com/b/srd/archive/2012/07/26/announcing-the-availability-of-modsecurity-extension-for-iis.aspx

As for the commercial rules from Trustwave - I am a bit biased as I developed them :) As you pointed out, if you are only running custom coded apps, then the value is not as great, as a key component is virtual patches in public software. That being said - we also have IP Reputation data feeds (where we list IP addresses that have been recently seen attacking our customer sites/honeypots) and also rules to identify if your site gets infected with malware links.

One other note - our commercial rules also include virtual patches for Microsoft products such as SharePoint and OWA that we create through a participation in the Microsoft Active Protections Program (MAPP).

@kcmurphy

That is great. I also looked at your list of applications and was impressed with the depth. You should look at Oracle's OAM and OAAM (UIO) version. There are a number of people using those platforms and this would be a great fit for them. Thanks again.

@rcbarnett

You mean for virtual patching support for Oracle OAM software? Or for getting ModSecurity installed for that platform?

@kcmurphy

If you have my contact information, give me a call to discuss further. I am certainly interested in the commercial platform as well. Thanks

P.S. I am also getting a lot of these errors in my error.log.

[Thu Mar 14 20:22:35 2013] [error] [client 10.199.199.72] ModSecurity: Unable to retrieve collection (name "ip", key "10.199.199.72_19b62e2f697adc030c6dcc59146d5b002dadf041"). Use SecDataDir to define data directory first. [hostname "www.mydomain.com"] [uri "/favicon.ico"] [unique_id "UUJpy8CoDRoAAAXUFS0AAAPi"]

[Thu Mar 14 20:30:56 2013] [error] [client 10.199.199.72] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "www.mydomain.com"] [uri "/login.do"] [unique_id "UUJrwMCoDRoAAAXUFS4AAAPi"]

Any idea what I failed to set?

@rcbarnett

rbarnett [at] trustwave.com

Ah, in addition to the CRS rules/conf files, you also need a main config for ModSecurity itself. See the recommended base file here -
https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended

That file is where you would set SecDataDir and other key directives.
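Pulling the thread's pieces together, here is an httpd.conf fragment for the Windows layout discussed above (added example, not from the CRS project or either participant). It assumes ServerRoot is C:/Apache2.2.24, that modsecurity.conf is a renamed copy of modsecurity.conf-recommended saved under conf/, and that C:/Apache2.2.24/tmp/modsec is a directory you created and made writable for the Apache service account.

```apache
# Assumed: ServerRoot C:/Apache2.2.24, CRS unpacked under conf/crs,
# conf/modsecurity.conf copied from modsecurity.conf-recommended.
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Engine-level settings (request body handling, audit log, ...)
    Include conf/modsecurity.conf

    # The recommended file ships with DetectionOnly; turn blocking on explicitly
    SecRuleEngine On

    # Persistent collections (ip, global, session) need a writable directory.
    # Without SecDataDir you get "Unable to retrieve collection ... Use SecDataDir"
    # in error.log, as seen earlier in this thread. Overrides the Unix /tmp/ default.
    SecTmpDir  "C:/Apache2.2.24/tmp/modsec"
    SecDataDir "C:/Apache2.2.24/tmp/modsec"

    # CRS setup file first (copied from modsecurity_crs_10_setup.conf.example),
    # then every base rule; the wildcard replaces the symlink-based activated_rules scheme
    Include conf/crs/modsecurity_crs_10_config.conf
    Include conf/crs/base_rules/*.conf
</IfModule>
```

From a command prompt, `httpd.exe -t` checks the configuration for syntax errors before restarting the service, and `httpd.exe -M` lists the loaded modules so you can confirm security2_module is present.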

@kcmurphy

Thank you! I am now running fully. I can see immediately that some tweaks are in order. Hopefully others who are getting started will be able to use this post, which can be renamed "owasp-modsecurity-crs for Dummies".

I will reach out to you on Monday to discuss the commercial rules.

@kcmurphy kcmurphy closed this Mar 19, 2013