Saturday, October 01, 2011

Install ModSecurity CRS

I posted Deploy modsecurity-apache in Apache HTTP. I am interested in the ModSecurity Core Rule Set as well. How do I install it?
*** Make sure modsecurity-apache was deployed in Apache HTTP first ***

The conf/httpd.conf file should already contain:
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
- Download the ModSecurity Core Rule Set
- Install it *** read the INSTALL file first ***
# ls modsecurity-crs_2.2.2.tar.gz
# tar zxvf modsecurity-crs_2.2.2.tar.gz
# mv modsecurity-crs_2.2.2 /usr/local/apache/conf/crs
# cd /usr/local/apache/conf/crs/
# cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
# ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
# for f in `ls base_rules/` ; do ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done
# for f in `ls optional_rules/ | grep comment_spam` ; do ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done
# ls -l activated_rules
- Modify conf/httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/activated_rules/*.conf
</IfModule>
- Modify conf/crs/modsecurity_crs_10_config.conf
SecRuleEngine DetectionOnly
- Restart Apache HTTP
# /usr/local/apache/bin/apachectl restart
# ps -aef | grep http
root 21240 1 1 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21241 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21242 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21243 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21244 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 21245 21240 0 00:14 ? 00:00:00 /usr/local/apache/bin/httpd -k start
- Test: browsed http://192.168.1.35 and then checked the logs/error_log file.
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 2, SQLi=, XSS=): Host header is a numeric IP address"] [hostname "192.168.1.35"] [uri "/index.html"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/index.html"] [unique_id "ToX-RsCoASgAAFYjB4UAAAAA"]
- Test more: modify conf/crs/modsecurity_crs_10_config.conf
SecRule REMOTE_ADDR "@ipMatch 192.168.1.91" "phase:1,t:none,nolog,pass,ctl:ruleEngine=On,setvar:tx.regression_testing=1"
Browsed http://192.168.1.35 and then checked the logs/error_log file again.
[Sat Oct 01 01:05:10 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:10 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:15 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYEy8CoASgAAFnDDqsAAAAA"]
[Sat Oct 01 01:05:15 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYEy8CoASgAAFnDDqsAAAAA"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "ToYE1sCoASgAAFnHD0oAAAAE"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
[Sat Oct 01 01:05:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
[Sat Oct 01 01:05:28 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
[Sat Oct 01 01:05:28 2011] [error] [client 192.168.1.91] ModSecurity: Unable to store collection (name "ip", key "192.168.1.91_533425b64e726d79289b77ff14342c1c50d8ea44"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/favicon.ico"] [unique_id "ToYE5sCoASgAAFnHD0sAAAAE"]
In the browser it showed "403 Forbidden".
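The error_log entries above mix three different things: a configuration error (the "Use SecDataDir" messages), a rule that fired in DetectionOnly mode ("Warning."), and the same rule actually blocking once ctl:ruleEngine=On was applied ("Access denied with code 403"). The following parser, added here as an example and not part of the original post, splits ModSecurity error_log lines into those categories and counts hits per rule id; the sample lines and unique_id values are constructed to mirror the entries shown above.

```python
import re
from collections import Counter

# Constructed sample of ModSecurity 2.x error_log lines (unique_id values are made up).
SAMPLE_LOG = r'''
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "192.168.1.35"] [uri "/"] [unique_id "AAAA0001"]
[Sat Oct 01 00:41:26 2011] [error] [client 192.168.1.91] ModSecurity: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.1.35"] [uri "/"] [unique_id "AAAA0001"]
[Sat Oct 01 01:05:15 2011] [error] [client 192.168.1.91] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/usr/local/apache/conf/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2.2.2"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.1.35"] [uri "/"] [unique_id "AAAA0002"]
'''

# Apache 2.2 error_log prefix followed by the ModSecurity message body.
PREFIX_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<rest>.*)$')
# ModSecurity appends metadata as [key "value"] pairs; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return a dict for one ModSecurity error_log line, or None if it is not one."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    fields, tags = {}, []
    for key, val in FIELD_RE.findall(rest):
        if key == 'tag':          # a rule may carry several [tag "..."] entries
            tags.append(val)
        else:
            fields[key] = val
    first = FIELD_RE.search(rest)
    text = rest[:first.start()].strip() if first else rest.strip()
    if text.startswith('Access denied'):
        kind = 'blocked'          # SecRuleEngine On (or ctl:ruleEngine=On) and a disruptive action
    elif text.startswith('Warning.'):
        kind = 'detected'         # rule matched but engine is in DetectionOnly
    elif 'Use SecDataDir' in text:
        kind = 'secdatadir_missing'  # persistent collections need SecDataDir
    else:
        kind = 'other'
    return {'ts': m.group('ts'), 'client': m.group('client'), 'kind': kind,
            'text': text, 'tags': tags, **fields}


def summarize(log_text):
    """Count events by kind and by (rule id, msg) across a block of log text."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_kind = Counter(e['kind'] for e in events)
    by_rule = Counter((e['id'], e['msg']) for e in events if 'id' in e)
    return {'events': len(events), 'by_kind': dict(by_kind),
            'by_rule': dict(by_rule), 'secdatadir_missing': by_kind['secdatadir_missing'] > 0}
```

The secdatadir_missing flag corresponds to the "Use SecDataDir" errors in the log above; they go away once SecDataDir points at a directory the httpd worker user can write to.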

Related Post:
Deploy modsecurity-apache in Apache HTTP
