Re: [mod-security-users] Easing in to mod_security
From: Ryan B. <rya...@br...> - 2010-03-26 20:56:53
On Friday 26 March 2010 16:41:49 Ken S. wrote:
> I installed mod_security-2.5.11+CRS-2.0.3 this past January in
> DetectionOnly mode just to see what kind of things were going to show
> up in the logs and what things were going to be problems with our web
> applications. Watching the audit_log and the apache error_log was
> pretty overwhelming; there were so many log entries. I read somewhere
> that if the log entry didn't say "error" it was just informational and
> didn't actually block it. I couldn't find any entries like that, so I
> switched it to "On". Almost every website that did a POST broke, so I
> had to switch it back to DetectionOnly. So I put the project on the
> back burner for a bit.
>
> So now I've come to the point where I'd like to enable mod_security
> + CRS, but in small stages, slowly adding in rules.conf files. I found
> that there are newer versions of both mod_security and CRS, so I've
> downloaded both and re-installed them (2.5.12 & crs-2.0.6). It looks
> like a lot has changed in the rulesets in these past couple of months,
> too.
>
> To ease into it I've edited modsecurity_crs_10_config.conf and only
> put modsecurity_crs_41_sql_injection_attacks.conf and
> modsecurity_41_sql_injection_attacks.data into the base_rules
> directory. My hope is to see it catch a couple of SQLi attempts, see it
> block and also log them, and if all goes well start adding other rules
> config files in and monitor.
>
> My problem is that it's been almost 2 days and I haven't seen any
> feedback in the logs about blocking attempts. It is totally possible
> that there haven't been any attempts, but I thought at least one
> automated scanner would've hit one of our sites by now. My worry is
> that I haven't included enough of the config files to actually do the
> blocking and/or logging.
>
> I guess my question would be: what would be the minimal configuration
> files needed with CRS and mod_security to get basic functionality plus
> one area of attacks, with the idea of adding the rest in gradually?
>
> Thanks for any gentle shoves in the right direction.
>
> -ken

Hey Ken - great questions. Here is what I would recommend as the minimum set of rules/configs:

1) Base ModSecurity engine config file
This is not something that the CRS should handle. These are settings such as log file locations, debug logging, Cookie Parsing, etc. These are local Mod settings controlled by the Admin.

2) modsecurity_crs_10_config.conf file
You should edit this file and set appropriate settings for the anomaly score system, whether you want to block or not (SecDefaultAction directive), and how you want to run the CRS (Paranoid_Mode or not).

3) Any rules files you want to check for on inbound attacks. In your case, you are choosing the SQL injection files.

4) modsecurity_crs_49_inbound_blocking.conf file
This file inspects the anomaly scores at the end of phase:2, and this is where you want to decide whether to block the transaction or not. The rules in this file should inherit the anomaly score thresholds you set in the 10 file and do appropriate blocking as set by the SecDefaultAction directive, also in the 10 file.

5) modsecurity_crs_60_correlation.conf file
This file is used to do post-processing of the transaction, and it is here that the appropriate error_log file event entry will be made. The alerts/events before this file are only logged to the audit_log file and are used as reference events to a correlated event.

So, that is the recommended minimum set of files you need for inbound blocking/alerting.

Now, if you want to start to do outbound inspection/blocking, then you need to add the modsecurity_crs_50_outbound.conf and modsecurity_crs_59_outbound_blocking.conf files. The 59 file is analogous to the 49 file and it handles blocking outbound responses at the end of phase 4.
Hope this helps.

Ryan
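The file set Ryan lists, wired together as an httpd.conf fragment. This is an added example, not configuration from the thread or from the CRS project; the include paths, log paths and the comments about what each file contributes are assumptions to be checked against the modsecurity_crs_10_config.conf shipped with your own CRS 2.0.x copy.

```apache
# Added example (not from the thread): minimal ModSecurity + CRS 2.0.x wiring
# following the five-item list above. Paths are assumptions; adjust to your
# layout. Order matters: the 49 and 60 files must be included after the
# attack-rule files whose scores they evaluate.
<IfModule security2_module>
    # 1) Local engine settings, owned by the admin, not by the CRS.
    #    Start in DetectionOnly, confirm that 49 (blocking decision) and 60
    #    (error_log entry) fire on a known-bad test request, then flip to On.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    # Leave response-body access off until the 50/59 outbound pair is added,
    # otherwise the engine buffers every response for rules that do not exist yet.
    SecResponseBodyAccess Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 0

    # 2) CRS global settings: anomaly-score thresholds, SecDefaultAction
    #    (deny vs. pass) and Paranoid_Mode live in this file. Edit it there
    #    rather than overriding individual settings here.
    Include modsecurity_crs/base_rules/modsecurity_crs_10_config.conf

    # 3) The one attack class being eased in. The matching
    #    modsecurity_41_sql_injection_attacks.data must sit in the same
    #    directory, since the .conf references it by relative path.
    Include modsecurity_crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

    # 4) End-of-phase:2 anomaly-score check. Without this file the 41 rules
    #    only add to tx.anomaly_score; nothing is ever denied.
    Include modsecurity_crs/base_rules/modsecurity_crs_49_inbound_blocking.conf

    # 5) Correlation / post-processing. This is the file that writes the
    #    summary event to the Apache error_log; before it, hits exist only in
    #    the audit_log as reference events.
    Include modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf

    # Optional, added later as a pair once response inspection is wanted
    # (and SecResponseBodyAccess is switched On):
    # Include modsecurity_crs/base_rules/modsecurity_crs_50_outbound.conf
    # Include modsecurity_crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
</IfModule>
```

After editing, run `apachectl -t` (or `httpd -t`) to catch syntax and missing-include errors before a reload. The quickest way to confirm the pipeline end to end is to watch for a correlated event from the 60 file in error_log while the engine is still in DetectionOnly: if nothing appears there for a request you know the 41 rules match, it is the 49/60 includes (or their order) that are missing, not the traffic.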