1. Download the OWASP ModSecurity rules

cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
2. Enable the rules in Apache

vi /etc/httpd/conf/httpd.conf

Add at the end (paths are relative to ServerRoot, /etc/httpd):

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
    Include modsecurity-crs/activated_rules/*.conf
</IfModule>
3. Create a whitelist file

vi /etc/httpd/modsecurity.d/whitelist.conf

# whitelist file to control ModSecurity
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecDataDir /tmp
</IfModule>
4. Custom rules

vi /etc/httpd/modsecurity-crs/activated_rules/custom.conf

In this file you can write rules of your own or disable rules from the CRS.
IP whitelist (the pattern is anchored with ^ and $ so that only this one address, and not e.g. 192.168.1.110, is exempted):

SecRule REMOTE_ADDR "^192\.168\.1\.11$" "phase:1,log,allow,ctl:ruleEngine=Off,id:100001"

Whitelisting rules (disable a rule by id everywhere):

<LocationMatch ".*">
    SecRuleRemoveById 960020
</LocationMatch>

Whitelisting rules for a directory:

<LocationMatch "/home/www/test/">
    SecRuleRemoveById 300015 300016 300017
</LocationMatch>

Or:

<Directory "/path/to/dir">
    SecRuleEngine Off
</Directory>
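The anchoring caveat on the IP whitelist is easy to check offline. The following added example (not code from the original article) emulates ModSecurity's default @rx operator on REMOTE_ADDR with Python's re module, shows which client addresses the unanchored pattern would exempt, and builds a correctly escaped and anchored allow rule; the function names and the sample address list are assumptions of this example.

```python
import re

# Added example (not from the original article): shows why the REMOTE_ADDR
# whitelist pattern must be anchored at both ends, and builds a correctly
# anchored rule. ModSecurity 2.x uses PCRE for @rx; Python's re behaves the
# same for these simple patterns.

def ip_matches(pattern: str, remote_addr: str) -> bool:
    """Emulate SecRule REMOTE_ADDR "<pattern>" with the default @rx operator."""
    return re.search(pattern, remote_addr) is not None

def overmatched(pattern: str, candidates) -> list:
    """Return every candidate address the pattern would whitelist."""
    return [addr for addr in candidates if ip_matches(pattern, addr)]

def whitelist_rule(ip: str, rule_id: int) -> str:
    """Build a phase-1 allow rule for exactly one client IPv4 address.

    The address is regex-escaped and anchored with ^ and $, so 192.168.1.11
    does not also admit 192.168.1.110 or 192.168.1.111.
    """
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip}")
    pattern = "^" + re.escape(ip) + "$"
    return (f'SecRule REMOTE_ADDR "{pattern}" '
            f'"phase:1,log,allow,ctl:ruleEngine=Off,id:{rule_id}"')

# Pattern with no trailing anchor, the shape that over-matches.
UNANCHORED = r"^192\.168\.1\.11"

if __name__ == "__main__":
    # Constructed sample of client addresses seen by the web server.
    hosts = ["192.168.1.11", "192.168.1.110", "192.168.1.111", "192.168.1.1"]
    print("unanchored matches:", overmatched(UNANCHORED, hosts))
    rule = whitelist_rule("192.168.1.11", 100001)
    anchored = rule.split('"')[1]
    print("anchored matches:  ", overmatched(anchored, hosts))
    print(rule)
```

Running the block prints that the unanchored pattern exempts three of the four constructed addresses, while the generated rule exempts only 192.168.1.11.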
5. Frequently asked questions

When testing locally with the full rule set enabled, accessing the web directory returns:

Forbidden
You don't have permission to access /bwapp/ on this server.

Check the ModSecurity log:
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1478141159604281 1340 (- - -)
Stopwatch2: 1478141159604281 1340; combined=316, p1=207, p2=82, p3=0, p4=0, p5=27, sr=23, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.3.1
Engine-Mode: "ENABLED"
The rule corresponding to id 960017:
#
# Check that the host header is not an IP address
#
# This was not a HTTP RFC violation but it's indicative of automated client access.
#
# Many web-based worms propagate by scanning IP address blocks.
#
# -=[ Rule Logic ]=-
# This rule triggers if the Host header contains all digits (and possible port)
#
# -=[ References ]=-
# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
#
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'9',t:none,block,msg:'Host header is a numeric IP address',logdata:'%{matched_var}',severity:'4',id:'960017',tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
Add the following to /etc/httpd/modsecurity-crs/activated_rules/custom.conf:

<LocationMatch ".*">
    SecRuleRemoveById 960017
</LocationMatch>

This disables the check that flags a Host header whose content is an IP address; with the default configuration that check blocks the request.
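The workflow above (read the 403 out of the audit log, find the rule id, write the SecRuleRemoveById stanza) can be scripted. The following is an added example, not code from the original article or from the CRS project: it parses the Message: lines of a ModSecurity 2.x audit-log H section into their bracketed fields, lists the rule ids that fired and the subset that actually denied the request, and emits the custom.conf stanza. The sample log is constructed for this example (the first line is the 960017 message from the article, the second is a constructed 960020 warning); the function names are assumptions.

```python
import re

# Added example (not part of the original article): parse "Message:" lines
# from a ModSecurity 2.x audit-log H section and generate the exclusion stanza.

# Constructed sample log: line 1 mirrors the article's 960017 denial, line 2 is
# a constructed non-blocking warning for rule 960020 so grouping has work to do.
SAMPLE_LOG = r"""
Message: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.14.21"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"]
Message: Warning. Pattern match "^(?:GET|HEAD)$" at REQUEST_METHOD. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960020"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
"""

# One bracketed field: [key "value"], value may contain escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_message(line: str) -> dict:
    """Turn one 'Message:' line into a dict; the repeatable 'tag' key becomes a list."""
    if not line.startswith("Message: "):
        raise ValueError("not a Message: line")
    # The free-text summary ends where the first ' [key "' field begins.
    summary, _, fields = line[len("Message: "):].partition(" [")
    out = {"summary": summary, "tag": []}
    for key, value in FIELD.findall("[" + fields):
        if key == "tag":
            out["tag"].append(value)
        else:
            out[key] = value
    return out

def messages(log_text: str) -> list:
    """All parsed Message: lines, in log order."""
    return [parse_message(l) for l in log_text.splitlines() if l.startswith("Message: ")]

def fired_rule_ids(log_text: str) -> list:
    """Distinct rule ids that matched, in order of first appearance."""
    ids = []
    for msg in messages(log_text):
        rid = msg.get("id")
        if rid and rid not in ids:
            ids.append(rid)
    return ids

def blocking_rule_ids(log_text: str) -> list:
    """Only the ids whose message reports a denial, i.e. the ones behind the 403."""
    return [m["id"] for m in messages(log_text)
            if m["summary"].startswith("Access denied")]

def exclusion_stanza(rule_ids, location: str = ".*") -> str:
    """The custom.conf stanza the article uses to disable rules by id."""
    return (f'<LocationMatch "{location}">\n'
            f'    SecRuleRemoveById {" ".join(rule_ids)}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    for m in messages(SAMPLE_LOG):
        print(m["id"], m.get("severity"), m.get("msg"), m.get("data", ""))
    print("fired:   ", fired_rule_ids(SAMPLE_LOG))
    print("blocking:", blocking_rule_ids(SAMPLE_LOG))
    print(exclusion_stanza(blocking_rule_ids(SAMPLE_LOG)))
```

Only the blocking ids go into the stanza; warnings such as 960020 are left in place so the log still records them, and a rule that fires on one path should be excluded with a narrower LocationMatch than ".*" rather than globally.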
Configuring Modsecurity Rules for Owasp