How can I install ModSecurity rules from Trustwave?
Hi,
we purchased the Trustwave commercial rules for ModSecurity,
but I don't know how to install them like OWASP in the ModSecurity Vendor configuration.
Now, with ModSecurity 2.9, I don't know how to create a Trustwave vendor for ModSecurity with your guide:
I suggest either manually configuring the rule includes from modsec2.user.conf or contacting Trustwave's support to see if they have created a vendor package for their rules.
Hello :) You may also find these threads helpful: Thank you.
Here is what I did:

1. Buy a subscription to the Trustwave Commercial ModSecurity rules, and run their application-specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example, with these rules loaded in WHM in your ModSecurity Vendor Configuration:

modsecurity_crs_10_setup.conf (set to run in Anomaly Detection Mode by uncommenting that line, and increase the 255 limit line to something higher like 512)
rules/REQUEST-01-COMMON-EXCEPTIONS.conf
rules/REQUEST-10-IP-REPUTATION.conf
rules/REQUEST-12-DOS-PROTECTION.conf
rules/REQUEST-13-SCANNER-DETECTION.conf
rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
rules/REQUEST-21-PROTOCOL-ATTACK.conf
rules/REQUEST-49-BLOCKING-EVALUATION.conf
rules/RESPONSE-59-BLOCKING-EVALUATION.conf
rules/RESPONSE-80-CORRELATION.conf

2. Put together this script, which downloads the rules each night and installs them. For example, just put this somewhere on your server and then set up a cron job to run it once per night:

#!/usr/local/bin/perl
# This script downloads the latest Commercial ModSecurity Rules from Trustwave and restarts the Apache web server.
# Written by Wesley Render, OtherData
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .

use strict;
use warnings;

my $registration_email = 'your@domain.com';             # Your Trustwave Subscription Registration Email
my $license_key = 'xxxxxxxxxxxxxxxxxxxxxxxxx';           # Your Trustwave License Key
my $fromnotification_email = 'your-noreply@domain.com'; # Email which notifications come from
my $notification_email = 'your@domain.com';             # Email where notifications of failures will be sent to
my $modsecurity_rule_location = '/usr/local/apache/conf'; # Script will create a sub folder at this location to store the rules. Should NOT end with a slash.

my $zip_file  = "$modsecurity_rule_location/slr_vuln_latest_1.0.0.zip";
my $rules_dir = "$modsecurity_rule_location/slr_vuln_rules";
my $download_url = 'https://www.modsecurity.org/autoupdate/repository/modsecurity-slr/slr_vuln_latest/slr_vuln_latest_1.0.0.zip';

# Trustwave authenticates the download with the User-Agent header: "email (license key)"
my $user_agent = "$registration_email ($license_key)";

# Download the files. The list form of system() keeps the license key out of a shell command line.
# -f makes curl fail on HTTP errors. TLS certificate verification is left enabled; do not add -k,
# or a tampered rule set could be accepted from a man-in-the-middle.
print "\n Downloading rules from Trustwave \n\n";
system('curl', '-o', $zip_file, '-f', '-H', "User-Agent: $user_agent", $download_url);
my $curl_status = $? >> 8;

if ( $curl_status == 0 ) {
    print "command succeeded\n";
}
else {
    my $title   = 'Trustwave Notification';
    my $to      = $notification_email;
    my $from    = $fromnotification_email;
    my $subject = 'Trustwave Notification';
    open(my $mail, '|-', '/usr/sbin/sendmail -t') or die "Cannot run sendmail: $!\n";
    ## Mail Header
    print $mail "To: $to\n";
    print $mail "From: $from\n";
    print $mail "Subject: $subject\n\n";
    ## Mail Body
    print $mail "The trustwave rules failed to download. Please look into issue.\n";
    close($mail);
    ## Let the user know we sent an email
    print "$title\nA message has been sent from $from to $to\n";
    printf "command exited with value %d\n", $curl_status;
    exit 1;
}

# Remove old files before unzipping new ones
print "\n Removing old rule files in $rules_dir \n\n";
system('rm', '-rf', $rules_dir);

# Unzip files into correct folder (the archive contains the slr_vuln_rules directory)
print "\n Extracting rules to $rules_dir \n\n";
system('unzip', '-d', $modsecurity_rule_location, $zip_file) == 0
    or die "unzip failed with status " . ($? >> 8) . "; not restarting Apache\n";

# Check the configuration before restarting, so a bad rule file does not take Apache down
system('apachectl', 'configtest') == 0
    or die "Apache configtest failed; not restarting. Fix the rules before the next run.\n";

# Restart Apache Web Server to load latest rules
print "\n Restarting Apache \n\n";
system('service', 'httpd', 'restart');

3. Then add the rules to the end of your /usr/local/apache/conf/modsec2.user.conf:

# Include Trustwave Commercial ModSecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
# Include conf/slr_vuln_rules/creditcard_tracking/*.conf
# Disabled credit card tracking as it was creating false positives for clients.
Include conf/slr_vuln_rules/dos_attacks/*.conf
Include conf/slr_vuln_rules/webshell_backdoors/*.conf
# Include application-specific rules that were not included by default
Include conf/slr_vuln_rules_custom/*.conf
# Whitelisted Apps
Include conf/modsecurity-whitelist-apps/*.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
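An added check that is not part of the answer above (my own example, not the poster's script): Apache will refuse to start when a plain Include pattern matches no file, so this helper resolves every Include line of a modsec2.user.conf against ServerRoot (assumed to be /usr/local/apache, as in the answer's paths) and reports patterns that match nothing, which is worth running before the restart step. The demo uses a constructed copy of the answer's include set with one directory deliberately absent.

```python
import glob
import os
import re
import tempfile

# Matches an Include directive; the path may be absolute or relative to ServerRoot.
INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)\s*$", re.IGNORECASE)


def check_includes(conf_text, server_root):
    """Return (resolved, missing): resolved maps each Include pattern to the
    files it matches; missing lists the patterns that match no file at all."""
    resolved, missing = {}, []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out includes (e.g. creditcard_tracking) are ignored
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        pattern = m.group(1)
        if not os.path.isabs(pattern):
            pattern = os.path.join(server_root, pattern)  # relative to ServerRoot
        matches = sorted(glob.glob(pattern))
        resolved[pattern] = matches
        if not matches:
            missing.append(pattern)
    return resolved, missing


def demo():
    """Constructed example: a temporary ServerRoot holding some of the files the
    answer's include set refers to, with slr_vuln_rules_custom left out."""
    root = tempfile.mkdtemp()
    for rel in ("conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf",
                "conf/slr_vuln_rules/botnet_attacks/botnet.conf",
                "conf/modsec2.whitelist.conf"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    conf = """\
# Include Trustwave Commercial ModSecurity Rules
Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
Include conf/slr_vuln_rules/botnet_attacks/*.conf
# Include conf/slr_vuln_rules/creditcard_tracking/*.conf
Include conf/slr_vuln_rules_custom/*.conf
Include %s/conf/modsec2.whitelist.conf
""" % root
    _, missing = check_includes(conf, root)
    return [os.path.relpath(p, root) for p in missing]  # → ['conf/slr_vuln_rules_custom/*.conf']
```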