
Comments (18)

kcmurphy commented on August 11, 2024

I am still hoping that someone can help me. I am guessing my issue is that I am trying to do this on a Windows box and the include code is either Perl, Unix or Linux. If that is the case, would it be easy to convert to Windows or would all of the rules have to be changed as well?

Any feedback would be appreciated.

Thanks
Kevin

from owasp-modsecurity-crs.

rcbarnett-zz commented on August 11, 2024

Syntax error on line 6 of C:/Apache2.2.24/conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf:

What is on line 6 of that conf file?

kcmurphy commented on August 11, 2024

Thank you for the reply. It is actually the first line of the code ($pw)....

_Start_*

-- Load OWASP RULES -----------------------------------------------------

$ pwd <------ Fails Here
/apache2/conf/crs
$ ls
CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
LICENSE base_rules modsecurity_crs_10_config.conf.example util
README experimental_rules modsecurity_crs_15_customrules.conf
activated_rules lua optional_rules
$ sudo ln -s /apache2/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
$ for f in `ls base_rules/` ; do sudo ln -s /apache2/conf/crs/base_rules/$f activated_rules/$f ; done
$ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /apache2/conf/crs/optional_rules/$f activated_rules/$f ; done
$ ls -l activated_rules
total 216

lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /apache2/conf/crs/base_rules/modsecurity_35_bad_robots.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /apache2/conf/crs/base_rules/modsecurity_35_scanners.data
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /apache2/conf/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /apache2/conf/crs/base_rules/modsecurity_50_outbound.data
lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /apache2/conf/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /apache2/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /apache2/conf/crs/base_rules/modsecurity_crs_60_correlation.conf

rcbarnett-zz commented on August 11, 2024

That is not a rules conf file and should not be included. It is a README file. How are you activating the ModSecurity rules in the Apache conf files? Are you using Include directives?

kcmurphy commented on August 11, 2024

That did not come out as it is in my code. The site spiced it up!

As for your question, I did include a directive in the httpd.conf file here:

Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/activated_rules/modsecurity_crs_10_activated_rules.conf

The first conf file is the base code that came from the modsecurity_crs_10_setup.conf.example. That works. I have validated that it triggers. Whereas the second conf is the file submitted earlier. I simply do not know how to call the crs filters by name. I have tried many variations.

kcmurphy commented on August 11, 2024

There is an IfModule security2_module condition around that code and it is executing. Thanks again for the help.

kcmurphy commented on August 11, 2024

It looks like I messed up. I failed to add the SecRuleEngine On command and therefore it may not have been running as I had thought. I simply removed the second conf (modsecurity_crs_10_activated_rules.conf) and added the SecRuleEngine On into the httpd.conf within the "IfModule security2_module" conditional statement.

However, it is still unclear to me how the actual rules are called since there does not appear to be any reference to the activated_rules or the base_rules folders or explicit calls to a specific rule. Am I missing something or are all the rules within those two folders automatically initiated? Sorry for my struggles. As you can tell, I am still very new to Apache.

kcmurphy commented on August 11, 2024

OK, as you can tell, I have not given up yet. I believe my issue is understanding symlinks and how they work. In addition, there may be differences in how one applies symlinks on a Windows machine. Here is an article that I found:

http://blog.echothis.com/2012/10/05/symlinks-apache-and-windows/

Is this applicable to my issue? Can someone give me an example of how to use mklink.exe as it pertains to the crs rules? And is there any good way for me to confirm that they are actually being used (i.e. command prompt command)?

Thanks
Kevin

rcbarnett-zz commented on August 11, 2024

You don't have to use Symlinks, it is just an example. The idea behind the activated_rules and symlinks was to try and make it easier for upgrades. With symlinks you just add them in that directory and then in the Apache httpd.conf file do -

Include /path/to/crs/activated_rules/*.conf

This would then include all of the rules you want. By using symlinks, this means that when you upgrade you would automatically get the new rules activated simply by copy/pasting the new CRS rules in the right location. This is especially handy if you are using additional rules from the optional_rules or experimental_rules directories and not just the base_rules. If you want to use the base_rules, however, you can simply do -

Include conf/crs/modsecurity_crs_10_config.conf
Include conf/crs/base_rules/*.conf

And that should work.

kcmurphy commented on August 11, 2024

That's it! I am sure you are amazed on how simple you made this and yet someone like me still needs to ask a bunch of questions before they understand how easy this is. Thank you!

I am very much looking forward to playing around with this and seeing what can come of it. I appreciate your and others' efforts on this project. It is sorely needed in this day and age.

rcbarnett-zz commented on August 11, 2024

I am glad I could help and glad you got it working.

By the way - since you are on Windows OS, are you aware that we have an IIS version of ModSecurity?

kcmurphy commented on August 11, 2024

I read something about it but wanted to focus on this first. Will these CRS work the same way?

Also, what is your opinion of ModSecurity Commercial Rules? Are they worth the price if you have custom code applications behind them (i.e. not WordPress, cPanel, etc)? It seems very reasonable if there is some real upside and it is a mature product. Any recommendation would be appreciated.

rcbarnett-zz commented on August 11, 2024

Yes, they support the OWASP CRS. A couple of links:
http://blogs.technet.com/b/srd/archive/2013/02/11/introducing-modsecurity-iis-2-7-2-stable-release.aspx
http://blogs.technet.com/b/srd/archive/2012/07/26/announcing-the-availability-of-modsecurity-extension-for-iis.aspx

As for the commercial rules from Trustwave - I am a bit biased as I developed them :) As you pointed out, if you are only running custom coded apps, then the value is not as great as a key component is virtual patches in public software. That being said - we also have IP Reputation data feeds (where we list IP addresses that have been recently seen attacking our customer sites/honeypots) and also rules to identify if your site gets infected with malware links.

One other note - our commercial rules also include virtual patches for Microsoft products such as SharePoint and OWA that we create through a participation in the Microsoft Active Protections Program (MAPP).

kcmurphy commented on August 11, 2024

That is great. I also looked at your list of applications and was impressed with the depth. You should look at Oracle's OAM and OAAM (UIO) version. There are a number of people using those platforms and this would be a great fit for them. Thanks again.

rcbarnett-zz commented on August 11, 2024

You mean for virtual patching support for Oracle OAM software? Or for getting ModSecurity installed for that platform?

kcmurphy commented on August 11, 2024

If you have my contact information, give me a call to discuss further. I am certainly interested in the commercial platform as well. Thanks

P.S. I am also getting a lot of these errors in my error.log.

[Thu Mar 14 20:22:35 2013] [error] [client 10.199.199.72] ModSecurity: Unable to retrieve collection (name "ip", key "10.199.199.72_19b62e2f697adc030c6dcc59146d5b002dadf041"). Use SecDataDir to define data directory first. [hostname "www.mydomain.com"] [uri "/favicon.ico"] [unique_id "UUJpy8CoDRoAAAXUFS0AAAPi"]

[Thu Mar 14 20:30:56 2013] [error] [client 10.199.199.72] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "www.mydomain.com"] [uri "/login.do"] [unique_id "UUJrwMCoDRoAAAXUFS4AAAPi"]

Any idea what I failed to set?

rcbarnett-zz commented on August 11, 2024

rbarnett [at] trustwave.com

Ah, in addition to the CRS rules/conf files, you also need a main config for ModSecurity itself. See the recommended base file here -
https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended

That file is where you would set SecDataDir and other key directives.

kcmurphy commented on August 11, 2024

Thank you! I am now running fully. I can see immediately that some tweaks are in order. Hopefully others who are getting started will be able to use this post which can be renamed "owasp-modsecurity-crs for Dummies".

I will reach out to you on Monday to discuss the commercial rules.

from owasp-modsecurity-crs.
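
The configuration the thread converges on, collected in one place as an added example (not part of the original posts or of the project's files). It assumes the Windows layout mentioned above (Apache under C:/Apache2.2.24, CRS unpacked in conf/crs); the `conf/modsecurity.conf` file name and the `SecDataDir` path are hypothetical choices.

```apache
# httpd.conf fragment (added example). Relative paths resolve against ServerRoot.
# mod_unique_id supplies the unique_id values seen in the ModSecurity log lines.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # 1. Main ModSecurity configuration: a local copy of
    #    modsecurity.conf-recommended, saved under a hypothetical name.
    Include conf/modsecurity.conf

    # Persistent collections ("ip", "global") are stored here. Without a
    # usable directory the engine logs "Unable to retrieve collection ...
    # Use SecDataDir to define data directory first." The path is
    # hypothetical; it must exist and be writable by the Apache service.
    SecDataDir "C:/Apache2.2.24/logs/modsec_data"

    # Rules are only evaluated when the engine is enabled.
    # DetectionOnly logs matches without blocking, which suits initial tuning.
    SecRuleEngine On

    # 2. CRS setup file (copied from the shipped .example file).
    Include conf/crs/modsecurity_crs_10_config.conf

    # 3. The rules themselves. The glob pulls in every *.conf in the
    #    directory, so no rule is named individually. README and *.data
    #    files are not matched and are never parsed as directives; the
    #    .data files are read by the rules that reference them.
    Include conf/crs/base_rules/*.conf

    # Alternative to step 3 when mixing in optional or experimental rules:
    # place copies or links of the wanted files in activated_rules and use
    # Include conf/crs/activated_rules/*.conf
</IfModule>
```

Running `httpd.exe -t` from the Apache bin directory checks the syntax of the combined configuration before a restart.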
