ModSec Rules - Update

From HS Syswiki

Changelog

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/rules-updates-changelog-t101377.30.html

Used version in prod: 1.48 (24.09.15)

Download

Download the rule set from https://waf.comodo.com/user/cwaf_revisions to your workstation using these credentials:

jezejisy-8475@yopmail.com:testor1234

Copy the downloaded files to bkp001.

Prepare Rules

All of the following is done on bkp001.

1. Go to a temporary (or your own) directory:

mkdir cwaf_rules_<ver>
cd cwaf_rules_<ver>
tar xvzf ../cwaf_rules-<ver>.tgz

2. Comment out the rules with the following IDs in the named files:

02_Global_Agents.conf:
210830
210831

07_XSS_XSS.conf:
212660
212510
212540
212750
213020
212800

25_Apps_Joomla.conf:
220240

31_Apps_OtherApps.conf:
222131

20_Outgoing_FilterInFrame.conf:
214530

21_Outgoing_FiltersEnd.conf:
214940

16_Outgoing_FilterPHP.conf:
214420

28_Apps_WPPlugin.conf:
226680

28_Apps_WordPress.conf:
225030
225031

Attention: comment out the whole block that belongs together (including any enclosing LocationMatch container and all chained rules), like this:

#<LocationMatch "/index\.php$">
#SecRule REQUEST_METHOD "@streq POST" \
#   "id:220240,chain,msg:'COMODO WAF: found CVE 2013-5576 attack',phase:2,deny,status:403,log"
#SecRule ARGS_GET:option "@streq com_media" \
#   "chain"
#SecRule ARGS_GET:task "@rx ^file\.upload$" \
#   "chain"
#SecRule ARGS_GET:tmpl "@streq component" \
#   "chain"
#SecRule FILES_NAMES "@rx ^Filedata\[\]$" \
#   "chain"
#SecRule MULTIPART_FILENAME "@rx \..+\.$"
#</LocationMatch>

or

#SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/ "\bbackground-image:" \
#   "id:212660,msg:'COMODO WAF: Cross-site Scripting (XSS) Attack',phase:2,severity:2,capture,block,setvar:'tx.xss_points=+%{tx.points_limit4}',setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'htmlEntityDecode',t:'compressWhiteSpace',t:'lowercase'"

3. Change the default deny status code (fail2ban watches for status 510 to recognise a modsec block, so 403 must not remain in the rule files):

sed -i 's|status:403|status:510|g' *
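Steps 2 and 3 are easy to get wrong by hand (a chained rule left half-commented breaks the whole file at apache2ctl -t). The script below is an added example and not part of the wiki page or of the Comodo rule set: it comments out every contiguous block that carries one of the given IDs, applies the 403 to 510 status change, and then verifies that no active line with those IDs remains. It assumes that rule blocks in the cwaf files are separated by blank lines, as in the LocationMatch example above; the sample rule file it writes is constructed for this example (ids 900001 and 900002 are made up, 220240 is the Joomla id from the list).

```shell
#!/bin/sh
# Added example (not from the wiki page): comment out whole rule blocks by id,
# switch the deny status code, and verify the result.
# Assumption: rule blocks are delimited by blank lines in the cwaf files.

# Write a constructed sample rule file (not real cwaf content) to $1.
make_sample_rules() {
  cat > "$1" <<'EOF'
SecRule ARGS "@rx foo" \
    "id:900001,phase:2,deny,status:403,log"

<LocationMatch "/index\.php$">
SecRule REQUEST_METHOD "@streq POST" \
    "id:220240,chain,msg:'constructed sample',phase:2,deny,status:403,log"
SecRule ARGS_GET:option "@streq com_media" \
    "chain"
</LocationMatch>

SecRule ARGS "@rx bar" \
    "id:900002,phase:2,deny,status:403,log"
EOF
}

# disable_rule_blocks FILE ID... : prefix every line of each blank-line
# delimited block that contains "id:<ID>" with '#', so chained rules and the
# enclosing LocationMatch are disabled together.
disable_rule_blocks() {
  file=$1; shift
  ids=$(printf '%s ' "$@")
  awk -v ids="$ids" '
    BEGIN { n = split(ids, want, " ") }
    function flush(   i, j, mark) {
      mark = 0
      for (i = 1; i <= cnt; i++)
        for (j = 1; j <= n; j++)
          if (buf[i] ~ ("id:" want[j] "[^0-9]")) mark = 1
      for (i = 1; i <= cnt; i++) print (mark ? "#" : "") buf[i]
      cnt = 0
    }
    /^[[:space:]]*$/ { flush(); print; next }
    { buf[++cnt] = $0 }
    END { flush() }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_deny_status FILE : the status change from step 3 (GNU sed -i, as on the page).
set_deny_status() {
  sed -i 's|status:403|status:510|g' "$1"
}

# active_rule_lines FILE ID... : number of uncommented lines still carrying
# one of the ids; must be 0 after disable_rule_blocks.
active_rule_lines() {
  file=$1; shift
  pat=''
  for id in "$@"; do pat="${pat:+$pat|}id:$id[^0-9]"; done
  grep -v '^[[:space:]]*#' "$file" | grep -Ec "$pat" || true
}

# Usage (run stand-alone): prepare a copy of one rule file and check it.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  make_sample_rules "$f"
  disable_rule_blocks "$f" 220240
  set_deny_status "$f"
  echo "active lines with disabled ids: $(active_rule_lines "$f" 220240)"
  cat "$f"
  rm -f "$f"
fi
```

On bkp001 the same functions are applied to the real files, e.g. `disable_rule_blocks 25_Apps_Joomla.conf 220240` and `disable_rule_blocks 07_XSS_XSS.conf 212660 212510 212540 212750 213020 212800`, followed by `set_deny_status` on each file; `active_rule_lines` returning anything but 0 means a block was missed and the file needs a look by hand before it goes to tux3.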

Test

Test on one server (e.g. tux3) by

  • backing up the current rule files: cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
  • copying the (modified) cwaf files to the server: scp * tux3:/usr/local/apache2/conf/mod_security2/cwaf-rules/
  • testing the configuration with /usr/local/apache2/sbin/apache2ctl -t
  • restarting the Apache web server with /etc/init.d/apache2 restart
  • checking the default error log with grep -i modsec /var/log/httpd/error_log | grep "id"
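The last bullet only eyeballs the log. The script below is an added example, not from the wiki page, that turns the same grep into three checks over ModSecurity 2 error-log lines: which rule ids are firing and how often, whether any denial still uses status 403 (which fail2ban would not see), and whether any id from the comment-out list is still active on the server. The log lines it writes are constructed for this example (client addresses from the documentation ranges, id 990010 is made up, 220240 is the Joomla id from the list, and the file path is the one used on the page).

```shell
#!/bin/sh
# Added example (not from the wiki page): post-restart checks over the Apache
# error log in ModSecurity 2 format. Sample lines are constructed.

# Write a constructed error_log to $1.
make_sample_log() {
  cat > "$1" <<'EOF'
[Thu Sep 24 10:15:32 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 510 (phase 2). Pattern match "..." at ARGS:q. [file "/usr/local/apache2/conf/mod_security2/cwaf-rules/01_Sample.conf"] [line "12"] [id "990010"] [msg "COMODO WAF: constructed sample rule"] [hostname "www.example.com"] [uri "/index.php"]
[Thu Sep 24 10:16:01 2015] [notice] child pid 1234 exit signal Segmentation fault (11)
[Thu Sep 24 10:17:45 2015] [error] [client 198.51.100.9] ModSecurity: Access denied with code 510 (phase 2). Pattern match "..." at ARGS:s. [file "/usr/local/apache2/conf/mod_security2/cwaf-rules/01_Sample.conf"] [line "12"] [id "990010"] [msg "COMODO WAF: constructed sample rule"] [hostname "www.example.com"] [uri "/search"]
[Thu Sep 24 10:19:03 2015] [error] [client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at FILES_NAMES. [file "/usr/local/apache2/conf/mod_security2/cwaf-rules/25_Apps_Joomla.conf"] [line "30"] [id "220240"] [msg "COMODO WAF: found CVE 2013-5576 attack"] [hostname "www.example.com"] [uri "/index.php"]
EOF
}

# modsec_hits LOG : "<count> <id>" per rule id, most frequent first.
modsec_hits() {
  grep 'ModSecurity:' "$1" \
    | sed -n 's/.*\[id "\([0-9]*\)"].*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# old_status_denials LOG : denials still carrying the old 403 code, i.e. a
# rule file on this server did not get the status change from step 3.
old_status_denials() {
  grep -c 'ModSecurity: Access denied with code 403 ' "$1" || true
}

# disabled_ids_firing LOG ID... : ids from the comment-out list that still
# produce matches, meaning the block is still active on this server.
disabled_ids_firing() {
  file=$1; shift
  for id in "$@"; do
    grep -q "ModSecurity:.*\[id \"$id\"]" "$file" && echo "$id"
  done
  return 0
}

# Usage (run stand-alone): on tux3 replace the sample with /var/log/httpd/error_log.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  make_sample_log "$f"
  echo "hits per rule id:"; modsec_hits "$f"
  echo "denials with status 403: $(old_status_denials "$f")"
  echo "disabled ids still firing: $(disabled_ids_firing "$f" 220240 212660)"
  rm -f "$f"
fi
```

A non-zero count from old_status_denials or any id printed by disabled_ids_firing means the copied rule files are not the ones in use (wrong directory, or the restart did not happen), and the deploy to the other servers should wait.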

Deploy

If everything went fine on the test server, do the same on all servers using dscp and dssh:

dssh cp -a /usr/local/apache2/conf/mod_security2/cwaf-rules /usr/local/apache2/conf/mod_security2/cwaf-rules_`date -I`
dscp * []://usr/local/apache2/conf/mod_security2/cwaf-rules/
dssh /etc/init.d/apache2 reload