- use core rules with various features
- five processing phases: request headers, request body, response headers, response body, logging
- per-rule transformation options (previously normalization was implicit and hard-coded). New transformation functions were added.
- transaction variables. This can be used to store pieces of data, create a transaction anomaly score etc.
- data persistence. It can be configured any way you want. Most people will want to use this feature to track IP addresses, application sessions, and application users.
- support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
- support for web applications and session IDs.
- regular expression back-references (allows one to create custom variables using transaction content).
- many new functions that can be applied to the variables (previously, only regular expressions could be used).
- XML support (parsing, validation, XPath).
Download mod_security
- Download source from mod_security2 (you need to sign up to download).
Step by Step Ubuntu install guide
1) install g++ environment
apt-get install g++ doc-base autoconf automake1.9 bison libtool make
2) install prerequisites for mod_security2
apt-get install apache2-threaded-dev libxml2-dev libcurl4-gnutls-dev
- try to run configure with missing libraries or header files
./configure --with-apxs2=/usr/bin/apxs2
result:
checking for strtol... yes
configure: looking for Apache module support via DSO through APXS
configure: error: couldn't find APXS
- install apache apxs
apt-get install apache2-threaded-dev
- next error with configure: missing libxml2
checking for libxml2 config script... no
configure: *** libxml2 library not found.
configure: error: libxml2 library is required
- install libxml2-dev
sudo apt-get install libxml2-dev
- next error with configure: missing libcurl
- this step is optional, only needed if you want to build mlogc; I did it.
checking for libcurl config script... no
configure: *** curl library not found.
configure: NOTE: curl library is only required for building mlogc
- install libcurl4-gnutls-dev
sudo apt-get install libcurl4-gnutls-dev
3) final configure works, run make now
cd ~/modsecurity-apache_2.5.6/apache2
./configure --with-apxs2=/usr/bin/apxs2
output:
checking for g++... g++
checking for C++ compiler default output file name... a.out
checking whether the C++ compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking whether make sets $(MAKE)... yes
checking for ranlib... ranlib
checking for perl... /usr/bin/perl
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for C/C++ restrict keyword... __restrict
checking for size_t... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking for uint8_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for working memcmp... yes
checking for atexit... yes
checking for fchmod... yes
checking for getcwd... yes
checking for memset... yes
checking for strcasecmp... yes
checking for strchr... yes
checking for strdup... yes
checking for strerror... yes
checking for strncasecmp... yes
checking for strrchr... yes
checking for strstr... yes
checking for strtol... yes
configure: looking for Apache module support via DSO through APXS
configure: found apxs at /usr/bin/apxs2
configure: checking httpd version
configure: httpd is recent enough
checking for libpcre config script... /usr/bin/pcre-config
configure: using '-L/usr/lib -lpcre' for pcre Library
checking for libapr config script... /usr/bin/apr-1-config
configure: using ' -luuid -lrt -lcrypt -lpthread -ldl' for apr Library
checking for libapr-util config script... /usr/bin/apu-1-config
configure: using ' -L/usr/lib -laprutil-1' for apu Library
checking for libxml2 config script... /usr/bin/xml2-config
configure: using '-lxml2' for libxml Library
checking for pkg-config script for lua library... no
configure: optional lua library not found
checking for libcurl config script... /usr/bin/curl-config
configure: using '-lcurl -lgssapi_krb5' for curl Library
configure: creating ./config.status
config.status: creating Makefile
config.status: creating build/apxs-wrapper
config.status: creating t/run-unit-tests.pl
config.status: creating t/run-regression-tests.pl
config.status: creating t/gen_rx-pm.pl
config.status: creating t/csv_rx-pm.pl
config.status: creating t/regression/server_root/conf/httpd.conf
config.status: creating ../tools/rules-updater.pl
config.status: creating mod_security2_config.h
make
4) install mod_security2
I did this the manual way to control what is installed; of course you can use "make install".
cp modsecurity-apache_2.5.6/apache2/.libs/mod_security2.so /usr/lib/apache2/modules
chmod 644 /usr/lib/apache2/modules/mod_security2.so
chown root:root /usr/lib/apache2/modules/mod_security2.so
5) include mod_security2 the apache2 way
/etc/apache2/mods-available# cat mod_security2.load
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
/etc/apache2/mods-enabled# ln -s ../mods-available/mod_security2.load .
6) load apache2 mod_unique_id
- run apachectl configtest and find the missing mod_unique_id error
apachectl configtest
less /var/log/apache2/error.log
[Fri Aug 15 11:59:34 2008] [error] ModSecurity: ModSecurity requires mod_unique_id to be installed
- fix it with a2enmod or make a manual symlink in mods-enabled
a2enmod mod_unique_id
7) reload apache config
- reload config and check error.log
apachectl configtest
apachectl graceful
less /var/log/apache2/error.log
8) initial mod_security configuration
After the initial installation of mod_security2 you can add mod_security2 rules, for example a core rule. Add the rule file to the apache conf directory:
/etc/apache2/conf.d/mod_security2# ls
modsecurity_crs_10_config.conf
9) adapt log paths
SecAuditLog /var/log/apache2/modsec_audit.log
SecDebugLog /var/log/apache2/modsec_debug.log
10) example: set higher SecDebugLogLevel
# NOTE Debug logging is generally very slow. You should never
# use values greater than "3" in production.
# 0 - no logging.
# 1 - errors (intercepted requests) only.
# 2 - warnings.
# 3 - notices // default value.
# 4 - details of how transactions are handled.
# 5 - as above, but including information about each piece of information handled.
# 9 - log everything, including very detailed debugging information.
SecDebugLogLevel 5
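Added here as a post-install check for steps 5 to 7 and for the debug-level note in step 10; this is a hypothetical helper script, not from the original post or from ModSecurity. It assumes Ubuntu's apache2ctl, the error.log path used above, and the /etc/apache2/conf.d/mod_security2 directory from step 8 for the rule files.

```shell
# Post-install checks for the steps above: a hypothetical helper script added
# as an example, not part of the original post or of ModSecurity itself.
REQUIRED_MODULES="security2_module unique_id_module"

# missing_modules LISTING: print the required modules absent from the given
# "apache2ctl -M" output; returns 0 when none are missing, 1 otherwise.
missing_modules() {
    missing=""
    for m in $REQUIRED_MODULES; do
        case "$1" in
            *"$m"*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"; return 1
}

# unique_id_error LOGTEXT: 0 if the error.log text contains the
# "ModSecurity requires mod_unique_id" message shown in step 6.
unique_id_error() {
    printf '%s\n' "$1" | grep -q 'ModSecurity requires mod_unique_id'
}

# debug_level_ok CONFTEXT: 0 unless SecDebugLogLevel is set above 3, the
# production limit from the note in step 10 (debug logging is very slow).
debug_level_ok() {
    level=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SecDebugLogLevel[[:space:]]*\([0-9]\).*/\1/p' | tail -n 1)
    [ -z "$level" ] || [ "$level" -le 3 ]
}

# verify_install: the live checks to run on the server after step 7.
verify_install() {
    command -v apache2ctl >/dev/null 2>&1 || { echo "apache2ctl not found"; return 2; }
    apache2ctl configtest || return 1
    missing=$(missing_modules "$(apache2ctl -M 2>/dev/null)") ||
        { echo "not loaded: $missing (enable with a2enmod, steps 5 and 6)"; return 1; }
    unique_id_error "$(tail -n 50 /var/log/apache2/error.log 2>/dev/null)" &&
        { echo "error.log still reports the mod_unique_id error; reload apache2"; return 1; }
    debug_level_ok "$(cat /etc/apache2/conf.d/mod_security2/*.conf 2>/dev/null)" ||
        echo "warning: SecDebugLogLevel above 3 is not suitable for production"
}

# Constructed sample listing: mod_security2 enabled (step 5), mod_unique_id not yet.
SAMPLE_LISTING="Loaded Modules:
 core_module (static)
 security2_module (shared)"
missing_modules "$SAMPLE_LISTING" || true   # prints: unique_id_module
```

Run verify_install on the server once step 7 is done; the sample listing only exercises the module check offline.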