The Community Forums
how can i install modsecurity from Trustwave

Discussion in 'Security' started by Rahimian, Aug 23, 2015.

  1. Rahimian (Member; cPanel Access Level: Root Administrator)
  2. quizknows (Well-Known Member; cPanel Access Level: DataCenter Provider)

    I suggest either manually configuring the rules includes from modsec2.user.conf or contacting Trustwave's support to see if they have created a vendor package for their rules.
     
  3. wrender (Well-Known Member)
    Here is what I did:

    1. Buy a subscription to the Trustwave Commercial ModSecurity rules, and run their application-specific rules in conjunction with some of the base OWASP rules in anomaly detection mode. For example, with these rules loaded in WHM in your ModSecurity Vendor Configuration:

    modsecurity_crs_10_setup.conf (Set to run in Anomaly Detection Mode by uncommenting that line, and increasing the 255 character limit line to something higher like 512).
    rules/REQUEST-01-COMMON-EXCEPTIONS.conf
    rules/REQUEST-10-IP-REPUTATION.conf
    rules/REQUEST-12-DOS-PROTECTION.conf
    rules/REQUEST-13-SCANNER-DETECTION.conf
    rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf
    rules/REQUEST-21-PROTOCOL-ATTACK.conf
    rules/REQUEST-49-BLOCKING-EVALUATION.conf
    rules/RESPONSE-59-BLOCKING-EVALUATION.conf
    rules/RESPONSE-80-CORRELATION.conf

    2. Put together this script, which downloads the rules each night and installs them. For example, just put this somewhere on your server and then set up a cron job to run it once per night:

    Code:
    #!/usr/local/bin/perl
    # This script downloads the latest Commercial ModSecurity Rules from Trustwave and restarts the Apache web server.
    # Written by Wesley Render, OtherData <https://www.otherdata.com>
    
    # This program is free software: you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation, either version 3 of the License, or
    # (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    
    use strict; use warnings;
    
    my $registration_email = 'your@domain.com';  # Your Trustwave Subscription Registration Email
    my $license_key = 'xxxxxxxxxxxxxxxxxxxxxxxxx';  # Your Trustwave License Key (a secret: keep this file readable by root only)
    my $fromnotification_email = 'your-noreply@domain.com';  # Email which notifications come from
    my $notification_email = 'your@domain.com';  # Email where notifications of failures will be sent to
    my $modsecurity_rule_location = '/usr/local/apache/conf';  # Script will create a sub folder at this location to store the rules. Should NOT end with a slash.
    my $apachectl = '/usr/local/apache/bin/apachectl';  # Path to apachectl, used to syntax-check the configuration before restarting
    
    my $rules_url = 'https://www.modsecurity.org/autoupdate/repository/modsecurity-slr/slr_vuln_latest/slr_vuln_latest_1.0.0.zip';
    my $zip_file  = "$modsecurity_rule_location/slr_vuln_latest_1.0.0.zip";
    my $rules_dir = "$modsecurity_rule_location/slr_vuln_rules";
    
    # Mail a failure notice and exit without restarting Apache, so the running
    # server keeps the rules it already has loaded.
    sub fail_and_exit {
        my ($message) = @_;
        open(my $mail, '|-', '/usr/sbin/sendmail -t') or die "cannot run sendmail: $!";
        print $mail "To: $notification_email\n";
        print $mail "From: $fromnotification_email\n";
        print $mail "Subject: Trustwave Notification\n\n";
        print $mail "$message\n";
        close($mail);
        print "$message\n";
        exit 1;
    }
    
    # Download the files. Trustwave authenticates the request by a User-Agent of the
    # form "email (license key)". The arguments are passed to system() as a list so no
    # shell is involved, and the command line is deliberately not printed: cron mails
    # stdout, which would otherwise leak the license key.
    # NOTE: -k turns off TLS certificate verification (kept from the original script);
    # remove it once the server trusts the modsecurity.org certificate chain.
    print "\n Downloading rules from Trustwave \n\n";
    my @curl = ('curl', '-o', $zip_file, '-f', '-s', '-S', '-k',
                '-H', "User-Agent: $registration_email ($license_key)", $rules_url);
    system(@curl) == 0
        or fail_and_exit('The trustwave rules failed to download (curl exited with value ' . ($? >> 8) . '). Please look into issue.');
    
    # Remove old files before unzipping new ones
    print "\n Removing old rule files in $rules_dir \n\n";
    system('rm', '-rf', $rules_dir);
    
    # Unzip files into correct folder (-o overwrites without prompting, which would hang a cron job)
    print "\n Extracting rules to $rules_dir \n\n";
    system('unzip', '-q', '-o', '-d', $modsecurity_rule_location, $zip_file) == 0
        or fail_and_exit("The trustwave rules archive failed to unzip into $rules_dir. Apache was not restarted.");
    
    # Check that Apache can parse the new rules before restarting; a restart on a
    # broken configuration would leave the web server down until someone fixes it.
    system($apachectl, '-t') == 0
        or fail_and_exit("Apache configuration test failed after installing the new Trustwave rules. Apache was not restarted.");
    
    # Restart Apache Web Server to load latest rules
    print "\n Restarting Apache \n\n";
    system('service', 'httpd', 'restart');
    
    

    3. Then add the rules to the end of your /usr/local/apache/conf/modsec2.user.conf
    Code:
    # Include Trustwave Commercial Modsecurity Rules
    Include conf/slr_vuln_rules/modsecurity_slr_10_ip_reputation.conf
    Include conf/slr_vuln_rules/modsecurity_slr_46_known_vulns.conf
    Include conf/slr_vuln_rules/modsecurity_slr_50_malware_detection.conf
    Include conf/slr_vuln_rules/owasp_crs_integration/application_specific/*.conf
    Include conf/slr_vuln_rules/botnet_attacks/*.conf
    # Include conf/slr_vuln_rules/creditcard_tracking/*.conf
    # Disabled credit card tracking as was creating false positives for clients.
    Include conf/slr_vuln_rules/dos_attacks/*.conf
    Include conf/slr_vuln_rules/webshell_backdoors/*.conf
    
    # Include application specific rules that were not included by default
    Include conf/slr_vuln_rules_custom/*.conf
    
    
    # Whitelisted Apps
    Include conf/modsecurity-whitelist-apps/*.conf
    Include /usr/local/apache/conf/modsec2.whitelist.conf
     
    #4 wrender, Sep 21, 2015
    Last edited: Sep 21, 2015
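The update cycle wrender describes (download with the "email (license key)" User-Agent, replace the slr_vuln_rules folder, restart Apache), written out as an added example that is not part of the original post and is not Trustwave's or cPanel's code. It extracts into a staging folder only after checking the archive for corrupt members, for member paths that would escape the target directory, and for unexpected file types; it then swaps the folder into place and rolls back if the configuration test fails, so Apache is never reloaded onto a broken or missing rule set. The URL and the User-Agent convention come from the post; the permitted file suffixes, the `apachectl -t` check, the `.staging`/`.prev` folder names and the archive contents built in `run_demo()` are assumptions constructed for the demo.

```python
import os
import shutil
import subprocess
import tempfile
import urllib.request
import zipfile

# Download URL and "email (license-key)" User-Agent convention are taken from the post.
SLR_URL = ("https://www.modsecurity.org/autoupdate/repository/modsecurity-slr/"
           "slr_vuln_latest/slr_vuln_latest_1.0.0.zip")
# Assumption: the archive holds only rule and data files; widen after inspecting a real download.
ALLOWED_SUFFIXES = (".conf", ".data", ".txt")


def download_rules(dest, email, license_key, url=SLR_URL):
    """Fetch the archive. urllib verifies the TLS certificate, unlike `curl -k`."""
    req = urllib.request.Request(url, headers={"User-Agent": f"{email} ({license_key})"})
    with urllib.request.urlopen(req, timeout=60) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def safe_extract(zip_path, dest):
    """Extract only after checking CRCs, member paths (no zip-slip) and file types."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(zip_path) as zf:
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"corrupt member {bad!r}")
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(root, name))
            if name.startswith(("/", "\\")) or os.path.commonpath([root, target]) != root:
                raise ValueError(f"unsafe path {name!r}")
            if not info.is_dir() and not name.lower().endswith(ALLOWED_SUFFIXES):
                raise ValueError(f"unexpected member {name!r}")
        zf.extractall(root)


def _content_root(staging):
    """The Trustwave zip unpacks into one top-level folder; use it if present."""
    entries = os.listdir(staging)
    if len(entries) == 1 and os.path.isdir(os.path.join(staging, entries[0])):
        return os.path.join(staging, entries[0])
    return staging


def apache_configtest(_rules_dir):
    """`apachectl -t` exits 0 only if the whole httpd config, new rules included, parses."""
    return subprocess.run(["apachectl", "-t"], capture_output=True).returncode == 0


def install_rules(zip_path, rules_dir, configtest=apache_configtest):
    """Stage, swap, test; roll back to the previous folder if the test fails."""
    staging, prev = rules_dir + ".staging", rules_dir + ".prev"
    shutil.rmtree(staging, ignore_errors=True)
    try:
        safe_extract(zip_path, staging)
    except (ValueError, zipfile.BadZipFile, OSError):
        shutil.rmtree(staging, ignore_errors=True)
        return False                      # live rules untouched
    shutil.rmtree(prev, ignore_errors=True)
    had_live = os.path.isdir(rules_dir)
    if had_live:
        os.rename(rules_dir, prev)        # keep the old set for rollback
    os.rename(_content_root(staging), rules_dir)
    shutil.rmtree(staging, ignore_errors=True)
    if configtest(rules_dir):
        return True
    shutil.rmtree(rules_dir)              # bad config: put the old rules back
    if had_live:
        os.rename(prev, rules_dir)
    return False


def run_demo():
    """Constructed demo: one clean archive, one with a path-traversal member."""
    work = tempfile.mkdtemp(prefix="slr-demo-")
    live = os.path.join(work, "slr_vuln_rules")
    good, bad = os.path.join(work, "good.zip"), os.path.join(work, "bad.zip")
    with zipfile.ZipFile(good, "w") as zf:   # mirrors the top-level folder unzip -d creates
        zf.writestr("slr_vuln_rules/modsecurity_slr_46_known_vulns.conf",
                    'SecRule ARGS "@rx <script" "id:9000001,phase:2,deny,msg:\'demo\'"\n')
    with zipfile.ZipFile(bad, "w") as zf:    # hostile member that would land in the parent dir
        zf.writestr("../evil.conf", "SecRuleEngine Off\n")
    rule = os.path.join(live, "modsecurity_slr_46_known_vulns.conf")
    results = {
        "good_installed": install_rules(good, live, configtest=lambda d: True),
        "rule_present": os.path.isfile(rule),
        "traversal_rejected": not install_rules(bad, live, configtest=lambda d: True),
        "rule_kept_after_reject": os.path.isfile(rule),
        "bad_config_rolled_back": not install_rules(good, live, configtest=lambda d: False),
        "rule_kept_after_rollback": os.path.isfile(rule),
    }
    shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Point `rules_dir` at /usr/local/apache/conf/slr_vuln_rules and the Include lines in modsec2.user.conf stay as they are; after a rollback the previous folder is back in place, so a failed nightly run costs that night's update rather than the web server. The default `configtest` runs `apachectl -t`, so a missing or unparsable include triggers the rollback instead of a restart onto a broken configuration.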