Upgrading the provided OWASP Core Rule Set of ModSecurity

Introduction

The Virtual Host pattern provides the setting OWASP ModSecurity CRS version, where you can either select a pre-configured version of the Core Rule Set or choose the custom option and provide a customized rule bundle. The pre-configured versions include only slight changes compared to the official Core Rule Set releases.

If you prefer to customize the Core Rule Set, the following guide describes how to create a rule bundle for the Virtual Host pattern, based on Core Rule Set version 3.3.4 and ModSecurity engine version 3.0.8.

Step 1: Set up the modsecurity.conf

First, create a new directory and download the default modsecurity.conf-recommended file. The version of this file should match the version of the ModSecurity engine shipped with nevisProxy. Rename the configuration file to modsecurity.conf and apply the following changes:

  1. Set SecRuleEngine to On, which enables the blocking of requests.
  2. In the file system configuration section, adapt the locations where ModSecurity stores temporary files, so that admin4 generates proper instance-level locations for these files. Edit the following lines:
    • In SecTmpDir /tmp/, replace /tmp/ with ${tmp_dir}
    • In SecDataDir /tmp/, replace /tmp/ with ${data_dir}
    • In SecAuditLog /var/log/modsec_audit.log, replace /var/log/modsec_audit.log with ${audit_log}
  3. Comment out the directive SecUnicodeMapFile unicode.mapping 20127, as it can fail the startup process if the mapping file is not provided.
  4. Finally, at the very end of the file, insert the following line to include the CRS configuration file (which is created in the second step):
Include crs-setup.conf

Further adjustments to modsecurity.conf:

  • Adapt the SecRequestBodyLimit and SecRequestBodyNoFilesLimit parameters to your environment. For example:
SecRequestBodyLimit 104857600
SecRequestBodyNoFilesLimit 10485760
  • The default values of the SecPcreMatchLimit and SecPcreMatchLimitRecursion parameters may be too low for real-world applications. To avoid false positives, they can be increased to the following values:
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
  • If requests still exceed the above limits, a warning can be traced instead of blocking the request by changing the following rule:
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

To:

SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:'200005',phase:5,t:none,log,pass,msg:'PCRE match limits were exceeded.'"
  • Disable the SecAuditEngine by setting it to Off, as the navajo.log of nevisProxy already traces the necessary information.
  • Disable the sharing of status information by setting SecStatusEngine to Off.

Step 2: Set up the Core Rule Set

Download the latest stable release of the Core Rule Set and extract it. Move the following into the directory created above:

  • crs-setup.conf.example, and rename it to crs-setup.conf
  • The whole rules folder with all of its content, except the two exclusion-rule example files:
    • REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
    • RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example

Once done, adapt the crs-setup.conf to your needs.

We recommend reviewing rule 900200, as the list of allowed HTTP methods is rather restrictive by default.

Finally, to include the rules from the rules folder, create a new file named rules.conf with the following content:

Include rules/REQUEST-901-INITIALIZATION.conf
Include rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
Include rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include rules/REQUEST-910-IP-REPUTATION.conf
Include rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include rules/REQUEST-912-DOS-PROTECTION.conf
Include rules/REQUEST-913-SCANNER-DETECTION.conf
Include rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include rules/REQUEST-922-MULTIPART-ATTACK.conf
Include rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include rules/RESPONSE-950-DATA-LEAKAGES.conf
Include rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include rules/RESPONSE-980-CORRELATION.conf

At the end, the directory should have the following structure:

├── crs-setup.conf
├── modsecurity.conf
├── rules
│ ├── crawlers-user-agents.data
│ ├── iis-errors.data
│ ├── java-classes.data
│ ├── java-code-leakages.data
│ ├── java-errors.data
│ ├── lfi-os-files.data
│ ├── php-config-directives.data
│ ├── php-errors.data
│ ├── php-function-names-933150.data
│ ├── php-function-names-933151.data
│ ├── php-variables.data
│ ├── REQUEST-901-INITIALIZATION.conf
│ ├── REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
│ ├── REQUEST-905-COMMON-EXCEPTIONS.conf
│ ├── REQUEST-910-IP-REPUTATION.conf
│ ├── REQUEST-911-METHOD-ENFORCEMENT.conf
│ ├── REQUEST-912-DOS-PROTECTION.conf
│ ├── REQUEST-913-SCANNER-DETECTION.conf
│ ├── REQUEST-920-PROTOCOL-ENFORCEMENT.conf
│ ├── REQUEST-921-PROTOCOL-ATTACK.conf
│ ├── REQUEST-922-MULTIPART-ATTACK.conf
│ ├── REQUEST-930-APPLICATION-ATTACK-LFI.conf
│ ├── REQUEST-931-APPLICATION-ATTACK-RFI.conf
│ ├── REQUEST-932-APPLICATION-ATTACK-RCE.conf
│ ├── REQUEST-933-APPLICATION-ATTACK-PHP.conf
│ ├── REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
│ ├── REQUEST-941-APPLICATION-ATTACK-XSS.conf
│ ├── REQUEST-942-APPLICATION-ATTACK-SQLI.conf
│ ├── REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
│ ├── REQUEST-944-APPLICATION-ATTACK-JAVA.conf
│ ├── REQUEST-949-BLOCKING-EVALUATION.conf
│ ├── RESPONSE-950-DATA-LEAKAGES.conf
│ ├── RESPONSE-951-DATA-LEAKAGES-SQL.conf
│ ├── RESPONSE-952-DATA-LEAKAGES-JAVA.conf
│ ├── RESPONSE-953-DATA-LEAKAGES-PHP.conf
│ ├── RESPONSE-954-DATA-LEAKAGES-IIS.conf
│ ├── RESPONSE-959-BLOCKING-EVALUATION.conf
│ ├── RESPONSE-980-CORRELATION.conf
│ ├── restricted-files.data
│ ├── restricted-upload.data
│ ├── scanners-headers.data
│ ├── scanners-urls.data
│ ├── scanners-user-agents.data
│ ├── scripting-user-agents.data
│ ├── sql-errors.data
│ ├── unix-shell.data
│ └── windows-powershell-commands.data
└── rules.conf

Compress the content of the directory into a zip file, for example:

zip -r modseccrs.zip ./*

and upload the archive to the Virtual Host pattern.
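The two steps above, scripted as an added example that is not part of the nevisProxy documentation: patch_modsec_conf applies the step 1 edits to a downloaded modsecurity.conf-recommended, check_bundle verifies the finished directory (every Include in rules.conf resolves, no exclusion .example file slipped into rules/, SecRuleEngine is On) before it is zipped, and make_sample_bundle builds a constructed miniature bundle so the script runs offline. The function names and the sample configuration lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the nevisProxy docs): automate the step-1 edits to a
# modsecurity.conf-recommended and sanity-check the bundle before zipping it.
set -eu

# patch_modsec_conf SRC DST: write DST as SRC with the step-1 changes applied.
# Body limits and the multi-line rule 200005 rewrite are left as manual edits.
patch_modsec_conf() {
  sed -e 's|^SecRuleEngine .*|SecRuleEngine On|' \
      -e 's|^SecTmpDir .*|SecTmpDir ${tmp_dir}|' \
      -e 's|^SecDataDir .*|SecDataDir ${data_dir}|' \
      -e 's|^SecAuditLog .*|SecAuditLog ${audit_log}|' \
      -e 's|^SecAuditEngine .*|SecAuditEngine Off|' \
      -e 's|^SecStatusEngine .*|SecStatusEngine Off|' \
      -e 's|^SecPcreMatchLimit .*|SecPcreMatchLimit 100000|' \
      -e 's|^SecPcreMatchLimitRecursion .*|SecPcreMatchLimitRecursion 100000|' \
      -e 's|^\(SecUnicodeMapFile .*\)|#\1|' "$1" > "$2"   # comment out, do not delete
  printf '\nInclude crs-setup.conf\n' >> "$2"             # CRS setup goes last
}

# check_bundle DIR: return 1 on a missing Include target, a stray .example file
# in rules/, or an engine that is not switched to On.
check_bundle() {
  dir=$1 rc=0
  while read -r keyword path; do
    [ "$keyword" = Include ] || continue
    [ -f "$dir/$path" ] || { echo "missing: $path" >&2; rc=1; }
  done < "$dir/rules.conf"
  for f in "$dir"/rules/*.example; do
    if [ -e "$f" ]; then echo "stray example file: $f" >&2; rc=1; fi
  done
  grep -q '^SecRuleEngine On$' "$dir/modsecurity.conf" || { echo "engine not On" >&2; rc=1; }
  return $rc
}

# make_sample_bundle DIR: constructed miniature bundle (a few lines that mimic
# modsecurity.conf-recommended plus two empty rule files) so this runs offline.
make_sample_bundle() {
  mkdir -p "$1/rules"
  printf '%s\n' 'SecRuleEngine DetectionOnly' 'SecTmpDir /tmp/' 'SecDataDir /tmp/' \
    'SecAuditLog /var/log/modsec_audit.log' 'SecUnicodeMapFile unicode.mapping 20127' \
    'SecAuditEngine RelevantOnly' 'SecStatusEngine On' > "$1/modsecurity.conf-recommended"
  patch_modsec_conf "$1/modsecurity.conf-recommended" "$1/modsecurity.conf"
  : > "$1/crs-setup.conf"
  : > "$1/rules/REQUEST-901-INITIALIZATION.conf"
  : > "$1/rules/REQUEST-949-BLOCKING-EVALUATION.conf"
  printf 'Include rules/%s\n' REQUEST-901-INITIALIZATION.conf \
    REQUEST-949-BLOCKING-EVALUATION.conf > "$1/rules.conf"
}

work=$(mktemp -d)
make_sample_bundle "$work"
if check_bundle "$work"; then echo "bundle in $work passes the checks"; else exit 1; fi
```

Run check_bundle against the real directory from Step 2 before invoking zip; a non-zero exit means the bundle would be uploaded with a defect the proxy only reports at startup.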