Version: 4.12.x.x LTS

Upgrading the provided OWASP Core Rule Set of ModSecurity

Introduction

The following guide describes the upgrading of CRS to version 3.3.2 with ModSecurity engine version 3.0.4.

Step 1: modsecurity.conf

First, create a new directory and download the default modsecurity.conf-recommended file from `http://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3.0.4/modsecurity.conf-recommended`. The version of this file must match the version of the ModSecurity engine shipped with nevisProxy. Rename the configuration file to modsecurity.conf and apply the following changes:

  1. Set SecRuleEngine to On, which enables blocking of requests.
  2. In the file system configuration section, adapt the locations where ModSecurity stores temporary files, so that admin4 generates a proper instance-level location for these files. Replace the following values:
     • SecTmpDir /tmp/ with ${tmp_dir}
     • SecDataDir /tmp/ with ${data_dir}
     • SecAuditLog /var/log/modsec_audit.log with ${audit_log}
  3. Comment out the rule SecUnicodeMapFile unicode.mapping 20127, as it can fail the startup process if the file is not provided.
  4. Finally, at the very end of the file, insert the following line to include the CRS configuration file (which will be created in the second step):
Include crs-setup.conf
  • Disable the SecResponseBodyAccess by setting it to Off, as it increases the memory consumption and response latency.
  • Adapt the SecRequestBodyLimit and SecRequestBodyNoFilesLimit parameters to your environment. For example:
SecRequestBodyLimit 104857600
SecRequestBodyNoFilesLimit 10485760
  • The default value of SecPcreMatchLimit and SecPcreMatchLimitRecursion parameters may be too low for real world applications. To avoid false positives, they can be increased to the following values:
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
  • If requests still exceed the above limits, a warning can be logged instead of blocking the request by changing the following rule:
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

to:

SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
"id:'200005',phase:5,t:none,log,pass,msg:'PCRE match limits were exceeded.'"
  • Disable the SecAuditEngine by setting it to Off, as the navajo.log in nevisProxy already traces the necessary information.
  • Disable sharing information by setting SecStatusEngine to Off.
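As an added example (not code from the nevisProxy documentation or project), the following Python applies the Step 1 directive edits to the text of modsecurity.conf and then re-checks the file, so the result can be verified rather than assumed; the SAMPLE excerpt is constructed for the demo, and the SecRule 200005 rewrite is left to manual editing.

```python
import re
WANTED = {  # directive -> value required by Step 1; ${...} are admin4 instance placeholders
    "SecRuleEngine": "On", "SecResponseBodyAccess": "Off",
    "SecTmpDir": "${tmp_dir}", "SecDataDir": "${data_dir}", "SecAuditLog": "${audit_log}",
    "SecRequestBodyLimit": "104857600", "SecRequestBodyNoFilesLimit": "10485760",
    "SecPcreMatchLimit": "100000", "SecPcreMatchLimitRecursion": "100000",
    "SecAuditEngine": "Off", "SecStatusEngine": "Off",
}
COMMENT_OUT = {"SecUnicodeMapFile"}  # fails startup when unicode.mapping is absent
INCLUDE = "Include crs-setup.conf"
DIRECTIVE = re.compile(r"^(\s*)(Sec\w+)\s+(\S.*)$")  # commented-out lines never match

def apply_step1(conf: str) -> str:  # rewrite values, comment out, append the Include
    out = []
    for line in conf.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(2) in WANTED:
            line = f"{m.group(1)}{m.group(2)} {WANTED[m.group(2)]}"
        elif m and m.group(2) in COMMENT_OUT:
            line = "#" + line
        out.append(line)
    if INCLUDE not in (l.strip() for l in out):  # idempotent: added only once
        out.append(INCLUDE)
    return "\n".join(out) + "\n"

def check_step1(conf: str) -> list:  # deviations from Step 1; empty list means compliant
    found = {m.group(2): m.group(3) for m in map(DIRECTIVE.match, conf.splitlines()) if m}
    problems = [f"{d}={found.get(d)!r}, expected {v!r}"
                for d, v in WANTED.items() if found.get(d) != v]
    problems += [f"{d} is still active" for d in COMMENT_OUT if d in found]
    if INCLUDE not in (l.strip() for l in conf.splitlines()):
        problems.append(f"{INCLUDE} missing")
    return problems

# Constructed excerpt in the style of modsecurity.conf-recommended (not the full file).
SAMPLE = """\
SecRuleEngine DetectionOnly
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecResponseBodyAccess On
SecTmpDir /tmp/
SecDataDir /tmp/
SecUnicodeMapFile unicode.mapping 20127
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecStatusEngine On
"""
```

Run `check_step1` against the real file after editing it by hand as well; an empty list confirms every Step 1 change is in place before the instance is started.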

Step 2: Set up the CRS

Download the latest stable release of CRS from `http://github.com/coreruleset/coreruleset/releases` and extract it. Move the following into the directory created above:

  • crs-setup.conf.example, and rename it to crs-setup.conf
  • The whole rules folder with all of its content, except the two exclusion-rule example files.

Once done, adapt crs-setup.conf to your needs. We recommend changing the default mode of operation from Anomaly mode to Self-contained mode. For this, comment out or remove these two lines:

SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

Then enable blocking mode by setting the default action to deny:

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

Finally, to include the rules from the rules folder, we need a new file named rules.conf, with the following content:

Include rules/REQUEST-901-INITIALIZATION.conf
Include rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
Include rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
Include rules/REQUEST-905-COMMON-EXCEPTIONS.conf
Include rules/REQUEST-910-IP-REPUTATION.conf
Include rules/REQUEST-911-METHOD-ENFORCEMENT.conf
Include rules/REQUEST-912-DOS-PROTECTION.conf
Include rules/REQUEST-913-SCANNER-DETECTION.conf
Include rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Include rules/REQUEST-921-PROTOCOL-ATTACK.conf
Include rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
Include rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
Include rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
Include rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
Include rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
Include rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
Include rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Include rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
Include rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Include rules/REQUEST-949-BLOCKING-EVALUATION.conf
Include rules/RESPONSE-950-DATA-LEAKAGES.conf
Include rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
Include rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
Include rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
Include rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
Include rules/RESPONSE-959-BLOCKING-EVALUATION.conf
Include rules/RESPONSE-980-CORRELATION.conf

At the end, the directory should have the following structure:

├── crs-setup.conf
├── modsecurity.conf
├── rules
│ ├── crawlers-user-agents.data
│ ├── iis-errors.data
│ ├── java-classes.data
│ ├── java-code-leakages.data
│ ├── java-errors.data
│ ├── lfi-os-files.data
│ ├── php-config-directives.data
│ ├── php-errors.data
│ ├── php-function-names-933150.data
│ ├── php-function-names-933151.data
│ ├── php-variables.data
│ ├── REQUEST-901-INITIALIZATION.conf
│ ├── REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
│ ├── REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
│ ├── REQUEST-905-COMMON-EXCEPTIONS.conf
│ ├── REQUEST-910-IP-REPUTATION.conf
│ ├── REQUEST-911-METHOD-ENFORCEMENT.conf
│ ├── REQUEST-912-DOS-PROTECTION.conf
│ ├── REQUEST-913-SCANNER-DETECTION.conf
│ ├── REQUEST-920-PROTOCOL-ENFORCEMENT.conf
│ ├── REQUEST-921-PROTOCOL-ATTACK.conf
│ ├── REQUEST-930-APPLICATION-ATTACK-LFI.conf
│ ├── REQUEST-931-APPLICATION-ATTACK-RFI.conf
│ ├── REQUEST-932-APPLICATION-ATTACK-RCE.conf
│ ├── REQUEST-933-APPLICATION-ATTACK-PHP.conf
│ ├── REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
│ ├── REQUEST-941-APPLICATION-ATTACK-XSS.conf
│ ├── REQUEST-942-APPLICATION-ATTACK-SQLI.conf
│ ├── REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
│ ├── REQUEST-944-APPLICATION-ATTACK-JAVA.conf
│ ├── REQUEST-949-BLOCKING-EVALUATION.conf
│ ├── RESPONSE-950-DATA-LEAKAGES.conf
│ ├── RESPONSE-951-DATA-LEAKAGES-SQL.conf
│ ├── RESPONSE-952-DATA-LEAKAGES-JAVA.conf
│ ├── RESPONSE-953-DATA-LEAKAGES-PHP.conf
│ ├── RESPONSE-954-DATA-LEAKAGES-IIS.conf
│ ├── RESPONSE-959-BLOCKING-EVALUATION.conf
│ ├── RESPONSE-980-CORRELATION.conf
│ ├── restricted-files.data
│ ├── restricted-upload.data
│ ├── scanners-headers.data
│ ├── scanners-urls.data
│ ├── scanners-user-agents.data
│ ├── scripting-user-agents.data
│ ├── sql-errors.data
│ ├── unix-shell.data
│ └── windows-powershell-commands.data
└── rules.conf