• Stars
    star
    1,334
  • Rank 35,105 (Top 0.7 %)
  • Language
    Perl
  • License
    Apache License 2.0
  • Created over 9 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

ModSecurity v3 Nginx Connector

Build Status

The ModSecurity-nginx connector is the connection point between nginx and libmodsecurity (ModSecurity v3). Said another way, this project provides a communication channel between nginx and libmodsecurity. This connector is required to use LibModSecurity with nginx.

The ModSecurity-nginx connector takes the form of an nginx module. The module simply serves as a layer of communication between nginx and ModSecurity.

Notice that this project depends on libmodsecurity rather than ModSecurity (version 2.9 or less).

What is the difference between this project and the old ModSecurity add-on for nginx?

The old version uses ModSecurity standalone, which is a wrapper for Apache internals to link ModSecurity to nginx. This current version is closer to nginx, consuming the new libmodsecurity which is no longer dependent on Apache. As a result, this current version has less dependencies, fewer bugs, and is faster. In addition, some new functionality is also provided - such as the possibility of use of global rules configuration with per directory/location customizations (e.g. SecRuleRemoveById).

Compilation

Before compile this software make sure that you have libmodsecurity installed. You can download it from the ModSecurity git repository. For information pertaining to the compilation and installation of libmodsecurity please consult the documentation provided along with it.

With libmodsecurity installed, you can proceed with the installation of the ModSecurity-nginx connector, which follows the nginx third-party module installation procedure. From the nginx source directory:

./configure --add-module=/path/to/ModSecurity-nginx

Or, to build a dynamic module:

./configure --add-dynamic-module=/path/to/ModSecurity-nginx --with-compat

Note that when building a dynamic module, your nginx source version needs to match the version of nginx you're compiling this for.

Further information about nginx third-party add-ons support are available here: http://wiki.nginx.org/3rdPartyModules

Usage

ModSecurity for nginx extends your nginx configuration directives. It adds four new directives and they are:

modsecurity

syntax: modsecurity on | off

context: http, server, location

default: off

Turns on or off ModSecurity functionality. Note that this configuration directive is no longer related to the SecRule state. Instead, it now serves solely as an nginx flag to enable or disable the module.

modsecurity_rules_file

syntax: modsecurity_rules_file <path to rules file>

context: http, server, location

default: no

Specifies the location of the modsecurity configuration file, e.g.:

server {
    modsecurity on;
    location / {
        root /var/www/html;
        modsecurity_rules_file /etc/my_modsecurity_rules.conf;
    }
}

modsecurity_rules_remote

syntax: modsecurity_rules_remote <key> <URL to rules>

context: http, server, location

default: no

Specifies from where (on the internet) a modsecurity configuration file will be downloaded. It also specifies the key that will be used to authenticate to that server:

server {
    modsecurity on;
    location / {
        root /var/www/html;
        modsecurity_rules_remote my-server-key https://my-own-server/rules/download;
    }
}

modsecurity_rules

syntax: modsecurity_rules <modsecurity rule>

context: http, server, location

default: no

Allows for the direct inclusion of a ModSecurity rule into the nginx configuration. The following example is loading rules from a file and injecting specific configurations per directory/alias:

server {
    modsecurity on;
    location / {
        root /var/www/html;
        modsecurity_rules_file /etc/my_modsecurity_rules.conf;
    }
    location /ops {
        root /var/www/html/opts;
        modsecurity_rules '
          SecRuleEngine On
          SecDebugLog /tmp/modsec_debug.log
          SecDebugLogLevel 9
          SecRuleRemoveById 10
        ';
    }
}

modsecurity_transaction_id

syntax: modsecurity_transaction_id string

context: http, server, location

default: no

Allows to pass transaction ID from nginx instead of generating it in the library. This can be useful for tracing purposes, e.g. consider this configuration:

log_format extended '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" $request_id';

server {
    server_name host1;
    modsecurity on;
    modsecurity_transaction_id "host1-$request_id";
    access_log logs/host1-access.log extended;
    error_log logs/host1-error.log;
    location / {
        ...
    }
}

server {
    server_name host2;
    modsecurity on;
    modsecurity_transaction_id "host2-$request_id";
    access_log logs/host2-access.log extended;
    error_log logs/host2-error.log;
    location / {
        ...
    }
}

Using a combination of log_format and modsecurity_transaction_id you will be able to find correlations between access log and error log entries using the same unique identificator.

String can contain variables.

Contributing

As an open source project we invite (and encourage) anyone from the community to contribute to our project. This may take the form of: new functionality, bug fixes, bug reports, beginners user support, and anything else that you are willing to help with. Thank you.

Providing Patches

We prefer to have your patch within the GitHub infrastructure to facilitate our review work, and our QA integration. GitHub provides an excellent documentation on how to perform “Pull Requests”. More information available here: https://help.github.com/articles/using-pull-requests/

Please respect the coding style in use. Pull requests can include various commits, so provide one fix or one functionality per commit. Do not change anything outside the scope of your target work (e.g. coding style in a function that you have passed by).

Don’t know where to start?

Within our code there are various items marked as TODO or FIXME that may need your attention. Check the list of items by performing a grep:

$ cd /path/to/modsecurity-nginx
$ egrep -Rin "TODO|FIXME" -R *

You may also take a look at recent bug reports and open issues to get an idea of what kind of help we are looking for.

Testing your patch

Along with the manual testing, we strongly recommend that you to use the nginx test utility to make sure that you patch does not adversely affect the behavior or performance of nginx.

The nginx tests are available on: http://hg.nginx.org/nginx-tests/

To use those tests, make sure you have the Perl utility prove (part of Perl 5) and proceed with the following commands:

$ cp /path/to/ModSecurity-nginx/tests/* /path/to/nginx/test/repository
$ cd /path/to/nginx/test/repository
$ TEST_NGINX_BINARY=/path/to/your/nginx prove .

If you are facing problems getting your added functionality to pass all the nginx tests, feel free to contact us or the nginx mailing list at: http://nginx.org/en/support.html

Debugging

We respect the nginx debugging schema. By using the configuration option "--with-debug" during the nginx configuration you will also be enabling the connector's debug messages. Core dumps and crashes are expected to be debugged in the same fashion that is used to debug nginx. For further information, please check the nginx debugging information: http://wiki.nginx.org/Debugging

Reporting Issues

If you are facing a configuration issue or if something is not working as you expect it to be, please use ModSecurity user’s mailing list. Issues on GitHub are also welcome, but we prefer to have users question on the mailing list first, where you can reach an entire community. Also don’t forget to look for an existing issue before opening a new one.

Lastly, If you are planning to open an issue on GitHub, please don’t forget to tell us the version of your libmodsecurity and the version of the nginx connector you are running.

Security issue

Please do not publicly report any security issue. Instead, contact us at: [email protected] to report the issue. Once the problem is fixed we will provide you with credit for the discovery.

Feature Request

We would love to discuss any ideas that you may have for a new feature. Please keep in mind this is a community driven project so be sure to contact the community via the mailing list to get feedback first. Alternatively, feel free to open GitHub issues requesting for new features. Before opening a new issue, please check if there is an existing feature request for the desired functionality.

Packaging

Having our packages in distros on time is something we highly desire. Let us know if there is anything we can do to facilitate your work as a packager.

More Repositories

1

ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.
C++
6,764
star
2

Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Python
4,197
star
3

owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
Perl
2,404
star
4

HostHunter

HostHunter a recon tool for discovering hostnames using OSINT techniques.
Python
890
star
5

portia

Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised.
PowerShell
497
star
6

MCIR

The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds.
PHP
435
star
7

DoHC2

DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
C#
432
star
8

scavenger

scavenger : is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.
Python
320
star
9

SharpCompile

SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon's 'execute-assembly' in seconds.
C#
288
star
10

malware-analysis

A repository of tools and scripts related to malware analysis
Ruby
236
star
11

Nmap-Tools

SpiderLabs shared Nmap Tools
Lua
227
star
12

ikeforce

Python
226
star
13

snappy

Python
219
star
14

CryptOMG

CryptOMG is a configurable CTF style test bed that highlights common flaws in cryptographic implementations.
PHP
188
star
15

jboss-autopwn

A JBoss script for obtaining remote shell access
Shell
171
star
16

cribdrag

cribdrag - an interactive crib dragging tool for cryptanalysis on ciphertext generated with reused or predictable stream cipher keys
Python
168
star
17

Airachnid-Burp-Extension

A Burp Extension to test applications for vulnerability to the Web Cache Deception attack
Java
136
star
18

beef_injection_framework

Inject beef hooks into HTTP traffic and track hooked systems from cmdline
Ruby
122
star
19

SQLol

A configurable SQL injection test-bed
PHP
121
star
20

cve_server

Simple REST-style web service for the CVE searching
Ruby
98
star
21

msfrpc

Perl/Python modules for interfacing with Metasploit MSGRPC
Python
91
star
22

ModSecurity-apache

ModSecurity v3 Apache Connector
Perl
86
star
23

IOCs-IDPS

This repository will hold PCAP IOC data related with known malware samples (owner: Bryant Smith)
84
star
24

burplay

Burplay is a Burp Extension allowing for replaying any number of requests using same modifications definition. Its main purpose is to aid in searching for Privilege Escalation issues.
Java
82
star
25

BurpNotesExtension

Burp Notes Extension is a plugin for Burp Suite that adds a Notes tab. The tool aims to better organize external files that are created during penetration testing.
Java
66
star
26

KoreLogic-Rules

Updated version of the 2010 KoreLogic password cracking rules for John the Ripper
61
star
27

thicknet

TCP session interception and injection framework
Perl
56
star
28

BlackByteDecryptor

C#
55
star
29

groupenum

Python
54
star
30

ModSecurity-log-utilities

Set of CLI tools to transform ModSecurity logs into a meaningful information, given a context.
Python
47
star
31

Firework

Firework is a proof of concept tool to interact with Microsoft Workplaces creating valid files required for the provisioning process.
Python
46
star
32

UPnP-request-generator

A tool to parse UPnP descriptor XML files and generate SOAP control requests for use with Burp Suite or netcat
PHP
45
star
33

ackack

A program to monitor network traffic and detect unauthorized sessions.
Perl
40
star
34

OWASP-CRS-Documentation

Documentation for the OWASP CRS project
Python
40
star
35

batchyDNS

A reconnaissance tool that can quickly discover hostnames from a list of IP addresses.
Perl
39
star
36

microphisher

µphisher spear phishing tool (reference implementation)
Ruby
38
star
37

deblaze

Performs method enumeration and interrogation against flash remoting end points.
Python
37
star
38

ModSecurity-status

ModSecurity status
JavaScript
34
star
39

XMLmao

A configurable XPath/XML injection testbed
PHP
33
star
40

net-tns

Net::TNS, a Ruby library for connecting to Oracle databases.
Ruby
33
star
41

deface

A Java Server Faces (JSF) testing tool for decoding view state and creating view state attack vectors.
Java
30
star
42

yara-ruby

Ruby bindings for the yara file analysis and classification library
Ruby
30
star
43

owasp-distributed-web-honeypots

Repository for the OWASP/WASC Distributed Web Honeypots Project -
Shell
28
star
44

oracle_pwd_tools

Oracle Database 12c password brute forcer
Python
27
star
45

ModSecurity-pcap

The ModSecurity Pcap Connector
C++
25
star
46

cerealbox

Arduino-based network monitor
Java
24
star
47

ModSecurity-Python-bindings

Python bindings for libModSecurity (aka ModSecurity v3)
Python
23
star
48

pingback

Python
21
star
49

modsecurity-mlogc-ng

Next generation remote logging tool for ModSecurity, supporting native and JSON format.
C
21
star
50

modsec-sdbm-util

Utility to manipulate SDBM files used by ModSecurity. With that utility it is possible to _shrink_ SDBM databases. It is also possible to list the SDBM contents with filters such as: expired or invalid items only.
C
21
star
51

XSSmh

XSSmh - A configurable Cross-Site Scripting testbed
PHP
18
star
52

advisories-poc

C
18
star
53

masher

multiple password 'asher using Python’s hashlib
Python
16
star
54

OWASP-CRS-regressions

Regression tests for OWASP CRS v3
Python
16
star
55

ShelLOL

A configurable OS shell command injection vulnerability testbed
PHP
16
star
56

secrules-language-evaluation

Set of Python scripts to perform SecRules language evaluation on a given http request.
Python
14
star
57

secrules-language-tests

Set of test cases that can be used to test custom implementations of the SecRules language (ModSecurity rules format).
Perl
12
star
58

Keystone

This repository contains the scripts released under the "Keystone Rocks" series of the SpiderLabs blog
Perl
11
star
59

nrfdump

Python script for dumping firmware from read-back protected nRF51 chips
Python
9
star
60

TWSL2011-007_iOS_code_workaround

Workaround for the vulnerability identified by TWSL2011-007 or CVE-2008-0228 - iOS x509 Certificate Chain Validation Vulnerability
Objective-C
7
star
61

json_crypto_helper

Ruby
7
star
62

Jorogumo

Red Team Stored XSS SVG phishing-companion tool with the ability to serve a malicious login page, or clone an html page and implement custom javascript. It then generates a relevant SVG.
Python
6
star
63

zpminternational

5
star
64

REvil_config

Configuration file for REvil / Kaseya July campaign
4
star
65

Misc

A repository for miscellaneous files shared by SpiderLabs
2
star
66

Scripts

Various Scripts
1
star
67

Grandoreiro-decryptor

Grandoreiro decryptor and DGA generator (26.May.2022)
Python
1
star