These are the installation instructions for the downloadable rules.
You must have Nginx and libmodsecurity 3.0.3+ installed before following these directions.
Requirements:
- libmodsecurity 3.0.3+
- Valid rules subscription
Step 1) Enable the ModSecurity module in /etc/nginx/nginx.conf
load_module modules/ngx_http_modsecurity_module.so;
Step 2) Create the following directories and modify permissions
mkdir -p /etc/nginx/modsecurity
mkdir -p /var/asl/data/suspicious
mkdir -p /var/asl/data/audit
mkdir -p /var/asl/data/msa
chown -R nginx:nginx /var/asl/data/   # or www-data if your nginx user is different
chmod -R 0770 /var/asl/data/
Step 3) Download the ruleset from https://updates.atomicorp.com/channels/rules/nginx-latest/ into /etc/nginx/modsecurity
https://updates.atomicorp.com/channels/rules/nginx-latest/*
Step 4) Create the tortix_waf.conf
vi /etc/nginx/modsecurity/tortix_waf.conf
Step 5) Add the following entries to the tortix_waf.conf and save the file
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLog logs/audit_log
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecAuditLogDirMode 0770
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
Step 6) Extract the rules and add the following entries to /etc/nginx/modsecurity/modsecurity.conf
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/tortix_waf.conf;
modsecurity_rules_file /etc/nginx/modsecurity/00_asl_whitelist.conf;
modsecurity_rules_file /etc/nginx/modsecurity/00_asl_x_searchengines.conf;
modsecurity_rules_file /etc/nginx/modsecurity/00_asl_y_searchengines.conf;
modsecurity_rules_file /etc/nginx/modsecurity/00_asl_z_antievasion.conf;
modsecurity_rules_file /etc/nginx/modsecurity/00_asl_zz_strict.conf;
modsecurity_rules_file /etc/nginx/modsecurity/01_asl_content.conf;
modsecurity_rules_file /etc/nginx/modsecurity/03_asl_dos.conf;
modsecurity_rules_file /etc/nginx/modsecurity/05_asl_exclude.conf;
modsecurity_rules_file /etc/nginx/modsecurity/10_asl_rules.conf;
modsecurity_rules_file /etc/nginx/modsecurity/11_asl_data_loss.conf;
modsecurity_rules_file /etc/nginx/modsecurity/12_asl_brute.conf;
modsecurity_rules_file /etc/nginx/modsecurity/20_asl_useragents.conf;
modsecurity_rules_file /etc/nginx/modsecurity/30_asl_antispam.conf;
modsecurity_rules_file /etc/nginx/modsecurity/31_asl_urispam.conf;
modsecurity_rules_file /etc/nginx/modsecurity/50_asl_rootkits.conf;
modsecurity_rules_file /etc/nginx/modsecurity/51_asl_rootkits.conf;
modsecurity_rules_file /etc/nginx/modsecurity/60_asl_recons.conf;
modsecurity_rules_file /etc/nginx/modsecurity/61_asl_recons_dlp.conf;
modsecurity_rules_file /etc/nginx/modsecurity/98_asl_jitp.conf;
modsecurity_rules_file /etc/nginx/modsecurity/99_asl_jitp.conf;
Note: Not all rule classes are appropriate for every configuration.
Consult the WAF rule family documentation for more information.
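As an added check that is not part of Atomicorp's instructions: a small POSIX shell script to run after Step 6 and before reloading nginx. It verifies that every modsecurity_rules_file path listed in /etc/nginx/modsecurity/modsecurity.conf exists and is readable (a typo or a missing rule file otherwise surfaces only when nginx refuses to start), that the /var/asl/data directories from Step 2 exist without world permissions, and then runs nginx -t if nginx is installed. The paths are the ones used above; the function names, the --run switch and the use of GNU stat -c are my assumptions, and it assumes modsecurity.conf is included from your nginx server configuration.

```shell
#!/bin/sh
# Added example (not Atomicorp's script): pre-reload sanity checks for a
# libmodsecurity + nginx rules include. Run as: sh check_waf.sh --run

# check_rules_files CONF
# Returns 1 if any modsecurity_rules_file path in CONF is missing or unreadable.
check_rules_files() {
    conf="$1"
    missing=0
    # Pull the path out of lines such as: modsecurity_rules_file /path/x.conf;
    for f in $(sed -n 's/^[[:space:]]*modsecurity_rules_file[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable rules file: $f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_data_dirs BASE
# Returns 1 if BASE/suspicious, BASE/audit or BASE/msa is missing or grants
# any permission to "other" (the guide sets 0770). Assumes GNU stat -c '%a';
# on BSD/macOS use stat -f '%Lp' instead.
check_data_dirs() {
    base="$1"
    bad=0
    for sub in suspicious audit msa; do
        d="$base/$sub"
        if [ ! -d "$d" ]; then
            echo "missing directory: $d" >&2
            bad=$((bad + 1))
            continue
        fi
        mode=$(stat -c '%a' "$d")
        case "$mode" in
            *0) ;;   # last octal digit 0: no read/write/execute for "other"
            *) echo "world-accessible (mode $mode): $d" >&2; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# run_checks: apply both checks to the paths used in this guide, then let
# nginx validate the whole configuration if it is installed.
run_checks() {
    check_rules_files /etc/nginx/modsecurity/modsecurity.conf || return 1
    check_data_dirs /var/asl/data || return 1
    if command -v nginx >/dev/null 2>&1; then
        nginx -t
    else
        echo "nginx not found in PATH; skipping nginx -t" >&2
    fi
}

# Only run when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

A non-zero exit from either check names the offending path on stderr, so the script can sit in front of `nginx -s reload` in a deployment step; nginx -t still has the last word on syntax.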