[Owasp-leaders] Adding OWASP ModSecurity CRS to OWASP Live CD

Matt Tesauro mtesauro at gmail.com
Sun Jan 22 03:38:17 UTC 2012


First, apologies are due you - I did see your email a while ago and meant
to reply much sooner.  Changing jobs and generally trying to catch up on my
life at home has left me little free time.  In all honesty, I barely kept
up with my OWASP Board work between November and December.  Luckily my
fellow board members didn't mind picking up my slack for a bit.  And I
still owe Dan Cornell a reply about the Live CD as well.

About the post on the AppSecLive.org site:  Apparently spammer and black
hat SEO schmucks have figured out how to get past the CAPTCHA I was using
and your request got buried in a ton of watch and certification cruft which
mucked up my site.  I nuked a bunch of bogus looking users and forced admin
approval for new users to keep them at bay. That part of the project is
also needs some attention desperately.

About your class and a mod_security ISO to use in VMware:  I'd very much
suggest you use the September 2011 release of OWASP WTE (the new name for
the Live CD).  I have VMs already setup for VMware and Virtualbox (also
reported to work on Parallels too).

You can grab them here:
  <aside> yes, I know directory indexing is on for that directory - its
Free and Open Source stuff for crying out loud!  ; ) </aside>

Also, as luck would have it, I've agreed to do two OWASP chapter talks on
WTE + Cloud so I'll be reviewing the .debs that make up WTE and updating
any of them that need it in February.  If you have decent setup
instructions for Apache + mod_security + CRS, I can probably wrap those
into a .deb and add that to the WTE repository.

Contact me off list and we can bat ideas back and forth to find something
that works for both of us.  I'm sure we can trade war stories about getting
a classroom of VMs up and going.


-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site

On Sat, Jan 21, 2012 at 8:36 AM, Ryan Barnett <ryan.barnett at owasp.org>wrote:

> I will be giving a virtual patching training session at the AppSecDC 2012
> conf -
> https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop
> In the class, we will be front-ending WebGoat with a ModSecurity reverse
> proxy server and then attempt to virtually patch as many of the lessons as
> possible.  For the class, I was planning to use the OWASP Live CD iso image
> in VMware.  When teaching this class previously, the students then had to
> manually install Apache, ModSecurity and the OWASP ModSecurity CRS.  What I
> would rather have, is for these items to already be pre-installed on the
> OWASP Live CD image.
> I am sending this note to the leaders list as I have previously tried to
> contact the project leaders via email and the user formums -
> http://appseclive.org/content/add-modsecurity-and-owasp-crs - but have
> not gotten any responses.
> If anyone can help me get this request moving forward, it would be much
> appreciated.
> Thanks,
> Ryan Barnett
> OWASP ModSecurity Core Rule Set Project Leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120121/1264929b/attachment.html>

More information about the OWASP-Leaders mailing list