[Owasp-leaders] Adding OWASP ModSecurity CRS to OWASP Live CD

Brad Causey bradcausey at owasp.org
Mon Jan 23 15:21:54 UTC 2012


Sounds like your site admin sucks.




On 1/21/12, Matt Tesauro <mtesauro at gmail.com> wrote:
> Ryan,
>
> First, apologies are due you - I did see your email a while ago and meant
> to reply much sooner.  Changing jobs and generally trying to catch up on my
> life at home has left me little free time.  In all honesty, I barely kept
> up with my OWASP Board work between November and December.  Luckily my
> fellow board members didn't mind picking up my slack for a bit.  And I
> still owe Dan Cornell a reply about the Live CD as well.
>
> About the post on the AppSecLive.org site:  Apparently spammers and black
> hat SEO schmucks have figured out how to get past the CAPTCHA I was using
> and your request got buried in a ton of watch and certification cruft which
> mucked up my site.  I nuked a bunch of bogus looking users and forced admin
> approval for new users to keep them at bay. That part of the project
> also needs some attention desperately.
>
> About your class and a mod_security ISO to use in VMware:  I'd very much
> suggest you use the September 2011 release of OWASP WTE (the new name for
> the Live CD).  I have VMs already set up for VMware and VirtualBox (also
> reported to work on Parallels too).
>
> You can grab them here:
> http://appseclive.org/apt/downloads/
>   <aside> yes, I know directory indexing is on for that directory - it's
> Free and Open Source stuff for crying out loud!  ; ) </aside>
>
> Also, as luck would have it, I've agreed to do two OWASP chapter talks on
> WTE + Cloud so I'll be reviewing the .debs that make up WTE and updating
> any of them that need it in February.  If you have decent setup
> instructions for Apache + mod_security + CRS, I can probably wrap those
> into a .deb and add that to the WTE repository.
>
> Contact me off list and we can bat ideas back and forth to find something
> that works for both of us.  I'm sure we can trade war stories about getting
> a classroom of VMs up and going.
>
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
>
> On Sat, Jan 21, 2012 at 8:36 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>
>> I will be giving a virtual patching training session at the AppSecDC 2012
>> conf -
>>
>> https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop
>>
>> In the class, we will be front-ending WebGoat with a ModSecurity reverse
>> proxy server and then attempt to virtually patch as many of the lessons as
>> possible.  For the class, I was planning to use the OWASP Live CD iso image
>> in VMware.  When teaching this class previously, the students then had to
>> manually install Apache, ModSecurity and the OWASP ModSecurity CRS.  What I
>> would rather have, is for these items to already be pre-installed on the
>> OWASP Live CD image.
>>
>> I am sending this note to the leaders list as I have previously tried to
>> contact the project leaders via email and the user forums -
>> http://appseclive.org/content/add-modsecurity-and-owasp-crs - but have
>> not gotten any responses.
>>
>> If anyone can help me get this request moving forward, it would be much
>> appreciated.
>>
>> Thanks,
>> Ryan Barnett
>> OWASP ModSecurity Core Rule Set Project Leaders
>>
>>
>>
>

-- 
Sent from my mobile device

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP

http://www.owasp.org
--
"Si vis pacem, para bellum"
--

