[Owasp-leaders] Adding OWASP ModSecurity CRS to OWASP Live CD

Chuck Willis chuck at securityfoundry.com
Tue Jan 24 01:26:30 UTC 2012

Another option to consider is the OWASP Broken Web Apps VM
(www.owaspbwa.org - full disclosure, I lead that project).  It has
WebGoat (and a bunch of other vulnerable web applications) already set
up, along with ModSecurity and the CRS.  The CRS rules are disabled by
default so that the applications are easily exploited.  Once the VM is
started, run owaspbwa-modsecurity-crs-block.sh (or
owaspbwa-modsecurity-crs-log.sh) to enable blocking (or logging) using
the CRS.  You can later run owaspbwa-modsecurity-crs-off.sh to disable
the rules again.

I'm realizing now that this isn't really documented anywhere.  I'll
work on correcting that.


On Sat, Jan 21, 2012 at 9:36 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> I will be giving a virtual patching training session at the AppSecDC 2012
> conf -
> https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop
> In the class, we will be front-ending WebGoat with a ModSecurity reverse
> proxy server and then attempt to virtually patch as many of the lessons as
> possible.  For the class, I was planning to use the OWASP Live CD iso image
> in VMware.  When teaching this class previously, the students then had to
> manually install Apache, ModSecurity and the OWASP ModSecurity CRS.  What I
> would rather have, is for these items to already be pre-installed on the
> OWASP Live CD image.
> I am sending this note to the leaders list as I have previously tried to
> contact the project leaders via email and the user formums -
> http://appseclive.org/content/add-modsecurity-and-owasp-crs - but have not
> gotten any responses.
> If anyone can help me get this request moving forward, it would be much
> appreciated.
> Thanks,
> Ryan Barnett
> OWASP ModSecurity Core Rule Set Project Leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list