[Owasp-leaders] Adding OWASP ModSecurity CRS to OWASP Live CD

Ryan Barnett ryan.barnett at owasp.org
Tue Jan 24 02:07:55 UTC 2012

Wow, just what I needed :). Thanks Chuck!

Do you happen to know what version of ModSecurity is installed?  Does it have Lua support?  We will need to utilize Lua scripts to try and virtually patch some issues. 

Thanks again for the info. 


On Jan 23, 2012, at 8:26 PM, Chuck Willis <chuck at securityfoundry.com> wrote:

> Another option to consider is the OWASP Broken Web Apps VM
> (www.owaspbwa.org - full disclosure, I lead that project).  It has
> WebGoat (and a bunch of other vulnerable web applications) already set
> up, along with ModSecurity and the CRS.  The CRS rules are disabled by
> default so that the applications are easily exploited.  Once the VM is
> started, run owaspbwa-modsecurity-crs-block.sh (or
> owaspbwa-modsecurity-crs-log.sh) to enable blocking (or logging) using
> the CRS.  You can later run owaspbwa-modsecurity-crs-off.sh to disable
> the rules again.
> I'm realizing now that this isn't really documented anywhere.  I'll
> work on correcting that.
> Chuck
> On Sat, Jan 21, 2012 at 9:36 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> I will be giving a virtual patching training session at the AppSecDC 2012
>> conf -
>> https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop
>> In the class, we will be front-ending WebGoat with a ModSecurity reverse
>> proxy server and then attempt to virtually patch as many of the lessons as
>> possible.  For the class, I was planning to use the OWASP Live CD iso image
>> in VMware.  When teaching this class previously, the students then had to
>> manually install Apache, ModSecurity and the OWASP ModSecurity CRS.  What I
>> would rather have, is for these items to already be pre-installed on the
>> OWASP Live CD image.
>> I am sending this note to the leaders list as I have previously tried to
>> contact the project leaders via email and the user formums -
>> http://appseclive.org/content/add-modsecurity-and-owasp-crs - but have not
>> gotten any responses.
>> If anyone can help me get this request moving forward, it would be much
>> appreciated.
>> Thanks,
>> Ryan Barnett
>> OWASP ModSecurity Core Rule Set Project Leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list