[Owasp-leaders] Adding OWASP ModSecurity CRS to OWASP Live CD

Chuck Willis chuck at securityfoundry.com
Wed Jan 25 01:41:27 UTC 2012

The VM is running ModSecurity from the Ubuntu 10.04 LTS (lucid)
packages, which is version 2.5.11-1.  I believe that version includes
Lua support.  I looked a bit and don't see a package available to
upgrade ModSecurity to 2.6.x (without having upgrade the whole OS),
but installing from source shouldn't be too painful.  I'll put that on
my list of things to do for the 1.0 release.

The CRS is synced to the SVN server for that project.  As shipped, the
VM has somewhere around version 2.1.2, but you can update to current
by running:

svn update /owaspbwa/modsecurity-crs-svn

Let me know if you run into any issues.  I'm looking to get a 1.0
release out in the next few months.


On Mon, Jan 23, 2012 at 9:07 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> Wow, just what I needed :). Thanks Chuck!
> Do you happen to know what version of ModSecurity is installed?  Does it have Lua support?  We will need to utilize Lua scripts to try and virtually patch some issues.
> Thanks again for the info.
> Ryan
> On Jan 23, 2012, at 8:26 PM, Chuck Willis <chuck at securityfoundry.com> wrote:
>> Another option to consider is the OWASP Broken Web Apps VM
>> (www.owaspbwa.org - full disclosure, I lead that project).  It has
>> WebGoat (and a bunch of other vulnerable web applications) already set
>> up, along with ModSecurity and the CRS.  The CRS rules are disabled by
>> default so that the applications are easily exploited.  Once the VM is
>> started, run owaspbwa-modsecurity-crs-block.sh (or
>> owaspbwa-modsecurity-crs-log.sh) to enable blocking (or logging) using
>> the CRS.  You can later run owaspbwa-modsecurity-crs-off.sh to disable
>> the rules again.
>> I'm realizing now that this isn't really documented anywhere.  I'll
>> work on correcting that.
>> Chuck
>> On Sat, Jan 21, 2012 at 9:36 AM, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>>> I will be giving a virtual patching training session at the AppSecDC 2012
>>> conf -
>>> https://www.owasp.org/index.php/OWASP_AppSec_DC_2012/Training/Virtual_Patching_Workshop
>>> In the class, we will be front-ending WebGoat with a ModSecurity reverse
>>> proxy server and then attempt to virtually patch as many of the lessons as
>>> possible.  For the class, I was planning to use the OWASP Live CD iso image
>>> in VMware.  When teaching this class previously, the students then had to
>>> manually install Apache, ModSecurity and the OWASP ModSecurity CRS.  What I
>>> would rather have, is for these items to already be pre-installed on the
>>> OWASP Live CD image.
>>> I am sending this note to the leaders list as I have previously tried to
>>> contact the project leaders via email and the user formums -
>>> http://appseclive.org/content/add-modsecurity-and-owasp-crs - but have not
>>> gotten any responses.
>>> If anyone can help me get this request moving forward, it would be much
>>> appreciated.
>>> Thanks,
>>> Ryan Barnett
>>> OWASP ModSecurity Core Rule Set Project Leaders
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list