Managing Rules with AUM for rules only accounts

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
kirkre
Forum User
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Managing Rules with AUM for rules only accounts

Unread post by kirkre »

I'm new to AUM and used to managing rule sets manually. First question I have that I can't find the answer to, the default 00_mod_security.conf installed by AUM loads all rule sets including for instance 99_asl_a_redactor.conf, which according to the description in the WAF rule families wiki should not be loaded if you are not using ASL. Is it intended that the user must remove "*asl*.conf" from 00_mod_security.conf and instead load rules individually with rules only accounts? Since AUM is normally used with ASL this could be logical, but the documentation does not mention this that I can see.

Second question, is there any capability to exclude rule sets? I'm used to excluding individual rules via 999_user_exclude.conf, but I can't help wondering if entire rule sets/families can be excluded also in this file? Of course even if this did work it might not be a good idea if AUM is only intended to update, not manage rules on a non ASL system, but if all rule sets loaded by AUM are intended to be enabled on a system, whether ASL is present or not, then I am thinking that excluding rule sets might be better than only loading specific sets, because then AUM could load a new rule family as it was released, without manual intervention. It might be better to find out a new rule set was loaded even via a false positive, than find out after the fact that a new rule set would have protected the system! I will probably want to exclude some families either way, so if AUM is intended to manage rules, the ability to exclude entire families would be nice.

Thanks,

Kirk
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Managing Rules with AUM for rules only accounts

Unread post by mikeshinn »

Thank you for the questions.
First question I have that I can't find the answer to, the default 00_mod_security.conf installed by AUM loads all rule sets including for instance 99_asl_a_redactor.conf
It will only load the rules you've enabled in /etc/asl/config. aum copies in the rulesets you've enabled. 99_asl_a_redactor.conf, for example, is enabled by default.
which according to the description in the WAF rule families wiki should not be loaded if you are not using ASL.
Its not supported on non-ASL systems, but if your system has mod_sed installed those rules should work. If you dont have mod_sed installed, the rules dont actually load even though they may be installed. Theres internal logic in the rules to prevent them from loading if mod_sed is not available.
Is it intended that the user must remove "*asl*.conf" from 00_mod_security.conf and instead load rules individually with rules only accounts? Since AUM is normally used with ASL this could be logical, but the documentation does not mention this that I can see.
If you are using aum, no. You do not need to remove, change or add anything to the 00_mod_security.conf file. Do not modify the 00_mod_security.conf file. There is no need to do so. aum will copy in only the rulesets you have enabled. That configuration file will then load them in.
Second question, is there any capability to exclude rule sets?
Yes, change /etc/asl/config to whichever rulesets you want to include or exclude, thats all you need to do and aum will take care of it for you. Those options are documented here:

https://www.atomicorp.com/wiki/index.ph ... t_Settings

Please let us know if you have any other questions.
kirkre
Forum User
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Re: Managing Rules with AUM for rules only accounts

Unread post by kirkre »

Thanks! I knew I was missing something. Since I'm used to updating rule sets manually, I didn't realize this should be done through the config. Going over the rest of the rule sets, I have a few more questions.

00_asl_z_antievasion.conf
Since our newer mod sec version does not support this rule set as described in the family wiki, is there any reason to keep this enabled in the config? If this rule set for instance might in the future be enabled to work with newer versions I don't want to disable it, but if it will never be used, then I'd rather turn it off, just to make it easier to remember it's not in use.

MODSEC_12_ADV_XSS_RULES
This looks like it could be useful for us, but am I risking anything drastic if I turn this on? The settings wiki says this requires EL 6 and above. I guess this refers to the mod sec release version such as in 25.el6.art?

MODSEC_12_BRUTE
The family wiki says ASL is required for active response. Is there any way to get this to work outside ASL similar to loading mod sed for redactor?

MODSEC_99_SCANNER
Any way to get this to work outside ASL?

I do plan on trying ASL again when I get a chance. I haven't tried it in four years, so a lot could have changed.

Thanks again!

Kirk
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Managing Rules with AUM for rules only accounts

Unread post by mikeshinn »

00_asl_z_antievasion.conf
Since our newer mod sec version does not support this rule set as described in the family wiki, is there any reason to keep this enabled in the config? If this rule set for instance might in the future be enabled to work with newer versions I don't want to disable it, but if it will never be used, then I'd rather turn it off, just to make it easier to remember it's not in use.
Those are minimum versions required to use that ruleset. So you want to use them with newer versions. You do not want to disable this ruleset, it protects the WAF itself.
MODSEC_12_ADV_XSS_RULES
This looks like it could be useful for us, but am I risking anything drastic if I turn this on? The settings wiki says this requires EL 6 and above. I guess this refers to the mod sec release version such as in 25.el6.art?
Correct. This requires libraries that dont exist on el5, so modsecurity itself on el5 does not support this ruleset. El6 and up includes those libraries, and if modsecurity is built correctly these rules will work on el6. An rpm like this will work with those rules:

mod_security-2.9.0-25.el6.art.x86_64

"el6" means this is an rpm build for EL6 systems.
MODSEC_12_BRUTE
The family wiki says ASL is required for active response. Is there any way to get this to work outside ASL similar to loading mod sed for redactor?
No. Modsecurity has a collections system that some people have tried to use for for tracking events, but its buggy, and does not work well for brute force detection. So we do not support any of its mechanisms for accomplishing this. You need an external system to track the events over time (in some cases over hours or even days to catch "low and slow" brute force attacks, or polymorphic attackers that change IP addresses).
MODSEC_99_SCANNER
Any way to get this to work outside ASL?
This requires a bunch of external dependencies and software, so it is not supported without ASL. ASL includes this software and it is supported with ASL.
kirkre
Forum User
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Re: Managing Rules with AUM for rules only accounts

Unread post by kirkre »

Thanks Michael. I'm glad to see there is an option to upgrade from a rules account to ASL. Not only do I see more and more what ASL can do by looking at the rule sets, but when I find I am reading things backwards, I have to wonder if it's wise to configure my security solutions by hand! I will definitely take a hard look at ASL when I get a chance.

Now I discover something I never realized, the real time rules apparently include rules for clamav. I have installed clamav and clamd from the Atomic yum archive and got it working, but as far as I can see, aum is not getting rules for clam.

If I run aum -uf I get this:

Malware/Rootkit rules updates are available: 201508211303 [INFO]

If I check the time stamps in /var/clamav before and after running aum, there is no change.

It's up to me to configure clam and aum, and it's entirely possible that's where the issue lies, but if you have any suggestions I would appreciate it.

Thanks,

Kirk
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Managing Rules with AUM for rules only accounts

Unread post by mikeshinn »

With clamav this is another one of those cases with external dependencies. Without ASL, we dont have any control over clamav, and cant know for sure how its built or what version(s) are installed (you'd be surprised how many products install clamav in weird non-standard places, and do strange things to do it). So we dont install the clamav signatures, because they may not work with the version installed on the system.

With ASL, we do control all of that so we can install and manage clamav and its signatures without those risks. So on non-ASL systems you'll have to manually install the clamav signatures, and check to make sure they work with your version of clamav.
kirkre
Forum User
Forum User
Posts: 16
Joined: Mon Oct 31, 2011 5:34 am
Location: United States

Re: Managing Rules with AUM for rules only accounts

Unread post by kirkre »

Thanks, that makes sense, although I do hope aum has the capability to update clam some day, subject of course to the users setup.

I notice the rules only clam signatures license states:

The Real Time Atomic CLAMAV Signatures are licensed by the server. For each license you can also run the rules on one Development and one QA server.

Is this also true for the rules only mod security signatures? It would be nice to use this on our development server as well as the live server. The test server is not publicly accessible, so we hardly need mod security or clam, but we ideally like this server to be identical in every way to the live server. In an emergency we might switch the live site to the development server, but only one is live at a time.

Thanks,

Kirk
Post Reply