Enforcing Security in Web App Firewalls using Wazuh Active Response

Intro

Web Application Firewalls (WAF) filter, monitor, and block HTTP traffic to a web application. They use a combination of rule-based logic and signatures to detect and prevent attacks.

  • Host-based WAF (fully integrated into an application’s software — Apache, NGINX or IIS).
  • Cloud-based WAFs, such as Cloudflare.

Build your own WAF.

WAF = Apache Reverse Proxy + ModSec + OWASP CRS
  • Apache Web Server working as a reverse proxy.
  • GeoIP integrated in Apache.
  • Anti Malbots and Bad Referrers integrated in Apache.
  • Apache ModSecurity Module: Security Engine.
  • OWASP Core Rule Set (CRS): Rule Logic and signatures.

Commercial and cloud WAF products:
  • AWS WAF.
  • Cloudflare.
  • Google Cloud Armor.
  • Trustwave.
  • F5 BIG-IP WAF.
  • Fortinet WAF.
  • Citrix WAF.
  • …

GeoIP

Install geoipupdate and the Apache MaxMind DB module:

    pkg install geoipupdate
    pkg install ap24-mod_maxminddb

GeoIP.conf (the geoipupdate configuration; fill in the account ID, license key and edition IDs from your MaxMind account):

    # GeoIP.conf file for `geoipupdate` program, for versions >= 3.1.1.
    # Used to update GeoIP databases from https://www.maxmind.com.
    # For more information about this config file, visit the docs at
    # https://dev.maxmind.com/geoip/geoipupdate/.

    # `AccountID` is from your MaxMind account.
    AccountID account_id

    # `LicenseKey` is from your MaxMind account.
    LicenseKey key

    # `EditionIDs` is from your MaxMind account.
    EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country

Download the databases and check that they are in place:

    /usr/local/bin/geoipupdate
    ls -lrt /usr/local/share/GeoIP/
    total 62058
    -rw-------  1 root  wheel         0 Dec  2 02:56 .geoipupdate.lock
    -rw-r--r--  1 root  wheel   7537328 Dec  2 02:56 GeoLite2-ASN.mmdb
    -rw-r--r--  1 root  wheel  73640335 Dec  2 02:56 GeoLite2-City.mmdb
    -rw-r--r--  1 root  wheel   6618745 Dec  2 02:56 GeoLite2-Country.mmdb

Load mod_maxminddb in the Apache configuration and export the country lookup of the client address as environment variables:

    # Third party modules
    ### maxminddb module add
    LoadModule maxminddb_module   libexec/apache24/mod_maxminddb.so
    <IfModule maxminddb_module>
        MaxMindDBEnable On
        MaxMindDBFile CITY_DB    /usr/local/share/GeoIP/GeoLite2-City.mmdb
        MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
        MaxMindDBEnv MM_CONTINENT_CODE COUNTRY_DB/continent/code
        MaxMindDBEnv MM_CONTINENT_NAME COUNTRY_DB/continent/names/en
        MaxMindDBEnv MM_COUNTRY_CODE   COUNTRY_DB/country/iso_code
        MaxMindDBEnv MM_COUNTRY_NAME   COUNTRY_DB/country/names/en
    </IfModule>

Only proxy requests that come from allowed countries. COUNTRY_CODE_1 and COUNTRY_CODE_2 are placeholders for the ISO country codes you want to allow; the SetEnvIf pattern is a regular expression, so anchor it (e.g. ^US$):

    <Proxy *>
        # One SetEnvIf per allowed country; replace the placeholders with anchored ISO codes
        SetEnvIf MM_COUNTRY_CODE COUNTRY_CODE_1 AllowedCountry
        SetEnvIf MM_COUNTRY_CODE COUNTRY_CODE_2 AllowedCountry
        # Apache 2.2-style access control: on Apache 2.4 these directives need
        # mod_access_compat loaded (the 2.4 equivalent is "Require env AllowedCountry")
        order deny,allow
        deny from all
        allow from env=AllowedCountry
    </Proxy>

Apache Reverse Proxy + ModSec + OWASP CRS

ModSec

Install mod_security and fetch the OWASP Core Rule Set:

    pkg install ap24-mod_security
    cd /usr/local/etc/modsecurity
    git clone https://github.com/coreruleset/coreruleset.git
    cd coreruleset
    cp crs-setup.conf.example /usr/local/etc/modsecurity/crs-setup.conf

Load the modules and include the ModSecurity and CRS configuration in Apache (mod_unique_id is required by mod_security2):

    LoadModule unique_id_module libexec/apache24/mod_unique_id.so
    LoadModule security2_module libexec/apache24/mod_security2.so
    Include /usr/local/etc/modsecurity/*.conf
    Include /usr/local/etc/modsecurity/coreruleset/rules/*.conf

ModSecurity engine settings: turn the engine on (blocking, not DetectionOnly), silence the debug log and raise the PCRE match limits that the CRS regular expressions need:

    SecRuleEngine On
    SecDebugLogLevel 0
    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000

Set the CRS paranoia level to 2 in crs-setup.conf:

    SecAction \
        "id:900000,\
        phase:1,\
        nolog,\
        pass,\
        t:none,\
        setvar:tx.paranoia_level=2"

Default action for rules that do not specify one: log, write the transaction to the audit log and deny the request:

    SecDefaultAction "phase:1,log,auditlog,deny"
    SecDefaultAction "phase:2,log,auditlog,deny"

Example of a CRS rule with its action set to deny. Rule 920350 rejects requests whose Host header is a bare IP address instead of a hostname:

    SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" \
        "id:920350,\
        phase:1,\
        deny,\
        t:none,\
        msg:'Host header is a numeric IP address',\
        logdata:'%{MATCHED_VAR}',\
        tag:'application-multi',\
        tag:'language-multi',\
        tag:'platform-multi',\
        tag:'attack-protocol',\
        tag:'paranoia-level/1',\
        tag:'OWASP_CRS',\
        tag:'capec/1000/210/272',\
        tag:'PCI/6.5.10',\
        ver:'OWASP_CRS/3.4.0-dev',\
        severity:'WARNING',\
        setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
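When a rule such as 920350 fires with deny, mod_security2 writes an "Access denied" entry to the Apache error log, and that entry (client address, rule id, message) is what the Wazuh agent picks up from the error log before any active response acts on the source IP. The following is an added example, not code from the post or from SOCFortress: a POSIX shell parser that pulls those fields out of such a line, so you can check what your Wazuh rules and the active response will be keyed on. The log line, the file line number and the unique_id in it are constructed sample data in the Apache 2.4 + mod_security2 format.

```shell
#!/bin/sh
# Added example (not from the original post): extract the fields Wazuh acts on
# from a ModSecurity "Access denied" entry in the Apache error log.
# SAMPLE is a constructed log line; the line number and unique_id are made up.

SAMPLE='[Thu Dec 02 03:10:15.123456 2021] [:error] [pid 1234:tid 5678] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 1). Pattern match "(?:^([\\d.]+|\\[[\\da-f:]+\\]|[\\da-f:]+)(:[\\d]+)?$)" at REQUEST_HEADERS:Host. [file "/usr/local/etc/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [data "203.0.113.10"] [severity "WARNING"] [ver "OWASP_CRS/3.4.0-dev"] [hostname "203.0.113.10"] [uri "/"] [unique_id "YakZ1wAAAEEAAAAAAAAAAA"]'

# modsec_field NAME LINE: value of the [NAME "value"] pair (the last one if NAME repeats,
# as "tag" does); prints nothing when the field is absent.
modsec_field() {
  printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# modsec_client LINE: client IPv4 address without the port. Apache 2.4 logs
# "[client ip:port]" and mod_security2 adds a port-less "[client ip]"; both forms work.
# IPv6 clients are not handled here.
modsec_client() {
  printf '%s\n' "$1" | sed -n 's/.*\[client \([0-9.]*\)\(:[0-9]*\)*\].*/\1/p'
}

# modsec_is_denial LINE: true only when ModSecurity actually blocked the request.
# Matches that do not block (DetectionOnly, or a rule with "pass") are logged as
# "ModSecurity: Warning." instead and would not justify a firewall block.
modsec_is_denial() {
  case "$1" in
    *"ModSecurity: Access denied"*) return 0 ;;
    *) return 1 ;;
  esac
}

# modsec_summary LINE: "<client> <rule id> <msg>" for denials; status 1 otherwise.
modsec_summary() {
  modsec_is_denial "$1" || return 1
  printf '%s %s %s\n' "$(modsec_client "$1")" "$(modsec_field id "$1")" "$(modsec_field msg "$1")"
}

# Run against the constructed sample when executed directly.
modsec_summary "$SAMPLE"
```

Feed real lines with something like `grep 'ModSecurity: Access denied' /var/log/httpd-error.log | while read -r l; do modsec_summary "$l"; done` (path depends on your Apache setup) to see which client addresses and rule ids the active response would be blocking, and to spot rules that are too noisy before wiring them to a firewall action.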

Wazuh Active Response + PF in action.

Kernel Filter for Blocked Requests.

/etc/pf.conf: a persistent table that Wazuh will populate, and a rule dropping inbound traffic from any address in it (vtnet0 is the interface):

    table <ossec_fwtable> persist #ossec_fwtable
    block in on vtnet0 from <ossec_fwtable>

/etc/rc.conf: enable pf and pflog:

    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"

Then start pf:

    service pf start

ossec.conf: define the pf command and bind it to Wazuh rule 30411, blocking the source IP for 600 seconds:

    <command>
      <name>pf_block_ip</name>
      <executable>pf.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <!-- WAF Active Response -->
    <active-response>
      <disabled>no</disabled>
      <command>pf_block_ip</command>
      <location>local</location>
      <timeout>600</timeout>
      <rules_id>30411</rules_id>
    </active-response>
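The command definition above refers to a pf.sh script that the post does not show. Below is an added example, not the post's or Wazuh's own script: a POSIX shell active-response script for the pf table declared in pf.conf. It assumes the legacy Wazuh argument order (ACTION USER IP ALERTID RULEID, the form that goes with `<expect>srcip</expect>`), pfctl at /sbin/pfctl and the standard active-responses.log path; PFCTL and AR_LOG are assumed environment overrides. It refuses anything that does not look like an IP address before the value reaches pfctl, and keeps the command construction in `pf_command` so it can be checked without root or a running pf.

```shell
#!/bin/sh
# Added example (not the post's or Wazuh's own pf.sh): Wazuh active-response script
# that adds/removes the offending address in the pf table used by /etc/pf.conf.
# Assumption: legacy argument order ACTION USER IP ALERTID RULEID (Wazuh < 4.2,
# the <expect>srcip</expect> style of command definition).
# Assumption: pfctl at /sbin/pfctl; PFCTL and AR_LOG can be overridden for testing.

TABLE="ossec_fwtable"
PFCTL="${PFCTL:-/sbin/pfctl}"
LOG="${AR_LOG:-/var/ossec/active-response/active-responses.log}"

# valid_ipv4 ADDR: four dot-separated decimal octets, each 0-255, nothing else.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_ip ADDR: IPv4 as above, or a plain IPv6 literal (hex digits and colons only).
valid_ip() {
  case "$1" in
    *:*) case "$1" in *[!0-9a-fA-F:]*) return 1 ;; *) return 0 ;; esac ;;
    *)   valid_ipv4 "$1" ;;
  esac
}

# pf_command ACTION IP: print the pfctl command line for add/delete; fail on bad input
# so that an unexpected srcip value can never become part of a shell command.
pf_command() {
  valid_ip "$2" || { echo "pf.sh: refusing invalid address '$2'" >&2; return 1; }
  case "$1" in
    add)    printf '%s -t %s -T add %s\n'    "$PFCTL" "$TABLE" "$2" ;;
    delete) printf '%s -t %s -T delete %s\n' "$PFCTL" "$TABLE" "$2" ;;
    *)      echo "pf.sh: unknown action '$1'" >&2; return 2 ;;
  esac
}

# main ACTION USER IP ALERTID RULEID: record the event, then apply the table change.
main() {
  cmd=$(pf_command "$1" "$3") || exit 1
  printf '%s %s %s %s %s alert:%s rule:%s\n' \
    "$(date '+%a %b %d %H:%M:%S %Z %Y')" "$0" "$1" "$2" "$3" "$4" "$5" >> "$LOG"
  # Word-splitting is safe here: every field of $cmd has been validated and has no spaces.
  $cmd
}

# Wazuh invokes the script with arguments; with none (e.g. when sourced for tests) do nothing.
if [ $# -ge 3 ]; then
  main "$@"
fi
```

With `<timeout>600</timeout>` in ossec.conf, Wazuh calls the script once with `add` and again with `delete` after 600 seconds, which is why both branches exist; the table must be declared `persist` in pf.conf (as above) so it survives with no members and pfctl can add to it.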
Wazuh Active Response after ModSec Events


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
