Working in IDS mode

The Nemesida WAF software can work in IDS mode, which is based on traffic mirroring. This makes it possible to train the Nemesida AI system before running Nemesida WAF in the standard (IPS) mode, to check how the system performs, and to observe attacks on the web application passively.

IDS mode is the right choice for tuning Nemesida WAF to a complex web application without the risk of false-positive blocking of site visitors. In this mode a copy of the incoming traffic is processed and the response status codes (200 or 403) are recorded, so the events needed to tune Nemesida WAF for a specific web application are registered. Illegitimate requests are not blocked.

Example of setting up IDS mode:

1. On the main server (without the Nemesida WAF module installed), configure traffic mirroring according to the guidelines of the installed web server (Nginx, Apache2, Microsoft IIS and others).

Example of an Nginx configuration for traffic mirroring

If the Nginx web server is used, make the following changes to the virtual host file:

location / {
    mirror /mirror;
    ...
}

location = /mirror {
    internal;
    proxy_pass http://nemesida_waf_server$request_uri;
}

where nemesida_waf_server is the address (or the name of an upstream group) of the server with the Nemesida WAF module installed, to which the duplicated traffic is sent. Nginx discards the response to the mirror subrequest, so the WAF server's reply never reaches the client.

2. On the server with the Nemesida WAF module installed, bring the Nginx virtual host configuration file to the following form:

server {
    listen  80;
    index   index.html;
    root    /var/www/html;
    try_files $uri $uri/ /index.html;
}

3. On the server with the Nemesida WAF module installed, create the /var/www/html directory and place an empty index.html file in it.

4. On the server with the Nemesida WAF module installed, bring the /etc/nginx/nwaf/conf/global/nwaf.conf file to the following form:

...
nwaf_limit rate=5r/m block_time=0;
...

With block_time=0, sources that exceed the rate are recorded but never banned, which is what a passive mode requires.

5. After making the changes, check the configuration with nginx -t and restart Nginx on both servers.
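The two configurations below put the steps above together into a complete pair of virtual hosts. This is an added example, not Nemesida's own documentation: the main server address 192.0.2.1, the WAF server address 192.0.2.10, the application backend at 127.0.0.1:8080 and the host name example.com are assumptions. Beyond the steps above, it defines the upstream group that the mirror location refers to, forwards the original Host header and client address (a mirror subrequest otherwise arrives at the WAF server from the main server's own IP, with Host set to the upstream name), and bounds the time spent on the mirror subrequest.

```nginx
# --- main server (no Nemesida WAF module), e.g. /etc/nginx/conf.d/site.conf ---

# Upstream group named in the mirror location; address is an assumption.
upstream nemesida_waf_server {
    server 192.0.2.10:80;
}

server {
    listen 80;
    server_name example.com;

    location / {
        mirror /mirror;
        mirror_request_body on;            # default; keeps POST bodies in the mirrored copy
        proxy_pass http://127.0.0.1:8080;  # the real application backend (assumption)
    }

    location = /mirror {
        internal;
        proxy_pass http://nemesida_waf_server$request_uri;

        # Without these the WAF server sees Host "nemesida_waf_server" and the
        # main server's IP as the client, so per-host and per-IP settings would
        # not apply to the real visitor.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # The mirror response is discarded anyway; do not let a slow WAF server
        # hold up the main server.
        proxy_connect_timeout 2s;
        proxy_read_timeout 5s;
    }
}

# --- WAF server (Nemesida WAF module loaded), e.g. /etc/nginx/conf.d/ids.conf ---

server {
    listen 80;
    server_name example.com;           # matches the Host header passed by the mirror

    # Restore the original client address from X-Real-IP so that $remote_addr is the
    # visitor, not the main server. Requires ngx_http_realip_module (included in the
    # nginx.org packages). 192.0.2.1 is the assumed main server address.
    set_real_ip_from 192.0.2.1;
    real_ip_header X-Real-IP;

    index index.html;
    root /var/www/html;                # contains an empty index.html
    try_files $uri $uri/ /index.html;
}
```

Note that Nginx does not finish with the original request until the mirror subrequest completes, so an unreachable WAF server delays the next request on the same keep-alive connection; the short timeouts in the mirror location limit that effect. The real_ip directives are standard Nginx; whether Nemesida WAF needs anything further to attribute events to the restored address should be checked in the manual.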

Working in alternative IDS mode (LM mode)

In the alternative IDS mode, suspicious requests are recorded but not blocked. It is enabled with the following options in the /etc/nginx/nwaf/conf/global/nwaf.conf file:

  • nwaf_ip_lm - pass all rule matches for a specific IP address or subnet, recording the event in the DBMS;
  • nwaf_host_lm - pass all rule matches for a specific virtual host, recording the event in the DBMS.

More information is available in the manual.