The installation and setup guide of the Nemesida WAF software main components.

General information

The Nemesida WAF software includes the following modules: Nemesida WAF, Nemesida AI and Nemesida WAF Scanner.

All servers in which the Nemesida WAF modules are installed must allow access to nemesida-security.com:443 for WAF operation.

By default, Nemesida WAF does not transfer confidential information outside of self-hosted infrastructure.

The software Nemesida WAF is intended for use on a server that has the following technical characteristics:
– CPU: Intel Core i3 or higher;
– RAM: 2 GB for the server with the installed Nemesida WAF and 32 GB for the server with the installed Nemesida AI MLC;
– available disk space: 5 GB.

The domain name example.com together with the subdomains in the guide is used as an example. The domain name *.example.com includes the domain and its subdomains.

The Nemesida WAF software packages description
nwaf-dyn – a package with the Nemesida WAF dynamic module for the «nginx» software and Nemesida AI MLA, an agent for processing behavioral models.
nwaf-mlc – a package with the Nemesida AI MLC machine learning module designed to build behavioral models and identify other anomalies (for example, brute force attacks).
nwaf-scanner – Nemesida WAF Scanner, a vulnerability scanner.

It is prohibited to use one license key on two or more instances of the “nwaf-dyn” component.

Before installing the Nemesida WAF, add the repository information to the system.

Debian 9:

# apt install apt-transport-https
# echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade

Ubuntu 18.04:

# apt install apt-transport-https
# echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade

CentOS 7:

Create the file /etc/yum.repos.d/NemesidaWAF.repo with the following repository information:

[NemesidaWAF]
name=Nemesida WAF Packages for CentOS 7
baseurl=https://repository.pentestit.ru/nw/centos/7/$basearch
gpgkey=https://repository.pentestit.ru/nw/gpg.key
enabled=1
gpgcheck=1

Connect the additional (EPEL) repository that provides the required dependencies:

# yum install epel-release

RabbitMQ software settings

The module is not used in Nemesida WAF Free.

RabbitMQ is used for interaction between modules Nemesida WAF and Nemesida AI MLC (detection of anomalies and brute-force attacks, traffic collection, behavioral modeling). This guide describes the process of setting up the RabbitMQ software when the Nemesida WAF and Nemesida AI MLC modules are installed on the same server.

RabbitMQ software must be located on every server where the Nemesida WAF or Nemesida AI MLC modules are installed.

1. Install the package:

Debian 9, Ubuntu 18.04:

# apt install rabbitmq-server

CentOS 7:

# yum install rabbitmq-server

2. Edit the file /etc/rabbitmq/rabbitmq.config:

[
    {rabbitmq_management, [
        {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
    ]},
    {kernel, [
        {inet_dist_use_interface,{127,0,0,1}}
    ]}
].

3. Edit the file /etc/rabbitmq/rabbitmq-env.conf:

export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1

4. Complete the «RabbitMQ» software setup:

# chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config
# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Installing Nemesida WAF

The Nemesida WAF dynamic module is available for stable versions of the «nginx» software starting with 1.12.

Debian 9:

Add the «nginx» repository and make the installation:

# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install nginx
# apt install librabbitmq4 libcurl4-openssl-dev python-pip gcc libc6-dev python-dev python-setuptools python-levenshtein dmidecode
# pip2 install pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch
# apt install nwaf-dyn-1.14

Ubuntu 18.04:

Add the «nginx» repository and make the installation:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install nginx
# apt install librabbitmq4 libcurl4-openssl-dev python-pip gcc libc6-dev python-dev python-setuptools python-levenshtein dmidecode
# pip2 install pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch
# apt install nwaf-dyn-1.14

CentOS 7:

Create a repository file /etc/yum.repos.d/nginx.repo as follows and make the installation:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

# yum update
# yum install nginx
# yum install python2-pip python-devel gcc libcurl-devel openssl python-Levenshtein dmidecode
# pip2 install pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch
# yum install nwaf-dyn-1.14

In all three cases «1.14» is the version of the installed «nginx» software. For example, the «nwaf-dyn-1.12» dynamic module package is designed to work with «nginx» version 1.12.

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Add the path to the Nemesida WAF dynamic module and bring the parameters below in the /etc/nginx/nginx.conf configuration file to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
...
    ##
    # Nemesida WAF
    ##

    ## Request body too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    include /etc/nginx/nwaf/conf/vhosts/*.conf;
...
}

Setting up the Nemesida WAF module

/etc/nginx/nwaf/conf/global/nwaf.conf – the main configuration file of the Nemesida WAF module.

Parameters nwaf.conf for Nemesida WAF Free

For Nemesida WAF Free use the default value of the license key parameter (nwaf_license_key none;) in file nwaf.conf.

To update signatures, provide access to https://nemesida-security.com. When using a proxy server, specify it in the sys_proxy option of the nwaf_api_conf parameter (for example, sys_proxy=proxy.example.com:3128).

Parameters of nwaf.conf (parameter name followed by the description of the parameter):
nwaf_license_key
The parameter that sets the Nemesida WAF license key. The key is also used by the Nemesida AI and Nemesida WAF Scanner modules if they are located on the same server.
If an invalid license key is specified (including the default value none), Nemesida WAF continues working with the Nemesida WAF Free functionality.
nwaf_limit
Sets the limit of blocked requests; when it is exceeded, the IP address is blocked for the time (in seconds) specified in the block_time option. To set the limit for a specific domain, use the form nwaf_limit rate=... block_time=... domain=example.com;. The domain option accepts a wildcard value.
nwaf_api_conf
Set up interaction with the Nemesida WAF API and other related parameters, where:

host is the address of the Nemesida WAF API server for sending information about the attacks, the results of the Nemesida WAF Scanner and Nemesida AI. To use the cloud personal account, use the host=https://nemesida-security.com. With the host=none option, no data will be transferred to the API.

store_count is an option that determines the number of records, upon reaching which events will be sent to the Nemesida WAF API.

delay_time is the period of time after which the events will be forcibly sent to the Nemesida WAF API.

api_proxy is the proxy server address for accessing the Nemesida WAF API.
Example: api_proxy=proxy.example.com:3128.

sys_proxy is the proxy server address for checking the validity period of the Nemesida WAF license key and for accessing the Nemesida WAF Cabinet and the Nemesida WAF service API (obtaining signatures, behavioral models, etc.).
Example: sys_proxy=proxy.example.com:3128.

nwaf_mla
Settings of interaction with the Nemesida AI module, where:
3000 is the maximum waiting time for a response from the Nemesida AI MLA module in milliseconds, after which Nemesida WAF will make a decision based on signature analysis,
mla_score – threshold option, upon reaching which the decision to block the request is transmitted to the Nemesida AI MLA module.

For some signatures, the flag of forced blocking of the request is set without sending to the Nemesida AI MLA module.

nwaf_rmq
Configuring the interaction subsystem with Nemesida AI using RabbitMQ software.

The ai_extra option is responsible for additional processing of the query analysis results from the Nemesida AI MLC module. Processing of the results (anomalies) received from Nemesida AI MLC occurs without direct intervention in the request (the request is not blocked), but it allows detecting missed attacks and temporarily blocking their source by IP address.

The ai_extra option can take the following values:

off – with this value, attacks detected by the Nemesida AI MLC module are ignored;

on – with this value, attacks detected by the Nemesida AI MLC module are recorded, and the rate counter from the nwaf_limit parameter for the IP address is decremented. When the counter reaches zero, the address is blocked for the period specified in the block_time option.

lm – with this value, attacks detected by the Nemesida AI MLC module are recorded, but the counter from the nwaf_limit parameter for the IP address is not decremented (LM mode), that is, the address is not blocked.

Regardless of the use of the ai_extra option, with the nwaf_rmq brute-force parameter active, the attacks detected by the Nemesida AI MLC module will be blocked.

nwaf_clamav
Transferring the contents of files from POST requests to the ClamAV module. To send the entire POST request, remove the FILE_ONLY option.
nwaf_ip_wl
Deactivation of the request analysis mechanism of the Nemesida WAF software for a specific IP address or subnet. With the parameter nwaf_ip_wl x.x.x.x domain=example.com; the analysis mechanism is deactivated only when the specified IP address accesses the specified virtual host. The domain option accepts a wildcard value.

To reduce false positives, it is recommended to add the static IP addresses of specialized users (administrators, content managers, editors) to the nwaf_ip_wl or nwaf_ip_lm parameter.

nwaf_ip_lm
Configures skipping all rule matches for a specific IP address or subnet, with the event recorded in the DBMS (IDS mode). With nwaf_ip_lm x.x.x.x domain=example.com; the rules are skipped only when the specified IP address accesses the specified domain. The domain option accepts a wildcard value.
nwaf_host_lm
Configures skipping all rule matches for a specific virtual host, with the event recorded in the DBMS (IDS mode). With nwaf_host_lm *; the rules are skipped for all virtual hosts.
nwaf_clamav_wl
Configures the blocking exclusion list for the contents of the request body or uploaded file by its md5 sum (the md5 sum is written to the error.log of the «nginx» software).
Blocking example:
Nemesida WAF: blocked by ClamAV, stream: Eicar-Test-Signature FOUND, md5: 44d88612fea8a8f36de82e1278abb02f, ....
Example of an exclusion rule for this blocking:
nwaf_clamav_wl 44d88612fea8a8f36de82e1278abb02f;
nwaf_log_mr_all;
Activates recording of information about all matched blocking rules (attack signatures) in the «nginx» software error log. By default, the parameter is deactivated (commented out). When the parameter is deactivated, only the signature that led to blocking the request, or to recording the signature without blocking (in «LM» mode), is written to the «nginx» error log.

After making changes, reboot the server or restart the services and check their status:

# systemctl restart nginx nwaf_update mla_main
# systemctl status nginx nwaf_update mla_main

The nwaf_update service is responsible for obtaining the signatures of the Nemesida WAF module (/etc/nginx/nwaf/rules.bin). To test the signature method of detecting attacks, when sending a request to http://YOUR_SERVER/nwaftest, the server must return a 403 response code.

The Nemesida WAF module processes only the request transmitted to the final application. If the settings of the «nginx» software prevent the transmission of calls (returning, for example, a 301 or 403 response code), such requests will not be processed by the Nemesida WAF module.
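
The nwaf_limit and ai_extra parameters above interact through one per-IP counter. The following Python model is an added illustration and not Nemesida WAF code: it reproduces only the documented behaviour (blocked requests counted per IP, blocking for block_time seconds, and the off / on / lm values of ai_extra) so that a configuration can be reasoned about before it is applied. The class and function names are this example's own, and treating "r/m" as a 60-second window and "r/s" as a 1-second window is an assumption of the model.

```python
"""Model of the nwaf_limit / ai_extra blocking semantics described in this guide.

Added illustration, not Nemesida WAF code: it reproduces the documented
behaviour (a per-IP counter of blocked requests, block_time, and the
off / on / lm values of ai_extra). Treating "r/m" as a 60-second window and
"r/s" as a 1-second window is an assumption of this model.
"""
import re
from collections import defaultdict


def parse_nwaf_limit(directive):
    """Parse 'nwaf_limit rate=5r/m block_time=600;' into (rate, window_s, block_time_s)."""
    m = re.search(r"rate=(\d+)r/([sm])", directive)
    if not m:
        raise ValueError("no rate=Nr/s or rate=Nr/m in directive: %r" % directive)
    rate, unit = int(m.group(1)), m.group(2)
    window = 1 if unit == "s" else 60          # assumed window sizes
    bt = re.search(r"block_time=(\d+)", directive)
    block_time = int(bt.group(1)) if bt else 0
    return rate, window, block_time


class LimitModel:
    def __init__(self, directive, ai_extra="on"):
        if ai_extra not in ("off", "on", "lm"):
            raise ValueError("ai_extra must be off, on or lm")
        self.rate, self.window, self.block_time = parse_nwaf_limit(directive)
        self.ai_extra = ai_extra
        self.events = defaultdict(list)   # ip -> timestamps that consumed the rate counter
        self.recorded = defaultdict(int)  # ip -> anomalies recorded without blocking (lm)
        self.blocked_until = {}           # ip -> time at which the block expires

    def _consume(self, ip, now):
        """Count one event against the IP; block once the window holds `rate` events."""
        hits = [t for t in self.events[ip] if now - t < self.window]
        hits.append(now)
        if len(hits) >= self.rate:
            # block_time=0 (as in IDS mode) records the event but never blocks
            self.blocked_until[ip] = now + self.block_time
            hits = []
        self.events[ip] = hits
        return self.is_blocked(ip, now)

    def signature_block(self, ip, now):
        """A request rejected by signature analysis always counts against the limit."""
        return self._consume(ip, now)

    def mlc_anomaly(self, ip, now):
        """An anomaly reported by Nemesida AI MLC is handled according to ai_extra."""
        if self.ai_extra == "off":      # attacks from MLC are ignored
            return False
        if self.ai_extra == "lm":       # recorded, counter untouched, no blocking
            self.recorded[ip] += 1
            return False
        return self._consume(ip, now)   # on: counter decremented, block at zero

    def is_blocked(self, ip, now):
        """True while the block for the IP has not expired."""
        return self.blocked_until.get(ip, 0) > now


if __name__ == "__main__":
    # constructed sample: five MLC anomalies from one address within one minute
    model = LimitModel("nwaf_limit rate=5r/m block_time=600;", ai_extra="on")
    for t in range(5):
        print(t, model.mlc_anomaly("198.51.100.7", t))
```

Running the block prints False for the first four anomalies and True for the fifth, after which the address stays blocked until second 604. With ai_extra lm the same anomalies are only counted in recorded, and with block_time=0 the counter fills but no block is ever applied, which is the IDS-mode setting shown later in this guide.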

Setting up the Nemesida AI module

The module is not used in Nemesida WAF Free.

The Nemesida AI module consists of the Nemesida AI MLA module (included in the installation package of the Nemesida WAF module) and the Nemesida AI MLC module, which can operate in combined mode (both modules operate on the same server) or distributed mode (Nemesida AI MLC operates on a dedicated server). The distributed mode of the Nemesida AI module is designed to save hardware resources, for example in cluster interaction (several servers with the Nemesida WAF software installed use a common server with the Nemesida AI MLC module installed).

Nemesida AI MLA

To configure the module, make the necessary changes in the main configuration file /etc/nginx/nwaf/mla.conf.

mla.conf
Default parameter
Parameter description

[main]
Section responsible for the general settings Nemesida AI MLA.
tcp_socket
IP address and port used for interaction with Nemesida WAF.

[mgmt]
Section responsible for interaction with the management console Nemesida AI.
send_attacks
Sending disputed requests to the Nemesida WAF Signtest server for post-processing.

Disputed requests are defined as follows:
– if the signature analysis determined the request as illegitimate, and the Nemesida AI MLA module determined it as legitimate;
– if the signature analysis determined the request as legitimate, and the Nemesida AI MLA module determined it as illegitimate.

st_uri
Server URI for sending data to the Nemesida AI results processing server.

[api]
Section responsible for setting up interaction with the local API Nemesida WAF.
cab_status_post
Nemesida WAF API URL. With cab_status_post = none, no data will be sent to the API.

Nemesida AI MLC

Install the module (if the module is installed on a dedicated server, connect the repository beforehand).

Debian 9, Ubuntu 18.04:

# apt install python-pip gcc libc6-dev python-dev python-setuptools python-levenshtein dmidecode
# pip2 install pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config
# apt install nwaf-mlc

CentOS 7:

# yum install python2-pip gcc python-devel python-setuptools python-Levenshtein dmidecode
# pip2 install pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config
# yum install nwaf-mlc

Regardless of the operation mode, install the RabbitMQ software on the server with the MLC module installed.

The Nemesida AI MLC module collects requests for three days for training; after that, the building of behavioral models starts.

To configure the module, make the necessary changes to the configuration file /opt/mlc/mlc.conf.

mlc.conf to operate in normal mode
Default parameter
Parameter description

[main]
Section responsible for the general settings of Nemesida AI MLC.
vhosts_list
A list of domain names used as virtual hosts for which behavioral models need to be created («*» means all domain names). For example: vhosts_list = example.com, 1.example.com, 2.example.com,*.
ai_extra
Activation or deactivation of the additional request analysis functionality, which allows detecting missed attacks and temporarily blocking their source by IP address. The reaction to a detected attack depends on the ai_extra setting in the nwaf.conf file.
uri_list
The parameter that determines the path by which the Nemesida AI MLC module will create and update (as new data is received) the sitemap file (sitemap), which will later be used by the Nemesida WAF Scanner module. To deactivate this functionality, you must delete or comment out the line with the parameter.
nwaf_license_key
Sets the Nemesida WAF license key on a dedicated server. Do not use this setting if the module runs on the same server as Nemesida WAF or in Multipoint Mode. Example: key = 1234567890.

[run]
Section responsible for the parameters of the connection to RabbitMQ local server.
rmq_host = username:password@mlc_remote_server
Settings for the connection with the local service RabbitMQ

[proxy]
Section responsible for the settings of the connection to proxy server.
sys_proxy
api_proxy
Settings of the connection to proxy server, where:
sys_proxy – proxy server address for requests to nemesida-security.com:443 (license key check, loading of behavioral models). For example: sys_proxy = proxy.example.com:3128.
api_proxy – proxy server address for request to «Nemesida WAF API» and Nemesida WAF Signtest. For example: api_proxy = proxy.example.com:3128.
If the parameters have no values, the module will try to use the parameters from the nwaf.conf file.

[trunk]
Section is responsible for transmitting traffic to a remote server for the purpose of further analysis and building behavioral models. To use this functionality, please contact technical support.
send_data
Activation of the mechanism for transmitting the analyzed traffic to the Nemesida WAF MLS server. By default, the functionality is deactivated.

[mtp]
Section responsible for the settings of the «Point-to-Multipoint» mode. This mode saves hardware resources: one server with Nemesida AI MLC installed interacts with many servers with the Nemesida WAF modules installed.
mtp_multiblock
Activation or deactivation of transmitting information about detected brute-force attacks, and about attacks detected by the additional analysis subsystem, to all Nemesida WAF modules.
mtp_conf_1
mtp_conf_2
Settings for connecting to remote RabbitMQ services. Use the postfix _X (where «X» is the numerical identifier of each RabbitMQ service instance) to work with several instances of the service.
Parameter directives:
rmq_user:rmq_password@remotehost – login, password and connection address of the remote RabbitMQ service;
lickey – Nemesida WAF license key from the nwaf_license_key setting in the nwaf.conf file.
The list of domain names used as virtual hosts (for which behavioral models are to be created) is taken from the vhosts_list setting.

[brute]
The section responsible for the brute-force detection function. Values are examined in the ARGS and/or BODY zones.
brute_enable
Activation / deactivation of the functional.
brute_wl
The parameter that allows you to deactivate the brute-force attack detection functionality for specific virtual hosts.
Examples:
brute_wl = example.com – deactivation of the functional for example.com;
brute_wl = example.com, m.example.com – deactivation of functionality for example.com and m.example.com;
brute_wl = example.com, *.example.com – deactivation of the functionality for example.com and its subdomains.
intervale
The time interval of the segment (window) during which the analysis of requests is performed.
max_val
The number of requests that, when reached, block the source(s) of the attack.
similarity
A measure of the proximity of requests in percent.
mconf
File for manually entering the authorization form information of the protected web application, used to block brute-force attacks.
For example:
urilist :
[
  {
    vhost : 'example.com'
    uri   : '/login.php'
    type  : 'POST'
  }
  {
    vhost : '*.example.com'
    uri   : '/new-login.php'
    type  : 'POST'
  }
  {
    vhost : '*.example.com'
    uri   : '/new-login.php'
    type  : 'GET,POST'
  }
]
aconf
File generated by the Nemesida WAF Scanner module that contains the authorization forms of the protected web application used to block brute-force attacks (the Nemesida WAF Scanner must be installed on the current server).
distributed
Protection against distributed brute-force attacks (disabled by default). With the value distributed = false, attack detection is calculated for a single IP address.

[mgmt]
Section responsible for the interaction with the Nemesida AI management console.
send_attacks
Sending disputed requests received from the Nemesida WAF module via RabbitMQ to the Nemesida WAF Signtest server for post-processing. Disputed requests are defined as follows:
– if the signature analysis determined the request as illegitimate, and the Nemesida AI MLA module determined it as legitimate;
– if the signature analysis determined the request as legitimate, and the Nemesida AI MLA module determined it as illegitimate.
send_stat
stat_int
Parameters for sending statistics on the operation of Nemesida AI.
st_uri
The URI of the Nemesida WAF Signtest server for sending disputed requests. When using the local version of Nemesida WAF Signtest, change the URI in this parameter.

[api]
Section responsible for setting up interaction with the local Nemesida WAF API.
learn_status
The address of the Nemesida WAF API for sending information about the training status of models. With learn_status = none, the information is not sent.

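
The [brute] parameters (interval, max_val, similarity, distributed) and the mconf / aconf list of authorization URIs describe a windowed detector. The following Python model is an added illustration, not Nemesida AI MLC code, showing how those parameters combine: requests to a listed authorization URI are grouped into series within interval seconds, a request joins a series when its ARGS/BODY string is at least similarity percent close to the series' first request, and the source IP (or, with distributed enabled, all IPs of the series) is reported for blocking when max_val is reached. The similarity measure (difflib ratio in percent), the series-building logic and all names in the block are assumptions of this example; the page does not describe the product's own measure.

```python
"""Model of the [brute] section parameters of mlc.conf.

Added illustration, not Nemesida AI MLC code. The similarity measure
(difflib ratio of the ARGS/BODY string, in percent) and the series-building
logic are assumptions of this example.
"""
import difflib
import fnmatch
from collections import namedtuple

# one observed request: timestamp (s), source IP, virtual host, URI, method, ARGS/BODY string
Request = namedtuple("Request", "ts ip vhost uri method body")


def similarity_pct(a, b):
    """Closeness of two ARGS/BODY strings in percent (0..100)."""
    return 100.0 * difflib.SequenceMatcher(None, a, b).ratio()


class BruteDetector:
    def __init__(self, interval, max_val, similarity, distributed=False,
                 urilist=(("example.com", "/login.php", "POST"),)):
        self.interval = interval        # analysis window (seconds)
        self.max_val = max_val          # requests in one window that trigger blocking
        self.similarity = similarity    # minimum closeness (percent) to join a series
        self.distributed = distributed  # True: a series may span several source IPs
        self.urilist = urilist          # (vhost, uri, methods) entries as in mconf
        self.series = []                # candidate brute-force series

    def _protected(self, r):
        """Is the request aimed at one of the listed authorization URIs?"""
        for vhost, uri, methods in self.urilist:
            if r.uri == uri and r.method in methods.split(",") and fnmatch.fnmatch(r.vhost, vhost):
                return True
        return False

    def observe(self, r):
        """Feed one request; return the set of IPs to block (empty when none)."""
        if not self._protected(r):
            return set()
        for s in self.series:
            if not self.distributed and s["ip"] != r.ip:
                continue
            if similarity_pct(s["first"].body, r.body) < self.similarity:
                continue
            # keep only the requests that fall inside the current window
            s["members"] = [m for m in s["members"] if r.ts - m.ts <= self.interval]
            s["members"].append(r)
            if len(s["members"]) >= self.max_val:
                blocked = {m.ip for m in s["members"]}
                s["members"] = []
                return blocked
            return set()
        self.series.append({"ip": r.ip, "first": r, "members": [r]})
        return set()


if __name__ == "__main__":
    det = BruteDetector(interval=60, max_val=5, similarity=80)
    # constructed sample: six password attempts from one address within a minute
    for i in range(6):
        hit = det.observe(Request(i, "198.51.100.7", "example.com", "/login.php", "POST",
                                  "login=admin&password=pass%d" % i))
        if hit:
            print("block", sorted(hit))
```

The same five attempts spread 100 seconds apart never fill a 60-second window, and five single attempts from five different addresses are reported only when distributed is enabled, which is exactly the distinction the distributed parameter draws.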
Using Multipoint Mode

Nemesida AI MLC requires 32 GB of free RAM. If you use several servers with the Nemesida WAF module, you can save hardware resources by using the «Point-to-Multipoint» scheme (one server with the Nemesida AI MLC module installed interacts with the servers with the Nemesida WAF module installed).

Components used in Multipoint Mode:
- servers with Nemesida WAF and RabbitMQ installed, with 2-4 GB of RAM each;
- servers with Nemesida AI MLA and RabbitMQ installed, with 2-4 GB of RAM each;

On the server with installed Nemesida WAF

- Create a RabbitMQ service user:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

- Change the configuration file /etc/rabbitmq/rabbitmq.config:

[
    {rabbitmq_management, [
        {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
    ]},
    {kernel, [
        {inet_dist_use_interface,{127,0,0,1}}
    ]}
].

- Change the configuration file /etc/rabbitmq/rabbitmq-env.conf:

NODE_PORT=5672
export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=0.0.0.0
export ERL_EPMD_ADDRESS=127.0.0.1

- Permit access from the server where Nemesida AI MLC is installed to port 5672 (TCP).
- Complete the RabbitMQ settings:

# chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config
# service rabbitmq-server restart

On the server with installed Nemesida AI MLC

- Change the configuration file /opt/mlc/mlc.conf (including the [mtp] section settings) and restart the service:

# service mlc_main restart
# service mlc_main status

In this mode, Nemesida AI MLC collects requests through the RabbitMQ services and trains the models in the same way as in normal mode.

Using the Nemesida AI cloud server

The cloud server Nemesida AI, located in the Pentestit infrastructure, is designed to generate behavioral models based on a copy of traffic received from remote servers. The cloud server is used in cases when the user of the Nemesida WAF software does not have enough RAM for the Nemesida AI MLC module (it requires up to 32 GB). To use the capabilities of the cloud server Nemesida AI, contact technical support.

After making the changes, restart the service:

# service mlc_main restart
# service mlc_main status

Models retraining

To improve the accuracy of attack detection, it is recommended to retrain the models once a week. To do this, add the «^» symbol to the virtual host name. For example: vhosts_list = *^, or vhosts_list = example.com^.

Restart the service after changes:

# service mlc_main restart

Nemesida WAF Scanner

The module isn’t used in Nemesida WAF Free.

The Nemesida WAF Scanner module is designed to detect web vulnerabilities in protected web applications. Information about detected vulnerabilities is available in your account.

Before installing and using the Nemesida WAF Scanner, read the documentation carefully.

During its operation the module makes requests to nemesida-security.com to obtain information about vulnerabilities via the Nemesida Vulnerability API and transmits information about detected vulnerabilities to your account via the Nemesida WAF API.

Information transmitted by the Nemesida WAF Scanner when accessing the Nemesida Vulnerability API can be transferred to third-party vulnerability databases.

Module installation on the server:

Debian 9, Ubuntu 18.04:

# apt install python3-bs4 python3-yaml python3-pip
# apt install nwaf-scanner

CentOS 7:

# yum install python34 python34-pip python34-requests python34-PyYAML
# yum install nwaf-scanner

Add the necessary changes to the main configuration file /opt/nws/main.conf to set up the module.

main.conf settings
Default parameters
Parameter description

[main]
Main section.
nwaf_license_key
Parameter for specifying the license key of the Nemesida WAF Scanner module. If the parameter is not specified, the module will try to use the license key from the /etc/nginx/nwaf/conf/global/nwaf.conf file. In case the license key is not detected or is invalid, the module launch will end with the corresponding error.

sys_proxy
Proxy settings for accessing the Nemesida Vulnerability API and Nemesida WAF API. Example: sys_proxy = proxy.example.com:3128.
api_proxy
Proxy settings for accessing the Nemesida WAF API. Example: api_proxy = proxy.example.com:3128.
api_host
Setting of API for sending scanning results into Nemesida WAF API. Example: api_host = http://localhost:8080.
verbose
The activation / deactivation parameter for displaying error information in the console.

[recheck]
Rechecking vulnerabilities using the Nemesida WAF Personal Account.
enable
The activation or deactivation parameter.
db_name
db_user
db_pass
db_host
Parameters for connecting to the Nemesida WAF Personal Account database.

To set the scanning parameters, create file(s) with the .conf extension in the /opt/nws/conf/ directory. An individual configuration file must be created for every web application.

example.conf
Default parameters
Parameter description

[scan]
Main section.
target
Web-application address. For example: target = example.com
ssl
Activation / deactivation of SSL/TLS for requests to the web application. For example: ssl = false.
scan_proxy
Proxy server address for requests to the web-application. For example: scan_proxy = example.com:1111.
uri_list
Path to the uri.list file containing the URI list generated by Nemesida AI MLC. For example: uri_list = /opt/mlc/bf/uri.list.

[auth]
Authorization section.
auth_uri
Address of the web-application page for making authorization procedure. For example: auth_uri = /login.
login
password
User’s name and password for authorization. For example: login = user and password = pass.

Configuring interaction with ClamAV software

After installing Nemesida WAF package the functionality of interaction with ClamAV software is disabled by default, since it can be a source of false blocking of some requests to the Web application (depending on the current state of the ClamAV signature analysis database). Use this functionality at your discretion.

To activate antivirus protection, install the ClamAV software on the server with the configured Nemesida WAF software, if it has not been done yet.

Installation example for Debian 9 OS:

# apt install clamav-daemon

Interaction with the ClamAV software is enabled by activating the nwaf_clamav configuration parameter in the /etc/nginx/nwaf/conf/global/nwaf.conf file and bringing the /etc/clamav/clamd.conf file to the form:

...
TCPSocket 3310
TCPAddr   127.0.0.1
... 

After making the changes, restart the «nginx» software.

Using Nemesida WAF in IDS mode

To operate Nemesida WAF in IDS mode, set up traffic mirroring from the main web server (through which calls to the web application are made) to the server with the Nemesida WAF software installed. The configuration files must be changed on every server:

1. On the main server (without the Nemesida WAF module installed), configure traffic mirroring according to the guidelines of the installed web server («nginx», «Apache2», «Microsoft IIS» and others).

An example of «nginx» setting for traffic mirroring

If using the «nginx» web server, make the necessary changes to the virtual host file:

location / {
    mirror /mirror;
    ...
}

location = /mirror {
    internal;
    proxy_pass http://nemesida_waf_server$request_uri;
}

where nemesida_waf_server is the address of the server with the Nemesida WAF module installed, to which duplicate traffic will be transmitted.

2. On the server with the installed Nemesida WAF module, bring the configuration file of the virtual host «nginx» to the form:

server {
        listen  80;
        index   index.html;
        root    /var/www/html;
        try_files $uri $uri/ /index.html;
}

3. On the server with the Nemesida WAF module installed, create the /var/www/html directory and place an empty index.html file in it.

4. On the server with the Nemesida WAF module installed, bring the /etc/nginx/nwaf/conf/global/nwaf.conf file to the form:

...
nwaf_limit rate=5r/m block_time=0;
...

5. After making the changes, restart «nginx» on every server.

The validity check of modules functioning

After installing and configuring the Nemesida WAF modules, restart the operating system and check the operation of all modules:

# systemctl status nginx nwaf_update mla_main mlc_main rabbitmq-server

If the modules are operating correctly, the output shows: Active: active (running).

When the license key expires, the software works in the Nemesida WAF Free mode.

Signature management

Nemesida WAF and Nemesida WAF Free support custom sets of signature rules (signatures, RL) and signature exception rules (exclusion rules, WL).

Zones, subzones and refinements

When creating RL/WL rules, the following special parameters can be used:

  • zones: URL, ARGS, BODY or HEADERS;
  • subzones (header field HEADERS): $HEADERS_VAR:Cookie, $HEADERS_VAR:User-Agent, $HEADERS_VAR:Content-Type etc;
  • conditions of using the rule (zone refinements): $URL, $ARGS, $BODY and $HEADERS.

Using zones, subzones and refinements allows the rule being created to be specified as precisely as possible.

Regular expressions can be used in refinements. To do this, add the postfix _X to the refinement, for example: "Z:ARGS|$URL_X:/\w+". To use the separator | as a regular expression metacharacter inside a refinement, escape it. For example, the rule ... "Z:...|$URL_X:/(a\|b)/"; will apply to a URL that contains /a/ or /b/.

Several parameters (zones, subzones, refinements) in one rule must be separated by the | character; they interact according to the following principle:

  • zones or subzones interact using the logical principle OR;
  • refinements interact using the logical principle OR;
  • zones or subzones interact with refinements using the logical principle AND.

Signature creation

The rules that define the signs of an attack can be placed in the main Nemesida WAF configuration file (nwaf.conf) or in a self-created file of the form *.conf located in the /etc/nginx/nwaf/conf/vhosts directory. A signature rule is defined by the RL parameter and can take the following forms:

RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";

Signature options

ID – the unique identifier of the rule. The range from 50000 to 59999 is available for creating your own rules. Required.
domain – assigns the rule to a domain. A wildcard value is allowed for the domain option.
P/PX – option defining the entry pattern (P denotes a simple entry, PX a regular expression). Required.
SC – sets the rule tag (SQL, XSS or Other) and the numerical indicator value (from 1 to 12). Required.

Requests that fall within the scope of the rules with an indicator value of 12 are blocked without being sent to other analysis subsystems. More information is available in the corresponding section.

Z – area of application of the rule: URL, ARGS, BODY, HEADERS. To apply a signature to all zones, use the empty "Z:" parameter. Required.

To apply a signature to multiple zones, use the delimiter: "Z:URL|BODY".

To refine the zone, additional options can be used. For "Z:ARGS|$URL:/templates" the rule will work only in the ARGS zone for the URL /templates. To specify an exact value, use the start ^ and end $ characters of the string. Regular expressions are allowed in the refinement area, for example: "Z:ARGS|$URL:/\w+". To use the separator as a special character of a regular expression, escape it: (pattern 1\|pattern 2). For example: $URL:/(admin\|dev).

Creating a signature exclusion rule

If a request matches a signature, in addition to sending the incident to the Nemesida WAF API, the following line is written to the error log of the «nginx» software:

Nemesida WAF: the request ххх contains a rule id 1 in zone HEADERS, ...

or, if the request contains a signature with the maximum allowable significance indicator (score = 12):

Nemesida WAF: the request ххх blocked by rule id 1 in zone HEADERS, ...

where:

1 – attack signature ID;
HEADERS – signature entry area.

To display absolutely all occurrences of signatures in a request (if there are any), including those that did not lead to the blocking of the request, activate the nwaf_log_mr_all parameter in the main Nemesida WAF configuration file.
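Before writing exclusion rules it helps to know which signatures fire, in which zone, and whether they actually blocked anything. The following is an added example, not part of this guide or of the product: it relies only on the message fragment documented above ("the request ... contains a rule id N in zone Z" / "blocked by rule id N in zone Z"); the timestamps, «nginx» prefixes and request identifiers in the sample lines are constructed.

```python
"""Aggregate Nemesida WAF signature events from the «nginx» error log.
Added example, not part of the guide or the product: only the message
fragment documented above is relied on; the timestamps, nginx prefixes and
request identifiers in the sample lines are constructed."""
import re
from collections import Counter

EVENT_RE = re.compile(
    r"Nemesida WAF: the request (?P<req>\S+) "
    r"(?P<action>contains a rule id|blocked by rule id) (?P<rule>\d+) "
    r"in zone (?P<zone>[A-Z]+)")

# Constructed sample error-log lines; the tail after the zone is elided as in the guide.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] 1200#1200: *1 Nemesida WAF: the request 1a2b contains a rule id 1 in zone HEADERS, ...
2024/05/01 10:00:02 [error] 1200#1200: *2 Nemesida WAF: the request 1a2c contains a rule id 1 in zone HEADERS, ...
2024/05/01 10:00:03 [error] 1200#1200: *3 Nemesida WAF: the request 1a2d blocked by rule id 50003 in zone ARGS, ...
2024/05/01 10:00:04 [error] 1200#1200: *4 open() "/var/www/html/x" failed (2: No such file or directory)
"""


def parse_events(text):
    """Yield (request id, 'contains'|'blocked', rule id, zone) per signature event."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            action = "blocked" if m["action"].startswith("blocked") else "contains"
            yield m["req"], action, int(m["rule"]), m["zone"]


def summarize(text):
    """Count events per (rule id, zone, action).  Repeated non-blocking
    'contains' events for one rule and zone are the candidates to review
    before writing a narrowly scoped WL exclusion rule."""
    return Counter((rule, zone, action) for _, action, rule, zone in parse_events(text))
```

Run it over the real error log (with nwaf_log_mr_all enabled so that non-blocking occurrences are logged too) and the counter shows, per rule and zone, how often a signature matches legitimate traffic; that is the input for deciding whether a WL rule restricted to that zone and URL is justified.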

Examples of creating attack signature exception rules

WL ID:1 "Z:"; – using these parameters, the entry of the rule with the identifier 1 will be excluded from all zones for all virtual hosts.

WL ID:1 "Z:ARGS|HEADERS"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the ARGS and HEADERS zones for all virtual hosts.

WL ID:1 "Z:ARGS|$HEADERS_VAR:Cookie"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the ARGS zone and Cookie subzone for all virtual hosts.

WL ID:1 domain=*.example.com "Z:URL"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the URL zone for the virtual host example.com and its subdomains.

WL ID:1 domain=example.com "Z:URL|$URL:/index/index.php"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the URL zone for the virtual host example.com for URI http://example.com/index/index.php.

WL ID:* domain=example.com "Z:ARGS"; – using these parameters, the ARGS zone of all requests to the virtual host example.com will be excluded from signature analysis.

WL ID:* domain=example.com "Z:$URL:/test"; – using these parameters, all requests to example.com/test will be excluded from signature analysis.

For the ID:* parameter, any zone can be used as a refinement, but only the $URL parameter can be used as a condition of applying the rule.

When creating exclusion rules it is allowed to use:
– zone refinement (URL, ARGS, BODY or HEADERS) or a condition for applying the rule (for example, the rule WL ID:1 "Z:ARGS|$URL:/index.php" will be applied only if the signature with the identifier 1 is contained in the ARGS zone and the request URL is /index.php);
– regular expressions to refine the zone (for this, add _X to the zone name, for example: WL ID:1 "Z:URL|$URL_X:^/\S+/index.php";). If the | symbol is used as a regular expression metacharacter, it must be escaped (for example, the rule ... "Z:...|$URL_X:/(a\|b)/"; will apply to a URL that contains /a/ or /b/);
– a wildcard value for the domain option (for example, domain=*.example.com).

For security reasons, make exclusion rules as specific as possible (specify the URL and the zone of the request in which the entry occurs).
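To make the RL/WL syntax from the "Signature creation" and exclusion-rule sections concrete, here is an added example that is not the product's code: a small Python model of the documented semantics (zones and subzones ORed with each other, refinements ORed with each other and ANDed with the zone part, _X for a regular-expression refinement, \| for an escaped separator, P versus PX patterns, the domain wildcard covering the domain and its subdomains, score 12 meaning the request is blocked, and WL rules removing occurrences from analysis). Case-insensitive P matching, lower-cased header names for subzone comparison and the sample rule set are assumptions made for the example.

```python
"""Model of the RL/WL rule semantics described in this guide: zones, subzones,
refinements (_X = regex, \\| = escaped separator), P/PX, domain wildcards, the
SC score and WL exclusions.  Added example, a simplified re-implementation for
illustration only, not the product's engine; case-insensitive P matching and
lower-cased header names are assumptions."""
import re


def parse_z(body):
    """'ARGS|$HEADERS_VAR:Cookie|$URL_X:^/x' -> (zones, subzones, refinements)."""
    zones, subzones, refs = set(), [], []
    for part in re.split(r"(?<!\\)\|", body):   # split on unescaped '|'
        part = part.replace("\\|", "|")         # '\|' is a literal regex pipe
        if part.startswith("$HEADERS_VAR:"):
            subzones.append(part.split(":", 1)[1].lower())
        elif part.startswith("$"):              # condition of using the rule
            name, _, value = part[1:].partition(":")
            regex = name.endswith("_X")
            refs.append((name[:-2] if regex else name, value, regex))
        elif part:                              # empty "Z:" means every zone
            zones.add(part)
    return zones, subzones, refs


def parse_rule(line):
    """Parse one 'RL ...;' or 'WL ...;' line into a dict."""
    tokens = re.findall(r'"[^"]*"|\S+', line.strip().rstrip(";"))
    rule = {"kind": tokens[0], "id": None, "domain": None, "p": "",
            "regex": False, "score": 0, "z": (set(), [], [])}
    for tok in (t.strip('"') for t in tokens[1:]):
        key, _, val = tok.partition(":")
        if tok.startswith("domain="):
            rule["domain"] = tok[7:]
        elif key == "ID":
            rule["id"] = val
        elif key in ("P", "PX"):
            rule["p"], rule["regex"] = val, key == "PX"
        elif key == "SC":                       # "SC:SQL:12" -> score 12
            rule["score"] = int(val.rpartition(":")[2])
        elif key == "Z":
            rule["z"] = parse_z(val)
    return rule


def domain_ok(pattern, host):
    """No domain = any host; '*.example.com' covers example.com and subdomains."""
    if pattern is None or pattern == host:
        return True
    return pattern.startswith("*.") and (host == pattern[2:] or host.endswith(pattern[1:]))


def areas(req):
    """Yield (zone, header name or None, text) for each place a pattern may occur."""
    for zone in ("URL", "ARGS", "BODY"):
        yield zone, None, req[zone]
    for name, value in req["HEADERS"].items():
        yield "HEADERS", name.lower(), value


def in_scope(zspec, zone, name):
    """Zones and subzones are ORed; none listed means all zones."""
    zones, subzones, _ = zspec
    return (not zones and not subzones) or zone in zones or \
        (zone == "HEADERS" and name in subzones)


def refinements_ok(zspec, req):
    """Refinements are ORed with each other and ANDed with the zone part."""
    ok = not zspec[2]
    for zone, value, regex in zspec[2]:
        text = req[zone] if zone != "HEADERS" else \
            "\n".join(f"{k}: {v}" for k, v in req["HEADERS"].items())
        ok = ok or (re.search(value, text) is not None if regex else value in text)
    return ok


def analyze(rules, req):
    """Return (blocked, hits): hits = [(rule id, area)], blocked if a score-12 rule hit."""
    host = req["host"]
    wls = [r for r in rules if r["kind"] == "WL" and domain_ok(r["domain"], host)]
    blocked, hits = False, []
    for rule in rules:
        if (rule["kind"] != "RL" or not domain_ok(rule["domain"], host)
                or not refinements_ok(rule["z"], req)):
            continue
        for zone, name, text in areas(req):
            found = (re.search(rule["p"], text, re.I) if rule["regex"]
                     else rule["p"].lower() in text.lower())
            if not (found and in_scope(rule["z"], zone, name)):
                continue
            # a WL for this ID (or ID:*) covering the zone, with its own
            # refinements satisfied, removes the occurrence from analysis
            if any(w["id"] in ("*", rule["id"]) and in_scope(w["z"], zone, name)
                   and refinements_ok(w["z"], req) for w in wls):
                continue
            hits.append((rule["id"], zone if name is None else f"HEADERS:{name}"))
            blocked = blocked or rule["score"] == 12
    return blocked, hits


# Constructed sample rule set in the RL/WL forms shown in this guide.
SAMPLE_RULES = [parse_rule(line) for line in [
    r'RL ID:50000 "P:select from" "SC:SQL:6" "Z:ARGS";',
    r'RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";',
    r'RL ID:50005 domain=*.example.com "P:<script" "SC:XSS:12" "Z:BODY|$HEADERS_VAR:Cookie";',
    r'WL ID:50000 domain=example.com "Z:ARGS|$URL_X:^/search";',
]]
```

A request record is a dict with host, URL, ARGS, BODY and a HEADERS mapping; analyze() returns whether the request would be blocked and which rule matched in which area. The WL rule in the sample set shows the guide's advice in practice: it is limited to one domain, one zone and a URL prefix, so rule 50000 is still reported for the same domain on any other URL.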

Error messages sources

During the Nemesida WAF operation the information about errors can be contained in:
— system log;
— run-time journal of the «Nginx» software;
— run-time journal of the RabbitMQ software;
— run-time journal of the Nemesida WAF modules (/var/log/nwaf/*.log).

Technical support

For users of Nemesida WAF Free, technical support is provided only by email.

In case of unforeseen errors in the operation of the Nemesida WAF software, contact technical support.

On working days from 10:00 to 19:00 (GMT+3) time:
– by phone +7 (495) 204-19-72;
– by email.
