«Nemesida WAF» software installation and setup guide.

General information
The «Nemesida WAF» software includes modules: «Nemesida WAF», «Nemesida AI» and «Nemesida WAF Scanner».

For the operation of WAF software, it is necessary that all servers in which the «Nemesida WAF» modules are installed allow access to nemesida-security.com:443.

The software «Nemesida WAF» is intended for use on a server that has the following technical characteristics:
– CPU: Intel Core i3 or higher;
– RAM: 2 GB for the server with the installed «Nemesida WAF» and 32 GB for the server with the installed «Nemesida AI MLC»;
– available disk space: 5 GB.

The domain name example.com together with the subdomains in the guide is used as an example.

The «Nemesida WAF» software packages description
nwaf-dyn – package with the «Nemesida WAF» dynamic module for «Nginx» software and «Nemesida AI MLC» – an agent for processing behavioral models.
nwaf-mlc – a package with the «Nemesida AI MLC» machine learning module designed to build behavioral models and identify other anomalies (for example, brute force attacks).
nwaf-scanner – «Nemesida WAF Scanner», a vulnerability scanner.

It is prohibited to use one license key on two or more instances of the “nwaf-dyn” component.

Before installing the «Nemesida WAF» add repository information to the system:

Debian 9:
# apt install apt-transport-https
# echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade

Ubuntu 18.04:
# apt install apt-transport-https
# echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade

CentOS 7:
Create the file /etc/yum.repos.d/NemesidaWAF.repo with the following repository information:

[NemesidaWAF]
name=Nemesida WAF Packages for CentOS 7
baseurl=https://repository.pentestit.ru/nw/centos/7/$basearch
gpgkey=https://repository.pentestit.ru/nw/gpg.key
enabled=1
gpgcheck=1

Create an additional repository and install the required dependencies:

# yum install epel-release

«RabbitMQ» software settings

The module is not used in «Nemesida WAF Free».

«RabbitMQ» is used for interaction between modules «Nemesida WAF» and «Nemesida AI MLC» (detection of anomalies and brute-force attacks, traffic collection, behavioral modeling). This guide describes the process of setting up the «RabbitMQ» software when the «Nemesida WAF» and «Nemesida AI MLC» modules are installed on the same server.

«RabbitMQ» software must be located on each server with installed «Nemesida WAF» or «Nemesida AI MLC» modules.

1. Install package:

Debian 9, Ubuntu 18.04:
# apt install rabbitmq-server

CentOS 7:
# yum install rabbitmq-server

2. Edit the file /etc/rabbitmq/rabbitmq.config:

[
    {rabbitmq_management, [
        {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
    ]},
    {kernel, [
        {inet_dist_use_interface,{127,0,0,1}}
    ]}
].

3. Edit the file /etc/rabbitmq/rabbitmq-env.conf:

export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1

4. Complete the «RabbitMQ» software setup:

# chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config
# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Installing «Nemesida WAF»

The dynamic module «Nemesida WAF» is available for the «nginx» software of stable versions starting with 1.12.

Debian 9:

Add the «nginx» repository and make the installation:

# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install nginx
# apt install librabbitmq4 libcurl4-openssl-dev python-pip gcc libc6-dev python-dev python-setuptools
# pip2 install pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch
# apt install nwaf-dyn-1.14

where «1.14» is the version of the installed «nginx» software. For example, the «nwaf-dyn-1.12» dynamic module package is designed to work with «nginx» version 1.12.

Ubuntu 18.04:

Add the «nginx» repository and make the installation:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# apt update && apt upgrade
# apt install nginx
# apt install librabbitmq4 libcurl4-openssl-dev python-pip gcc libc6-dev python-dev python-setuptools
# pip2 install pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch
# apt install nwaf-dyn-1.14

where «1.14» is the version of the installed «nginx» software. For example, the «nwaf-dyn-1.12» dynamic module package is designed to work with «nginx» version 1.12.

CentOS 7:

Create a repository file /etc/yum.repos.d/nginx.repo as follows and make the installation:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

# yum update
# yum install nginx
# yum install python2-pip python-devel gcc libcurl-devel openssl
# pip2 install pandas requests psutil sklearn schedule simple-crypt fuzzywuzzy levmatch
# yum install nwaf-dyn-1.14

where «1.14» is the version of the installed «nginx» software. For example, the «nwaf-dyn-1.12» dynamic module package is designed to work with «nginx» version 1.12.

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Add the path to the file with the dynamic module «Nemesida WAF» and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
...
    ##
    # Nemesida WAF
    ##

    ## Request body too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    include /etc/nginx/nwaf/conf/vhosts/*.conf;
...
}

Setting up the «Nemesida WAF»
/etc/nginx/nwaf/conf/global/nwaf.conf – the main configuration file of «Nemesida WAF» module.

Tuning the «Nemesida WAF Free»

For «Nemesida WAF Free» use the default value of the license key parameter (nwaf_license_key none;) in file nwaf.conf.

To update signatures, provide access to https://nemesida-security.com. When using a proxy server, specify it in the sys_proxy option of the nwaf_api_conf parameter (for example, sys_proxy=proxy.example.com:3128).

nwaf.conf parameters (default setting and description of the parameter):
nwaf_license_key
The installation parameter of the license key software «Nemesida WAF». The key is also used by the «Nemesida AI» and «Nemesida Scanner» modules, if they are located on the same server.
With the specified invalid license key (including the default value of none), «Nemesida WAF» will continue working with the «Nemesida WAF Free» functionality.
nwaf_limit
Sets the limit of blocked requests; when it is exceeded, the IP address is blocked for the time (in seconds) specified in the block_time option. To set the limit of blocked requests for a specific domain, use the form nwaf_limit rate=... block_time=... domain=example.com;. For the domain option it is allowed to use a wildcard value.
nwaf_api_conf
Set up interaction with the «Nemesida WAF API» and other related parameters, where:

host is the address of the «Nemesida WAF API» server for sending information about the attacks, the results of the «Nemesida WAF Scanner» and «Nemesida AI». To use the cloud personal account, use the host=https://nemesida-security.com. With the host=none option, no data will be transferred to the API.

api_path «Nemesida WAF API» URL.

store_count is an option that determines the number of records, upon reaching which events will be sent to the «Nemesida WAF API».

delay_time is the time after which the events will be forcibly sent to the «Nemesida WAF API».

api_proxy is the proxy server address for accessing the «Nemesida WAF API».
Example: api_proxy=proxy.example.com:3128.

sys_proxy
proxy server address used for checking the validity period of the «Nemesida WAF» license key, for the «Nemesida WAF Cabinet», and for accessing the «Nemesida WAF» service API (obtaining signatures, behavioral models, etc.).
Example: sys_proxy=proxy.example.com:3128.

nwaf_mla
Settings of interaction with the «Nemesida AI» module, where:
1000 is the maximum waiting time for a response from the «Nemesida AI MLA» module in milliseconds, after which «Nemesida WAF» will make a decision based on signature analysis,
MAX_SCORE – threshold option, upon reaching which the decision to block the request is transmitted to the «Nemesida AI MLA» module,
DROP_SIGNATURE_BLOCK – the option to activate the attack detection mechanism only on the basis of the decision of the «Nemesida AI» module (after its training is completed). In the absence of an option, the blocking decision will be made based on the decisions of the «Nemesida AI» module and the signature analysis together.
For some signatures, the flag of forced blocking of the request is set without sending to the «Nemesida AI MLA» module.
nwaf_rmq
Configuring the interaction subsystem with «Nemesida AI» using «RabbitMQ» software.

The ai_extra option is responsible for additional processing of the query analysis results from the «Nemesida AI MLC» module. Processing of the results (anomalies) received from «Nemesida AI MLC» occurs without direct intervention in the request (the request is not blocked), but it allows detecting missed attacks and temporarily blocking their source by IP address.

The ai_extra option can take the following values:

off – with this value, attacks detected by the «Nemesida AI MLC» module are ignored;

on – with this value, attacks detected by the «Nemesida AI MLC» module are recorded, and the rate counter from the nwaf_limit parameter for the IP address is reduced. When the counter reaches zero, the address will be blocked for the period specified in the block_time option.

lm – with this value, attacks detected by the «Nemesida AI MLC» module are recorded, but the counter value from the nwaf_limit parameter for the IP address does not decrease (LM mode), that is, the address is not blocked.

Regardless of the use of the ai_extra option, with the nwaf_rmqFILE_ONLY option.

nwaf_ip_wl
Deactivates the request analysis mechanism of the «Nemesida WAF» software for a specific IP address or subnet. With the parameter nwaf_ip_wl x.x.x.x domain=example.com; the analysis mechanism is deactivated only for requests from that IP address to the specified virtual host. For the domain option it is allowed to use a wildcard value.

To reduce false positives, it is recommended to add the static IP addresses of specialized users (administrators, content managers, editors) to the nwaf_ip_wl or nwaf_ip_lm parameter.

nwaf_ip_lm
Configures skipping of all rule matches for a specific IP address or subnet, with the event recorded in the DBMS (IDS mode). With nwaf_ip_lm x.x.x.x domain=example.com; the skip applies only to requests from that IP address to the specified domain. For the domain option it is allowed to use a wildcard value.
nwaf_host_lm
Configure the skip of all occurrences of the rules for a specific virtual host with the event captured in the DBMS (IDS mode). With the parameter nwaf_host_lm *; the pass will be made for all virtual hosts.
nwaf_clamav_wl
Configures the blocking exclusion list for the contents of the request body or an uploaded file by its md5 sum (the md5 sum is written to the error.log of the «nginx» software).
Blocking example:
Nemesida WAF: blocked by ClamAV, stream: Eicar-Test-Signature FOUND, md5: 44d88612fea8a8f36de82e1278abb02f, ....
Example of an exclusion rule for this blocking:
nwaf_clamav_wl 44d88612fea8a8f36de82e1278abb02f;
nwaf_log_mr_all;
Activates recording of information about all matches of blocking rules (attack signatures) in the «nginx» software error log. By default, the parameter is deactivated (commented out). When the parameter is deactivated, only the signature that led to blocking the request (or to recording the signature without blocking, in «LM» mode) is written to the «nginx» error log.

After making changes, restart the server or restart the services and check their status:

# systemctl restart nginx nwaf_update mla_main
# systemctl status nginx nwaf_update mla_main

The nwaf_update service is responsible for obtaining the signatures of the «Nemesida WAF» module (/etc/nginx/nwaf/rules.bin). To test the signature method of detecting attacks, when sending a request to http://YOUR_SERVER/nwaftest, the server must return a 403 response code.

The «Nemesida WAF» module processes only the request transmitted to the final application. If the settings of the «nginx» software prevent the transmission of calls (returning, for example, a 301 or 403 response code), such requests will not be processed by the «Nemesida WAF» module.

«Nemesida AI»

The module is not used in «Nemesida WAF Free».

The «Nemesida AI» module consists of the «Nemesida AI MLA» module (included in the installation package of the «Nemesida WAF» module) and the «Nemesida AI MLC» module, which can operate in combined mode (both modules run on the same server) or in distributed mode (the «Nemesida AI MLC» module runs on a dedicated server). The distributed mode of the «Nemesida AI» module is designed to save hardware resources, for example in a cluster (several servers with the «Nemesida WAF» software installed use a common server with the «Nemesida AI MLC» module installed).

«Nemesida AI MLA»

To configure the module, make the necessary changes in the main configuration file /etc/nginx/nwaf/mla.conf.

mla.conf
Default parameter
Parameter description

[learn]
Section responsible for the parameters of learning «Nemesida AI».
nwaf_conf_file
Path to the configuration file «Nemesida WAF».
models_path
Paths to the behavioral models of the protected web application created by the «Nemesida AI» module. Models are files with the extension «.ml»

[main]
Section responsible for the general settings of the «Nemesida AI MLA» module.
logrotate
The autorotation parameters of the logs of the «Nemesida AI MLA» module, where «5» is the maximum number of journals in rotation, and «20» is their maximum size in megabytes. Work logs are placed in the /var/log/nwaf/ directory.
tcp_socket
The IP address and port used to communicate with the «Nemesida WAF» module.
base_api_uri
The address «Nemesida WAF API» for transmitting information about the operation of the module «Nemesida AI».

[mgmt]
Section responsible for interaction with the management console «Nemesida AI».
send_attacks
Sending disputed requests to the «Nemesida WAF Signtest» server for post-processing.

Disputed requests are defined as follows:
– the signature analysis determined the request to be illegitimate, while the «Nemesida AI MLA» module determined it to be legitimate;
– the signature analysis determined the request to be legitimate, while the «Nemesida AI MLA» module determined it to be illegitimate.

post_st_uri
Server URI for sending data to the «Nemesida AI» results processing server.
params_uri
command_uri
get_models_uri
Server URI to interact with the control console «Nemesida AI».

[api]
Section responsible for setting up interaction with the local API «Nemesida WAF».
cab_status_post
«Nemesida WAF API» URL. With cab_status_post = none, no data will be sent to the API.

«Nemesida AI MLC»

Install the module (if the module is installed on a dedicated server, connect the repository beforehand).

Debian 9, Ubuntu 18.04:
# apt install python-pip gcc libc6-dev python-dev python-setuptools
# pip2 install pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config
# apt install nwaf-mlc

CentOS 7:
# yum install gcc python2-pip python-devel python-setuptools
# pip2 install pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config
# yum install nwaf-mlc

Regardless of the operation mode, install the «RabbitMQ» software on the server with the «MLC» module installed.

For training, the «Nemesida AI MLC» module collects requests for three days, after which behavioral models are built.

The module «Nemesida AI MLC» checks the availability of models in accordance with the value of the parameter «vhost_list». In case of their absence, the module proceeds to the training of models, which are later automatically transferred to the «Nemesida AI MLA» module. To configure the module, make the necessary changes to the configuration file /opt/mlc/mlc.conf.

mlc.conf to operate in normal mode
Default parameter
Parameter description

[learn]
Section responsible for the learning parameter of «Nemesida AI».
nwaf_conf_file
Path to Nemesida WAF configuration file to obtain Nemesida WAF license key.
models_path
Paths to the behavioral models of the protected Web application created by «Nemesida AI» module.

[run]
Section responsible for the parameters of the connection to «Nemesida AI MLC» remote server (in distributed mode).
rmq_host = username:password@mlc_remote_server
Parameters of the connection to «Nemesida AI MLC» remote server.

[proxy]
Section responsible for the settings of the connection to proxy server.
sys_proxy
api_proxy
Settings of the connection to proxy server, where:
sys_proxy – proxy server address for «Nemesida WAF» system API addressing;
api_proxy – proxy server address for «Nemesida WAF» local API addressing.
If the parameters have no values, the module will try to use the parameters from the nwaf.conf file.

[main]
Section responsible for the general settings of the module «Nemesida AI MLC».
vhosts_list
A list of domain names used as virtual hosts for which behavioral models need to be created («*» means all domain names). For example: vhosts_list = example.com, 1.example.com, 2.example.com,*.
The :400000 suffix (the «fix_num» option) sets the number of requests to the server that will be used for training.

In cases where traffic rate for virtual hosts varies significantly, it is required to set the optimal number of requests for a specific host, for example:
vhosts_list = example.com, 1.example.com:5000, 2.example.com:10000,*:10000, where «5000» and «10000» are the numbers of requests used to create the behavioral models. (Use * rather than *.example.com here, since *.example.com would already cover all subdomains.)

If the «fix_num» option is not specified, the module will automatically calculate the value based on the amount of free RAM. To build models with a «fix_num» value of 400,000, you will need up to 32 GB of RAM.

uri_list
The parameter that determines the path by which the «Nemesida AI MLC» module will create and update (as new data is received) the sitemap file (sitemap), which will later be used by the «Nemesida WAF Scanner» module. To deactivate this functionality, you must delete or comment out the line with the parameter.
logrotate
The autorotation parameters of the work logs of the «Nemesida AI MLC», where «5» is the maximum number of journals in rotation, and «20» is their maximum size in megabytes. Work logs are placed in the /var/log/nwaf/ directory.
base_api_uri
The address «Nemesida WAF API» for transmitting information about the operation of the module «Nemesida AI».
key
Sets the «Nemesida WAF» license key (used when the module runs on a dedicated server).
Example: key = 1234567890.

[trunk]
Section responsible for transmitting traffic to a remote server for the purpose of further analysis and building behavioral models. To use this functionality, please contact technical support.
send_data
Activation of the mechanism for transmitting the analyzed traffic to the «Nemesida WAF MLS» server. By default, the functionality is deactivated.
mls_reciever_uri
The address of the «Nemesida WAF MLS» server that receives traffic for analysis and then generates behavioral models.

[brute]
The section responsible for the brute-force detection function. Values are searched for in the ARGS and/or BODY zones.
brute_enable
Activation/deactivation of the functionality.
brute_wl
The parameter that allows you to deactivate the brute-force attack detection functionality for specific virtual hosts.
Examples:
brute_wl = example.com – deactivation of the functional for example.com;
brute_wl = example.com, m.example.com – deactivation of functionality for example.com and m.example.com;
brute_wl = example.com, *.example.com – deactivation of functionality for example.com and its subdomains.
intervale
The time interval of the segment (window) during which the analysis of requests is performed.
max_val
The number of requests that, when reached, block the source(s) of the attack.
similarity
A measure of the proximity of requests in percent.
mconf
File for the manual entry of the information on authorization of the protected Web application to block brute force attacks. An example:

urilist :
[
  {
    vhost : 'example.com'
    uri   : '/login.php'
    type  : 'POST'
  }
  {
    vhost : '*.example.com'
    uri   : '/new-login.php'
    type  : 'POST'
  }
  {
    vhost : '*.example.com'
    uri   : '/new-login.php'
    type  : 'GET,POST'
  }
]
aconf

File generated by «Nemesida WAF Scanner» module containing forms of authorization of the protected web application to block brute force attacks (the installation of the «Nemesida WAF Scanner» on the current server is required).

distributed
Protection against distributed brute force attacks (disabled by default). With the value distributed = false, attack detection is calculated for a single IP address.
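An illustrative model of the [brute] parameters above, added here as an example and not taken from the «Nemesida AI MLC» code: it parses the mconf urilist format, treats a request as an authorization attempt when it matches an entry (vhost wildcard, uri, type), and blocks the source(s) once max_val similar requests fall within one interval window. The similarity measure (difflib ratio in percent), the keying per IP versus per target for distributed, and the sample requests are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from fnmatch import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed mconf content in the page's urilist format.
MCONF = """
urilist :
[
  {
    vhost : 'example.com'
    uri   : '/login.php'
    type  : 'POST'
  }
  {
    vhost : '*.example.com'
    uri   : '/new-login.php'
    type  : 'GET,POST'
  }
]
"""

_ENTRY = re.compile(r"\{(.*?)\}", re.S)
_KV = re.compile(r"(\w+)\s*:\s*'([^']*)'")


def parse_mconf(text: str) -> List[Dict]:
    """Assumed parser: one {...} block per protected authorization endpoint."""
    entries = []
    for block in _ENTRY.findall(text):
        kv = dict(_KV.findall(block))
        entries.append({"vhost": kv["vhost"], "uri": kv["uri"],
                        "methods": {m.strip() for m in kv["type"].split(",")}})
    return entries


def is_auth_request(entries: List[Dict], vhost: str, method: str, uri: str) -> bool:
    """A request is an authorization attempt if any urilist entry matches it."""
    return any(fnmatch(vhost, e["vhost"]) and uri == e["uri"] and method in e["methods"]
               for e in entries)


# (timestamp_seconds, client_ip, vhost, method, uri, body)
Request = Tuple[int, str, str, str, str, str]


def detect(requests: List[Request], entries: List[Dict], interval: int = 60,
           max_val: int = 5, similarity: int = 80, distributed: bool = False) -> Set[str]:
    """Return the set of IP addresses to block.

    Sliding window of `interval` seconds; a source is blocked once `max_val`
    requests whose bodies are at least `similarity` percent alike fall in the
    window. With distributed=False the window is kept per IP (as the page
    states); with distributed=True it is kept per target so that several IPs
    sharing one attack are blocked together (assumed behaviour).
    """
    windows: Dict[Tuple, List[Tuple[int, str, str]]] = {}
    blocked: Set[str] = set()
    for ts, ip, vhost, method, uri, body in sorted(requests):
        if not is_auth_request(entries, vhost, method, uri):
            continue
        key = (vhost, uri) if distributed else (ip, vhost, uri)
        win = [w for w in windows.get(key, []) if ts - w[0] < interval]
        win.append((ts, ip, body))
        windows[key] = win
        alike = [w for w in win
                 if SequenceMatcher(None, w[2], body).ratio() * 100 >= similarity]
        if len(alike) >= max_val:
            blocked.update(w[1] for w in alike)
    return blocked


# Constructed traffic: six password guesses from one IP, an ignored GET to a
# POST-only form, and two requests from a legitimate-looking user.
SAMPLE_REQUESTS: List[Request] = [
    (1000 + i * 5, "10.0.0.5", "example.com", "POST", "/login.php",
     "login=admin&password=pass%d" % i) for i in range(6)
] + [
    (1010, "10.0.0.7", "example.com", "GET", "/login.php", ""),
    (1020, "10.0.0.9", "m.example.com", "POST", "/new-login.php", "user=bob&pwd=secret"),
    (1025, "10.0.0.9", "m.example.com", "POST", "/new-login.php", "user=bob&pwd=secret2"),
]

# Constructed distributed attempt: five IPs, one guess each, same target.
DISTRIBUTED_REQUESTS: List[Request] = [
    (2000 + i * 3, "192.0.2.%d" % (10 + i), "example.com", "POST", "/login.php",
     "login=admin&password=word%d" % i) for i in range(5)
]

if __name__ == "__main__":
    entries = parse_mconf(MCONF)
    print("single source:", detect(SAMPLE_REQUESTS, entries))
    print("distributed=false:", detect(DISTRIBUTED_REQUESTS, entries))
    print("distributed=true:", detect(DISTRIBUTED_REQUESTS, entries, distributed=True))
```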


[mgmt]
Section responsible for the interaction with «Nemesida AI» management console.
send_attacks
Sending disputed requests received from the «Nemesida WAF» module using «RabbitMQ» to the «Nemesida WAF Signtest» server for post-processing.

Disputed requests are defined as follows:
– the signature analysis determined the request to be illegitimate, while the «Nemesida AI MLA» module determined it to be legitimate;
– the signature analysis determined the request to be legitimate, while the «Nemesida AI MLA» module determined it to be illegitimate.

send_stat
stat_int
Parameters of sending statistics on the work of «Nemesida AI».
st_uri
The URI of the «Nemesida WAF Signtest» server for sending disputed requests. When using the local version of «Nemesida WAF Signtest», change the URI of the parameter.

[api]
Section responsible for setting up interaction with the local API «Nemesida WAF».
learn_status
The «Nemesida WAF API» address for sending information about the training status of models. With the parameter learn_status = none, information will not be sent.

Using the «Nemesida AI» cloud server
The cloud server «Nemesida AI», located in the Pentestit infrastructure, is designed to generate behavioral models based on a copy of traffic received from remote servers. The cloud server is used in cases when the user of the «Nemesida WAF» software does not have enough RAM for the «Nemesida AI MLC» module (it requires up to 32 GB). To use the capabilities of the cloud server «Nemesida AI», contact technical support.

After making the changes, restart the service:

# service mlc_main restart
# service mlc_main status

Models retraining

To improve the accuracy of attack detection, it is recommended to re-train models once a week. For that you need to add the «^» symbol to virtual host. For example: vhosts_list = *^, or vhosts_list = example.com^.

Restart the service after changes:

# service mlc_main restart

«Nemesida WAF Scanner»

The module isn’t used in «Nemesida WAF Free».

The «Nemesida WAF Scanner» module is designed to detect web vulnerabilities in protected web applications. Information about detected vulnerabilities is available in your account.

Before installing and using «Nemesida WAF Scanner», read the documentation carefully.

The «Nemesida WAF Scanner» module collects information about virtual hosts «nginx» (address, port, schema) and searches for vulnerabilities on detected hosts. During operation, the module contacts https://nemesida-security.com for information about vulnerabilities through the «Nemesida Vulnerability API», and also transmits information about detected vulnerabilities to the personal account via the «Nemesida WAF API». If you have direct access (without using a proxy server) to the https://nemesida-security.com server and protected web applications, no additional settings are required; if you access the proxy server, you need to make changes to the module configuration file.

Module installation on the server:

Debian 9:
# apt install nwaf-scanner

CentOS 7:
Information is updated and will be available soon.

Add the necessary changes to the main configuration file /opt/nws/nws.conf to set up the module.

nws.conf
Default parameters
Parameter description

[main]
Main section.
nwaf_license_key
Parameter for specifying the license key of the «Nemesida WAF Scanner» module. If the parameter is not specified, the module will try to use the license key from the /etc/nginx/nwaf/conf/global/nwaf.conf file. In case the license key is not detected or is invalid, the module launch will end with the corresponding error.

uri_list
A file containing a sitemap generated by the «Nemesida AI MLC» module (in case the module is located on the same server as the «NWS» module). To deactivate this functionality, you must delete or comment out the line with the parameter.

sites_list
A list of web application addresses to scan. Example: sites_list = https://m.example.com, https://example.com.
sys_proxy
Proxy settings for accessing the «Nemesida Vulnerability API» and «Nemesida WAF API». Example: sys_proxy = proxy.example.com:3128.
scan_proxy
Proxy settings used when detecting vulnerabilities in protected web applications. It is used in cases when scanning cannot be performed directly from the server on which the module is installed, for example, when requests are forwarded to an internal «upstream» server. Example: scan_proxy = proxy.example.

Important. If a proxy server is used, its address must be added to the «nwaf_ip_wl» parameter of the «nwaf.conf» configuration file. When adding an IP address to «nwaf_ip_wl», requests from this address will not be blocked, be extremely careful.

base_api_uri
Setting an API address for sending scan results to your personal account.
logrotate
The autorotation parameters of the «Nemesida WAF Scanner» journals, where «5» is the maximum number of journals in rotation, and «20» is their maximum size in megabytes. Work logs are placed in the /var/log/nwaf/ directory.
verbose
The activation / deactivation parameter for displaying error information in the console. If verbose = 1, output is activated.

[optional]
Additional section.
login_uri
Login page. Example: login_uri = /auth.
login
Username. Example: login = administrator
password
User Password. Example: password = 123456.
parameter1
parameter2
Optional parameters added to the POST request on the authorization form. An example of sending a request that includes additional parameters:
login=user&password=1234&form=submit.

Configuring interaction with «ClamAV» software
After installing «Nemesida WAF» package the functionality of interaction with «ClamAV» software is disabled by default, since it can be a source of false blocking of some requests to the Web application (depending on the current state of the «ClamAV» signature analysis database). Use this functionality at your discretion.

To activate antivirus protection, install «ClamAV» software on the server with the configured «Nemesida WAF» software, if it was not already done.

Installation example for Debian 9 OS:

# apt install clamav-daemon

Interaction with the «ClamAV» software is enabled by activating the nwaf_clamav configuration parameter in the /etc/nginx/nwaf/conf/global/nwaf.conf file and bringing the /etc/clamav/clamd.conf file to the form:

...
TCPSocket 3310
TCPAddr   127.0.0.1
... 

After the changes are made restart the «nginx» software.

Using «Nemesida WAF» in IDS mode
In order for the «Nemesida WAF» to function in IDS mode, it is necessary to configure traffic duplication from the main web server (through which calls to the web application are made) to the server with the installed «Nemesida WAF» software. To do this, make the necessary changes to the configuration files on each of the servers:

1. On the main server (without the «Nemesida WAF» module installed), configure traffic mirroring according to the guidelines of the installed web server («nginx», «Apache2», «Microsoft IIS» and others).

An example of «nginx» setting for traffic mirroring

If using the «nginx» web server, make the necessary changes to the virtual host file:

location / {
    mirror /mirror;
    ...
}

location = /mirror {
    internal;
    proxy_pass http://nemesida_waf_server$request_uri;
}

where nemesida_waf_server is the address of the server with the «Nemesida WAF» module installed, to which duplicate traffic will be transmitted.

2. On the server with the installed «Nemesida WAF» module, bring the configuration file of the virtual host «nginx» to the form:

server {
        listen  80;
        index   index.html;
        root    /var/www/html;
        try_files $uri $uri/ /index.html;
}

3. On the server with the «Nemesida WAF» module installed, create the /var/www/html directory and place an empty index.html file in it.

4. On the server with the «Nemesida WAF» module installed, bring the /etc/nginx/nwaf/conf/global/nwaf.conf file to the form:

...
nwaf_limit rate=5r/m block_time=0;
...

5. After making the changes, you must restart «nginx» on each of the servers.

Procedure of checking the correctness of modules operation
After installing and configuring the «Nemesida WAF» modules, restart the operating system and check the operation of all modules:

# systemctl status nginx nwaf_update mla_main mlc_main rabbitmq-server

Normal operation of a module is indicated by the line: Active: active (running).

When the license key expires, the software is switched to the «Nemesida WAF Free» mode.

Signature management

«Nemesida WAF» and «Nemesida WAF Free» support a custom signature set for detecting attacks (signature rule, RL), as well as signature exception rules (exclusion rule, WL).

Signature creation

The rules for determining the sign of an attack can be placed in the main configuration file of «Nemesida WAF» (nwaf.conf) or in a self-created file of the form *.conf located in the /etc/nginx/nwaf/conf/vhosts directory. The signature rule is determined by the RL parameter and can take the following form:

RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";

Signature options
ID
The unique identifier for the rule. A range from 50000 to 59999 is available for creating your own rules. Required.
domain
Set the ownership of the rule to the domain. For the domain option it is allowed to use a wildcard value.
P/PX
Option defining the entry pattern (option P is used to denote a simple entry, option PX is a regular expression). Required.
SC
Setting the rule tag (SQL, XSS or Other) and the numerical value indicator (from 1 to 12). Required.

Requests that fall within the scope of the rules with an indicator value of 12 are blocked without being sent to other analysis subsystems. More information is available in the corresponding section.

Z
The zone the rule applies to: URL, ARGS, BODY or HEADERS. To apply a signature to all zones, use an empty "Z:" parameter. Required.

To apply a signature to several zones, separate them with the "|" delimiter, for example "Z:URL|BODY".

The zone can be refined with additional options: with "Z:ARGS|$URL:/templates" the rule fires only in the ARGS zone and only for the URL /templates. Use ^ and $ to anchor the start and end of the string. Regular expressions are allowed in the refinement, for example "Z:ARGS|$URL:/\w+". If the "|" delimiter is needed as a regular-expression metacharacter, escape it: (pattern 1\|pattern 2). Example: $URL:/(admin\|dev).

Creating a signature exclusion rule

When a request matches a signature, besides sending the incident to the «Nemesida WAF API», the following line is written to the «nginx» error log:

Nemesida WAF: the request xxx contains a rule id 1 in zone HEADERS, ...

or, if the request matches a signature with the maximum allowed score (score = 12):

Nemesida WAF: the request xxx blocked by rule id 1 in zone HEADERS, ...

where:

1 – attack signature ID;
HEADERS – signature entry area;
... – other information about the request.

To log every signature occurrence in a request (if there are any), including occurrences that did not lead to blocking, enable the nwaf_log_mr_all; parameter in the main «Nemesida WAF» configuration file.
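The two log phrases above are all that is needed to triage signature hits before writing exclusion rules. The script below is an added example, not part of Nemesida WAF: it counts, per rule ID and zone, how often a signature was seen and how often it was the rule that blocked the request. The sample log lines are constructed; only the "Nemesida WAF: ..." phrase in them follows the documented format, the timestamp and the trailing "client: ..." field are invented.

```python
"""Summarise Nemesida WAF signature hits from the nginx error log.

Added example, not part of Nemesida WAF.  It relies only on the two
documented phrases ("contains a rule id N in zone Z" and
"blocked by rule id N in zone Z"); everything else on a line is ignored.
"""
import re
from collections import defaultdict

_HIT_RE = re.compile(
    r"Nemesida WAF: the request (?P<req>\S+) "
    r"(?P<action>contains a rule id|blocked by rule id) (?P<id>\d+) "
    r"in zone (?P<zone>[A-Z]+)"
)

# Constructed sample lines.  The timestamp/level prefix and the trailing
# "client: ..." field are invented; only the "Nemesida WAF: ..." phrase
# follows the documented format.
SAMPLE_LOG = """\
2024/05/01 10:00:01 [error] Nemesida WAF: the request a1 blocked by rule id 1 in zone HEADERS, client: 203.0.113.10
2024/05/01 10:00:02 [error] Nemesida WAF: the request a2 contains a rule id 1 in zone HEADERS, client: 203.0.113.11
2024/05/01 10:00:03 [error] Nemesida WAF: the request a3 contains a rule id 50003 in zone ARGS, client: 203.0.113.12
2024/05/01 10:00:03 [error] Nemesida WAF: the request a3 contains a rule id 1 in zone HEADERS, client: 203.0.113.12
2024/05/01 10:00:04 [error] Nemesida WAF: the request a4 blocked by rule id 50000 in zone ARGS, client: 203.0.113.13
2024/05/01 10:00:05 [notice] unrelated nginx message
"""


def parse_hits(lines):
    """Yield (request, rule_id, zone, blocked) for every line that carries a hit."""
    for line in lines:
        m = _HIT_RE.search(line)
        if m:
            yield (m["req"], int(m["id"]), m["zone"], m["action"].startswith("blocked"))


def summarize(lines):
    """Per (rule_id, zone): how often it was seen and how often it was the blocking rule."""
    stats = defaultdict(lambda: {"seen": 0, "blocked": 0})
    for _req, rule_id, zone, blocked in parse_hits(lines):
        stats[(rule_id, zone)]["seen"] += 1
        if blocked:
            stats[(rule_id, zone)]["blocked"] += 1
    return dict(stats)


def noisiest(lines, top=3):
    """(rule_id, zone) keys by frequency: the first candidates to review for a WL rule."""
    s = summarize(lines)
    return sorted(s, key=lambda k: (-s[k]["seen"], k))[:top]


if __name__ == "__main__":
    for (rule_id, zone), c in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"rule {rule_id:>6} zone {zone:<8} seen={c['seen']} blocked={c['blocked']}")
```

Feed it the nginx error log (whatever error_log points at) with nwaf_log_mr_all; enabled, so that occurrences that did not block the request are counted as well; a rule that is seen often but rarely blocks is the one to look at for a narrowly scoped exclusion.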

Examples of creating attack signature exception rules

WL ID:10 "Z:ARGS|HEADERS"; – with these parameters, matches of the rule with ID 10 are excluded from the ARGS and HEADERS zones for all virtual hosts.

WL ID:1 "Z:URL" domain=example.com; – with these parameters, matches of the rule with ID 1 are excluded from the URL zone for the example.com virtual host.

WL ID:1 "Z:URL|$URL:/index/index.php" domain=example.com; – with these parameters, matches of the rule with ID 1 are excluded from the URL zone for the example.com virtual host only for the URI http://example.com/index/index.php.

WL domain=example.com "P:format=feed&type=rss" "Z:ARGS"; – with these parameters, the string format=feed&type=rss in the ARGS zone of the example.com virtual host is excluded from signature analysis. To use a regular expression, replace the P option with PX.

When creating exclusion rules it is allowed to use:
– zone refinement (URL, ARGS, BODY or HEADERS) or a condition for applying the rule (for example, the rule WL ID:1 "Z:ARGS|$URL:/index.php" is applied only if the signature with ID 1 is found in the ARGS zone and the request URL is /index.php);
– regular expressions to refine the zone (add _X to the zone name, for example WL ID:1 "Z:URL|$URL_X:^/\S+/index.php";). If the | symbol is used as a regular-expression metacharacter, it must be escaped (for example, the rule ... "Z:...|$URL_X:/(a\|b)/"; applies to a URL that contains /a/ or /b/);
– a wildcard value for the domain option (for example, domain=*.example.com).

For security reasons, make exclusion rules as specific as possible: specify the URL and the zone in which the match occurs.
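Both the RL syntax described under "Signature creation" and the WL syntax above are easy to get subtly wrong (an ID outside 50000-59999, a score above 12, an unescaped "|" inside a refinement, a missing ";"), and a broken line only shows up when nginx reloads. The linter below is an added example, not part of Nemesida WAF; it checks only the constraints stated on this page and treats a WL rule without a domain and without a $URL refinement as a warning, which is the "make it as specific as possible" advice above expressed as a check, not a product rule. The sample rule set is constructed.

```python
"""Lint custom Nemesida WAF RL/WL rules before placing them in
/etc/nginx/nwaf/conf/vhosts/*.conf.

Added example, not part of Nemesida WAF.  It enforces only what the
documentation states: ID range 50000-59999 for RL; P/PX and SC
(SQL/XSS/Other, score 1-12) required for RL; Z required (empty = all
zones; zones URL/ARGS/BODY/HEADERS; '|' delimits, '\\|' is an escaped
pipe); regex patterns and refinements must compile.  Lines starting
with '#' are treated as comments.
"""
import re

ZONES = {"URL", "ARGS", "BODY", "HEADERS"}
SC_TAGS = {"SQL", "XSS", "Other"}
CUSTOM_ID_RANGE = range(50000, 60000)

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')      # double-quoted option or bare word
_UNESCAPED_PIPE = re.compile(r'(?<!\\)\|')   # '|' used as delimiter, not '\|'


def parse_rule(line):
    """Parse one RL/WL line into a dict; raises ValueError on a syntax error."""
    line = line.strip()
    if not line.endswith(";"):
        raise ValueError("rule must end with ';'")
    tokens = _TOKEN_RE.findall(line[:-1])
    if not tokens or tokens[0] not in ("RL", "WL"):
        raise ValueError("rule must start with RL or WL")
    rule = {"kind": tokens[0], "id": None, "domain": None, "pattern": None,
            "regex": False, "sc": None, "zones": None, "refine": []}
    for tok in tokens[1:]:
        if tok.startswith("ID:"):
            rule["id"] = int(tok[3:])
        elif tok.startswith("domain="):
            rule["domain"] = tok[7:]
        elif len(tok) >= 2 and tok[0] == tok[-1] == '"':
            key, sep, value = tok[1:-1].partition(":")
            if key in ("P", "PX") and sep:
                rule["pattern"], rule["regex"] = value, key == "PX"
            elif key == "SC" and sep:
                tag, _, score = value.partition(":")
                rule["sc"] = (tag, int(score))
            elif key == "Z" and sep:
                rule["zones"] = []          # present; empty list means all zones
                for part in (_UNESCAPED_PIPE.split(value) if value else []):
                    if part.startswith("$"):            # refinement such as $URL:/admin
                        k, _, v = part[1:].partition(":")
                        rule["refine"].append((k, v))
                    else:
                        rule["zones"].append(part)
            else:
                raise ValueError(f"unknown or malformed option {tok}")
        else:
            raise ValueError(f"unexpected token {tok}")
    return rule


def check_rule(rule):
    """Return [(severity, message)] for one parsed rule."""
    problems = []
    if rule["kind"] == "RL":
        if rule["id"] is None:
            problems.append(("error", "RL needs an ID"))
        elif rule["id"] not in CUSTOM_ID_RANGE:
            problems.append(("error", f"ID {rule['id']} outside custom range 50000-59999"))
        if rule["pattern"] is None:
            problems.append(("error", "RL needs P or PX"))
        if rule["sc"] is None:
            problems.append(("error", "RL needs SC"))
        else:
            tag, score = rule["sc"]
            if tag not in SC_TAGS:
                problems.append(("error", f"SC tag {tag!r} not one of {sorted(SC_TAGS)}"))
            if not 1 <= score <= 12:
                problems.append(("error", f"SC score {score} not in 1..12"))
    else:  # WL
        if rule["id"] is None and rule["pattern"] is None:
            problems.append(("error", "WL needs an ID or a P/PX pattern to exclude"))
        # our own convention, not a product rule: exclusions should be narrow
        if not rule["refine"] and rule["domain"] is None:
            problems.append(("warning", "WL has neither domain nor $URL refinement; narrow it"))
    if rule["zones"] is None:
        problems.append(("error", 'Z is required (use "Z:" for all zones)'))
    else:
        for z in rule["zones"]:
            if z not in ZONES:
                problems.append(("error", f"unknown zone {z!r}"))
    if rule["regex"]:
        try:
            re.compile(rule["pattern"])
        except re.error as e:
            problems.append(("error", f"PX does not compile: {e}"))
    for key, value in rule["refine"]:
        try:  # the engine sees '\|' as a plain '|' inside the refinement regex
            re.compile(value.replace(r"\|", "|"))
        except re.error as e:
            problems.append(("error", f"${key} refinement does not compile: {e}"))
    return problems


def lint_rules(text):
    """Lint a whole file; returns [(line_no, severity, message)]."""
    findings, seen_ids = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as e:
            findings.append((n, "error", str(e)))
            continue
        if rule["kind"] == "RL" and rule["id"] is not None:
            if rule["id"] in seen_ids:
                findings.append((n, "error", f"ID {rule['id']} already used on line {seen_ids[rule['id']]}"))
            seen_ids.setdefault(rule["id"], n)
        findings.extend((n, sev, msg) for sev, msg in check_rule(rule))
    return findings


# Constructed sample: three valid RL rules, three broken ones, three WL rules.
SAMPLE_RULES = r'''# custom rules for example.com
RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50004 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";
RL ID:50004 "P:union select" "SC:SQL:13" "Z:COOKIES";
RL ID:1234 "P:alert(" "SC:XSS:8" "Z:BODY";
RL ID:50005 "PX:select(" "SC:SQL:5" "Z:"
WL ID:1 "Z:URL|$URL_X:^/\S+/index.php";
WL ID:10 "Z:ARGS|HEADERS";
WL domain=example.com "P:format=feed&type=rss" "Z:ARGS";
'''

if __name__ == "__main__":
    for n, sev, msg in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {sev}: {msg}")
```

Run it over each *.conf in /etc/nginx/nwaf/conf/vhosts before the nginx restart of step 5; on the sample it reports the duplicate ID, the score 13, the unknown zone, the ID outside the custom range, the missing ";" and the overly broad WL ID:10 rule, and is silent about the valid lines.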

Technical support

For users of «Nemesida WAF Free», technical support is provided only on the forum or by e-mail.

In case of unforeseen errors in the operation of the «Nemesida WAF» software, contact technical support.

On working days from 10:00 to 19:00 MSK time:
– by phone +7 (495) 204-19-72;
– by email.