Installation and setup guide for the Nemesida WAF Signtest module, which is intended for managing Nemesida AI machine learning.
1. Install and configure the packages:
Install and configure PostgreSQL:
# apt install postgresql
# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""
Connect the repository:
# apt install apt-transport-https
Install the packages:
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-pip python3-venv python3-dev nginx memcached build-essential libpcre3-dev gcc postgresql-server-dev-all
# apt install nwaf-st
Install Nemesida WAF Signtest:
# apt install nwaf-st
# setenforce 0
then edit the file /etc/selinux/config so that it reads:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2. Make changes to the file /var/www/signtest/settings.py
3. Allow access:
– to the server https://ip.pentestit.ru/;
– to the server https://nemesida-security.com;
– to the Memcached server 127.0.0.1:11211;
– to the server with PostgreSQL.
4. After making the changes, apply the migrations:
# cd /var/www/signtest/app/ && . venv/bin/activate && python3 manage.py migrate && deactivate
5. To be able to log in, create a user with the command:
# cd /var/www/signtest/app/ && . venv/bin/activate && python3 manage.py createsuperuser
To make password reset possible, enter an email address.
6. Activate the virtual host:
# mv /etc/nginx/conf.d/signtest.conf.disabled /etc/nginx/conf.d/signtest.conf
# nginx -t && service nginx reload
7. In the firewall settings, allow requests to port 80 (set by default in the file /etc/nginx/conf.d/signtest.conf).
8. Reboot the server or restart the services, then check that they are running:
# systemctl restart signtest_ipinfo signtest_rlupd signtest_web signtest_api
# systemctl status signtest_ipinfo signtest_rlupd signtest_web signtest_api
To integrate Nemesida WAF Signtest with Nemesida WAF software follow these steps:
1. On the server where the Nemesida WAF module is installed, edit the configuration file /etc/nginx/nwaf/mla.conf and set the parameter as follows:
st_uri = http://localhost:8088/nw/st/
where localhost:8088 is the address and port of the server where the Nemesida WAF Signtest module is installed.
2. On the server where the Nemesida AI MLC module is installed, edit the configuration file /opt/mlc/mlc.conf and set the parameter as follows:
st_uri = http://localhost:8088/nw/st/
3. After making changes, you must restart the services or restart the server.
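One way to check the two st_uri settings from the steps above before restarting, as an added example that is not part of the original guide or vendor code. It assumes the "key = value" layout shown above and that two non-loopback values should name the same Signtest server; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the "key = value" layout shown above.

# Print the value of the last active st_uri line in file $1.
# Commented-out lines are skipped because they do not start with the key.
st_uri_of() {
    sed -n 's/^[[:space:]]*st_uri[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Print HOST:PORT if $1 has the documented form http://HOST:PORT/nw/st/.
st_endpoint_of() {
    printf '%s\n' "$1" | sed -n 's|^http://\([^/:][^/:]*:[0-9][0-9]*\)/nw/st/$|\1|p'
}

# True if the host part of HOST:PORT is a loopback name or address.
is_loopback() {
    case ${1%:*} in localhost|127.*) return 0 ;; *) return 1 ;; esac
}

# check_st_uri WAF_CONF MLC_CONF
# 0 = consistent, 1 = st_uri missing, 2 = not in the documented form,
# 3 = the two files name different non-loopback endpoints.
check_st_uri() {
    for conf in "$1" "$2"; do
        uri=$(st_uri_of "$conf")
        [ -n "$uri" ] || { echo "$conf: st_uri is not set" >&2; return 1; }
        ep=$(st_endpoint_of "$uri")
        [ -n "$ep" ] || { echo "$conf: unexpected st_uri '$uri'" >&2; return 2; }
        if is_loopback "$ep"; then
            echo "$conf: $ep is loopback, valid only if Signtest runs on this host" >&2
        fi
    done
    waf_ep=$(st_endpoint_of "$(st_uri_of "$1")")
    mlc_ep=$(st_endpoint_of "$(st_uri_of "$2")")
    if [ "$waf_ep" != "$mlc_ep" ] && ! is_loopback "$waf_ep" && ! is_loopback "$mlc_ep"; then
        echo "endpoints differ: $waf_ep vs $mlc_ep" >&2
        return 3
    fi
    return 0
}

# Usage on a host that holds both files (paths from the page):
#   check_st_uri /etc/nginx/nwaf/mla.conf /opt/mlc/mlc.conf
```

When the two modules run on different servers, copy one configuration file next to the other before running the check.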
Other information
While Nemesida WAF Signtest is running, error information is written to the module's run-time logs in /var/log/uwsgi/signtest/*.log.
The main page shows the following events, received from the API and the machine learning module:
BT 11 — the request was detected as an attack by the signature method, but was unblocked by decision of the Nemesida AI module.
BT 12 — the request was blocked by Nemesida AI module and wasn’t detected as an attack by signature method.
BT 13 — the request was blocked by Nemesida AI module and signature method.
Events of type BT 11 and BT 13 are not passed to the Nemesida AI MLC module.
Exported «False Negative» requests are treated by Nemesida AI as examples of illegitimate requests, and «False Positive» requests as examples of legitimate requests. Exported requests are applied «on the fly».
The main page
All events from Nemesida AI are displayed on the main page («Attack») for further processing.
A search field is available for filtering requests. It selects requests by the occurrence of one or more words and by special operators.