«Nemesida WAF Signtest» module installation guide.

«Nemesida WAF Signtest» is provided as an API and as a web application. It is used to verify the operation of the «Nemesida AI» module.

«Nemesida WAF Signtest» installation

1. Install and configure the «PostgreSQL» DBMS, then connect the repository and install «Nemesida WAF Signtest». Commands are given for Debian 9, Ubuntu 18.04 and CentOS 7.

Debian 9

# apt install postgresql
# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""

Connect the repository and install «Nemesida WAF Signtest»:

# echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt install nginx postgresql memcached python3 python3-pip python3-venv python3-dev build-essential libpcre3-dev gcc
# apt install nwaf-st

Ubuntu 18.04

# apt install postgresql
# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""

Connect the repository and install «Nemesida WAF Signtest»:

# apt install apt-transport-https
# echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt install nginx postgresql memcached python3 python3-pip python3-venv python3-dev build-essential libpcre3-dev gcc
# apt install nwaf-st

CentOS 7

# yum install postgresql-server

Initialise the cluster, switch local TCP connections from ident to password (md5) authentication, and start the service:

# postgresql-setup initdb
# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql.service
# systemctl enable postgresql.service

# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""

Create the file /etc/yum.repos.d/NemesidaWAF.repo with the repository information:

[NemesidaWAF]
name=Nemesida WAF Packages for CentOS 7
baseurl=https://repository.pentestit.ru/nw/centos/7/$basearch
gpgkey=https://repository.pentestit.ru/nw/gpg.key
enabled=1
gpgcheck=1

Create the file /etc/yum.repos.d/nginx.repo with the repository information:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1

Install «Nemesida WAF Signtest»:

# yum update && yum install python36 gcc nginx memcached python36-devel pcre pcre-devel
# yum install nwaf-st

2. Edit the file /var/www/signtest/settings.py. Its parameters are:

«settings.py» parameter       Description
SECRET_KEY                    Security key (generated automatically during installation).
HTTP_PROXY                    Address of the proxy server used for outbound connections.
RULES_PATH                    Path to the file rules.bin.
DB_HOST, DB_PORT, DB_NAME,    Parameters for connecting to the DBMS.
DB_USER, DB_PASS
SMTP_SERVER, SMTP_PORT,       Parameters for connecting to the SMTP server.
SMTP_LOGIN, SMTP_PASSWORD
SMTP_TO                       Address that notification messages are sent to.

3. After editing the settings, apply the database migrations:

# cd /var/www/signtest/app/ && . venv/bin/activate && python3 manage.py migrate && deactivate

4. Activate the virtual host:

# mv /etc/nginx/conf.d/signtest.conf.disabled /etc/nginx/conf.d/signtest.conf
# nginx -t && service nginx reload

5. Reboot the server or restart the services, then check that they are running:

# systemctl restart signtest_ipinfo signtest_rlupd signtest_web signtest_api
# systemctl status signtest_ipinfo signtest_rlupd signtest_web signtest_api

Using the «Nemesida WAF Signtest» module

The main page shows the «False Positive» and «False Negative» events received from «Nemesida AI» through the API.

«False Negative», «BT 11» — the request contains an attack signature but was not blocked by «Nemesida AI».
«False Positive», «BT 12» — the request was blocked by «Nemesida AI» but does not contain an attack signature.

Exporting events corrects the operation of «Nemesida AI»:

  • after export, «False Negative» events are taken into account as examples of illegitimate requests during the current and subsequent training; if training had already finished before the export, retraining is required;
  • after export, «False Negative» events are taken into account by the current models and by the models trained in the future.

If you delete events, the models must be retrained.

The main page

All events received from «Nemesida AI» are shown on the main page (the «Attack» table) for further processing.

The search field filters the requests: it selects requests by the occurrence of a word or words and by special operators of the form field:value, combined with and / or.

Example queries

Display requests in which the vulnerability was detected in the Body field:

status:body

Display requests containing the IP address 127.0.0.1 and the HTTPS request scheme:

ip:127.0.0.1 and schema:HTTPS

Display requests containing the domain example.com and the request type POST:

host: example.com or req_t:POST

Display requests containing the value name=a in Args and the value /test in the URI (the uri field holds the request URI):

args:name=a and uri:/test

Display requests containing the protocol HTTP/1.1:

req_p:http/1.1

Display requests containing the value csrf=1 in Cookie:

cookie:csrf=1

Display requests containing the value mozilla in the User-Agent field:

ua:mozilla

Display requests of type «BT 11» containing example.com in the Referer field:

ref:example.com and bt:11

Display requests containing the value 661 in the Content-Length field:

cont_l:661

Display requests containing the value urlencoded in the Content-Type field:

cont_t:urlencoded

Display requests containing the value test in the Body field:

body:test

Display requests with the identifier 0a509eae749e62f2fe5c84:

id:0a509eae749e62f2fe5c84

Display requests from the year 2019 onwards:

date:2019
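
The filter language used in the queries above, as an added example that is not part of the Signtest project: a small Python evaluator for field:value terms joined by and / or, run over two constructed events. The event field names, case-insensitive substring matching and the precedence rule (and binds tighter than or) are assumptions made here, not a description of the product's own search implementation.

```python
import re
from typing import Dict, List

# Constructed sample events; the keys mirror the search prefixes used on this
# page (ip, schema, host, req_t, ...). The event layout itself is an assumption.
EVENTS: List[Dict[str, str]] = [
    {"id": "0a509eae749e62f2fe5c84", "date": "2019-03-01", "ip": "127.0.0.1",
     "schema": "HTTPS", "host": "example.com", "req_t": "POST", "req_p": "HTTP/1.1",
     "uri": "/test", "args": "name=a", "cookie": "csrf=1", "ua": "Mozilla/5.0",
     "ref": "https://example.com/", "cont_l": "661",
     "cont_t": "application/x-www-form-urlencoded", "body": "test",
     "bt": "11", "status": "body"},
    {"id": "4c1d2e3f5a6b7c8d9e0f11", "date": "2018-11-20", "ip": "10.0.0.5",
     "schema": "HTTP", "host": "example.org", "req_t": "POST", "req_p": "HTTP/2",
     "uri": "/", "args": "", "cookie": "", "ua": "curl/7.64", "ref": "",
     "cont_l": "0", "cont_t": "", "body": "", "bt": "12", "status": "args"},
]

TERM = re.compile(r"^(\w+):(.+)$")


def term_matches(term: str, event: Dict[str, str]) -> bool:
    """One field:value term: case-insensitive substring match on that field.

    A space after the colon (as in `host: example.com`) is tolerated; an
    unknown field simply never matches, as a search box would behave.
    """
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"malformed search term: {term!r}")
    field, value = m.group(1).lower(), m.group(2).strip().lower()
    return value in event.get(field, "").lower()


def query_matches(query: str, event: Dict[str, str]) -> bool:
    """and binds tighter than or: the query is an OR of AND-groups."""
    groups = re.split(r"\s+or\s+", query.strip(), flags=re.IGNORECASE)
    return any(
        all(term_matches(t, event)
            for t in re.split(r"\s+and\s+", g, flags=re.IGNORECASE))
        for g in groups
    )


def search(query: str, events: List[Dict[str, str]] = EVENTS) -> List[str]:
    """Return the ids of the events the query selects, in table order."""
    return [e["id"] for e in events if query_matches(query, e)]


if __name__ == "__main__":
    for q in ("ip:127.0.0.1 and schema:HTTPS", "host: example.com or req_t:POST",
              "ref:example.com and bt:11", "date:2019"):
        print(f"{q:40} -> {search(q)}")
```
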
Navigation bar functions

  • Delete the tagged records (or all records, if none is tagged).
  • Switch between the tables («Attack», «False Positive», «False Negative»).
  • Status indicator of the file «rules.bin».

Record management functions on the main page

  • Export the request into the table.
  • Delete the request.
  • Edit the request contents and then export it into the table.
  • Display extended information about the request.
  • Check the request using the signature method.