Nemesida WAF API installation and setup guide.

The domain name example.com and its subdomains are used in this guide as examples.

Nemesida WAF API installation and setup

The local version of the Nemesida WAF API transfers information about blocked requests from the Nemesida WAF modules to a local database, which local visualization services such as the Nemesida WAF Cabinet can then use. With this scheme, attack data is not transmitted outside the client’s infrastructure. Below is a brief guide to deploying the local version of the Nemesida WAF API on servers running Linux.

To install the local version of the Nemesida WAF API, you must perform the following steps:

1. Allow access to https://nemesida-security.com.
2. Install the module:

The commands depend on the distribution (Debian, Ubuntu, CentOS 7).

Debian

# apt install apt-transport-https

Debian 9

# echo "deb https://repository.pentestit.ru/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

Debian 10

# echo "deb https://repository.pentestit.ru/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3-pip python3-dev python3-venv nginx postgresql-server-dev-all
# apt install nwaf-api

nginx is installed automatically, and a virtual host is created in the /etc/nginx/conf.d/ directory. When the installation completes, rename the virtual host configuration file nwaf-api.conf.disabled to nwaf-api.conf and restart nginx.

Install and configure the PostgreSQL DBMS:

# apt install postgresql

Create the database, user and password for the Nemesida WAF API module:

# su - postgres -c "psql -c \"CREATE DATABASE waf;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\"" 
# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""

Create the database, user and password for the Nemesida WAF Cabinet module:

# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""

Ubuntu

# apt install apt-transport-https

Ubuntu 16.04

Connect the repository:

# echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu xenial non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -

Connect Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa

Install the packages:

# apt update && apt upgrade
# apt install python3.6-dev python3.6-venv nginx postgresql-server-dev-all
# curl https://bootstrap.pypa.io/get-pip.py | python3.6

Ubuntu 18.04

Connect the repository and install the packages:

# echo "deb [arch=amd64] https://repository.pentestit.ru/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://repository.pentestit.ru/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3-pip python3-dev python3-venv nginx postgresql-server-dev-all
# apt install nwaf-api

nginx is installed automatically, and a virtual host is created in the /etc/nginx/conf.d/ directory. When the installation completes, rename the virtual host configuration file nwaf-api.conf.disabled to nwaf-api.conf and restart nginx.

Install and configure the PostgreSQL DBMS:

# apt install postgresql

Create the database, user and password for the Nemesida WAF API module:

# su - postgres -c "psql -c \"CREATE DATABASE waf;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\"" 
# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""

Create the database, user and password for the Nemesida WAF Cabinet module:

# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""

CentOS 7

Connect additional repositories and install the necessary dependencies:

# rpm -Uvh https://repository.pentestit.ru/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# rpm -Uvh https://yum.postgresql.org/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm
# rpm -Uvh https://nginx.org/packages/rhel/7/noarch/RPMS/nginx-release-rhel-7-0.el7.ngx.noarch.rpm
# yum install python36 python36-pip python36-devel nginx postgresql11-devel gcc
# yum install nwaf-api

nginx is installed automatically, and a virtual host is created in the /etc/nginx/conf.d/ directory. When the installation completes, rename the virtual host configuration file nwaf-api.conf.disabled to nwaf-api.conf and restart nginx.

Install and configure the PostgreSQL DBMS:

# yum install postgresql11-server
# /usr/pgsql-11/bin/postgresql-11-setup initdb
# sed -i -E "s|^(host[[:space:]]+all[[:space:]]+all[[:space:]]+127\.0\.0\.1/32[[:space:]]+)ident|\1md5|" /var/lib/pgsql/11/data/pg_hba.conf
# sed -i -E "s|^(host[[:space:]]+all[[:space:]]+all[[:space:]]+::1/128[[:space:]]+)ident|\1md5|" /var/lib/pgsql/11/data/pg_hba.conf
# systemctl start postgresql-11.service
# systemctl enable postgresql-11.service

Create the database, user and password for the Nemesida WAF API module:

# su - postgres -c "psql -c \"CREATE DATABASE waf;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_api PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE waf to nw_api;\"" 
# su - postgres -c "psql -c \"ALTER ROLE nw_api WITH LOGIN;\""

Create the database, user and password for the Nemesida WAF Cabinet module:

# su - postgres -c "psql -c \"CREATE DATABASE cabinet;\""
# su - postgres -c "psql -c \"CREATE ROLE nw_cabinet PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE cabinet to nw_cabinet;\""
# su - postgres -c "psql -c \"ALTER ROLE nw_cabinet WITH LOGIN;\""

3. Create the database structure:

# cat /var/www/nw-api/api.sql | su postgres -c "psql waf"

Make the necessary changes to the /var/www/nw-api/settings.py file to connect to the PostgreSQL DBMS, where:
DB_HOST – the DBMS address;
DB_PASS – the nw_api user password specified in item 1 for connecting to the DBMS;
PROXY – the proxy server address (if used) for connecting to nemesida-security.com.

4. Restart the server and test the module:

# systemctl status nw-api

Nemesida WAF API integration

To integrate the local version of the Nemesida WAF API with the Nemesida WAF software, follow these steps:

1. On the server with the Nemesida WAF module installed, edit the configuration file /etc/nginx/nwaf/conf/global/nwaf.conf and set the parameter as follows:

nwaf_api_conf host=http://nwaf-api.example.com:8080 ...

2. On the server with the Nemesida AI MLC module installed, edit the configuration file /opt/mlc/mlc.conf and set the parameter as follows:

api_host = http://nwaf-api.example.com:8080/

3. After making changes, you must restart the services or restart the server.

nwaf-api.example.com:8080 is the address and port of the server where the Nemesida WAF API module is installed.

Nemesida WAF API database structure

Information about events entering the Nemesida WAF API module is placed in the waf database in the attack, ml and scan_report tables.

attack

The attack table stores information about anomalies detected during the operation of the Nemesida WAF and Nemesida AI modules.

Parameter – Description
timestamp – Date the anomaly was recorded.
ip – Address of the request source.
rule_id – Identifier of the rule used to record the anomaly.
bt – Numeric ID of the method for determining anomalies (signature analysis, machine learning, etc.).
mz – Anomaly area (URL, Args, Body, etc.).
method – Type of HTTP request (GET, POST, etc.).
uri – Request URI.
ua, referer, cookie – HTTP request headers.
vhost – Virtual host’s address.
content – Request body or the content of other headers (depends on the content of mz).
bot – Reserved parameter.
description – Description of the anomaly.
lm – A parameter that determines whether the request is subject to the LM mode.
waf_id – Identifier of the Nemesida WAF module.
request_id – Request ID.

ml

The ml table stores information about the training status of the Nemesida AI module.

Parameter – Description
waf_id – Identifier of the Nemesida WAF module.
ml_status – Operating status of the Nemesida AI module (0 – not active, 1 – active).
ml_learning_progress – Training status of the Nemesida AI module, in percent.
vhost – Virtual host.

scan_report

The scan_report table stores information about the operating status of the Nemesida WAF Scanner module.

Parameter – Description
id – Record ID.
scan_date – Scan date.
content – Critical level of the detected vulnerability.
domain – Virtual host.
method – Type of HTTP request (GET, POST, etc.).
param – Query arguments.
payload – The content of the payload request.
type – The type of vulnerability detected (SQLi, XSS, etc.).
url – Request URI.
data – Request body (for POST requests).
waf_id – Identifier of the Nemesida WAF module.
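
A triage query over the attack table described above, given here as an added example that is not part of the original guide or of the Nemesida WAF code. It assumes column types the guide does not state, uses only a subset of the documented columns, and runs against an in-memory SQLite table with constructed rows in place of the PostgreSQL waf database.

```python
import sqlite3

# Column names are taken from the attack table above; the types are assumed.
SCHEMA = """
CREATE TABLE attack (
    timestamp TEXT, ip TEXT, rule_id INTEGER, bt INTEGER, mz TEXT,
    method TEXT, uri TEXT, vhost TEXT, waf_id TEXT, request_id TEXT
)"""

# Constructed sample rows: documentation IP ranges, made-up rule and request ids.
ROWS = [
    ("2024-01-01 10:00:00", "192.0.2.10", 1001, 1, "ARGS", "GET", "/search", "example.com", "w1", "r1"),
    ("2024-01-01 10:02:00", "192.0.2.10", 1001, 1, "ARGS", "GET", "/search", "example.com", "w1", "r2"),
    ("2024-01-01 10:05:00", "192.0.2.10", 1002, 1, "BODY", "POST", "/login", "example.com", "w1", "r3"),
    ("2024-01-01 10:06:00", "198.51.100.7", 1001, 1, "URL", "GET", "/admin", "example.com", "w1", "r4"),
    ("2024-01-01 11:00:00", "203.0.113.5", 2001, 2, "URL", "GET", "/cart", "shop.example.com", "w2", "r5"),
    ("2024-01-01 11:01:00", "203.0.113.5", 2001, 2, "URL", "GET", "/cart", "shop.example.com", "w2", "r6"),
]

# Per virtual host and source address: number of blocked requests, how many
# distinct rules and anomaly areas (mz) were involved, and the time span.
# The "?" placeholder is SQLite's; psycopg2 for PostgreSQL uses "%s".
TOP_SOURCES = """
SELECT vhost, ip,
       COUNT(*)                AS hits,
       COUNT(DISTINCT rule_id) AS rules,
       COUNT(DISTINCT mz)      AS zones,
       MIN(timestamp)          AS first_seen,
       MAX(timestamp)          AS last_seen
FROM attack
GROUP BY vhost, ip
HAVING COUNT(*) >= ?
ORDER BY hits DESC, ip
"""

def build_sample_db():
    """Create the in-memory stand-in for the waf database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO attack VALUES (?,?,?,?,?,?,?,?,?,?)", ROWS)
    return conn

def top_sources(conn, min_hits=2):
    """Return sources with at least min_hits blocked requests, noisiest first."""
    return conn.execute(TOP_SOURCES, (min_hits,)).fetchall()

if __name__ == "__main__":
    for row in top_sources(build_sample_db()):
        print(row)
```

A source that triggers several distinct rules across several anomaly areas on one virtual host is usually a better candidate for review than one that repeats a single request.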