Difference between revisions of "Downloading Rules"

From Atomicorp Wiki
m (Automated Method)
m (IIS)
(36 intermediate revisions by 3 users not shown)
Line 11: Line 11:
 
=== Subscription ===
 
=== Subscription ===
  
If you have not already setup a subscription to the '''Real Time rules''' (only $14.95 a month, or $99.95 a year), you can do so here:
+
If you have not already setup a subscription to the '''Real Time rules''' you can do so here:
  
[https://www.atomicorp.com/acshop.html Real Time Feed Signup]
+
[https://www.atomicorp.com/amember/cart/index/product/id/9/c/ Real Time Feed Signup]
  
 
=== Download ===
 
=== Download ===
Line 23: Line 23:
 
===== Full Management Suite =====
 
===== Full Management Suite =====
  
Install [[ASL]].  ASL will automatically download and keep your rules up to date, and will ensure that modsecurity stays up to date so your system can support the latest rules.  ASL also provides you with a full security management suite, which will allow you to manage, edit and configure your rules through a web console.  A full list of ASLs features is available at the URL below:
+
Install [[ASL]].   
 +
 
 +
ASL will automatically download and keep your rules up to date, and will ensure that modsecurity stays up to date so your system can support the latest rules.  ASL also provides you with a full security management suite, which will allow you to manage, edit and configure your rules through a web console.  It will also protect you from uploaded malware, brute force attacks, DOS attacks, rootkits and many other threats that a WAF can not protect you from.
 +
 
 +
A full list of ASLs features is available at the URL below:
  
 
https://www.atomicorp.com/products/asl.html
 
https://www.atomicorp.com/products/asl.html
Line 29: Line 33:
 
===== Just a downloader =====
 
===== Just a downloader =====
  
==== AUM ====
+
See "Atomic Update Manager" below.
  
We are currently beta testing an unsupported rules only downloader called "aum".  If you want to try it out on your system, please see this forum post:
+
===== Atomic Update Manager =====
  
https://www.atomicorp.com/forums/viewtopic.php?f=14&t=7335
+
We also provide an automated modsecurity installation, configuration, rule management and rule updater package called [aum]. You can read more about it on the [[aum]] page. You can install it by running these commands as root:
  
'''Note:  Beta software is unsupported.'''
+
Pre Step)
  
==== Do it Yourself Method ====
+
Remove any modsecurity installation, rules and configuration from your system before installing aum. 
  
The rules are available from the URL below:
+
Step 1) Install [[aum]]
 +
 
 +
''wget -q -O - https://updates.atomicorp.com/installers/aum |bash''
 +
 
 +
Step 2) Configure [[aum]]
 +
 
 +
''aum configure''
 +
 
 +
Step 3) Tell [[aum]] to install the rules
 +
 
 +
''aum -u''
 +
 
 +
 
 +
 
 +
You can read more about aum on the [[aum]] documentation page.
 +
 
 +
Note: This capability is included in [[ASL]].  ASL users do not need to install aum, its already included.
 +
 
 +
==== Do it Yourself Method ====
  
[http://updates.atomicorp.com/channels/rules/subscription/ Real Time Rules Download]
+
See the "Manually downloading rules" section below.
  
 +
==== Manually downloading rules ====
  
 
'''Step 1) Download the file VERSION'''
 
'''Step 1) Download the file VERSION'''
  
http://updates.atomicorp.com/channels/rules/subscription/VERSION
+
https://updates.atomicorp.com/channels/rules/subscription/VERSION
  
 
This file will contain the following fields:
 
This file will contain the following fields:
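
Review bot: The added Step 1 command, "wget -q -O - https://updates.atomicorp.com/installers/aum |bash", runs as root whatever the server returns, with no integrity check, and -q hides download errors. Suggest documenting a download-to-file step and a verification step before the installer is executed. Two smaller points in the same hunk: the new intro line writes "[aum]" with single brackets while every other added line uses "[[aum]]", and "its already included" should read "it's already included".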
Line 62: Line 85:
 
WAF_ENGINE_VERSION=2.7.4-15
 
WAF_ENGINE_VERSION=2.7.4-15
 
</pre>
 
</pre>
 +
 +
The MODSEC_VERSION field contains the latest version number for the modsecurity rules.  This field will be used to find the latest rules file. 
  
 
'''Step 2) Download the latest rule file'''
 
'''Step 2) Download the latest rule file'''
 +
 +
===== Apache =====
 +
  
 
The VERSION file contains the current supported version number of that ruleset.  For example, using the data above the current version of the realtime modsecurity rules that are supported is:
 
The VERSION file contains the current supported version number of that ruleset.  For example, using the data above the current version of the realtime modsecurity rules that are supported is:
Line 73: Line 101:
 
rulefiletype-version.tar.gz
 
rulefiletype-version.tar.gz
  
For example, using the version information above the latest modsecurity rules version would be:
 
  
http://updates.atomicorp.com/channels/rules/subscription/modsec-20130719110199.tar.gz
+
For example, using the version information in that example, the latest modsecurity rules version would be:
  
Using the VERSION information above, the latest clamav rules would be:
+
https://updates.atomicorp.com/channels/rules/subscription/modsec-20130719110199.tar.gz
 +
 
 +
''Note:  These are not valid version numbers but only examples.  Please check the VERSION file for the current version of the real time rules.''
 +
 
 +
 
 +
'''Step 3) Lint your rules'''
 +
 
 +
Our rules are built to support the latest stable version of modsecurity.  modsecurity changes regularly, including new capabilities, the retiring of old capabilities and changes in the rule language.  It is therefore critical that you always use the latest stable version of modsecurity supported by our rules.  That version is kept up to date at the URL below:
 +
 
 +
https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules
 +
 
 +
You will want to check to make sure the latest rules work with the version of modsecurity installed on your system.  [[ASL]] does this automatically, if you are not using [[ASL]] you will need to make sure you have a method in place to do this for your DIY setup or a test environment.
 +
 
 +
===== nginx =====
 +
 
 +
Note: modsecurity with nginx (libmodsecurity 3.x) should be considered beta quality at best.  This has nothing to do with the rules.  The nginx port of modsecurity is missing features that exist in modsecurity 2.x.  For example, the ability to decode certain types of attacks (base64, hex, etc.) meaning that if you are using 3.x you are vulnerable to any attack encoded in these formats.  We do not recommend you use libmodsecurity at this time.
 +
 
 +
The VERSION file contains the current supported version number of that ruleset.  For example, using the data above the current version of the realtime modsecurity rules that are supported is:
 +
 
 +
20130719110199
 +
 
 +
If you want to download that rule file, the format is:
 +
 
 +
rulefiletype-version.tar.gz
 +
 
 +
 
 +
For example, using the version information above the latest modsecurity rules version would be:
 +
 
 +
https://updates.atomicorp.com/channels/rules/nginx-latest/modsec-20130719110199.tar.gz
  
http://updates.atomicorp.com/channels/rules/subscription/clamav-20130718104399.tar.gz
 
  
 
Note:  These are not a valid version number.  Please check the VERSION file for the current version of the real time rules.
 
Note:  These are not a valid version number.  Please check the VERSION file for the current version of the real time rules.
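
Review bot: The added nginx example URL sits under /channels/rules/nginx-latest/, but the only VERSION file the page points to is under /channels/rules/subscription/, so the text should say which VERSION file gives the version for the nginx archive. In the added nginx note, "For example, the ability to decode certain types of attacks (base64, hex, etc.) meaning that ..." is a sentence fragment and needs a verb such as "it lacks". The unchanged note "These are not a valid version number" now follows a single example URL and disagrees in number with the reworded note added under Apache.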
Line 85: Line 139:
 
We recommend you use [[ASL]] to keep your rules up to date.  If you are a DIY customer, we recommend using a tool like wget or curl to download the rules.
 
We recommend you use [[ASL]] to keep your rules up to date.  If you are a DIY customer, we recommend using a tool like wget or curl to download the rules.
  
'''Step 3) Optional:  Confirm the rule file is valid'''
+
'''Step 3) Lint your rules'''
  
We sign each rule file with GNUPGEach rule file includes a paired file with a .asc extensionThis includes the digital signature for that rule fileFor example, to download that file for the rule file above you would download this file:
+
Our rules are built to support the latest stable version of modsecuritymodsecurity changes regularly, including new capabilities, the retiring of old capabilities and changes in the rule languageIt is therefore critical that you always use the latest stable version of modsecurity supported by our rulesThat version is kept up to date at the URL below:
  
http://updates.atomicorp.com/channels/rules/subscription/modsec-201307191101.tar.gz.asc
+
https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules
  
You can use a tool like gpg or PGP to check the digital signature on this fileFor example:
+
You will want to check to make sure the latest rules work with the version of modsecurity installed on your system[[ASL]] does this automatically, if you are not using [[ASL]] you will need to make sure you have a method in place to do this for your DIY setup or a test environment.
  
gpg modsec-201307191101.tar.gz.asc
+
===== IIS =====
  
If the file is valid, you will see a response similar to this:
+
The VERSION file contains the current supported version number of that ruleset.  For example, using the data above the current version of the realtime modsecurity rules that are supported is:
  
gpg: Signature made Fri 19 Jul 2013 11:01:24 AM EDT using RSA key ID 4520AFA9
+
20130719110199
gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) <support@atomicorp.com>"
+
 
 +
If you want to download that rule file, the format is:
 +
 
 +
rulefiletype-version.tar.gz
 +
 
 +
For example, using the version information above the latest modsecurity rules version would be:
 +
 
 +
https://updates.atomicorp.com/channels/rules/subscription/modsec-20130719110199.tar.gz
 +
 
 +
''Note:  This is not a valid version number.  Please check the VERSION file for the current version of the real time rules.''
 +
 
 +
We recommend you use [[ASL]] to keep your rules up to date.  If you are a DIY customer, we recommend using a tool like wget or curl to download the rules.
  
You can download our GPG key from this URL:
+
'''Step 3) Install with windows versions of the rules'''
  
https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt
+
Within the archive file is a sub directory "windows". This contains the version of the modsecurity rules that will work with IIS. (IIS does not support some of the functions in apache and nginx, and those rulesets are either removed or modified for this lack of funtionality in the IIS port of modsecurity)
  
 
'''Step 4) Lint your rules'''
 
'''Step 4) Lint your rules'''
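
Review bot: The removed "Step 3) Optional: Confirm the rule file is valid" was the only place the page told DIY users about the paired .asc signature, the gpg check and the signing key URL, and none of the added lines replaces it. If rule files are still signed, keep that step (renumbered) ahead of linting; if signing was dropped, say so explicitly. The numbering also needs a pass: the nginx section now ends with "Step 3) Lint your rules" and the IIS section adds a second "Step 3)" followed by "Step 4)". The added IIS paragraph misspells "funtionality".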
Line 120: Line 185:
 
This script is not supported by Atomicorp, please direct any questions you may have regarding this script to the author.
 
This script is not supported by Atomicorp, please direct any questions you may have regarding this script to the author.
  
If you require an automated solution that is supported by Atomicorp, please use [[ASL]].
+
If you require an automated solution that is supported by Atomicorp, please use [[ASL]] or [[aum]].
  
 
== Delayed/Unsupported/Free Rules ==
 
== Delayed/Unsupported/Free Rules ==
Line 130: Line 195:
 
If you want to try out the Real Time rules please sign up [https://www.atomicorp.com/amember/signup.php?price_group=-2&product_id=22&hide_paysys=free here].  
 
If you want to try out the Real Time rules please sign up [https://www.atomicorp.com/amember/signup.php?price_group=-2&product_id=22&hide_paysys=free here].  
  
Or if you want to try the full security suite, Atomic Secured Linux (ASL), on a trial basis, just sign up for a [https://www.atomicorp.com/amember/signup.php?price_group=-1&product_id=17&hide_paysys=free 30 day free trial here].
+
Or if you want to try the full security suite, Atomic Secured Linux (ASL), on a trial basis, just sign up for a [https://www.atomicorp.com/amember/signup.php?price_group=-1&product_id=17&hide_paysys=free 10 day free trial here].
  
 
= Questions =
 
= Questions =
  
 
Please see the https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules_FAQ.
 
Please see the https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules_FAQ.

Revision as of 14:18, 12 February 2019


Introduction

The rules came in two forms

1) Real Time Rules

2) Delayed/Unsupported Rules (Discontinued)

Real Time/Supported Rules

Subscription

If you have not already set up a subscription to the Real Time rules, you can do so here:

Real Time Feed Signup

Download

Once your account is set up, you can download the Real Time rules by following this process:

Automated Method

Full Management Suite

Install ASL.

ASL will automatically download and keep your rules up to date, and will ensure that modsecurity stays up to date so your system can support the latest rules. ASL also provides you with a full security management suite, which will allow you to manage, edit and configure your rules through a web console. It will also protect you from uploaded malware, brute force attacks, DoS attacks, rootkits and many other threats that a WAF cannot protect you from.

A full list of ASL's features is available at the URL below:

https://www.atomicorp.com/products/asl.html

Just a downloader

See "Atomic Update Manager" below.

Atomic Update Manager

We also provide an automated modsecurity installation, configuration, rule management and rule updater package called aum. You can read more about it on the aum page. You can install it by running these commands as root:

Pre Step)

Remove any modsecurity installation, rules and configuration from your system before installing aum.

Step 1) Install aum

wget -q -O - https://updates.atomicorp.com/installers/aum |bash

Step 2) Configure aum

aum configure

Step 3) Tell aum to install the rules

aum -u


You can read more about aum on the aum documentation page.

Note: This capability is included in ASL. ASL users do not need to install aum; it's already included.

Do it Yourself Method

See the "Manually downloading rules" section below.

Manually downloading rules

Step 1) Download the file VERSION

https://updates.atomicorp.com/channels/rules/subscription/VERSION

This file will contain the following fields:

ASL_VERSION=3.2.14-31
APPINV_VERSION=20130518124799
CLAMAV_VERSION=20130718104399
GEOMAP_VERSION=20130719103399
GRSEC_VERSION=0
KERNEL_VERSION=3.2.48-54
MODSEC_VERSION=20130719110199
OSSEC_VERSION=20130717175199
WAF_DELAYED_VERSION=20130515162599
WAF_ENGINE_VERSION=2.7.4-15

The MODSEC_VERSION field contains the latest version number for the modsecurity rules. This field will be used to find the latest rules file.

Step 2) Download the latest rule file

Apache

The VERSION file contains the current supported version number of that ruleset. For example, using the data above the current version of the realtime modsecurity rules that are supported is:

20130719110199

If you want to download that rule file, the format is:

rulefiletype-version.tar.gz


For example, using the version information in that example, the latest modsecurity rules version would be:

https://updates.atomicorp.com/channels/rules/subscription/modsec-20130719110199.tar.gz

Note: These are not valid version numbers but only examples. Please check the VERSION file for the current version of the real time rules.


Step 3) Lint your rules

Our rules are built to support the latest stable version of modsecurity. modsecurity changes regularly, including new capabilities, the retiring of old capabilities and changes in the rule language. It is therefore critical that you always use the latest stable version of modsecurity supported by our rules. That version is kept up to date at the URL below:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules

You will want to check that the latest rules work with the version of modsecurity installed on your system. ASL does this automatically. If you are not using ASL, you will need to make sure you have a method in place to do this for your DIY setup or a test environment.

nginx

Note: modsecurity with nginx (libmodsecurity 3.x) should be considered beta quality at best. This has nothing to do with the rules. The nginx port of modsecurity is missing features that exist in modsecurity 2.x. For example, it lacks the ability to decode certain types of attacks (base64, hex, etc.), meaning that if you are using 3.x you are vulnerable to any attack encoded in these formats. We do not recommend you use libmodsecurity at this time.

The VERSION file contains the current supported version number of that ruleset. For example, using the data above the current version of the realtime modsecurity rules that are supported is:

20130719110199

If you want to download that rule file, the format is:

rulefiletype-version.tar.gz


For example, using the version information above the latest modsecurity rules version would be:

https://updates.atomicorp.com/channels/rules/nginx-latest/modsec-20130719110199.tar.gz


Note: This is not a valid version number. Please check the VERSION file for the current version of the real time rules.

We recommend you use ASL to keep your rules up to date. If you are a DIY customer, we recommend using a tool like wget or curl to download the rules.

Step 3) Lint your rules

Our rules are built to support the latest stable version of modsecurity. modsecurity changes regularly, including new capabilities, the retiring of old capabilities and changes in the rule language. It is therefore critical that you always use the latest stable version of modsecurity supported by our rules. That version is kept up to date at the URL below:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules

You will want to check that the latest rules work with the version of modsecurity installed on your system. ASL does this automatically. If you are not using ASL, you will need to make sure you have a method in place to do this for your DIY setup or a test environment.

IIS

The VERSION file contains the current supported version number of that ruleset. For example, using the data above the current version of the realtime modsecurity rules that are supported is:

20130719110199

If you want to download that rule file, the format is:

rulefiletype-version.tar.gz

For example, using the version information above the latest modsecurity rules version would be:

https://updates.atomicorp.com/channels/rules/subscription/modsec-20130719110199.tar.gz

Note: This is not a valid version number. Please check the VERSION file for the current version of the real time rules.

We recommend you use ASL to keep your rules up to date. If you are a DIY customer, we recommend using a tool like wget or curl to download the rules.

Step 3) Install with windows versions of the rules

Within the archive file is a subdirectory "windows". This contains the version of the modsecurity rules that will work with IIS. (IIS does not support some of the functions in apache and nginx, and those rulesets are either removed or modified for this lack of functionality in the IIS port of modsecurity.)

Step 4) Lint your rules

Our rules are built to support the latest stable version of modsecurity. modsecurity changes regularly, including new capabilities, the retiring of old capabilities and changes in the rule language. It is therefore critical that you always use the latest stable version of modsecurity supported by our rules. That version is kept up to date at the URL below:

https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules#Minimum_Version_of_Modsecurity_Required_to_use_the_rules

You will want to check that the latest rules work with the version of modsecurity installed on your system. ASL does this automatically. If you are not using ASL, you will need to make sure you have a method in place to do this for your DIY setup or a test environment.
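
The manual steps above (read MODSEC_VERSION from the VERSION file, then build rulefiletype-version.tar.gz under the right channel) written out as a shell script. This is an added example, not Atomicorp's code: the function names, the constructed sample VERSION text, and the use of the subscription VERSION file for the nginx channel are assumptions.

```shell
#!/bin/sh
# Added example: resolve the current rule archive URL from a VERSION file.
# Function names and sample data are hypothetical; the URL layout is the page's.

BASE_URL="https://updates.atomicorp.com/channels/rules"

# Constructed sample that mirrors the VERSION fields shown on the page.
SAMPLE_VERSION='ASL_VERSION=3.2.14-31
CLAMAV_VERSION=20130718104399
MODSEC_VERSION=20130719110199
WAF_ENGINE_VERSION=2.7.4-15'

# version_field FIELD: read VERSION text on stdin and print FIELD's value.
# The file is treated as data and never sourced. The call fails unless the
# field occurs exactly once and is digits only, so a tampered or truncated
# VERSION file cannot push path characters into the download URL.
version_field() {
    field=$1
    value=$(sed -n "s/^${field}=//p" | tr -d '\r')
    case $value in
        ''|*[!0-9]*) echo "bad or missing $field" >&2; return 1 ;;
    esac
    printf '%s\n' "$value"
}

# rules_url SERVER VERSION: archive URL for apache, nginx or iis.
rules_url() {
    case $1 in
        # IIS uses the same archive; its rules are in the "windows" subdirectory.
        apache|iis) channel=subscription ;;
        nginx)      channel=nginx-latest ;;
        *) echo "unknown server type: $1" >&2; return 1 ;;
    esac
    printf '%s/%s/modsec-%s.tar.gz\n' "$BASE_URL" "$channel" "$2"
}

# fetch_rules SERVER DEST [curl args...]: download VERSION, then the archive.
# Extra curl arguments (for example credentials) are passed through by the
# caller; the page does not describe how the feed authenticates (assumption).
fetch_rules() {
    server=$1 dest=$2; shift 2
    version=$(curl --fail --silent --show-error --proto '=https' "$@" \
        "$BASE_URL/subscription/VERSION" | version_field MODSEC_VERSION) || return 1
    url=$(rules_url "$server" "$version") || return 1
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # Write to a temporary file so a failed transfer never replaces DEST.
    if curl --fail --silent --show-error --proto '=https' "$@" -o "$tmp" "$url"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# Offline demonstration on the constructed sample (no network access).
v=$(printf '%s\n' "$SAMPLE_VERSION" | version_field MODSEC_VERSION) &&
    rules_url nginx "$v"
```

Unpack the downloaded archive into a staging directory and lint it against your installed modsecurity before replacing the live rules.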

Unsupported third party scripts

One of our customers has put together a script to keep your rules up to date. You can get this script from the URL below:

http://puntapirata.com/ModSec-Updater.php

This script is not supported by Atomicorp. Please direct any questions you may have regarding this script to the author.

If you require an automated solution that is supported by Atomicorp, please use ASL or aum.

Delayed/Unsupported/Free Rules

The Delayed/Unsupported/Free rules are no longer available.

Delayed/Unsupported Feed Download

If you want to try out the Real Time rules please sign up here.

Or if you want to try the full security suite, Atomic Secured Linux (ASL), on a trial basis, just sign up for a 10 day free trial here.

Questions

Please see the FAQ: https://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules_FAQ
