djellemah/rodsec

Rodsec

An FFI wrapper for the ModSecurity Web Application Firewall (libmodsecurity). It needs a ruleset; most likely you'll want the OWASP ModSecurity Core Rule Set (CRS).

This gem also provides a Rack middleware which returns a 403 Forbidden response to bad requests. Interventions raised in the request phases (connection, URI, request headers, request body) happen before your application code runs; interventions raised on the response headers or body replace the response your application already produced.

Installation

Install ModSecurity >= 3.0.0 (libmodsecurity). This gem's native extensions will not compile without it. As of 23-Sep-2018 you may have to compile ModSecurity yourself; distro packages of the 3.0.0 versions did not seem to be available at that time.

And now back to your scheduled gem installation dance. Add this line to your application's Gemfile:

gem 'rodsec'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rodsec

Usage

ModSecurity config

Copy spec/config/modsecurity.conf, spec/config/crs-setup.conf, and spec/config/unicode.mapping into a config directory somewhere in your app. These are pre-configured to signal an intervention on dodgy requests or responses; the Rack middleware in this gem returns a 403 "Forbidden" in those cases.

You should be able to use the config files as-is. Consider decreasing the paranoia level in crs-setup.conf (the tx.paranoia_level setting) from 3 to 1 or 2: higher paranoia levels enable stricter rules and produce more false positives, so level 3 is likely to block legitimate traffic until you have tuned exclusions for your app.

Then you'll need a ruleset - start with the OWASP CRS.

Easiest is a directory structure like this:

config/
  modsecurity.conf
  crs-setup.conf
  unicode.mapping
  rules/
    # copy files from OWASP CRS rules/*
    REQUEST-920-PROTOCOL-ENFORCEMENT.conf
    ...
    RESPONSE-980-CORRELATION.conf
    ...
    scanners-headers.data
    ...

The location of your rules directory is configurable if you really need to - see comments in Rodsec::Rack source.

Take a look at the *.example files in rules/.

Copying the rules files is a manual step because you really want to have at least some idea of which rules you've activated, and how to handle false positives (rule exclusions, anomaly thresholds, paranoia level). Search for ModSecurity together with apache or nginx and you'll get lots to read; the CRS rules are the same regardless of which server fronts them.

Rack/Rails

Now you can add a use line to your rack config. In plain rack this would be something like

use Rodsec::Rack, config: config_dir, log_blk: -> tag, str { p tag: tag, str: str }

See the official Rails docs on adding Rack middleware to a Rails app (config.middleware in your application or environment config).

You'll know it worked when you see "loading rules file" log messages showing up in your log_blk: lambda on application startup.
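The request/response flow that a WAF middleware performs, as an added example that is not rodsec's own code: a self-contained Rack middleware that drives one transaction per request in the phase order listed under Standalone below, and answers 403 as soon as any phase raises an intervention. Rodsec::Transaction and libmodsecurity are replaced here by a constructed DemoTransaction with a few hypothetical regex rules so the block runs offline; the argument lists of connection!, uri!, and the other phase methods, the DemoIntervention class, and the hand-built Rack env are all this example's assumptions, not the gem's signatures.

```ruby
require 'stringio'

# Stand-in for Rodsec::Intervention (constructed): carries the HTTP status
# the engine wants the middleware to return.
class DemoIntervention < StandardError
  attr_reader :status
  def initialize(status, message)
    super(message)
    @status = status
  end
end

# Stand-in for a Rodsec::Transaction. Method names mirror the README; the
# argument lists and the regex "rules" are this example's assumptions.
class DemoTransaction
  REQUEST_RULES = [
    [/(\.\.\/){2,}/,           'path traversal in request'],
    [/\bunion\b.+\bselect\b/i, 'SQL injection pattern in request'],
  ].freeze
  RESPONSE_RULES = [
    [/root:x:0:0:/, 'passwd file content leaked in response'],
  ].freeze

  def initialize(log_blk)
    @log_blk = log_blk
    @phase = 0
  end

  def connection!(client_ip, client_port, server_ip, server_port)
    step!(1)
    @log_blk&.call(:conn, "#{client_ip}:#{client_port} -> #{server_ip}:#{server_port}")
  end

  def uri!(method, uri, version)
    step!(2)
    scan(REQUEST_RULES, "#{method} #{uri} #{version}")
  end

  def request_headers!(headers)
    step!(3)
    scan(REQUEST_RULES, headers.map { |k, v| "#{k}: #{v}" }.join("\n"))
  end

  def request_body!(body)
    step!(4)
    scan(REQUEST_RULES, body)
  end

  def response_headers!(status, headers)
    step!(5)
    @log_blk&.call(:resp, "status #{status}, #{headers.size} headers")
  end

  def response_body!(body)
    step!(6)
    scan(RESPONSE_RULES, body)
  end

  def logging
    step!(7)
    @log_blk&.call(:txn, 'transaction complete')
  end

  private

  # The README warns the phases must be fed in order; enforce it.
  def step!(n)
    raise ArgumentError, "phase #{n} called after phase #{@phase}" unless n == @phase + 1
    @phase = n
  end

  def scan(rules, text)
    rules.each do |pattern, message|
      next unless pattern.match?(text)
      @log_blk&.call(:intervention, message)
      raise DemoIntervention.new(403, message)
    end
  end
end

# The middleware: request phases before @app.call, response phases after.
class DemoWaf
  def initialize(app, log_blk: nil)
    @app = app
    @log_blk = log_blk
  end

  def call(env)
    txn = DemoTransaction.new(@log_blk)
    begin
      txn.connection!(env['REMOTE_ADDR'], env['REMOTE_PORT'].to_i,
                      env['SERVER_NAME'], env['SERVER_PORT'].to_i)
      uri = env['PATH_INFO'].dup
      uri << "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
      txn.uri!(env['REQUEST_METHOD'], uri, env['HTTP_VERSION'] || 'HTTP/1.1')
      txn.request_headers!(env.select { |k, _| k.start_with?('HTTP_') })
      body = env['rack.input'].read.to_s
      env['rack.input'].rewind
      txn.request_body!(body)
    rescue DemoIntervention => iex
      return forbidden(iex) # blocked in a request phase: the app never runs
    end

    status, headers, body = @app.call(env)
    body_str = +''
    body.each { |chunk| body_str << chunk }
    begin
      txn.response_headers!(status, headers)
      txn.response_body!(body_str)
      txn.logging
    rescue DemoIntervention => iex
      return forbidden(iex) # the app ran, but its response is withheld
    end
    [status, headers, [body_str]]
  end

  private

  def forbidden(iex)
    [iex.status, { 'Content-Type' => 'text/plain' }, ["Forbidden: #{iex.message}\n"]]
  end
end

# Hand-built Rack env (constructed sample input; no rack gem needed).
def demo_env(path, query: '', body: '')
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'QUERY_STRING' => query,
    'REMOTE_ADDR' => '203.0.113.7', 'REMOTE_PORT' => '51234',
    'SERVER_NAME' => 'app.example', 'SERVER_PORT' => '443',
    'rack.input' => StringIO.new(body) }
end

# Runs one request; returns [status, app_was_called, log tags seen].
def run_demo(path, query: '', app_body: 'hello')
  called = false
  app = ->(_env) { called = true; [200, { 'Content-Type' => 'text/plain' }, [app_body]] }
  tags = []
  waf = DemoWaf.new(app, log_blk: ->(tag, _str) { tags << tag })
  status, = waf.call(demo_env(path, query: query))
  [status, called, tags]
end
```

A clean request reaches the app and completes all seven phases; a traversal attempt in the query string is refused in the uri! phase, so the app lambda is never invoked; a response that contains passwd-style content is refused after the app ran, which is the case where Rodsec::Rack cannot stop your code from executing but can still stop the data from leaving.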

Standalone

You can also use this gem without rack.

msc = Rodsec::Modsec.new do |tag, str|
  # this block will be called with log strings from ModSecurity
  puts tag, str
end

# load config files
rule_set = Rodsec::ReadConfig.read_config config_dir, rules_dir do |tag, str|
  p tag => str
end

# Now check one, or several, request/response cycles.
# You'll need a new Transaction instance for each cycle.
txn = Rodsec::Transaction.new msc, rule_set, txn_log_tag: 'my_first_transaction'
begin
  # method calls MUST be in this order
  txn.connection! ...
  txn.uri! ...
  txn.request_headers! ...
  txn.request_body! ...
  txn.response_headers! ...
  txn.response_body! ...

  txn.logging
rescue Rodsec::Intervention => iex
  # a good place to do some logging...
  puts iex.msi.to_h # so you can see what fields are available
  puts "http_status: #{iex.msi.status}"
end

Acknowledgements

Thanks to NETSTOCK for funding development.

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/djellemah/rodsec.

License

The gem is available as open source under the terms of the MIT License.