How do I convert waf config json to ModSec rules?

Question

How do I convert waf config json to ModSec rules?

didemkaraaslan opened this issue 6 years ago · 2 comments

I am able to test my config file against some Modsec rules. I get it. But how do I create ModSec rules out of my waf config file ? I have my config json in the below format

{ "name": "Koala Blocking Profile", "id": "WAF Test 13", "created_date": "12/02/2018 1:39:46 PM", "access_settings": { "ip": { "blacklist": [ "2607:f8b0:4007:801::200e" ], "whitelist": [] }, "country": { "blacklist": [ "AU" ], "whitelist": [] }, "url": { "blacklist": [ "/login/login.jsp" ], "whitelist": [] }, "user-agent": { "blacklist": [ "cerl/7.58.0" ], "whitelist": [] }, "referer": { "blacklist": [ "http://www.hotzone.com/" ], "whitelist": [] }, "ignore_header": [ "(?i)(benign-header)", "^D" ], "ignore_cookie": [ "(?i)(crazy_cookie)", "^[0-9_].*$" ], "ignore_query_args": [ "ignore", "this" ] }, "general_settings": { "allowed_http_methods": [ "GET", "POST" ], "disallowed_extensions": [ ".bat", ".db", ".dll", ".sql", ".sys" ], "allowed_request_content_types": [ "application/x-www-form-urlencoded", "multipart/form-data", "text/xml", "application/xml", "application/json" ], "disallowed_headers": [ "Bad-Header" ], "arg_name_length": 1024, "arg_length": 8000, "max_num_args": 4, "total_arg_length": 64000, "combined_file_sizes": 6291456, "max_file_size": 6291456, "validate_utf8_encoding": true, "xml_parser": true, "anomaly_settings": { "error_score": 4, "notice_score": 2, "inbound_threshold": 1, "critical_score": 5, "outbound_threshold": 4, "warning_score": 3 } }, "ruleset_id": "OWASP-CRS-2.2.9", "ruleset_version": "2017-08-01", "policies" : [ "modsecurity_crs_20_protocol_violations.conf", "modsecurity_crs_21_protocol_anomalies.conf", "modsecurity_crs_22_custom_ec_rules.conf", "modsecurity_crs_23_request_limits.conf", "modsecurity_crs_30_http_policy.conf", "modsecurity_crs_35_bad_robots.conf", "modsecurity_crs_40_generic_attacks.conf", "modsecurity_crs_41_sql_injection_attacks.conf", "modsecurity_crs_41_xss_attacks.conf", "modsecurity_crs_42_tight_security.conf", "modsecurity_crs_45_trojans.conf", "modsecurity_crs_47_common_excaeptions.conf", "modsecurity_crs_49_inbound_blocking.conf", "modsecurity_crs_50_outbound.conf", "modsecurity_crs_59_outbound_blocking.conf", "modsecurity_crs_60_correlation.conf" ] }

Is it possible to create Modsec rules out of this json ?

Answer 1 · 2019-01-21T20:31:19.000Z

No, you cannot.
There is no 1-1 mapping of a config json to a modsecurity config. If you read the overview here https://verizondigital.github.io/waflz/profiles.html#overview, waflz separates the acls from modsecurity rules. The conversion is only available for pure modsecurity directives. https://verizondigital.github.io/waflz/waflz_dump.html. e.g you can either use "modsecurity_crs_41_sql_injection_attacks.conf" or convert it into a json using waflz_dump and use them like "modsecurity_crs_41_sql_injection_attacks.conf.json" in the profile configs "policies" field or vice-versa.

Answer 2 · 2019-01-22T07:21:50.000Z

@dev0z Thank you