The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
Download ModSecurity from here: https://www.modsecurity.org/download.html
The linked configuration files are tested with ModSecurity v.2.9.2-1 for IIS and the OWASP CRS 2.2.9 configured for SuperOffice 8.1. Other versions may affect false positives, and the configuration file may need to be changed accordingly.
Install the Visual Studio 2013 Runtime (VCredist). Note that there are two versions (64-bit and 32-bit). They can be obtained from here:
On the server that is functioning as our reverse proxy, install ModSecurity by walking through the installation wizard with the default settings. Open the Windows Event Viewer to confirm the installation went well.
ModSecurity installs for all IIS sites by default. This may break things, so you may want to disable it at first. You can do this in the “Configuration Editor” for each site.
Use “iisreset” to make sure changes are applied.
The next step is to configure ModSecurity to function with SuperOffice. By default, the rule set triggers some false positives, so we are going to disable a few rules to avoid them. A file containing the whitelisted rules can be found on the website.
Copy the file called “modsecurity_crs_70_superoffice.conf” into the folder “C:\Program Files\ModSecurity IIS\owasp_crs\base_rules”. This is the default installation path for ModSecurity. If you chose something else during the installation, you need to change the path accordingly.
Next, we need to make sure the file is loaded. Open the file “C:\Program Files\ModSecurity IIS\modsecurity_iis.conf” and add the following line to the end of the file:
After doing this, we need to activate ModSecurity by changing the “enabled” setting to “True” in the “system.webServer/ModSecurity” section of each website you want ModSecurity to run for. Note that these rules are tuned to work with SuperOffice; they may give a lot of false positives if you run them “as-is” for other websites.
Finish the installation by restarting IIS from the command line using “iisreset”:
Open the “Event Viewer” in Windows to check that ModSecurity loaded correctly and to see potential attacks that are triggering our web application firewall rules. Try browsing through the SuperOffice application and then refresh the “Application” log view to see if there are any warnings. Warnings at this stage indicate that the web application firewall has encountered a false positive.
To avoid the false positive, we should disable the rule that triggered it. In the “Event Viewer”, click on the event and view the “Details” tab. Note the rule ID shown for the event and add it to the configuration file we placed at: “C:\Program Files\ModSecurity IIS\owasp_crs\base_rules\modsecurity_crs_70_superoffice.conf”.
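The triage step above can be scripted when there are many events. The following PowerShell is an added example, not part of the original guide or of ModSecurity: it groups alert messages by rule ID and drafts exclusion lines for review instead of writing them to the file. The sample messages and URIs are constructed, and it assumes the exclusion file lists rules with the SecRuleRemoveById directive.

```powershell
# Constructed sample alerts in the ModSecurity 2.x message layout (abbreviated).
# On the server, fill $messages from the Message text of the ModSecurity events
# in the Application log instead.
$messages = @(
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/SuperOffice/default.aspx"]',
    'ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/SuperOffice/Contact/Main.aspx"]',
    'ModSecurity: Warning. Pattern match at ARGS:filter. [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "CRITICAL"] [uri "/SuperOffice/default.aspx"]',
    'ModSecurity: Audit log: Failed to lock global mutex.'   # no rule ID: ignored
)

# Path from the guide. Assumption: exclusions there use SecRuleRemoveById.
$exclusionFile = 'C:\Program Files\ModSecurity IIS\owasp_crs\base_rules\modsecurity_crs_70_superoffice.conf'
$known = @()
if (Test-Path -LiteralPath $exclusionFile) {
    # Collect IDs that are already excluded so they are not drafted twice.
    $known = Select-String -LiteralPath $exclusionFile -Pattern '^\s*SecRuleRemoveById\s+(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value -split '\s+' }
}

# Hypothetical helper: extract rule ID, message and URI from each alert text.
function Get-ModSecAlert {
    param([string[]]$Message)
    foreach ($m in $Message) {
        if ($m -notmatch '\[id "(\d+)"\]') { continue }   # not a rule alert
        $id  = $Matches[1]
        $msg = if ($m -match '\[msg "([^"]*)"\]') { $Matches[1] } else { '' }
        $uri = if ($m -match '\[uri "([^"]*)"\]') { $Matches[1] } else { '' }
        [pscustomobject]@{ Id = $id; Msg = $msg; Uri = $uri }
    }
}

# One summary comment per rule, followed by a draft exclusion line if it is new.
Get-ModSecAlert -Message $messages |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $uris  = ($_.Group.Uri | Sort-Object -Unique) -join ', '
        $state = if ($known -contains $_.Name) { 'already excluded' } else { 'review' }
        '# {0} hit(s) [{1}]: {2} ({3})' -f $_.Count, $state, $_.Group[0].Msg, $uris
        if ($state -eq 'review') { "SecRuleRemoveById $($_.Name)" }
    }
```

Review each drafted line against the rule message and URI before copying it into the file, since an excluded ID stops being checked for every request the configuration applies to.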