Nemesida WAF and Nemesida AI | Nemesida WAF

Защита сайта от хакерских атак
Nemesida WAF and Nemesida AI

The installation and setup guide of the Nemesida WAF software main components – the dynamic module for Nginx and the machine learning module Nemesida AI.

Content

The domain name example.com together with the subdomains in the guide is used as an example. The domain name .example.com includes the main domain and its subdomains. The domain name *.example.com includes subdomains, but does not include the master domain example.com.

General information

Hardware Requirements
Nemesida WAF components require hardware resources that have the following characteristics:

  • CPU: Intel Core i3 or higher;
  • RAM: 2 GB for the server with the installed Nemesida WAF and 32 GB for the server with the installed Nemesida AI MLC;
  • available disk space: 5 GB.

Interaction with external resources
During operation, the Nemesida WAF components make calls to nemesida-security.com:443 and nw-auth-extra.nemesida-security.com:443 for:

  • license key check;
  • loading and uploading of behavioral models and a list of virtual hosts defined by the vhosts_list parameter in the Nemesida AI MLC configuration file;
  • downloading IP address information from GeoIP server.

Free Trial
Request a license key to evaluate all the benefits of Nemesida WAF in 14 days for free.

Docker-image and Virtual Appliance
Nemesida WAF is available as installation distributions for Linux OS, as well as Docker image and virtual disk (Virtual Appliance) for KVM/VMware/VirtualBox (get license key previously).

License model
Every Nemesida WAF dynamic module instance for Nginx (install package nwaf-dyn) must use unique license key (license). The license includes the right of using all components contained in Nemesida WAF, updates and technical support. The license period is from one year.

The Nemesida WAF software packages description

Basic components:

  • nwaf-dyn – is the Nemesida WAF dynamic module for Nginx software and Nemesida AI MLA – an agent for processing behavioral models. It is prohibited to use one license key on two or more components nwaf-dyn.
  • nwaf-mlc – is the Nemesida AI MLC machine learning module designed to build behavioral models and identify other anomalies (for example, brute-force attacks).

Auxilary components:

  • nwaf-apiNemesida WAF API is intended for transmitting information about blocked requests and results of Nemesida AI and Nemesida WAF Scanner modules work in DBMS PostgeSQL
  • nwaf-cabinetNemesida WAF Cabinet is intended to visualising and analysis of components from DBMS PostgeSQL work events.
  • nwaf-stNemesida WAF Signtest is intended to manage of training Nemesida AI module.
  • nwaf-scannerNemesida WAF Scanner, a vulnerability scanner.

Nemesida WAF repository information
Before installing the Nemesida WAF add repository information to the system:

DebianUbuntuCentOS
# apt install apt-transport-https
Debian 9
# echo "deb https://nemesida-security.com/repo/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 10
# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade

# apt install apt-transport-https
16.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu xenial non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
18.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
20.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
CentOS 7
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release
CentOS 8
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install epel-release

RabbitMQ software settings

RabbitMQ is used for interaction between modules Nemesida WAF and Nemesida AI MLC (detection of anomalies and brute-force attacks, traffic collection, behavioral modeling). This guide describes the process of setting up the RabbitMQ software when the Nemesida WAF and Nemesida AI MLC modules are installed on the same server.

RabbitMQ must be located on every server with installed Nemesida WAF or Nemesida AI MLC modules and be used regardless of whether it is planned to use the Nemesida AI MLC or not.

1. Install the package:

Debian, UbuntuCentOS
# apt install rabbitmq-server
CentOS 7
# yum install rabbitmq-server
CentOS 8
Add RabbitMQ repository, changing file /etc/yum.repos.d/RabbitMQ.repo:

[bintray-rabbitmq-server]
name=bintray-rabbitmq-rpm
baseurl=https://dl.bintray.com/rabbitmq/rpm/rabbitmq-server/v3.8.x/el/8/
gpgcheck=0
repo_gpgcheck=0
enabled=1

Install the package:

# dnf update
# dnf install rabbitmq-server

2. Bring the file /etc/rabbitmq/rabbitmq.config to the form:

[
    {rabbitmq_management, [
        {listener, [{port, 15672}, {ip, "127.0.0.1"}]}
    ]},
    {kernel, [
        {inet_dist_use_interface,{127,0,0,1}}
    ]}
].

3. Edit the file /etc/rabbitmq/rabbitmq-env.conf:

export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=127.0.0.1
export ERL_EPMD_ADDRESS=127.0.0.1

4. Complete the RabbitMQ software setup:

# chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config
# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Installing Nemesida WAF

The dynamic module Nemesida WAF is available for:

  • Nginx stable from 1.12;
  • Nginx mainline from 1.15;
  • Nginx Plus from R16.

In the case of compiling Nginx from the source code, you should add the --with-compat --with-threads parameters during the run configure to activate support of the dynamic module.

DebianUbuntuCentOS

Add the Nginx and Nemesida WAF repositories:

Debian 9
# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Make the installation of the packages:

# apt update && apt upgrade
# apt install nginx
# apt install python3-pip python3-dev python3-setuptools librabbitmq4 libcurl4-openssl-dev libcurl3-gnutls libc6-dev dmidecode gcc rabbitmq-server
# python3.5 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize
# apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Debian 10
# echo "deb http://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Make the installation of the packages:

# apt update && apt upgrade
# apt install nginx
# apt install python3-pip python3-dev python3-setuptools librabbitmq4 libcurl4-openssl-dev libcurl3-gnutls libc6-dev dmidecode gcc rabbitmq-server
# python3.7 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize
# apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

# apt install apt-transport-https
16.04

Add the Nginx and Nemesida WAF repositories:

# echo "deb http://nginx.org/packages/ubuntu/ xenial nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu xenial non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -

Add the Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa

Install the packages:

# apt update && apt upgrade
# apt install python3.6 python3.6-dev nginx librabbitmq4 libcurl4-openssl-dev libcurl3-gnutls libc6-dev dmidecode gcc curl rabbitmq-server
# curl https://bootstrap.pypa.io/get-pip.py | python3.6
# python3.6 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize
18.04
Add the Nginx and Nemesida WAF repositories, install the packages:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3-pip python3-dev python3-setuptools nginx librabbitmq4 libcurl4-openssl-dev libcurl3-gnutls libc6-dev dmidecode gcc rabbitmq-server
# python3.6 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize
20.04
Add the Nginx and Nemesida WAF repositories, install the packages:

# echo "deb http://nginx.org/packages/ubuntu/ focal nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3.8 python3-pip python3.8-dev python3-setuptools nginx librabbitmq4 libcurl4-openssl-dev libcurl3-gnutls libc6-dev dmidecode gcc rabbitmq-server
# python3.8 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize

 # apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 7
Enable direct connection to nemesida-security.com:443.

Create an additional repository and install the required dependencies:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release

Add the Nginx repository and install the packages:

# rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm
# yum update
# yum install nginx
# yum install python36-pip python36-devel systemd openssl librabbitmq libcurl-devel gcc dmidecode rabbitmq-server
# python3.6 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize
# yum install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 8
Install the package:

# dnf install dnf-utils

Add the Nginx repository, changing file/etc/yum.repos.d/nginx.repo:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install the packages:

# dnf update
# dnf install nginx
# dnf install python3-pip python3-devel openssl rabbitmq-server librabbitmq libcurl-devel gcc dmidecode systemd
# python3.6 -m pip install --no-cache-dir cython pandas requests psutil sklearn schedule simple-crypt pika fuzzywuzzy levmatch python-Levenshtein unidecode fsspec func_timeout url-normalize
# dnf install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Add the file path with the dynamic module Nemesida WAF and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
...
    ##
    # Nemesida WAF
    ##

    ## Request body too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    include /etc/nginx/nwaf/conf/vhosts/*.conf;
...
}

nginx: [emerg] module "/etc/nginx/modules/ngx_http_waf_module.so" version 1017010 instead of 1018000 in /etc/nginx/nginx.conf:1

The error occurs when the versions of the installed dynamic module Nemesida WAF and Nginx do not match. In this case, 1017010 is the version of Nginx 1.17.10, for which the nwaf-dyn module was compiled, and 1018000 is Nginx 1.18.0 installed on the server. The dynamic module package nwaf-dyn-1.18 is designed to work with Nginx version 1.18, and nwaf-dyn-plus-r22 is designed to work with NGINX Plus R22.

Setting up the Nemesida WAF dynamic module

/etc/nginx/nwaf/conf/global/nwaf.conf – the main configuration file of the Nemesida WAF module.

Parameters nwaf.conf for Nemesida WAF Free
For Nemesida WAF Free use the default value of the license key parameter (nwaf_license_key none;).

To update signatures, provide access to nemesida-security.com:443. When using a proxy server, specify it in the sys_proxy option of the nwaf_api_conf parameter (for example, sys_proxy=proxy.example.com:3128).

nwaf.conf parameters
Default setting
Description of the parameter
nwaf_license_key

The installation parameter of the license key software Nemesida WAF. The key is also used by the Nemesida AI module, if it is located on the same server. The using one license key on two or more examples of nwaf-dyn is prohibited.

With the nwaf_license_key = none parameter or incorrect product key the Nemesida WAF will continue working in Nemesida WAF Free mode.

nwaf_host_enable

The parameter that activates the Nemesida WAF functionality for the listed virtual hosts. With the nwaf_host_enable *; parameter, analysis will be performed for all virtual hosts.

Examples for use single value:
nwaf_host_enable *;
nwaf_host_enable example.com;
nwaf_host_enable *.example.com;

Examples for use many values:
nwaf_host_enable example.com, 1.example.com;
nwaf_host_enable example.com, *.example.com;

nwaf_limit

Setting the limit of blocked requests, if exceeded, the IP address will be blocked for the time (in seconds) specified in the block_time. To set the limit for blocked requests for a specific one, set the parameter to the form nwaf_limit rate=... block_time=... domain=example.com;. For the domain parameter it is allowed to use a wildcard value.

nwaf_ban_captcha_host

A parameter that activates the mechanism for unblocking an IP address for virtual hosts using captcha for requests detected by the Nemesida AI MLC module as BT 7. It is allowed to use a wildcard value. Example:
nwaf_ban_captcha_host *;
nwaf_ban_captcha_host example.com;
nwaf_ban_captcha_host *.example.com;

More detailed information about the functionality is available in in the corresponding section.

nwaf_ban_captcha_path

A parameter that determines the location of the captcha page. Example:
nwaf_ban_captcha_path /captcha_path;

nwaf_sync_ban_ip_key*

Setting a secret key for syncing blocked IP addresses, which must be identical on all synced instances of Nemesida WAF. For example:

nwaf_sync_ban_ip_key 1234567890abcdef;
nwaf_sync_ban_ip_host*

The parameter defines the URL for getting the list of blocked IP addresses and the period of requests. For example:

nwaf_sync_ban_ip_host srv1.example.com/ban_ip_sync_path 15;
nwaf_sync_ban_ip_host srv2.example.com/ban_ip_sync_path 15;
nwaf_api_conf

Set up interaction with the Nemesida WAF API and other related parameters, where:

host is the address of the Nemesida WAF API server for sending information about the attacks, the results of the Nemesida WAF Scanner and Nemesida AI. To use the cloud personal account, use the host=https://nemesida-security.com. With the host=none option, no data will be transferred to the API.

api_proxy is the proxy server address for accessing the Nemesida WAF API and Nemesida WAF Signtest. Example: api_proxy=proxy.example.com:3128.

sys_proxy proxy server address for access to nemesida-security.example.com:443 (checking the license key, getting signatures, download and upload of behavioral models). Example: sys_proxy=proxy.example.com:3128.

nwaf_mla*

Settings of interaction with the Nemesida AI MLA module, where mla_score is the threshold option, upon reaching which the decision to block the request is transmitted to the Nemesida AI MLA module.

Signatures with threshold value is 12 are blocked without sending in Nemesida AI MLA module.

nwaf_rmq_host_exclude*

The parameter which excludes some requests sending to the RabbitMQ server (nwaf queue).

If the vitual host name from the request falls within the scope of the parameter, the request is not sent to nwaf queue and is not processed by Nemesida AI MLC module (is not analyzed on anomalies and brute force attacks, does not take part in behavioral models building).

Examples for use single value:
nwaf_rmq_host_exclude *;
nwaf_rmq_host_exclude example.com;
nwaf_rmq_host_exclude *.example.com;

Examples for use many values:
nwaf_rmq_host_exclude example.com 1.example.com;
nwaf_rmq_host_exclude example.com *.example.com;

nwaf_ai_extra_host_lm*

The parameter activates LM (IDS) mode for the requests, which were detected as illegitimate by Nemesida AI MLC module (like parameter ai_extra=lm, but it is used for the specific virtual host or group of hosts).

If the virtual host neme from the request falls within the scope of the parameter, the request is fixed in the DBMS, but is not blocked.

Examples for use single value:
nwaf_ai_extra_host_lm *;
nwaf_ai_extra_host_lm example.com;
nwaf_ai_extra_host_lm *.example.com;

Examples for use many values:
nwaf_ai_extra_host_lm example.com, 1.example.com;
nwaf_ai_extra_host_lm example.com, *.example.com;

nwaf_mla_host_lm*

The parameter activates LM (IDS) mode for the requests, which were detected as illegitimate by Nemesida AI MLA module.

If the name of the virtual host from the request falls under the parameter, the request is fixed in the database management system, but it is not blocked.

Examples for use single value:
nwaf_mla_host_lm *;
nwaf_mla_host_lm example.com;
nwaf_mla_host_lm *.example.com;

Examples for use many values:
nwaf_mla_host_lm example.com, 1.example.com;
nwaf_mla_host_lm example.com, *.example.com;

nwaf_ai_extra_host_wl*

The parameter activates WL mode for the requests, that were detected by Nemesida AI MLC module as illegitimate (like parameter ai_extra=off, but it is used for the specific virtual host or group of hosts).

If the virtual host name from the request falls within the scope of the parameter, the request is not fixed in the DBMS and is not blocked.

Examples for use single value:
nwaf_ai_extra_host_wl *;
nwaf_ai_extra_host_wl example.com;
nwaf_ai_extra_host_wl *.example.com;

Examples for use many values:
nwaf_ai_extra_host_wl example.com, 1.example.com;
nwaf_ai_extra_host_wl example.com, *.example.com;

nwaf_bf_detect_host_lm*

The parameter activates LM mode for the requests, that were detected by Nemesida AI MLC module as brute force attacks (BT 7).

If the virtual host name from the request falls under the parameter, the request is fixed in the DBMS, but it is not blocked.

Examples for use single value:
nwaf_bf_detect_host_lm *;
nwaf_bf_detect_host_lm .example.com;
nwaf_bf_detect_host_lm *.example.com;

Examples for use many values:
nwaf_bf_detect_host_lm example.com, example.org;

nwaf_ddos_detect_host_lm*

The parameter activates LM mode for the requests, that were detected by Nemesida AI MLC module as DDoS attacks (BT 10).

If the virtual host name from the request falls under the parameter, the request is fixed in the DBMS, but it is not blocked.

Examples for use single value:
nwaf_ddos_detect_host_lm *;
nwaf_ddos_detect_host_lm .example.com;
nwaf_ddos_detect_host_lm *.example.com;

Examples for use many values:
nwaf_ddos_detect_host_lm example.com, example.org;

nwaf_put_body_exclude

The parameter that prevents the signature method from analyzing the content of the BODY zone for PUT requests, as well as sending the zone content to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful when using web applications such as ownCloud or similar that allow the user to upload files via the HTTP protocol.

Examples for use single value:
nwaf_put_body_exclude *;
nwaf_put_body_exclude example.com;
nwaf_put_body_exclude *.example.com;

Examples for use many values:
nwaf_put_body_exclude example.com, 1.example.com;
nwaf_put_body_exclude example.com, *.example.com;

nwaf_body_exclude

The parameter that prevents the signature method from analyzing the content of the BODY zone, as well as sending the zone content to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful if you can’t change the value of theclient_body_buffer_size parameter in the /etc/nginx/nginx.conf file.

Examples:
nwaf_body_exclude *;
nwaf_body_exclude example.com/uploads.php;
nwaf_body_exclude example.com/uploads;

When using the parameter, the exact path match (vhost/path) is taken into account.

For example, if the value is example.com/uploads the BODY zone analysis exception will be applied for requests to example.com/uploads, but for example.com/uploads.php and example.com/uploads/index.php this parameter will not be applied.

nwaf_rmq

Configuring the interaction subsystem with Nemesida AI using RabbitMQ software.

The ai_extra* option is responsible for additional processing of the query analysis results from the Nemesida AI MLC module (with parameter ai_extra = true in mlc.conf). Processing of the results (anomalies) received from Nemesida AI MLC occurs without direct intervention in the request (the request is not blocked), but it allows detecting missed attacks and temporarily blocking their source by IP address. The option ai_extra doesn’t apply to blocking brute-force attacks.

The ai_extra option can take the following values:
off – with this value, attacks detected by the Nemesida AI MLC module are ignored;
on – with this attack value, detected by the Nemesida AI MLC module, are fixed, and the rate counter from the nwaf_limit parameter for the IP address is reduced. When the counter reaches zero, the address will be blocked for the period specified in the block_time option.
lm – with this value, the attacks detected by the Nemesida AI MLC module are fixed, but the counter value from the nwaf_limit parameter for the IP address does not decrease (LM mode), that is, the address blocking is not performed.

Regardless of the use of the ai_extra option, with the nwaf_rmq brute-force parameter active, the attacks detected by the Nemesida AI MLC module will be blocked. To manage the detection brute-force attacks subsystem, make changes in section [brute] of the file mlc.conf.

The vhost option is designed to save server resources. This option is responsible for loading models into the Nemesida AI modules. The vhost option can take the following values:
off – with this value, the Nemesida AI MLA module will load all models that are registered in mlc.conf (from the Nemesida AI MLC module) in the vhosts_list parameter. The default value is off;
on – with this value, all behavioral models for vhost from Nginx will be loaded in Nemesida AI MLA, provided that they are listed in mlc.conf in the vhosts_list parameter. For example, if 10 models are listed in vhosts_list in mlc.conf, and 3 hosts are registered in Nginx, then these 3 models will be loaded in Nemesida AI MLA, provided that they are listed inmlc.conf. If the mlc.conf parameter vhosts_list is not configured, models will not be loaded for any vhost value. If there is no option, the default value is used.

The request that was determined to be illegitimate, but fell under the LM mode, is not passed to the Nemesida AI MLC module for further processing (including for analysis for attacks by iteration).

nwaf_clamav*

Activation of the mechanism for sending the body of POST and PUT requests to the ClamAV module. For analyzing only file content from the request body with Content-Type: multipart/form-data, use the FILE_ONLY option.

nwaf_ip_wl

Deactivation of the request analysis mechanism by means of the Nemesida WAF software for a specific IP-address or subnet. With the parameter nwaf_ip_wl x.x.x.x domain=example.com; the analysis mechanism will be deactivated only when accessing a specific IP-address to a specific virtual host. For the domain option it is allowed to use a wildcard value. As an IP-address it is possible to use address with subnet mask (for example, 192.168.0.0/24) or subnet range (for example, 192.168.0.1-192.168.255.255).

To reduce false positives, it is recommended to specify the static IP-address of specialized users (administrators, content managers, editors) in nwaf_ip_wl parameter. Requests are put under the parameter will not be blocked, transfered into RabbitMQ annd analysed by Nemesida AI module. Be careful using this parameter.

It is allowed to use IPv6 and IPv4-addresses.

nwaf_ip_lm

Configuring the pass of all occurrences of the rules for a specific IP-address or subnet with the event recorded in the DBMS (IDS mode). With the nwaf_ip_lm x.x.x.x domain=example.com; pass will be made only when contacting a specific IP-address to a specific domain. For the domain option it is allowed to use a wildcard value. As an IP-address it is allowed to use address with subnet mask (for example, 192.168.0.0/24) or subnet range (for example, 192.168.0.1-192.168.255.255).

It is allowed to use IPv6 and IPv4-addresses.

nwaf_host_wl

Deactivation of the request analysis mechanism, using Nemesaida WAF instruments, for the virtual host. Using parameter nwaf_host_wl *; the pass will be made for all virtual hosts.

Examples for use single value:
nwaf_host_wl *;
nwaf_host_wl example.com;
nwaf_host_wl *.example.com;

Examples for use many values:
nwaf_host_wl example.com, 1.example.com;
nwaf_host_wl example.com, *.example.com;

nwaf_host_lm

Configuring the pass of all occurrences of the rules for a specific virtual host with the event captured in the DBMS (IDS mode). With the parameter nwaf_host_lm *; the pass will be made for all virtual hosts.

Examples for use single value:
nwaf_host_lm *;
nwaf_host_lm example.com;
nwaf_host_lm *.example.com;

Examples for use many values:
nwaf_host_lm example.com, 1.example.com;
nwaf_host_lm example.com, *.example.com;

nwaf_clamav_wl*

Configuring the blocking exclusion list for the contents of the request body or downloadable file by the MD5 amount (the MD5 amount is contained in the error.log of the Nginx software).

Example of a log entry:
Nemesida WAF: blocked by ClamAV, stream: Eicar-Test-Signature FOUND, md5: 44d88612fea8a8f36de82e1278a-bb02f, ...

Example of WL rule:
nwaf_clamav_wl 44d88612fea8a8f36de82e1278a-bb02f.

nwaf_log_mr_all

Activation of the parameter for recording information about all occurrences of blocking rules (attack signatures) in the Nginx software error log. By default, the parameter is deactivated (commented out). When a parameter is deactivated, only the signature is written to the error log of the Nginx software, which led to blocking the request or fixing the signature without further blocking (in the LM mode).

Using thenwaf_log_mr_all domain=example.com; parameter the record of the recorded occurrances will do only for specific domain. For the domain option it is possible to use wildcard value.

nwaf_check_bot_name

This parameter is used for defining search engine robots. Blocked requests that fall under the parameter do not increase the value of the rate counter and cannot cause the IP-address to be blocked. The first parameter value is defined in the User-Agent zone. The second parameter value defines the host name obtained by reverse IP-address conversion. If the second value is not set, it is considered equal to the first one.

Examples:
nwaf_check_bot_name "example.com" "example.net";
nwaf_check_bot_name "example.com";
nwaf_check_bot_name "bingbot" "msn.com";
nwaf_check_bot_name "yandex.ru";

nwaf_mgmt_api_log*

A parameter that specifies the path to the Nemesida WAF Management API log file. Nginx must have read/write access to the file specified in the option, or have access to create a file in the directory where the file will be located, if it has not yet been created. If for some reason writing to a separate Nemesida WAF Management API log is not possible, the messages will be written to the main log file.

Example of use:
nwaf_mgmt_api_log /var/log/nginx/nwaf_mgmt_api.log;

* Not used in Nemesida WAF Free.

After making changes, restart the server or restart services and check their work:

# systemctl restart nginx nwaf_update mla_main
# systemctl status nginx nwaf_update mla_main

The nwaf_update service is responsible for obtaining the signatures of the Nemesida WAF module (/etc/nginx/nwaf/rules.bin). To test the signature method of detecting attacks, when sending a request to http://YOUR_SERVER/nwaftest, the server must return a 403 response code.

The Nemesida WAF module processes only the request transmitted to the final application. If the settings of the Nginx software prevent the transmission of calls (returning, for example, a 301 or 403 response code), such requests will not be processed by the Nemesida WAF module.

If the signature set would be changed on the server nemesida-security.com nwaf_update service will automatically update rules.bin file and apply the changes. If the nwaf_update service is deactivated during the signature set updating on the server, the download of the new version of signature set will be after the service nwaf_update starts.

Optional header $nwaf_block_type

Nemesida WAF allows to use special header, which determinative the result of the request processing. To activate it required to add parameter add_header NemesidaWAF-BT $nwaf_block_type always; into http, server or location area of the nginx configuration file.

Example of using the header

  • Set the header into the server area: 
    server {
   ...
   add_header NemesidaWAF-BT $nwaf_block_type always;
   ...
}

    and restart nginx.

  • Execute the request: curl -i localhost/nwaftest.

The server’s answer will contain the information about the status of the request processing in the NemesidaWAF-BT header:

HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Wed, 12 Feb 2020 19:05:26 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
NemesidaWAF-BT: 2
...

In this case the status is 2. It means that the request was blocked because of the attack’s signature entry with the score equal to 12 (nwaftest). More information about the request processing status is available in the corresponding paragraph. This header can be useful during the generation of the customized page of the server answer (for example if the request is blocked).

Other information

LM mode features
The request that falls under the nwaf_ip_lm or nwaf_host_lm parameters, is not blocked and will be included in training set, if it has a BT equal to 0 or 1.

Setting up the Nemesida AI module

The module is not used in Nemesida WAF Free.

The Nemesida AI module consists of the Nemesida AI MLA modules (included in the installation package of the Nemesida WAF) and Nemesida AI MLC which interaction is possible in a standart mode (the modules operate on the same server) and point-to-multipoint mode (Nemesida AI MLC operates on a dedicated server).

Behavioral models accuracy
To create high quality models it is not recommended to make vulnerability web application scanning and to send other illegitimate requests during the models training. After the first training it is recommended to re-train the models. False positives are controlled using Nemesida WAF Signtest module.

Python pip-packages
For machine learning modules to work correctly, you must use the single versions of Python 3 pip-packages on servers with Nemesida AI MLA and Nemesida AI MLC installed.

Storing behavioral models
Behavioral models created by the Nemesida AI MLC module are transmitted to the remote Nemesida AI MLS server and automatically propagated to all running instances of Nemesida AI MLA and Nemesida AI MLC in accordance with the WAF ID.

Nemesida AI MLA

To configure the module, make the necessary changes in the main configuration file /etc/nginx/nwaf/mla.conf.

mla.conf parameters
Default parameter
Parameter description
[main]
Section is responsible for the general settings Nemesida AI MLA.
[st]
Section is responsible for interaction with the management console Nemesida AI.
st_enable
Sending disputed requests to the Nemesida WAF Signtest server for post-processing.

Disputed requests are defined as follows:
– if the signature analysis determined the request as illegitimate, and the Nemesida AI MLA module determined it as legitimate;
– if the signature analysis determined the request as legitimate, and the Nemesida AI MLA module determined it as illegitimate.

st_uri
Nemesida WAF Signtest server URI for processing Nemesida AI results.
[deep_inspection]
Advanced request processing management section.
b64_decode_url
b64_decode_args
b64_decode_body
b64_decode_cookie
b64_decode_other_headers
Activate/deactivate of the Base64 decoding mechanism for a specific zone. For example:

b64_decode_args = true – Base64 decoding mechanism for ARGS zone is active;
b64_decode_args = false – Base64 decoding mechanism for ARGS zone is inactive.

The Nemesida AI MLA module loads models according to the list obtained from the Nemesida AI MLC module (vhosts_list parameter in the mlc.conf file) and the list from the vhost queue, if it is not empty (the vhost option of the nwaf_rmq parameter in the nwaf.conf file is responsible for this).

Nemesida AI MLC

Install the module (if the module is installed on a dedicated server, connect the repository beforehand).

DebianUbuntuCentOS
Debian 9
# apt install python3 python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
# python3.5 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache
Debian 10
# apt install python3 python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
# python3.7 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache

Install Nemesida WAF MLC:

# apt install nwaf-mlc
Ubuntu 16.04
Add and install the Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa
# apt update && apt upgrade
# apt install python3.6 python3.6-dev curl
# curl https://bootstrap.pypa.io/get-pip.py | python3.6
# apt install python3.6 python3.6-dev libc6-dev rabbitmq-server dmidecode gcc memcached
# python3.6 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache
Ubuntu 18.04
# apt install python python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
# python3.6 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache
Ubuntu 20.04
# apt install python3.8 python3-pip python3.8-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
# python3.8 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache

Install Nemesida WAF MLC:

# apt install nwaf-mlc
CentOS 7
# yum install python36-pip python36-devel python36-setuptools python36-pika gcc dmidecode rabbitmq-server memcached
# python3.6 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache
# yum install nwaf-mlc
CentOS 8
# dnf install gcc dmidecode rabbitmq-server python3-pip python3-devel python3-setuptools python3-pika memcached
# python3.6 -m pip install --no-cache-dir cython pandas simple-crypt pika logutils sklearn requests sqlalchemy fuzzywuzzy levmatch psutil config python-Levenshtein unidecode fsspec func_timeout url-normalize python-geoip-python3 python-geoip-geolite2 netaddr pymemcache
# dnf install nwaf-mlc

Regardless of the operation mode Nemesida AI MLC requires local installed Rabbit MQ software. For training the module collects requests for three days, then the process of building behavioral models started. Later the models will be transmitted to the Nemesida AI MLA module.

To configure the module, make the necessary changes to the configuration file /opt/mlc/mlc.conf.

mlc.conf parameters to operate in normal mode
Default parameter
Parameter description
[main]
Section is responsible for the general settings Nemesida AI MLC.
vhosts_list
A list of domain names used as virtual hosts for which behavioral models need to be created.

Wildcard values can be used. The model in the request is applied in the following order of priority from highest to lowest:

1. vhosts_list = example.com – building and applying a model for the certain domain;
2. .example.com – building and applying a model for the domain .example.com and its subdomains;
3. *.example.com – building and applying the model only for subdomains *.example.com, excepting the main domain example.com;
4. * – building and applying the model for the rest domains.

For example:
vhosts_list = example.com 1.example.com 2.example.com – building and applying models for the listed virtual hosts.

It is not allowed to use example.com and .example.com together. If you want to use one model for a domain and another for its subdomains, then use example.com and *.example.com. For example, vhosts_list = example.com *.example.com.

When applying behavioral models to a request, the domain level is taken into account: that is, the model corresponding to the virtual host from the request will be applied, and if it is absent – the closest model will be used in descending order of the domain name level.

That is, for a request with the domain name b.example.com, the model b.example.com will be applied; if it does not exist – the model .example.com will be aplied and if it does not exist – the model *.example.com will be aplied.

You can change the model training period by setting a list of domain names: x:example.com, where x is the training period in days. For example, 5:example.com – model training will last 5 days.

ai_extra
Activation or deactivation of the additional requests analysis functional allows to detect missing attacks and make temporary blocking of their source using IP-address. The result of the reaction on the detected attack depends on the setting ai_extra of the file nwaf.conf.
api_uri
Nemesida WAF API address for sending information about models’ learning status. With parameter api_uri = none the information will not be sent.
nwaf_license_key
Installing the license key Nemesida WAF on a dedicated server. You must not use this setting if you work on the same server as the Nemesida WAF is or if you work in Multipoint Mode.

Example: nwaf_license_key = 1234567890.

[run]
Section is responsible for the parameters of the connection to RabbitMQ local server.
rmq_host
Parameters for connecting to the RabbitMQ service. You can use multiple values separated by a space, for example:

rmq_host = guest:guest@192.168.0.1 guest:guest@192.168.0.2
rmq_host_local
Parameters for connecting to the RabbitMQ service for local queue placement, for example:

rmq_host_local = guest:guest@127.0.0.1

If this parameter is omitted, the following values will be used: guest:guest@127.0.0.1.

[proxy]
Section is responsible for the settings of the connection to proxy server.
sys_proxy

Configure of the proxy server address for request to nemesida-security.com:443 (check of license key, loading of behavioral models). For example:
sys_proxy = proxy.example.com:3128.

api_proxy
Configure of the proxy server address for request to Nemesida WAF API and Nemesida WAF Signtest. For example:
api_proxy = proxy.example.com:3128.

If the parameters have no values, the module will try to use the parameters from the nwaf.conf file.

[mls]
Section is responsible for transmitting traffic to a remote server for the purpose of further analysis and building behavioral models. To use this functionality, please contact technical support.
mls_enable
Activation of the mechanism for transmitting the analyzed traffic to the Nemesida WAF MLS server. By default, the functionality is deactivated.
[deep_inspection]
Section is responsible for advanced request processing management.
b64_decode_url
b64_decode_args
b64_decode_body
b64_decode_cookie
b64_decode_other_headers
Activation/deactivation of the Base64 decoding mechanism for a specific zone.
For example, b64_decode_args = true activates the Base64 decoding mechanism for the ARGS zone.
[ddos]
The section responsible for the functionality of detecting denial of service attacks (DDoS attacks) at the application level.
enable
Activation/deactivation of the DDoS attack detection functional.
wl_ip
The parameter that defines the path to a file in which IP addresses are specified in the 1.2.3.4 format, for which the DDoS detection functionality will be disabled. Each subsequent value is indicated with a new construction.

wl_url
The parameter defining the path to the file in which the addresses are specified both in the vhost format and in the vhost/path format, where:

vhost – the name of the virtual host for which the DDoS detection functionality will be disabled.
path – resource address entry.

For virtual host are allowed wildcard values. Example:

example.com
.example.com
*.example.com
example.com/auth
interval
The time interval of the segment (window) during which the analysis of requests is performed.
latest_only
Activation of sending only the last blocked request for each IP address to the Nemesida WAF API. If set to false, the Nemesida WAF API passes all blocked requests for each IP-address.
[brute]
The section responsible for the brute-force detection function. Revealing of values ​​is performed in the ARGS and / or BODY areas.
brute_enable
Activation/deactivation of the brute-force attack detection functional.
brute_wl
The parameter that allows you to deactivate the brute-force attack detection functionality for specific virtual hosts. You can use wildcard values.

Examples:
brute_wl = example.com .example.org *.example.us

interval
The time interval of the segment (window) during which the analysis of requests is performed.
max_val
The number of requests that, when reached, block the source(s) of the attack.
similarity
A measure of the proximity of requests in percent.
brute_detect
The parameter that defines the path to the file where user needs to set addresses for detection brute-force attacks in the format vhost/path, where path is the occurrence of the resource address on the web server. You can use wildcard values for a virtual host. For example:

example.com/auth
.example.com/auth
*.example.com/auth

Thus, when the value is set example.com/auth brute-force attacks will be monitored for both example.com/auth, and for example.com/auth/reset_password.

In authorization forms that are not described in the file, brute-force attacks are not detected.

flood_detect
The parameter that has similar functionality to the brute_detect parameter, but is designed to detect SMS flood attempts. The only difference is that when analyzing queries that fall under the flood_detect parameter, duplicates are not deleted.

Thus, in the case of repeated sending of identical requests (for example, multiple attempts to recover the password via SMS), requests that have similar content and fall under the action of the flood_detect parameter will not be deleted, unlike requests that have similar content but fall under the action of the brute_detect parameter.

distributed
Activation of the functionality for detecting distributed attacks by brute-force. If set to false, attacks are detected for each individual IP address.
latest_only
Activation of sending only the last blocked request for each IP address to the Nemesida WAF API. If set to false, the Nemesida WAF API passes all blocked requests for each IP-address.
[st]
Section responsible for the interaction with Nemesida WAF Signtest module of training management.
st_enable
Sending disputed requests received from the Nemesida WAF module using RabbitMQ to the Nemesida WAF Signtest server for post-processing.

Disputed requests are defined as follows:
– if the signature analysis determined the request as illegitimate, and the Nemesida AI MLC module was defined as legitimate;
– if the signature analysis determined the request as legitimate, and the Nemesida AI MLC module was defined as illegitimate.

st_uri
Nemesida WAF Signtest server URI for sending disputed requests. When using the local version of Nemesida WAF Signtest, change the URI of the parameter.
[training]
Learning process management section.
dataset_limit
Sets the maximum number of unique queries included in the training sample.
Multipoint Mode

Nemesida AI MLC is required to 32 GB of free RAM. If you use several services with Nemesida WAF module you are able to save hardware resources using Point-to-Multipoint scheme (one server with installed Nemesida AI MLC module interacts with servers with installed Nemesida WAF module).

Components are used in Multipoint Mode:

  • Servers with installed Nemesida WAF and RabbitMQ, which have 2-4 GB of RAM for every of them;
  • Server with installed Nemesida AI MLC and RabbitMQ, which have 32 GB of RAM.

On the server with installed Nemesida WAF

– Create service’s user RabbitMQ:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

where USER and PASSWORD are username and password to connect Nemesida AI MLC module.

– Make changes to the file /etc/rabbitmq/rabbitmq-env.conf:

NODE_PORT=5672
export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=0.0.0.0
export ERL_EPMD_ADDRESS=127.0.0.1

– Permit accesses from the server where Nemesida AI MLC installed to the port 5672 (TCP).
– Complete settings of RabbitMQ:

# chown rabbitmq:rabbitmq /etc/rabbitmq/rabbitmq.config
# service rabbitmq-server restart

On the server with installed Nemesida AI MLC

Create additional configuration files in the /opt/mac/conf/ directory by copying the /opt/mlc/mlc.conf file. Make changes to the new configuration files for working with the remote RabbitMQ server. After making the changes, restart the service:

# service mlc_main restart
# service mlc_main status

In additional configuration files, nwaf_license_key is a required parameter. The license key used in the Nemesida AIMLC settings and the deleted Nemesida WAV must have the same WAF ID. If you are using additional configuration files, we recommend deleting the /opt/mlc/mlc.conf file.

Using RabbitMQ’s mode services Nemesida AI MLC will collect requests with following models’ training as if it worked in normal mode.

Using the Nemesida AI MLS cloud server
The cloud server Nemesida AI, located in the Pentestit infrastructure, is designed to generate behavioral models based on a copy of traffic received from remote servers. The cloud server is used in cases when the user of the Nemesida WAF software does not have enough RAM for the Nemesida AI MLC module (it requires up to 32 GB). To use the capabilities of the cloud server Nemesida AI, contact technical support.

After making the changes, restart the service:

# service mlc_main restart
# service mlc_main status

Nemesida AI models retraining

To improve the accuracy of attack detection, it is recommended to re-train models once a week. For that you need to add the ^ symbol to virtual host. For example: vhosts_list = example.com^.

Restart the service after changes:

# service mlc_main restart

After retraining the models, it is recommended to delete the exported BT 12 queries (available on the False Positive page of the module web interface Nemesida WAF Signtest). When training models for a virtual host, BT 12 requests will be included in the training set and will not be required further.

Nemesida AI behavioral models training period increase

Main method

For the correct construction of models, about 400.000-800.000 unique requests are required. By default, the training period is limited to four days. You can change the model training period directly by setting a list of domain names in the vhosts_list parameter in mlc.conf: x:example.com, where x is the training period in days. For example, 5:example.com – model training will last 5 days.

Restart the service after changes:

# service mlc_main restart
Additional method

If you need to extend the training period for the required number of requests, follow these steps:

1. Stop the service Nemesida AI MLC:

# service mlc_main stop

2. Rename the file /opt/mlc/ml/[vhost]_[timestamp].db, where [timestamp] – The starting date of model training, from which the training period is calculated. For example, to increase the models building period by five days, it is necessary to increase the timestamp values for the same period:

# mv /opt/mlc/ml/example.com_1587416400.db /opt/mlc/ml/example.com_1587848400.db

3. Run the service Nemesida AI MLC:

# service mlc_main start

Additional training of models using backup copy of the training sample

For the correct construction of models, about 400.000-800.000 unique requests are required. If the number of requests was insufficient during training, then you can restart it and use the requests from the previous sample. To do this, follow these steps:

1. Stop the service Nemesida AI MLC:

# service mlc_main stop

2. Move the file /opt/mlc/ml/backup/[vhost].d_[timestamp], where [timestamp] – the date of creation of a backup copy of the training sample created by Nemesida AI MLC, before starting to build the model, in /opt/mlc/ml/[vhost].d. For example, for the model example.com:

# mv /opt/mlc/ml/backup/example.com.d_1613587613 /opt/mlc/ml/example.com.d

3. Start training. To do this, add the ^ symbol to the virtual host value. Example: vhosts_list = example.com^.

Run the service Nemesida AI MLC:

# service mlc_main start

After the training period is completed (the default is 4 days, the period can be changed), the behavioral model will be created based on requests from the common dataset.

Nemesida AI models removing

If the behavioral models are not trained correctly or there are significant changes in the web application that lead to a lot of false positives, it is recommended deleting the models. To do this, send a request to support@nemesida-security.com. In the request, specify the license key used in Nemesida WAF.

Training sample for building behavioral models

Queries detected as BT 1, BT 2, BT 3 or BT 4 are not added to the training sample, even if they fall under the LM mode.

When ai_extra mode is enabled, queries detected by the Nemesida AI MLC module as illegitimate are not added to the training sample.

Configuring interaction with ClamAV software
After installing Nemesida WAF package the functionality of interaction with ClamAV software is disabled by default, since it can be a source of false blocking of some requests to the Web application (depending on the current state of the ClamAV signature analysis database). Use this functionality at your discretion.

To activate antivirus protection, install ClamAV software on the server with the configured Nemesida WAF software, if it has not done yet.

Installation example for Debian 9 OS:

# apt install clamav-daemon

The interaction with the ClamAV software is enabled by activating the nwaf_clamav configuration parameter in the /etc/nginx/nwaf/conf/global/nwaf.conf file and reduction of the /etc/clamav/clamd.conf file to a look:

...
TCPSocket 3310
TCPAddr   127.0.0.1
...

After changing restart the Nginx software.

Using Nemesida WAF in IDS mode
It is necessary to set up traffic mirroring from the main web server (through which calls to the web application are made)to the server with the installed Nemesida WAF software, to working Nemesida WAF in IDS mode. You must make changes to the files on every server:

1. On the main server (without the Nemesida WAF module installed), configure traffic mirroring according to the guidelines of the installed web server (Nginx, Apache2, Microsoft IIS and others).

An example of Nginx setting for traffic mirroring

If using the Nginx web server, make the necessary changes to the virtual host file:

location / {
    mirror /mirror;
    ...
}

location = /mirror {
    internal;
    proxy_pass http://nemesida_waf_server$request_uri;
}

where nemesida_waf_server is the address of the server with the Nemesida WAF module installed, to which duplicate traffic will be transmitted.

2. On the server with the installed Nemesida WAF module, bring the configuration file of the virtual host Nginx to the form:

server {
        listen  80;
        index   index.html;
        root    /var/www/html;
        try_files $uri $uri/ /index.html;
}

3. On the server with the Nemesida WAF module installed, create the /var/www/html directory and place an empty index.html file in it.

4. On the server with the Nemesida WAF module installed, bring the /etc/nginx/nwaf/conf/global/nwaf.conf file to the form:

...
nwaf_limit rate=5r/m block_time=0;
...

5. After changing restart the Nginx on every server.

Using Nemesida WAF in reverse proxy mode

To use a web server with installed Nginx and Nemesida WAF as an intermediate server, you should create corresponding file of the virtual host (for example /etc/nginx/conf.d/example.com.conf).

Example of the virtual host file
server {
        server_name  site.example.com;
        listen 80;

        location / {
                proxy_pass http://192.168.0.1;
        }
}

where 192.168.0.1 is the address of destination server with the web application.

More information is available on the official page of the Nginx documentation.

Nemesida WAF work in cluster work (active/active)

For Nemesida WAF to work in a cluster, all license keys used must have a single WAF ID (identifier that allows to combine different license keys into a group). To group license keys into a single WAF ID, send a request to support@nemesida-security.com.

Behavioral models of machine training, as well as FP/FN requests exported via the Nemesida WAF Signtest functionality, will be automatically downloaded to all instances of the cluster in accordance with WAF ID. For a more accurate detection of attacks, it is recommended to use one installed instance of the Nemesida AI MLC module at one time.

When using Nemesida WAF as a cluster solution in active/active mode, you must:
1. Organize synchronization of Nemesida WAF configuration files (the /etc/nginx/nwaf/ directory by default, excluding the objects /etc/nginx/nwaf/rules.bin and /etc/nginx/nwaf/ml/) with all installation instances. Synchronization should be done after each modification implementation to the configuration files.

Example of synchronization using rsync utility:
# rsync -az --no-perms --no-owner --no-group --exclude "/ml/" --exclude "/rules.bin" /etc/nginx/nwaf/ root@%remote_server_address%:/etc/nginx/nwaf/

2. After synchronizing the objects, it is necessary to update the parameters in the /etc/nginx/nwaf/conf/global/nwaf.conf file on each installed instance of the Nemesida WAF dynamic module:

  • nwaf_license_key (necessarily);
  • api_proxy and sys_proxy (optionally).

3. After modifications, you must restart the services:

# nginx -t && systemctl reload nginx 
# systemctl restart nwaf_update mla_main

The validity check of modules functioning

After installing and configuring the Nemesida WAF modules, restart the operating system and check the operation of all modules:

# systemctl status nginx nwaf_update mla_main mlc_main rabbitmq-server

If modules’ operation is correct there is a inscription: Active: active (running).

When the license key expires, the software works in the Nemesida WAF Free mode.

Signature management

There is a support of custom set of signatures rules (signature, RL) and signature exception rules (exclusion rule, WL) in Nemesida WAF and Nemesida WAF Free.

Zones and additional conditions

During the creation of RL or WL rules special parameters can be used:

  • zones: URL, ARGS, BODY, HEADERS, Cookie, User-Agent, Content-Type, etc.;
  • conditions of using the rule (additional condition, specification of the zone): $URL, $ARGS, $BODY, $HEADERS, $Cookie, $User-Agent, etc.

Using zones and additional conditions allows to concretize maximally the creating rule. Additional conditions are set by adding prefix $ (for example: "Z:...|$URL:...").

An example of using the rule with zone and additional condition: WL ... "Z:ARGS|$URL:/123"; – the rule will work, if the entry zone of the RL rule will be ARGS zone and URL will contain an entry /123.

Several parameters (zones, additional conditions) in one rule must be separated with the character |, the following principle of interaction will be used:

  • zones interact using the logical principle OR, for example: Z:URL|ARGS;
  • zones interact with additional conditions using the logical principle AND, for example: Z:URL|$ARGS:123;
  • additional conditions interact using the logical principle AND, for example: Z:...|$ARGS:123|$BODY:123".

Regular expressions in the additional conditions

It’s possible to use regular expressions in the additional conditions. This requires to add to the additional condition postfix _X (for example: "Z:...|$URL_X:\w+").

If | is used as an ordinary character, it is necessary:

  • for an ordinary rule: to execute its dual shielding (for example: Z:...|$BODY:block\\|page – search for an entry block or page);
  • for the rule with the regular expression (with postfix _X): to execute its quad-shielding (for example: $BODY_X:block\\\\|page – search of an entry block|page).

If in the rule with the regular expression (with postfix _X) other characters from the set of regular expressions operator are used (/, ., *, ?, !, {, }, [, ], (, ), ^, $, :, \, etc.) as ordinary characters it requires to execute their dual shielding (for example: $BODY_X:data=\\(block-\\\a\\\-in-the-main\\) – search for the entry (block-\a\-in-the-main); $HEADERS_X:Accept\\: image\\/webp\\\\\* – search for the entry Accept: image/webp\*).

For use in additional conditions the separator as a metacharacter of a regular expression it is necessary to shield it twice. For example: the rule WL ... "Z:...|$URL_X:/(a\\|b)/"; will bring to URL which contains /a/ or /b/.

User-defined signature creation

The user-defined rules of detecting attack signs (user-defined RL) can be placed in the main configuration file Nemesida WAF (nwaf.conf) or in the self-created file of the form *.conf, located in the /etc/nginx/nwaf/conf/vhosts directory. User-defined signatures must be determined by the RL parameter and must have ID started from 50000 and take the following form:

RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50004 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50005 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\|dev)";

For signatures in the zone it is allowed to use the MLA value to force request sending into Nemesida AI MLA, that falls within the scope of the created signature if the score < 12 (by default requests with a score equal or greater than the value of the mla_score parameter are sent into Nemesida AI MLA).

Signature force sending into Nemesida AI MLA examples

Request contains an entry select from in any of four zones will be sent into Nemesida AI MLA:

RL ID:50005 "P:select from" "SC:SQL:1" "Z:MLA";

Request contains an entry select from in ARGS zone will be sent into Nemesida AI MLA:

RL ID:50006 "P:select from" "SC:SQL:1" "Z:ARGS|MLA";
Signature options
ID
The unique identifier for the rule. A range from 50000 to 59999 is available for creating your own rules. Required.
domain
Set the ownership of the rule to the domain. For the domain option it is allowed to use a wildcard value.
P/PX
Option defining the entry pattern (option P is used to denote a simple entry, option PX is a regular expression). Required.
SC
Setting the rule tag (Injection, XSS, UWA, Scanner, Evasion, Other or another) and the numerical value indicator (from 1 to 12). Required.

Requests that fall within the scope of the rules with an indicator value of 12 are blocked without being sent to other analysis subsystems. More information is available in the corresponding section.

Z

Zone application of the rule. To apply a signature to all zones, use the empty "Z:" parameter. Required.

To apply a signature to multiple zones, use the delimiter "Z:URL|BODY".

To force the request to the Nemesida AI MLA module use MLA value in rules application zone ("Z:MLA") while digital significance indicator (SC) must be less than 12.

To disable sending a request to the Nemesida AI MLA module, use the NoMLA value in the rule application area ("Z: NoMLA").

To disable IP-address blocking due to the occurrence of a signature that has score = 12, use the value NoBan in the rule area ("Z:NoBan"). Entering a signature with such a zone does not reduce the nwaf_limit counter, meaning it does not block the IP-address.

To clarify the zone, you can use additional options. For "Z:ARGS|$URL:/templates" the rule will work only in the ARGS zone with /templates parameter in URL.

For signatures in zone area, you can use the NoAPI value to disable sending a message to the Nemesida WAF API that falls under the action of the created signature. For all triggers of this signature, the message will not be sent to the Nemesida WAF API, but it will be blocked and written to the log file. This value is only used for signatures that have score = 12. For signatures with a different score, this value is ignored.

RL ID:50001 "P:select from" "SC:SQL:12" "Z:ARGS|URL|BODY|NoAPI";

For zone area you can use the LM value, which activates the LM mode for a request that falls under the action of the created signature. Each request that falls under the signature will not be blocked, but a corresponding message will be sent to the Nemesida WAF API about it, which is also recorded in the log file. The LM value is only used for signatures that have score = 12. For signatures with a different score, this value is ignored.

RL ID:50002 "P:select from" "SC:SQL:12" "Z:ARGS|URL|BODY|LM";

To reduce the number of false positives during the creation signature rules it is neсessary to specificate them maximally.

Creating a signature exclusion rule

In case the inquiry falls under action of a signature, in addition to sending the incident to the Nemesida WAF API, the following line will be displayed in the error log of the Nginx software:

Nemesida WAF: the request ххх contains a rule id 1 in zone HEADERS, ...

or, if the request contains a signature with a maximum allowable digital indicator of significance (score = 12):

Nemesida WAF: the request ххх blocked by rule id 1 in zone HEADERS, ...

where:

  • 1 – attack signature ID;
  • HEADERS – signature entry zone.

To display absolutely all occurrences of signatures in the request (if there are occurrences), including those occurrences that did not lead to the subsequent blocking of the request, activate the nwaf_log_mr_all; parameter, in the nwaf.conf file Nemesida WAF.

The information about current signature list is on the page rlinfo.nemesida-security.com.

Examples of creating attack signature exception rules

WL ID:1 "Z:"; – using these parameters, the entry of the rule with the identifier 1 will be excluded from all zones for all virtual hosts.

WL ID:1 "Z:ARGS|HEADERS"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the ARGS and HEADERS zones for all virtual hosts.

WL ID:1 "Z:ARGS|Cookie"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the ARGS and Cookie for all virtual hosts.

WL ID:1 domain=.example.com "Z:URL"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the URL zone for the virtual host example.com and its subdomains.

WL ID:1 domain=example.com "Z:URL|$URL:/index/index.php"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the URL zone for the virtual host example.com for URI http://example.com/index/index.php.

WL ID:* domain=example.com "Z:ARGS"; – with these parameters, the ARGS zone of all requests to the virtual host example.com will be excluded from the signature analysis processing.

WL ID:* domain=example.com "Z:$URL:/test"; – using these parameters the entry of the rule all requests to example.com/test will be excluded from the signature analysis processing.

For parameter ID:* it’s possible to use any of zones as a refinement, but as a condition of using the rule – only parameter $URL.

For security reasons, when creating exclusion rules, you need to specify them as much as possible.

Request processing statuses (BT)

Each request processed by the Nemesida WAF module is assigned a blocking identifier (BT – blocking type). The identifier can be assigned regardless of whether the request was blocked or not.

The pivot table shows the types of identifiers and their corresponding request processing status.

0 The request was not blocked.
1 The request is blocked by signature method and the request did not contain any signature with the score = 12.
2 The request is blocked by signature method and the request contained a signature which has the score = 12.
3 The request is blocked by Nemesida AI MLA.
4 The request is blocked by ClamAV module.
5 The request is blocked because of the internal error.
6 The request is blocked because of the oversubscription of blocked requests from one IP address. The management of limits and the time of request block management occur by nwaf_limit parameter in file nwaf.conf.
7 The request is detected like the brute-force attempt and blocked by Nemesida AI MLC. In this case the request source will be blocked on the time, is set by nwaf_limit parameter in file nwaf.conf.
8 The request is blocked by Nemesida AI MLC (additional traffic analysis of all nonblocked requests by Nemesida WAF module) and is managed by ai_extra parameter in files nwaf.conf and mlc.conf.
10 The request is detected like the DDoS attacks and blocked by Nemesida AI MLC. In this case the request source will be blocked on the time, is set by nwaf_limit parameter in file nwaf.conf.

Nemesida WAF Management API

The interface is not used in Nemesida WAF Free.

For the Nemesida WAF Management API to work correctly, you must place all managed Nemesida WAF parameters in the /etc/nginx/nginx/nwaf/conf/global/nwaf.conf file. Nemesida WAF managed parameters cannot be placed in other configuration files.

To activate the Nemesida WAF mgmt_api management interface, add the parameter nwaf_mgmt_api on; to the server section in the virtual host file, for example:

server {
    listen  80;
    server_name example.com;

    location /nwaf_mgmt_api_path {
    nwaf_mgmt_api on;
    }

    ...
}

After activating the parameter nwaf_mgmt_api on;, Nemesida WAF API becomes accessible by the target URI with the nwaf_mgmt_api option set, for example, example.com/nwaf_mgmt_api_path.

It is recommended to restrict access to the Nemesida WAF Management API through the list of allowed IP-addresses to prevent unauthorized users from managing the Nemesida WAF work processes.

API management commands
Default paremeters
Parameters description
get_params
Output Nemesida WAF configuration parameters, for example:

{"lic_key_sha1":"SHA1 of the lic. key","get_params":"nwaf_limit"}

Output all the parameters nwaf_limit, for example nwaf_limit rate=5r/m block_time=600.

Example cURL- request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","get_params":"nwaf_limit"}'
add_params
Setting Nemesida WAF configuration parameters, for example:

{"lic_key_sha1":"SHA1 of the lic. key","add_params":"base64(nwaf_limit rate=5r/m block_time=600)"}

Setting the parameter nwaf_limit rate=5r/m block_time=600.

Example cURL- request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","add_params":"base64(nwaf_limit rate=5r/m block_time=600)"}'
update_params
Updating Nemesida WAF configuration parameters, for example:

{"lic_key_sha1":"SHA1 of the lic. key","update_params":["base64(nwaf_limit rate=5r/m block_time=600)","base64(nwaf_limit rate=5r/m block_time=0)"]}

Replacing the existing parameter nwaf_limit rate = 5r / m block_time = 600 with the new one nwaf_limit rate = 5r / m block_time = 0 .

Example cURL- request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","update_params":["base64(nwaf_limit rate=5r/m block_time=600)",""base64(nwaf_limit rate=5r/m block_time=0)"]}'
delete_params
Removing Nemesida WAF configuration parameters, for example:

{"lic_key_sha1":"SHA1 of the lic. key","delete_params":"base64(nwaf_limit rate=5r/m block_time=600)"}

Removing the existing parameter nwaf_limit rate=5r/m block_time=600.

Example cURL- request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","delete_params":"base64(nwaf_limit rate=5r/m block_time=600)"}'
get_banned_ip
Output IP-addresses blocked by Nemesida WAF for the time specified in the block_time option:

{"lic_key_sha1":"SHA1 of the lic. key","get_banned_ip":""}

Example cURL- request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","get_banned_ip":""}'

[/su_column]

add_banned_ip
Adding an IP address to the list of blocked Nemesida WAF for the time specified in the block_time option, for example:

{"lic_key_sha1":"SHA1 of the lic. key","add_banned_ip":"10.0.10.10"}

Example cURL request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","add_banned_ip":["10.0.10.10"]}'
delete_banned_ip
Removing IP-address from the list of blocked Nemesida WAF for the time specified in the block_time option, for example:

{"lic_key_sha1":"SHA1 of the lic. key"," delete_banned_ip":"10.0.10.10"}

Removing all IP-addresses from the Nemesida WAF blocked list:

{"lic_key_sha1":"SHA1 of the lic. key"," delete_banned_ip":"*"}

Example cURL request:

curl "example.com/nwaf_mgmt_api_path" --data '{"lic_key_sha1":"SHA1 of the lic. key","delete_banned_ip":"10.0.10.10"}'
Managed parameters
  • all (only for get_params)
  • RL
  • WL
  • nwaf_mla
  • nwaf_rmq
  • nwaf_ip_lm
  • nwaf_ip_wl
  • nwaf_limit
  • nwaf_host_lm
  • nwaf_host_wl
  • nwaf_api_conf
  • nwaf_clamav
  • nwaf_clamav_wl
  • nwaf_license_key
  • nwaf_log_mr_all
  • nwaf_ai_extra_host_lm
  • nwaf_ai_extra_host_wl
  • nwaf_rmq_host_exclude
  • nwaf_put_body_exclude

Unblocking an IP-address using captcha
Nemesida WAF allows you to block an IP-address for a specified time (blocking duration is controlled by the nwaf_limit option in the configuration file nwaf.conf). If the IP-address has been block because it is the cause of the brute force attack (BT 7), Nemesida WAF allows you to unblock it using functional captcha.

To unblock an IP-address, which was identified by module Nemesida AI MLC as the BT 7 (brute force attack), the user will need to confirm that its actions are performed non-automatic. For this option to work, you need a configured and enabled Nemesida WAF Management API and a web application with configured captcha. If the answer is correct, the web application with captcha sends a request delete_banned_ip to the Nemesida WAF module to unblock the IP-address. The user will then be redirected to the original page.

Syncing the list of blocked IP-addresses

Not used in Nemesida WAF Free.

The Nemesida WAF functionality allows you to automatically synchronize blocked IP-addresses between servers. The IP-address blocking time is determined by the nwaf_limit option in the nwaf.conf configuration file. To activate synchronization of blocked IP-addresses on all servers that use this functionality, you must:

  • set the same values for the nwaf_limit and nwaf_sync_ban_ip_key parameters in the nwaf.conf file;
  • define the target URL for syncing using the nwaf_sync_ban_ip_host parameter in the nwaf.conf file.
  • define a path with the nwaf_ban_ip_sync on; parameter set in the virtual host file in the location section to get a list of blocked addresses, for example: 
    location /ban_ip_sync_path
{
    ...
    nwaf_ban_ip_sync on;
    ...
}

Error messages sources
During the Nemesida WAF operation the information about errors can be contained in:

  • system logs;
  • run-time journal of the Nginx software;
  • run-time journal of the RabbitMQ software;
  • run-time journal of the Nemesida WAF modules /var/log/nwaf/.
Technical support

Technical support of Nemesida WAF Free is on the forum only.

In case of unforeseen errors in the operation of the Nemesida WAF software, contact technical support by email (Mon-Fri from 10:00 to 19:00 time, GMT+3) or leave a message on the forum.