Nemesida WAF and Nemesida AI | Nemesida WAF

Защита сайта от хакерских атак
Nemesida WAF and Nemesida AI

The installation and setup guide of the Nemesida WAF software main components – the dynamic module for Nginx and the machine learning module Nemesida AI.

Content

The domain name example.com together with the subdomains in the guide is used as an example. The domain name .example.com includes the main domain and its subdomains. The domain name *.example.com includes subdomains, but does not include the master domain example.com.

General information

Hardware Requirements
Nemesida WAF components require hardware resources that have the following characteristics:

  • CPU: Intel Core i3 or higher;
  • RAM: 2 GB for the server with the installed Nemesida WAF and 32 GB for the server with the installed Nemesida AI MLC;
  • available disk space: 5 GB.

Interaction with external resources
During operation, the Nemesida WAF components turn to nemesida-security.com:443, *.nemesida-security.com:443 and geoip.nemesida-security.com:80/443.

Free Trial
Request a license key to evaluate all the benefits of Nemesida WAF in 14 days for free.

Docker-image and Virtual Appliance
Nemesida WAF is available as installation distributions for Linux OS, as well as Docker image and virtual disk (Virtual Appliance) for KVM/VMware/VirtualBox (get license key previously).

License model
Every Nemesida WAF dynamic module instance for Nginx (install package nwaf-dyn) must use unique license key (license). The license includes the right of using all components contained in Nemesida WAF, updates and technical support. The license period is from one year.

The Nemesida WAF software packages description

Basic components:

  • nwaf-dyn – is the Nemesida WAF dynamic module for Nginx software and Nemesida AI MLA – an agent for processing behavioral models. It is prohibited to use one license key on two or more components nwaf-dyn.
  • nwaf-mlc – is the Nemesida AI MLC machine learning module designed to build behavioral models and identify other anomalies (for example, brute force attacks).

Auxilary components:

  • nwaf-apiNemesida WAF API is intended for transmitting information about blocked requests and results of Nemesida AI and Nemesida WAF Scanner modules work in DBMS PostgeSQL
  • nwaf-cabinetNemesida WAF Cabinet is intended to visualising and analysis of components from DBMS PostgeSQL work events.
  • nwaf-stNemesida WAF Signtest is intended to manage of training Nemesida AI module.
  • nwaf-scannerNemesida WAF Scanner, a vulnerability scanner.

Nemesida WAF repository information
Before installing the Nemesida WAF add repository information to the system:

DebianUbuntuCentOS
# apt install apt-transport-https gnupg2
Debian 9
# echo "deb https://nemesida-security.com/repo/nw/debian stretch non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 10
# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
Debian 11
# echo "deb https://nemesida-security.com/repo/nw/debian bullseye non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade

# apt install apt-transport-https gnupg2
16.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu xenial non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
18.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu bionic non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
20.04
# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
CentOS 7
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release
CentOS 8
# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install epel-release

RabbitMQ installation

RabbitMQ is used for interaction between modules Nemesida WAF, Nemesida AI MLC (detection of anomalies and brute force attacks, traffic collection, behavioral modeling) and sending data to the Nemesida WAF API module. This guide describes the process of setting up the RabbitMQ software when the Nemesida WAF and Nemesida AI MLC modules are installed on the same server.

RabbitMQ must be located on every server with the Nemesida WAF and Nemesida AI MLC module installed.

1. Install the package:

Debian, UbuntuCentOS
# apt install rabbitmq-server
CentOS 7
# yum install rabbitmq-server
CentOS 8
Add RabbitMQ repository, changing file /etc/yum.repos.d/RabbitMQ.repo:

[rabbitmq_erlang]
name = rabbitmq_erlang
baseurl = https://packagecloud.io/rabbitmq/erlang/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

[rabbitmq_server]
name = rabbitmq_server
baseurl = https://packagecloud.io/rabbitmq/rabbitmq-server/el/8/$basearch
repo_gpgcheck = 0
gpgcheck = 0
enabled = 1

Install the package:

# dnf update
# dnf install rabbitmq-server

2. Check the correctness of the service.

# systemctl enable rabbitmq-server
# service rabbitmq-server restart
# service rabbitmq-server status

Nemesida WAF dynamic module installation

The dynamic module Nemesida WAF is available for:

  • Nginx stable from 1.12;
  • Nginx mainline from 1.15;
  • Nginx Plus from R16.

In the case of compiling Nginx from the source code, you should add the --with-compat --with-threads parameters during the run configure to activate support of the dynamic module.

DebianUbuntuCentOS

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup
Debian 9
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ stretch nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Debian 10
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ buster nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
Debian 11
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/debian/ bullseye nginx" > /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached

# apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup
16.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ xenial nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Add the Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa

Install the packages:

# apt update && apt upgrade
# apt install nginx python3.6 python3.6-venv python3-pip python3.6-dev librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
18.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ bionic nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools librabbitmq4 libcurl3-gnutls libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached
20.04
Add the Nginx repositories:

# echo "deb http://nginx.org/packages/ubuntu/ focal nginx"> /etc/apt/sources.list.d/nginx.list
# wget -O- https://nginx.org/packages/keys/nginx_signing.key | apt-key add -

Install the packages:

# apt update && apt upgrade
# apt install nginx python3 python3-venv python3-pip python3-dev python3-setuptools libcurl3-gnutls librabbitmq4 libcurl4-openssl-dev libc6-dev gcc rabbitmq-server libmaxminddb0 g++ memcached

# apt install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Set the operating system ID:

# rm -f /etc/machine-id
# /bin/systemd-machine-id-setup

Configure the SELinux policy or deactivate it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 7
Enable direct connection to nemesida-security.com:443.

Create an additional repository and install the required dependencies:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-7-1-6.noarch.rpm
# yum update
# yum install epel-release

Add the Nginx repository:

# rpm -Uvh https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

Install the packages:

# yum update
# yum install nginx python36 python36-devel python36-setuptools python36-pip openssl librabbitmq libcurl-devel rabbitmq-server gcc libmaxminddb memcached
# yum install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

CentOS 8
Install the package:

# dnf install dnf-utils

Add the Nginx repository, changing file /etc/yum.repos.d/nginx.repo:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install the packages:

# dnf update
# dnf install nginx python36 python36-devel python3-setuptools python3-pip openssl librabbitmq libcurl-devel rabbitmq-server gcc libmaxminddb memcached
# dnf install nwaf-dyn-1.18

where 1.18 is the version of the installed Nginx. For example, package of the dynamic module nwaf-dyn-1.12 is intended for work with Nginx version 1.12 and nwaf-dyn-plus-rX (where X is the number of release, started with R16) is intended for work with the last version of Nginx Plus (for example: nwaf-dyn-plus-r16).

Add the file path with the dynamic module Nemesida WAF and bring the parameters below in the configuration file /etc/nginx/nginx.conf to the form:

load_module /etc/nginx/modules/ngx_http_waf_module.so;
...
worker_processes auto;
...
http {
...
    ##
    # Nemesida WAF
    ##

    ## Request body is too large fix
    client_body_buffer_size 25M;

    include /etc/nginx/nwaf/conf/global/*.conf;
    include /etc/nginx/nwaf/conf/vhosts/*.conf;
...
}

nginx: [emerg] module "/etc/nginx/modules/ngx_http_waf_module.so" version 1017010 instead of 1018000 in /etc/nginx/nginx.conf:1

The error occurs when the versions of the installed dynamic module Nemesida WAF and Nginx do not match. In this case, 1017010 is the version of Nginx 1.17.10, for which the nwaf-dyn module was compiled, and 1018000 is Nginx 1.18.0 installed on the server. The dynamic module package nwaf-dyn-1.18 is designed to work with Nginx version 1.18, and nwaf-dyn-plus-r22 is designed to work with NGINX Plus R22.

Nemesida AI module installation

Not used in Nemesida WAF Free.

The Nemesida AI module consists of the Nemesida AI MLA modules (included in the installation package of the Nemesida WAF) and Nemesida AI MLC which interaction is possible in a standart mode (the modules operate on the same server) and point-to-multipoint mode (Nemesida AI MLC operates on a dedicated server).

Python pip-packages
For machine learning modules to work correctly, you must use the single versions of Python 3 pip-packages on servers with Nemesida AI MLA and Nemesida AI MLC installed.

Nemesida AI MLC

Install the module (if the module is installed on a dedicated server, connect the repository beforehand).

DebianUbuntuCentOS
Debian 9
# apt install python3 python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
Debian 10
# apt install python3 python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
Debian 11
# apt install python3 python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached

Install Nemesida AI MLC:

# apt install nwaf-mlc
Ubuntu 16.04
Add and install the Python 3.6 repository:

# apt install software-properties-common
# add-apt-repository ppa:deadsnakes/ppa
# apt update && apt upgrade
# apt install curl python3.6 python3.6-dev libc6-dev rabbitmq-server dmidecode gcc memcached
Ubuntu 18.04
# apt install python python3-pip python3-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached
Ubuntu 20.04
# apt install python3.8 python3-pip python3.8-dev python3-setuptools libc6-dev rabbitmq-server dmidecode gcc memcached

Install Nemesida AI MLC:

# apt install nwaf-mlc
CentOS 7
# yum install python36-pip python36-devel python36-setuptools python36-pika gcc dmidecode rabbitmq-server memcached
# yum install nwaf-mlc
CentOS 8
# dnf install gcc dmidecode rabbitmq-server python3-pip python3-devel python3-setuptools python3-pika memcached
# dnf install nwaf-mlc

Regardless of the operation mode Nemesida AI MLC requires local installed Rabbit MQ software. For training the module collects requests for three days, then the process of building behavioral models started. Later the models will be transmitted to the Nemesida AI MLA module.

Manage settings using the cloud web interface

Not used in Nemesida WAF Free.

To configure Nemesida WAF, you can use the cloud web interface, access details to which are provided upon receipt of the license key.

The settings management functionality is enabled by default, but it can be disabled by sending an email request.

The cloud web interface allows to manage:

  • Nemesida WAF dynamic module settings;
  • Nemesida AI MLC settings;
  • behavioral models;
  • synchronization of the IP addresses blocked list;
  • signature exclusion rules and extended blocking rules.

For the functionality it is necessary:

Perform basic configuration of Nemesida WAF modules
  • Nemesida WAF dynamic module:
    • nwaf_license_key – Nemesida WAF license key;
    • nwaf_sys_proxy – proxy server(if used);
    • nwaf_api_proxy – proxy server (if used) for accessing the Nemesida WAF API and Nemesida WAF Signtest;
    • nwaf_api_conf – Nemesida WAF API server address for sending information about detected anomalies.
  • Nemesida AI MLA module:
    • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for processing;
    • st_uri – Nemesida WAF Signtest server address for processing results from Nemesida AI.
  • Nemesida AI MLC module :
    • nwaf_license_key – Nemesida WAF license key;
    • api_uri – Nemesida WAF API address for sending information about the models training status and information about detected anomalies;
    • sys_proxy – proxy server (if used);
    • api_proxy – proxy server (if used) for accessing the Nemesida WAF API and Nemesida WAF Signtest;
    • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for processing;
    • st_uri – Nemesida WAF Signtest server address for processing results from Nemesida AI.

If the Nemesida WAF API and Nemesida WAF Signtest modules are not configured yet, the parameters nwaf_api_conf,api_uri,st_enable,st_uri can be specified later.

Log in to the web interface and add the required number of Nemesida WAF license keys on the “Keys” page.

Complete the basic configuration of the modules using the web interface
  • Nemesida WAF dynamic module:
    • nwaf_limit – limit of blocked requests;
    • nwaf_ip_wl – deactivation the request analysis mechanism by Nemesida WAF for a specific IP address or subnet;
    • nwaf_host_wl – deactivation the request analysis mechanism by Nemesida WAF for virtual host.
  • Nemesida AI MLC module:
    • vhosts_list – domain names list to use as virtual hosts for which behavioral models need to be created and applied;
    • ai_extra – activation/deactivation of the additional query analysis functionality;
    • DDoS detection:
      • enable – activatе/deactivatе of DDoS attack detection;
      • wl_ip – IP addresses list for which the DDoS attack detection will be disabled;
      • wl_url – virtual hosts list for which the DDoS attack detection will be disabled.
    • Brute detection:
      • enable – activatе/deactivatе of brute force attack detection;
      • wl_host – virtual hosts list for which the brute force attack detection will be disabled;
      • brute_detect – list of addresses for detecting brute force attacks;
      • brute_detect – list of addresses for flood detection;
      • max_val – The number of requests, when the value of which is reached, the IP address of the source(s) of the attack is blocked.

Manage settings using the cloud API

Not used in Nemesida WAF Free.

General information

The cloud API allows managing Nemesida WAF settings.

The cloud API allows managing:

  • Nemesida WAF dynamic module settings;
  • Nemesida AI MLC settings;
  • behavioral models;
  • synchronization of the IP addresses blocked list;
  • signature exclusion rules and extended blocking rules.

Settings are managed using specially compiled queries. Each request must contain the license key of the installed copy of Nemesida WAF. It is allowed to transfer it SHA256 hash instead of the license key.

The settings management functionality is enabled by default, but it can be disabled by sending an email request.

Before using the functionality, it is necessary to make basic settings of Nemesida WAF modules on each server where they are installed:

Basic settings
  • Nemesida WAF dynamic module:
    • nwaf_license_key – Nemesida WAF license key;
    • nwaf_sys_proxy – proxy server(if used);
    • nwaf_api_proxy – proxy server (if used) for accessing the Nemesida WAF API and Nemesida WAF Signtest;
    • nwaf_api_conf – Nemesida WAF API server address for sending information about detected anomalies.
  • Nemesida AI MLA module:
    • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for processing;
    • st_uri – Nemesida WAF Signtest server address for processing results from Nemesida AI.
  • Nemesida AI MLC module :
    • nwaf_license_key – Nemesida WAF license key;
    • api_uri – Nemesida WAF API address for sending information about the models training status and information about detected anomalies;
    • sys_proxy – proxy server (if used);
    • api_proxy – proxy server (if used) for accessing the Nemesida WAF API and Nemesida WAF Signtest;
    • st_enable – activate the transfer of disputed requests to Nemesida WAF Signtest for processing;
    • st_uri – Nemesida WAF Signtest server address for processing results from Nemesida AI.

Management commands

Action log

The functionality is available only for the Enterprise tariff.

Get action log contents:

# curl https://nemesida-security.com/nw/agent/public/get_event_log --data 'key=%License key or SHA256 hash%'

If you use an invalid license key, the response will be returned with the 401 code.

Nemesida WAF dynamic module

The functionality is available only for the Enterprise tariff.

Allows managing the settings of the Nemesida WAF dynamic module. Supports the following control commands:

Management commands
Get Settings:

# curl https://nemesida-security.com/nw/agent/get_dyn_settings --data 'key=%License key or SHA256 hash%'

JSON format:

# curl https://nemesida-security.com/nw/agent/get_dyn_settings?format=json --data 'key=%License key or SHA256 hash%'

Get the settings hash sum:

# curl https://nemesida-security.com/nw/agent/get_dyn_settings_hash --data 'key=%License key or SHA256 hash%'

Receiving the hash amount is necessary to confirm the changes made.

Set settings:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_settings --header 'Content-type: application/json' --data '{"token": "%Identification token%", "set": {"nwaf_ip_wl": "127.0.0.1, 127.0.0.2", "nwaf_ai_extra_host_lm": "example.com", "active": "true"}}'

where:

  • set – settings parameters in JSON format.

Delete settings:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_settings --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": "nwaf_ip_wl"}'

where:

  • del – settings parameters in JSON format.

Identification token is available in the cloud web interface.

The following parameters are available for control:

Supported parameters
Parameter
Parameter description
nwaf_limit

Sets the limit of blocked requests. If the allowed number of requests specified by the rate option is exceeded, the IP address will be blocked for the time (in seconds) specified in block_time.

Example:

{... "nwaf_limit": "rate=5r/m block_time=600" ...}

The domain parameter is optional and is only required to set the limit of blocked requests for a specific domain. To do this, need to bring the parameter to the form: nwaf_limit rate=... block_time=... domain=.... Strict matching and wildcard values are allowed: *, example.com, .example.com, *.example.com.

Example:

{... "nwaf_limit": "domain=example.com rate=5r/m block_time=600" ...}

To set different limits for different domains, specify parameters for each of them.

Example:

{... "nwaf_limit": "domain=a.example.com rate=5r/m block_time=300, domain=example.com rate=5r/m block_time=300" ...}

or

{... "nwaf_limit": "rate=10r/m block_time=600, domain=example.com rate=5r/m block_time=300" ...}

In the last example, limits will be set for 5 requests per minute for the domainexample.com (followed by blocking the attacker’s IP address for 300 seconds), as well as limits on 10 requests per minute for all other domains (followed by blocking the attacker’s IP address for 600 seconds).

nwaf_ip_wl

Deactivation of the request analysis mechanism by Nemesida WAF for a specific IP address or subnet.

Example:

{... "nwaf_ip_wl": "127.0.0.1, 192.168.0.1" ...}
{... "nwaf_ip_wl": "127.0.0.1, 192.168.0.1" ...}

When using "nwaf_ip_wl": "domain=example.com 127.0.0.1" the analysis mechanism will be deactivated only when accessing from a specific IP address to a specific domain. The domain option is optional. It is allowed to use strict compliance and wildcard values: *, example.com , .example.com , *.example.com . An address with a subnet mask or a range of addresses can be used as an IP address.

Example:

{... "nwaf_ip_wl": "127.0.0.1, 192.168.61.0/24, 192.168.61.1-192.168.61.255" ...}

To reduce the number of false positives, it is recommended to specify the static IP address of users (administrators, content managers, editors) in the parameter nwaf_ip_wl. Requests that fall under the action of the parameter will not be blocked, passed to RabbitMQ, and, as a result, analyzed by the Nemesida AI module. Be extremely careful when using the parameter.

IPv6 and IPv4 addresses are allowed.

nwaf_ip_lm

Configuring request processing for a specific IP address or subnet with fixation in the DBMS, but without actual blocking (IDS mode).

Example:

{... "nwaf_ip_lm": "127.0.0.1, 192.168.0.1" ...}

When using "nwaf_ip_lm": "domain=example.com 127.0.0.1" the pass will be made only when accessing from a specific IP address to a specific domain. The domain option is optional. Strict matching and wild card values are allowed: *, example.com, .example.com, *.example.com. An address with a subnet mask or a range of addresses can be used as an IP address.
Example:

{... "nwaf_ip_wl": "127.0.0.1, 192.168.61.0/24, 192.168.61.1-192.168.61.255" ...}

IPv6 and IPv4 addresses are allowed.

nwaf_host_wl

Deactivation of the request analysis mechanism by Nemesida WAF for a virtual host. With the parameter nwaf_host_wl *, skipping will be performed for all virtual hosts.

Example of using a single value:

{... "nwaf_host_wl": "*" ...}

or

{... "nwaf_host_wl": "example.com" ...}

or

{... "nwaf_host_wl": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_host_wl": "example.com, a.example.com" ...}

or

{... "nwaf_host_wl": "example.com, *.example.com" ...}
nwaf_host_lm

Configuring request processing for a specific virtual host with a commit in the DBMS, but without actual blocking (IDS mode). With the parameter nwaf_host_lm *, skipping will be performed for all virtual hosts.

Example of using a single value:

{... "nwaf_host_lm": "*" ...}

or

{... "nwaf_host_lm": "example.com" ...}

or

{... "nwaf_host_lm": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_host_lm": "example.com, a.example.com" ...}

or

{... "nwaf_host_lm": "example.com, *.example.com" ...}
nwaf_mla_host_lm

The parameter that activates the LM mode (IDS) for requests defined by the Nemesida AI MLA module as illegitimate.

If the name of the virtual host from the request falls under the action of the parameter, then such a request is fixed in the database management system, but is not blocked.

Example of using a single value:

{... "nwaf_mla_host_lm": "*" ...}

or

{... "nwaf_mla_host_lm": "example.com" ...}

or

{... "nwaf_mla_host_lm": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_mla_host_lm": "example.com, a.example.com" ...}

or

{... "nwaf_mla_host_lm": "example.com, *.example.com" ...}
nwaf_ai_extra_host_wl

A parameter that activates the WL mode for requests defined by the Nemesida AI MLC module as illegitimate.

If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.

Example of using a single value:

{... "nwaf_ai_extra_host_wl": "*" ...}

or

{... "nwaf_ai_extra_host_wl": "example.com" ...}

or

{... "nwaf_ai_extra_host_wl": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_ai_extra_host_wl": "example.com, a.example.com" ...}

or

{... "nwaf_ai_extra_host_wl": "example.com, *.example.com" ...}
nwaf_ai_extra_host_lm

A parameter that activates LM mode (IDS) for requests defined by the Nemesida AI MLC module as illegitimate.

If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.

Example of using a single value:

{... "nwaf_ai_extra_host_lm": "*" ...}

or

{... "nwaf_ai_extra_host_lm": "example.com" ...}

or

{... "nwaf_ai_extra_host_lm": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_ai_extra_host_lm": "example.com, a.example.com" ...}

or

{... "nwaf_ai_extra_host_lm": "example.com, *.example.com" ...}
nwaf_bf_detect_host_lm

A parameter that activates the LM mode for requests defined by the Nemesida AI MLC module as brute force attacks (BT 7) and flood (BT 9).

If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.

Example of using a single value:

{... "nwaf_bf_detect_host_lm": "*" ...}

or

{... "nwaf_bf_detect_host_lm": ".example.com" ...}

or

{... "nwaf_bf_detect_host_lm": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_bf_detect_host_lm": "example.com, *.example.org" ...}
nwaf_ddos_detect_host_lm

A parameter that activates LM mode for requests defined by the Nemesida AI MLC module as DDoS attacks (BT 10).

If the name of the virtual host from the request falls under the action of the parameter, then such a request is not recorded in the DBMS and is not blocked.

Example of using a single value:

{... "nwaf_ddos_detect_host_lm": "*" ...}

or

{... "nwaf_ddos_detect_host_lm": ".example.com" ...}

or

{... "nwaf_ddos_detect_host_lm": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_ddos_detect_host_lm": "example.com, example.org" ...}
nwaf_rmq_host_exclude

A parameter that excludes sending some requests to the RabbitMQ server (the nwaf queue).

If the name of the virtual host from the request falls under the action of the parameter, then such a request is not passed to the nwaf queue, and, accordingly, is not processed by the Nemesida AI MLC module (it is not analyzed for anomalies and brute force attacks, does not participate in the construction of behavioral models).

Example of using a single value:

{... "nwaf_rmq_host_exclude": "*" ...}

or

{... "nwaf_rmq_host_exclude": "example.com" ...}

or

{... "nwaf_rmq_host_exclude": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_rmq_host_exclude": "example.com, a.example.com" ...}

or

{... "nwaf_rmq_host_exclude": "example.com, *.example.com" ...}
nwaf_body_exclude

The parameter that excludes the analysis of the BODY zone by the signature method, as well as sending its contents in the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful if it is not possible to change the value of the client_body_buffer_size parameter in the /etc/nginx/nginx.conf file.

Example:

{... "nwaf_body_exclude": "*" ...}

or

{... "nwaf_body_exclude": "example.com/uploads.php" ...}

or

{... "nwaf_body_exclude": "example.com/uploads" ...}

When applying the parameter, the exact match of the path (vhost/path).

For example, with the value: example.com/uploads the BODY zone analysis exception will be applied for requests to example.com/uploads, but for example.com/uploads.php and example.com/uploads/index.php the parameter will not be applied. With the value *, the BODY zone analysis exception will be applied to any address.

nwaf_put_body_exclude

The parameter that excludes the signature method from analyzing the contents of the BODY zone for INPUT requests, as well as sending the contents of the zone to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful when interacting with ownCloud web applications or similar ones that allow the client to upload a file to the server over the HTTP protocol.

Example of using a single value:

{... "nwaf_put_body_exclude": "*" ...}

or

{... "nwaf_put_body_exclude": "example.com" ...}

or

{... "nwaf_put_body_exclude": "*.example.com" ...}

Example of using multiple values:

{... "nwaf_put_body_exclude": "example.com, a.example.com" ...}

or

{... "nwaf_put_body_exclude": "example.com, *.example.com" ...}

Nemesida AI MLC

The functionality is available only for the Enterprise tariff.

Allows managing the settings of the Nemesida AI MLC module. The following control commands are supported:

Management commands
Get Settings:

# curl https://nemesida-security.com/nw/agent/get_mlc_settings --data 'key=%License key or SHA256 hash%'

JSON format:

# curl https://nemesida-security.com/nw/agent/get_mlc_settings?format=json --data 'key=%License key or SHA256 hash%'

Get the settings hash sum:

# curl https://nemesida-security.com/nw/agent/get_mlc_settings_hash --data 'key=%License key or SHA256 hash%'

Set a list of virtual hosts for which models will be created and applied:

# curl https://nemesida-security.com/nw/agent/public/set_vhosts_list --header 'Content-type: application/json' --data '{"token": "%Identification token%", "vhosts_list": "example.com, example.org"}'

where:

  • vhosts_list – list of virtual hosts for which models will be created and applied.

Set settings:

# curl https://nemesida-security.com/nw/agent/public/set_mlc_settings --header 'Content-type: application/json' --data '{ "token": "%Identification token%", set": {"main__ai_extra": "false", "brute_interval": "11", "brute__brute_detect": ["example.com/a1, example.com/b1"], "active": "true"}}'

where:

  • set – settings parameters in JSON format.

Delete settings:

# curl https://nemesida-security.com/nw/agent/public/set_mlc_settings --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": "brute_detect"}'

where:

  • del – settings parameters in JSON format.

Identification token is available in the cloud web interface.

Supported parameters
Parameter
Parameter description
main__ai_extra

Activate/deactivate the additional request analysis functionality, which allows detecting missed attacks and temporarily blocking their source by IP address. If the additional analysis functionality is inactive, all unblocked requests will be included in the training sample (with the exception of requests that fall under the WL mode, or illegitimate requests that fall under the LM mode).

Example:

{... "main__ai_extra": "true" ...}
ddos__enable
Activate/deactivatie of the DDoS attack detection.

Example:

{... "ddos__enable": "true" ...}
ddos__wl_ip
A parameter that defines a list of IP addresses in the format 1.2.3.4, for which the DDoS detection will be disabled. Each subsequent value is separated by a space.

Example:

{... "ddos__wl_ip": "127.0.0.1" ...}
ddos__wl_url
The parameter that defines addresses both in the format vhost and host/path, where:

vhost – virtual host for which the DDoS detection will be disabled.
path – resource address occurrence.

Strict matching and wildcard values are allowed: *, example.com, .example.com, *.example.com.

Example:

{... "ddos__wl_url": "example.com, .example.com, *.example.com" ...}

or

{... "ddos__wl_url": "example.com/auth" ...}
ddos__interval
The time interval (in seconds) during which the query analysis is performed.

Example:

{... "ddos__interval": "10" ...}
ddos__latest_only
Activation of transmission to Nemesida WAF API of only the last blocked request for each IP address. If the value false, all blocked requests for each IP address are transmitted to the Nemesida WAF API.

Example:

{... "ddos__latest_only": "true" ...}
ddos__send_possible
Activation of the transmission mechanism in Nemesida WAF API requests with the type Possible DDoS. If the value false, requests to the Nemesida WAF API will not be transmitted.

Example:

{... "ddos__send_possible": "true" ...}

The prefix Possible is added to the name of the attack if its type has not been reliably established.

brute__enable
Activate/deactivate the brute force attacks detection.

Example:

{... "brute__enable": "true" ...}
brute__wl_host
Deactivation of the brute force attacks detection for specific virtual hosts. Strict matching and wildcard values are allowed: *, example.com, .example.com, *.example.com.

Example:

{... "brute__wl_host": "example.com, .example.org, *.example.us" ...}
brute__interval
The time interval during which the query analysis is performed.

Example:

{... "brute__interval": "10" ...}
brute__max_val
The number of requests, upon reaching the value of which the IP address of the source(s) of the attack is blocked.

Example:

{... "brute__mav_val": "15" ...}
brute__brute_detect
A parameter that defines a list of addresses for detecting brute force attacks in the format host/path, where path is the occurrence of the resource address on the web server. Strict matching and wildcard values are allowed: *, example.com, .example.com, *.example.com.

Example:

{... "brute__brute_detect": "example.com/auth, .example.com/auth" ...}

or

{... "brute__brute_detect": "*.example.com/auth" ...}

Thus, with the set value example.com/auth, brute force attacks will be monitored as for example.com/auth, and for example.com/auth/reset_password.

The parameter is used to detect brute force attacks, but does not block duplicate requests with the same content in the ARGS or BODY zones.

brute__flood_detect
The parameter has a similar functionality to the brute_detect parameter, but is designed to detect flood attempts or similar attacks with repeated requests. The only difference is that during the analysis of requests that fall under the action of the flood_detect parameter, duplicates are not deleted.

Thus, in case of repeated sending of identical requests (for example, multiple attempts to recover a password by SMS), requests with similar content and falling under the action of the flood_detect parameter will not be deleted, unlike requests with similar content, but falling under the action of the brute_detect parameter.
Example:

{... "brute__flood_detect": "example.com/auth, .example.com/auth" ...}

or

{... "brute__flood_detect": "*.example.com/auth" ...}
brute__latest_only
Activation of transmission to Nemesida WAF API of only the last blocked request for each IP address. If the value false, all blocked requests for each IP address are transmitted to the Nemesida WAF API.

Example:

{... "brute__latest_only": "true" ...}
brute__send_possible
Activation of the transmission mechanism in Nemesida WAF API requests with the type Possible DDoS. If the value false, requests to the Nemesida WAF API will not be transmitted.

Example:

{... "brute__send_possible": "true" ...}

The prefix Possible is added to the name of the attack if its type has not been reliably established.

Behavioral models management

Settings management is not available for the Light tariff.

Incorrect training of behavioral models or significant changes in the web application can lead to a lot of false positives. To improve the accuracy of detecting attacks, it is recommended to retrain models once a week. The commands below allow you to perform actions on models. The following control commands are supported:

Management commands
Get a virtual hosts list with models:

# curl https://nemesida-security.com/nw/ml/mgmt/get_models_list_uri --data 'key=%License key or SHA256 hash%'

Get the model training status for a virtual host:

# curl 'https://nemesida-security.com/nw/ml/mgmt/get_training_uri' --data 'key=%License key or SHA256 hash%&vhost=example.com'

Delete a model for a virtual host:

# curl 'https://nemesida-security.com/nw/ml/mgmt/del_models_uri' --data 'key=%License key or SHA256 hash%&vhost=example.com'

where:

  • vhost – the name of the virtual host for which you want to delete the behavioral model.

Set the training period of the model for the virtual host:

# curl 'https://nemesida-security.com/nw/ml/mgmt/set_training_uri' --data 'key=%License key or SHA256 hash%&vhost=example.com&duration=4&complete=yes'

where:

  • duration – training period in days;
  • complete – training status (yes – training completed, no – not completed).

Executing the last command with the value of the parameter complete=no allows you to start the process of retraining the model, and complete=yes interrupts the learning process.

Before starting the model learning process, the virtual host must be added to the list of virtual hosts. The command that allows you to set a list of virtual hosts is given in the section Nemesida AI MLC (Management commands).

Signature exclusion rules management

The functionality is available only for the Enterprise tariff.

Allows configuring signature exclusion rules. The following control commands are supported:

Management commands
Get a list of rules:

# curl https://nemesida-security.com/nw/agent/get_dyn_wl --data 'key=%License key or SHA256 hash%'

Get extended information about the rule:

# curl https://nemesida-security.com/nw/agent/get_dyn_wl?extended=yes --data 'key=%License key or SHA256 hash%'

Get the rule list hash sum:

# curl https://nemesida-security.com/nw/agent/get_dyn_wl_hash --data 'key=%License key or SHA256 hash%'

Create rule:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_wl --header 'Content-type: application/json' --data '{ "token": "%Identification token%", "add": { "rl_id": "50001", "domain": "example.com", "mz": "URL", "extension": "$URL_X:/test"}}'

where:

  • add – settings parameters in JSON format.

More detailed information on creating rules is available in the corresponding section of the documentation.

Update rule:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_wl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "upd": {"rl_id": "50001", "pattern": "ABC"}}'

where:

  • upd – settings parameters in JSON format.

Delete rule:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_wl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": {"rl_id": "50001"}}'

where:

  • del – settings parameters in JSON format.

Identification token is available in the cloud web interface.

Extended request blocking rules

The functionality is available only for the Enterprise tariff.

The mechanism of extended request blocking rules allows you to use additional conditions for a more accurate result when drawing up personal rules. For example, you can create a rule by which the request will be blocked if:

  • corresponds to a geographical location based on an IP address (determining the country by the attacker’s IP address);
  • there is an appeal to a specific domain or URL;
  • contains a specific header (for example, User-Agent, Cookie, Referrer, etc.) and/or the contents of these headers.

For a more accurate result, the parameters can be combined with each other. In this case, the rule will only work if all the conditions are met.

The principle of operation
Supported the following parameters:

  • ip – Attacker’s IP address;
  • api – send the result of the rule triggering to the Nemesida WAF API module;
  • lm – processing of the rule in the LM mode (the rule is triggered, but the request is not blocked);
  • noban – with the value false, when the rule is triggered, the request will be blocked, but the counter rate of the parameter nwaf_limit required to block the IP address of the request source will not increase;
  • apply_to_waf_id – apply a rule for a license key or a group of keys that belong to the same WAF ID;
  • country – country (for the functionality of determining the geographical location based on the IP address, you need to connect a file with the GeoIP2 database in /etc/nginx/nwaf/conf/global/nwaf.conf);
  • domain – domain;
  • url – the occurrence of a string in the contents of the zone URL;
  • args – the occurrence of a string in the contents of the zone ARGS;
  • body – the occurrence of a string in the contents of the zone BODY;
  • cookies – the occurrence of a string in the contents of the zone Cookie;
  • ua – the occurrence of a string in the contents of the zone User-Agent;
  • referer – the occurrence of a string in the contents of the zone Referer;
  • other_headers – the occurrence of a string in the contents of the zone Other_headers.

For all parameters (except ID,API,LM, noban), it is allowed to use multiple values in one parameter using the logical operators “not” (!), “and” (&), “or” (|). Operators have no priority and are executed in turn, from left to right.

Example:

{... "IP": "192.168.61.0/24|192.168.62.0/24" ...}

When the extended request blocking rule is checked, all fields except IP, Country, API, LM and noban are checked for the contents of the field from the blocking rule to be checked in the request field. For example, with "URL": "base64(/abc)", a request with the URL /abcd will be blocked.

For domain strict matching and wildcard values are allowed: *, example.com, .example.com, *.example.com.

Example:

{... "Domain": "base64(*.example.com)" ...}

With this value, the rule will apply to all subdomains (a.example.com, b.example.com, etc.), excluding the main domain example.com. If the value of the domain field is empty, the rule will be accepted for all requests.

The prefix base64 before the parameter means that the parameter value must be passed in the format base64 when composing the rule. Example: "Domain": "base64(*.example.com )" will look like "Domain": "ki5legftcgxllmnvbq=="

Other_headers

Field format:
{... "Other_headers": ["base64(header_name):base64(header_value)", ...] ...}
where:

  • base64(header_name) – header name in base64;
  • base64(header_value) – header value in base64.

For the Other_headers field, the contents of the base64(header_name) section is optional. If there is one, the contents of the base64(header_value) header will be checked with the specified name header_name, and if not, the contents of all headers.

Example:

{... "Other_headers": ["base64(example_header):base64(abcd)"] ...}

With this value, the abcd will be searched in the example_header header.

It is allowed to use the construction !base64(header_name) in this case, blocking the request will work only if there is no header with the specified name among all headers.

Example:

{... "Other_headers": ["!base64(example_header):base64(abcd)"] ...}

If the construction is base64(header_name) is specified without a subsequent value, then the request will be blocked at any value of the header header_name (blocking by the presence of the header).

Example:

{... "Other_headers": ["base64(example_header)"] ...}

If it is not possible to get any field specified in the extended blocking rule in the request, the request will be skipped. If the /etc/nginx/nwaf/conf/global/url.db file contains an extended blocking rule created with an error, then the error information in the rule will be displayed in the Nginx event log. The rest of the rules will be processed normally, provided that they are drawn up correctly.

The following control commands are supported:

Management commands
Get a list of rules:

# curl https://nemesida-security.com/nw/agent/get_erl --data 'key=%License key or SHA256 hash%'

Get extended information about the rule:

# curl https://nemesida-security.com/nw/agent/get_erl?extended=yes --data 'key=%License key or SHA256 hash%'

Get the rule list hash sum:

# curl https://nemesida-security.com/nw/agent/get_erl_hash --data 'key=%License key or SHA256 hash%'

Create rule:

# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "add": {"ip": "1.1.1.1|2.2.2.2", "active": "true"}}'

where:

  • add – settings parameters in JSON format.
# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "add": {"ip": "!1.1.1.0/24", "domain": "ZXhhbXBsZS5jb20=" "active": "true"}}'

The request will be blocked if on example.com a request will be received from any IP address except 1.1.1.1-1.1.1.255.

# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "add": {"ip": "1.1.1.1", "domain": "ZXhhbXBsZS5jb20=", "other_headers": ["dGVzdC1oZWFkZXI=:YWJj"], "active": "true"}}'

The request will be blocked by the rule if example.com a request will be received from the IP address 1.1.1.1 and the header test-header contains the string abc.

# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token", "add": {"сountry": "Q0g=|UlU=", "domain": "ZXhhbXBsZS5jb20=", "other_headers": ["dGVzdC1oZWFkZXI=:YWJj"], "cookie": "!dGVzdF9jb29raWU=", "referer": "!aHR0cDovL2V4YW1wbGUuY29t" "active": "true"}}'

The request will be blocked by the rule if a request for example.com will be received from an IP address, from the region RU or CH, the header test-header contains the string abc, the header Cookie does not contain the string test_cookie and the header Referer does not contain http://example.com .

# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{ "token": "%Identification token%", "add": { "ip": "1.1.1.1", "other_headers": ["VGVzdC1GaWVsZA==:"], "referer": "aHR0cDovL2V4YW1wbGUuY29tLw==", "ua": "TW96aWxsYS81LjA=", "cookie": "dGVzdF9jb29raWU=", "body": "YmM9MyZjYz0x", "args": "P3BhZ2U9Mw==", "url": "aW50ZXJuYWx0ZXN0", "domain": "ZXhhbXBsZS5jb20=", "api": false, "country": "Q0g=|VFc=", "active": true}}'

The request will be blocked by the rule if a request for example.com will be received from the IP address 1.1.1.1, from the region RU or CH, which will contain:

  • header Referer with http://example.com/ content;
  • header Test-Field with any content;
  • header User-Agent with Mozilla/5.0 content;
  • header Cookie with test_cookie content;
  • request body content bc=3&cc=1;
  • request argument ?page=3.

Update rule:

# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "upd": {"id": "1", "ip": "1.1.1.1", "active": "true"}}'

where:

  • upd – settings parameters in JSON format.

Delete rule:

# curl https://nemesida-security.com/nw/agent/public/set_erl --header 'Content-type: application/json' --data '{"token": "%Identification token%", "del": {"id": "1"}}'

where:

  • del – settings parameters in JSON format.

Identification token is available in the cloud web interface.

Syncing the list of blocked IP addresses

The functionality is available only for the Enterprise tariff.

Allows configuring automatic synchronization of the list of blocked IP addresses between servers. For the synchronization of blocked IP addresses to work correctly on all servers belonging to the synchronization group, it is necessary to set uniform values for the parameters nwaf_limit.

The following control commands are supported:

Management commands
Get the list of keys included in the synchronization group:

# curl https://nemesida-security.com/nw/agent/public/get_dyn_sync_ban_r --data 'key=%License key or SHA256 hash%'

Set the list of keys included in the synchronization group:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_sync_ban_r --header 'Content-type: application/json' --data '{ "active": "true", "set_relations": ["%License key 1 or SHA256 hash%", "%License key 2 or SHA256 hash%"]}'

where:

  • active – synchronization status.

Identification token is available in the cloud web interface.

Delete key from the synchronization group:

# curl https://nemesida-security.com/nw/agent/public/set_dyn_sync_ban_r --header 'Content-type: application/json' --data '{"del_relations": ["%License key 1 or SHA256 hash%", "%License key 2 or SHA256 hash%"]}'

Setting up the Nemesida WAF dynamic module

/etc/nginx/nwaf/conf/global/nwaf.conf – the main configuration file of the Nemesida WAF module.

Parameters nwaf.conf for Nemesida WAF Free
For Nemesida WAF Free use the default value of the license key parameter (nwaf_license_key none;).

To update signatures, provide access to nemesida-security.com:443. When using a proxy server, specify it in the nwaf_sys_proxy option (for example, nwaf_sys_proxy proxy.example.com:3128;).

nwaf.conf parameters
Default setting
Description of the parameter
nwaf_license_key

The installation parameter of the license key software Nemesida WAF. The key is also used by the Nemesida AI module, if it is located on the same server. The using one license key on two or more examples of nwaf-dyn is prohibited.

With the nwaf_license_key = none parameter or incorrect product key the Nemesida WAF will continue working in Nemesida WAF Free mode.

nwaf_host_enable

The parameter that activates the Nemesida WAF functionality for the listed virtual hosts. With the nwaf_host_enable *; parameter, analysis will be performed for all virtual hosts.

Example for use single value:

nwaf_host_enable *;
nwaf_host_enable example.com;
nwaf_host_enable *.example.com;

Example for use many values:

nwaf_host_enable example.com, 1.example.com;
nwaf_host_enable example.com, *.example.com;
nwaf_limit

Setting the limit of blocked requests. If the allowed number of requests specified by the rate option is exceeded, the IP address will be blocked for the time (in seconds) specified in block_time.

Example:

nwaf_limit rate=5r/m block_time=600;

To set the limit of blocked requests for a specific domain, you need to make the parameter look like: nwaf_limit rate=... block_time=... domain=...;

Example:

nwaf_limit rate=5r/m block_time=600 domain=example.com;

For the domain parameter it is allowed to use a wildcard value.

nwaf_captcha_unban*

Activation/deactivation of the mechanism for unlocking an IP address using captcha.

Example: 

nwaf_captcha_unban on;
nwaf_ban_captcha_host*

A parameter that activates the mechanism for unlocking an IP address for virtual hosts using captcha for requests detected by the Nemesida AI MLC module as BT 7, BT 9 or BT 10. It is allowed to use a wildcard value.

Example: 

nwaf_ban_captcha_host *;
nwaf_ban_captcha_host example.com;
nwaf_ban_captcha_host *.example.com;

More detailed information about the functionality is available in in the corresponding section.

nwaf_ban_captcha_path*
nwaf_ban_captcha_url*

A parameter that determines the location of the captcha page.

Example: 

nwaf_ban_captcha_path /captcha_path;

For specify the URL of an arbitrary page with captcha on the Internet, use the nwaf_ban_captcha_url parameter.

Example:

nwaf_ban_captcha_url http://example.com/captcha_path;

The parameter takes precedence over nwaf_ban_captcha_path when used at the same time.

For the correct work of unlocking mechanism, you must activate the nwaf_captcha_unban parameter for a specific URL. Using one instance of Nemesida WAF to protect both the web application and the captcha page will lead to incorrect operation of the unlocking mechanism.

nwaf_sync_ban_ip_key*

Setting a secret key for syncing blocked IP addresses, which must be identical on all synced instances of Nemesida WAF.

Example:

nwaf_sync_ban_ip_key 1234567890abcdef;
nwaf_sync_ban_ip_host*

The parameter defines the URL for getting the list of blocked IP addresses and the period of requests. The polling period must be identical on all synced instances of Nemesida WAF.

Example:

nwaf_sync_ban_ip_host srv1.example.com/ban_ip_sync_path 15;
nwaf_sync_ban_ip_host srv2.example.com/ban_ip_sync_path 15;

For IP addresses with a remaining blocking time of less than 60 seconds, synchronization is not performed.

nwaf_sys_proxy
This parameter defines the proxy server address for accessing nw-auth-extra.nemesida-security.com:443 (license key verification) and nemesida-security.com:443 (getting signatures, loading a list of virtual hosts and loading behavioral models).

Example:

nwaf_sys_proxy http://proxy.example.com:3128;

For distributions Ubuntu 16.04 and CentOS 7, it is allowed to use a proxy server only from the HTTP scheme.

nwaf_api_proxy
This parameter defines the proxy server address for accessing the Nemesida WAF API and Nemesida WAF Signtest.

Example:

nwaf_api_proxy http://proxy.example.com:3128;

For distributions Ubuntu 16.04 and CentOS 7, it is allowed to use a proxy server only from the HTTP scheme.

nwaf_api_conf

Set up interaction with the Nemesida WAF API and other related parameters.

host – is parameter defines the address of the Nemesida WAF API server for sending information about attacks, the results of the Nemesida WAF Scanner and Nemesida AI. With the host=none option, data will not be transmitted to the Nemesida WAF API.

nwaf_mla*

Settings of interaction with the Nemesida AI MLA module, where mla_score is the threshold option, upon reaching which the decision to block the request is transmitted to the Nemesida AI MLA module.

Signatures with threshold value is 12 are blocked without sending in Nemesida AI MLA module.

nwaf_rmq_host_exclude*

The parameter which excludes some requests sending to the RabbitMQ server (nwaf queue).

If the vitual host name from the request falls within the scope of the parameter, the request is not sent to nwaf queue and is not processed by Nemesida AI MLC module (is not analyzed on anomalies and brute force attacks, does not take part in behavioral models building).

Example for use single value:

nwaf_rmq_host_exclude *;
nwaf_rmq_host_exclude example.com;
nwaf_rmq_host_exclude *.example.com;

Example for use many values:

nwaf_rmq_host_exclude example.com 1.example.com;
nwaf_rmq_host_exclude example.com *.example.com;
nwaf_ai_extra_host_lm*

The parameter activates LM (IDS) mode for the requests, which were detected as illegitimate by Nemesida AI MLC module. If the virtual host name from the request falls within the scope of the parameter, the request is fixed in the DBMS, but is not blocked.

Example for use single value:

nwaf_ai_extra_host_lm *;
nwaf_ai_extra_host_lm example.com;
nwaf_ai_extra_host_lm *.example.com;

Example for use many values:

nwaf_ai_extra_host_lm example.com, 1.example.com;
nwaf_ai_extra_host_lm example.com, *.example.com;
nwaf_mla_host_lm*

The parameter activates LM (IDS) mode for the requests, which were detected as illegitimate by Nemesida AI MLA module.

If the name of the virtual host from the request falls under the parameter, the request is fixed in the database management system, but it is not blocked.

Example for use single value:

nwaf_mla_host_lm *;
nwaf_mla_host_lm example.com;
nwaf_mla_host_lm *.example.com;

Example for use many values:

nwaf_mla_host_lm example.com, 1.example.com;
nwaf_mla_host_lm example.com, *.example.com;
nwaf_ai_extra_host_wl*

The parameter activates WL mode for the requests, that were detected by Nemesida AI MLC module as illegitimate. If the virtual host name from the request falls within the scope of the parameter, the request is not fixed in the DBMS and is not blocked.

Example for use single value:

nwaf_ai_extra_host_wl *;
nwaf_ai_extra_host_wl example.com;
nwaf_ai_extra_host_wl *.example.com;

Example for use many values:

nwaf_ai_extra_host_wl example.com, 1.example.com;
nwaf_ai_extra_host_wl example.com, *.example.com;
nwaf_bf_detect_host_lm*

The parameter activates LM mode for the requests, that were detected by Nemesida AI MLC module as brute force attacks (BT 7).

If the virtual host name from the request falls under the parameter, the request is fixed in the DBMS, but it is not blocked.

Example for use single value:

nwaf_bf_detect_host_lm *;
nwaf_bf_detect_host_lm .example.com;
nwaf_bf_detect_host_lm *.example.com;

Example for use many values:

nwaf_bf_detect_host_lm example.com, example.org;
nwaf_ddos_detect_host_lm*

The parameter activates LM mode for the requests, that were detected by Nemesida AI MLC module as DDoS attacks (BT 10).

If the virtual host name from the request falls under the parameter, the request is fixed in the DBMS, but it is not blocked.

Example for use single value:

nwaf_ddos_detect_host_lm *;
nwaf_ddos_detect_host_lm .example.com;
nwaf_ddos_detect_host_lm *.example.com;

Example for use many values:

nwaf_ddos_detect_host_lm example.com, example.org;
nwaf_put_body_exclude

The parameter that prevents the signature method from analyzing the content of the BODY zone for PUT requests, as well as sending the zone content to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful when using web applications such as ownCloud or similar that allow the user to upload files via the HTTP protocol.

Example for use single value:

nwaf_put_body_exclude *;
nwaf_put_body_exclude example.com;
nwaf_put_body_exclude *.example.com;

Example for use many values:

nwaf_put_body_exclude example.com, 1.example.com;
nwaf_put_body_exclude example.com, *.example.com;
nwaf_body_exclude

The parameter that prevents the signature method from analyzing the content of the BODY zone, as well as sending the zone content to the Nemesida AI MLA and Nemesida AI MLC modules. This option is useful if you can’t change the value of theclient_body_buffer_size parameter in the /etc/nginx/nginx.conf file.

Example:

nwaf_body_exclude *;
nwaf_body_exclude example.com/uploads.php;
nwaf_body_exclude example.com/uploads;

When using the parameter, the exact path match (vhost/path) is taken into account.

For example, if the value is example.com/uploads the BODY zone analysis exception will be applied for requests to example.com/uploads, but for example.com/uploads.php and example.com/uploads/index.php this parameter will not be applied.

nwaf_rmq

Configuring the interaction subsystem with RabbitMQ software.

nwaf_clamav*

Activation of the mechanism for sending the body of POST and PUT requests to the ClamAV module.

For analyzing only file content from the request body with Content-Type: multipart/form-data, use the FILE_ONLY option.

The file content of the PUT request body is transferred regardless of the FILE_ONLY value.

nwaf_ip_wl

Deactivation of the request analysis mechanism by means of the Nemesida WAF software for a specific IP address or subnet.

Example: 

nwaf_ip_wl x.x.x.x;

With the parameter nwaf_ip_wl x.x.x.x domain=example.com; the analysis mechanism will be deactivated only when accessing a specific IP address to a specific virtual host.
For the domain option it is allowed to use a wildcard value.
As an IP address it is possible to use address with subnet mask (for example, 192.168.0.0/24) or subnet range (for example, 192.168.0.1-192.168.255.255).

To reduce false positives, it is recommended to specify the static IP address of specialized users (administrators, content managers, editors) in nwaf_ip_wl parameter. Requests are put under the parameter will not be blocked, transfered into RabbitMQ annd analysed by Nemesida AI module. Be careful using this parameter.

It is allowed to use IPv6 and IPv4-addresses.

nwaf_ip_lm

Configuring the pass of all occurrences of the rules for a specific IP address or subnet with the event recorded in the DBMS (IDS mode).

Example:

nwaf_ip_lm x.x.x.x;

With the nwaf_ip_lm x.x.x.x domain=example.com; pass will be made only when contacting a specific IP address to a specific domain.
For the domain option it is allowed to use a wildcard value.
As an IP address it is allowed to use address with subnet mask (for example, 192.168.0.0/24) or subnet range (for example, 192.168.0.1-192.168.255.255).

It is allowed to use IPv6 and IPv4-addresses.

nwaf_host_wl

Deactivation of the request analysis mechanism, using Nemesaida WAF instruments, for the virtual host. Using parameter nwaf_host_wl *; the pass will be made for all virtual hosts.

Example for use single value:

nwaf_host_wl *;
nwaf_host_wl example.com;
nwaf_host_wl *.example.com;

Example for use many values:

nwaf_host_wl example.com, 1.example.com;
nwaf_host_wl example.com, *.example.com;
nwaf_host_lm

Configuring the pass of all occurrences of the rules for a specific virtual host with the event captured in the DBMS (IDS mode). With the parameter nwaf_host_lm *; the pass will be made for all virtual hosts.

Example for use single value:

nwaf_host_lm *;
nwaf_host_lm example.com;
nwaf_host_lm *.example.com;

Example for use many values:

nwaf_host_lm example.com, 1.example.com;
nwaf_host_lm example.com, *.example.com;
nwaf_clamav_wl*

Configuring the blocking exclusion list for the contents of the request body or downloadable file by the MD5 amount (the MD5 amount is contained in the error.log of the Nginx software).

Example of a log entry:

Nemesida WAF: blocked by ClamAV, stream: Eicar-Test-Signature FOUND, md5: 44d88612fea8a8f36de82e1278a-bb02f, ...

Example of WL rule:

nwaf_clamav_wl 44d88612fea8a8f36de82e1278a-bb02f
nwaf_log_mr_all

Activation of the parameter for recording information about all occurrences of blocking rules (attack signatures) in the Nginx software error log. By default, the parameter is deactivated (commented out). When a parameter is deactivated, only the signature is written to the error log of the Nginx software, which led to blocking the request or fixing the signature without further blocking (in the LM mode).

Using thenwaf_log_mr_all domain=example.com; parameter the record of the recorded occurrances will do only for specific domain. For the domain option it is possible to use wildcard value.

nwaf_check_bot_name

This parameter is used for defining search engine robots. Blocked requests that fall under the parameter do not increase the value of the rate counter and cannot cause the IP address to be blocked. The first parameter value is defined in the User-Agent zone. The second parameter value defines the host name obtained by reverse IP address conversion. If the second value is not set, it is considered equal to the first one.

Example:

nwaf_check_bot_name "example.com" "example.net";
nwaf_check_bot_name "example.com";
nwaf_check_bot_name "bingbot" "msn.com";
nwaf_check_bot_name "yandex.ru";
nwaf_geoip_db_path*

The parameter defining the location of the file with the GeoIP2 base. Used by the extended locking mechanism.

Example:

nwaf_geoip_db_path /opt/geoip/GeoLite2-Country.mmdb;

For correct operation, it is necessary to grant the Nginx web-server access to read the specified file.

* Not used in Nemesida WAF Free.

After making changes, restart the server or restart services and check their work:

# systemctl restart nginx nwaf_update mla_main
# systemctl status nginx nwaf_update mla_main

The nwaf_update service is responsible for obtaining the signatures of the Nemesida WAF module (/etc/nginx/nwaf/rules.bin). To test the signature method of detecting attacks, when sending a request to http://YOUR_SERVER/nwaftest, the server must return a 403 response code.

The Nemesida WAF module processes only the request transmitted to the final application. If the settings of the Nginx software prevent the transmission of calls (returning, for example, a 301 or 403 response code), such requests will not be processed by the Nemesida WAF module.

If the signature set would be changed on the server nemesida-security.com nwaf_update service will automatically update rules.bin file and apply the changes. If the nwaf_update service is deactivated during the signature set updating on the server, the download of the new version of signature set will be after the service nwaf_update starts.

Optional header $nwaf_block_type

Nemesida WAF allows to use special header, which determinative the result of the request processing. To activate it required to add parameter add_header NemesidaWAF-BT $nwaf_block_type always; into http, server or location area of the nginx configuration file.

Example of using the header

  • Set the header into the server area: 
    server {
   ...
   add_header NemesidaWAF-BT $nwaf_block_type always;
   ...
}

    and restart nginx.

  • Execute the request: curl -i localhost/nwaftest.

The server’s answer will contain the information about the status of the request processing in the NemesidaWAF-BT header:

HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Wed, 12 Feb 2020 19:05:26 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive
NemesidaWAF-BT: 2
...

In this case the status is 2. It means that the request was blocked because of the attack’s signature entry with the score equal to 12 (nwaftest). More information about the request processing status is available in the corresponding paragraph. This header can be useful during the generation of the customized page of the server answer (for example if the request is blocked).

Other information

LM mode features
The request that falls under the action of the nwaf_ip_lm, nwaf_host_lm or LM parameters and has BT 0 (request processing status) does not blocked, but will be included in the training sample.

The request that falls under the signature with a score (digital significance indicator) equal to 12, in the LM mode, will be transmitted to the Nemesida WAF API module, as well as to other query analysis subsystems.

If the request with score equal to 12 does not fall under the LM mode, the request will be blocked by signature analysis with transmission to the Nemesida WAF API module, but without processing by other request analysis subsystems.

Setting up the Nemesida AI module

Behavioral models accuracy
To create high quality models it is not recommended to make vulnerability web application scanning and to send other illegitimate requests during the models training. After the first training it is recommended to re-train the models. False positives are controlled using Nemesida WAF Signtest module.
Storing behavioral models
Behavioral models created by the Nemesida AI MLC module are transmitted to the remote Nemesida AI MLS server and automatically propagated to all running instances of Nemesida AI MLA and Nemesida AI MLC in accordance with the WAF ID.

Nemesida AI MLA

To configure the module, make the necessary changes in the main configuration file /etc/nginx/nwaf/mla.conf.

mla.conf parameters
Default parameter
Parameter description
[main]
Section is responsible for the general settings Nemesida AI MLA.
[st]
Section is responsible for interaction with the Nemesida WAF Signtest.
st_enable
Sending disputed requests to the Nemesida WAF Signtest server for post-processing.

Disputed requests are defined as follows:
– if the signature analysis determined the request as illegitimate, and the Nemesida AI MLA module determined it as legitimate;
– if the signature analysis determined the request as legitimate, and the Nemesida AI MLA module determined it as illegitimate.

st_uri
Nemesida WAF Signtest server URI for processing Nemesida AI results.

The Nemesida AI MLA module loads models according to the list obtained from the Nemesida AI MLC module (vhosts_list parameter in the mlc.conf file).

Nemesida AI MLC

To configure the module, make the necessary changes to the configuration file /opt/mlc/mlc.conf.

mlc.conf parameters to operate in normal mode
Default parameter
Parameter description
[main]
Section is responsible for the general settings Nemesida AI MLC.
vhosts_list
A list of domain names used as virtual hosts for which behavioral models need to be created.

Wildcard values can be used. The model in the request is applied in the following order of priority from highest to lowest:

1. vhosts_list = example.com – building and applying a model for the certain domain;
2. .example.com – building and applying a model for the domain .example.com and its subdomains;
3. *.example.com – building and applying the model only for subdomains *.example.com, excepting the main domain example.com;
4. * – building and applying the model for the rest domains.

Example: 

vhosts_list = example.com 1.example.com 2.example.com

– building and applying models for the listed virtual hosts.

It is not allowed to use example.com and .example.com together. If you want to use one model for a domain and another for its subdomains, then use example.com and *.example.com.

Example:

vhosts_list = example.com *.example.com

When applying behavioral models to a request, the domain level is taken into account, that is, the model corresponding to the virtual host from the request will be applied, and if it is not present, the model that includes this domain will be applied.

So, for a request with a domain name b.example.com the model will be applied b.example.com, if there is no such model — example.com, if there is no such model, then the model *.example.com.

You can change the model training period by setting a list of domain names: x:example.com, where x is the training period in days. For example, 5:example.com – model training will last 5 days.

ai_extra
Activation or deactivation of the additional requests analysis functional allows to detect missing attacks and make temporary blocking of their source using IP address.
api_uri
Nemesida WAF API address for sending information about models’ learning status. With parameter api_uri = none the information will not be sent.
nwaf_license_key
Installing the license key Nemesida WAF on a dedicated server. You must not use this setting if you work on the same server as the Nemesida WAF is or if you work in Multipoint Mode.

Example:

nwaf_license_key = 1234567890
[run]
Section is responsible for the parameters of the connection to RabbitMQ local server.
rmq_host
Parameters for connecting to the RabbitMQ service. You can use multiple values separated by a space.

Example:

rmq_host = guest:guest@192.168.0.1 guest:guest@192.168.0.2
rmq_host_local
Parameters for connecting to the RabbitMQ service for local queue placement.

Example:

rmq_host_local = guest:guest@127.0.0.1

If this parameter is omitted, the following values will be used: guest:guest@127.0.0.1.

[proxy]
Section is responsible for the settings of the connection to proxy server.
sys_proxy

Configure of the proxy server address for request to nemesida-security.com:443 (check of license key, loading of behavioral models).

Example:

sys_proxy = http://proxy.example.com:3128
api_proxy
Configure of the proxy server address for request to Nemesida WAF API and Nemesida WAF Signtest.

Example: 

api_proxy = http://proxy.example.com:3128

If the parameters have no values, the module will try to use the parameters from the nwaf.conf file.

[mls]
Section is responsible for transmitting traffic to a remote server for the purpose of further analysis and building behavioral models. To use this functionality, please contact technical support.
mls_enable
Activation of the mechanism for transmitting the analyzed traffic to the Nemesida WAF MLS server. By default, the functionality is deactivated.
[ddos]
The section responsible for the functionality of detecting denial of service attacks (DDoS attacks) at the application level.
enable
Activation/deactivation of the DDoS attack detection functional.
wl_ip
The parameter that defines the path to a file in which IP addresses are specified in the 1.2.3.4 format, for which the DDoS detection functionality will be disabled. Each subsequent value is indicated with a space.

Changes to files are applied automatically without restarting Nemesida AI MLC.

wl_url
The parameter defining the path to the file in which the addresses are specified both in the vhost format and in the vhost/path format, where:

vhost – the name of the virtual host for which the DDoS detection functionality will be disabled.
path – resource address entry.

For virtual host are allowed wildcard values.

Example:

example.com
.example.com
*.example.com
example.com/auth

Changes to files are applied automatically without restarting Nemesida AI MLC.

interval
The time interval of the segment (window) during which the analysis of requests is performed.
latest_only
Activation of sending only the last blocked request for each IP address to the Nemesida WAF API. If set to false, the Nemesida WAF API passes all blocked requests for each IP address.
send_possible
Activation of the mechanism for sending requests with the Possible DDoS type to the Nemesida WAF API. If the value is false, requests to the Nemesida WAF API will not be transmitted.
The prefix Possible is added to the name of the attack if its type has not been reliably established.
[brute]
The section responsible for the brute force detection function. Revealing of values ​​is performed in the ARGS and/or BODY areas.
enable
Activation/deactivation of the brute force attack detection functional.
wl_host
The parameter that allows you to deactivate the brute force attack detection functionality for specific virtual hosts. You can use wildcard values.

Examples:
wl_host = example.com .example.org *.example.us

Parameter changes are applied automatically, without restarting Nemesida AI MLC.

interval
The time interval of the segment (window) during which the analysis of requests is performed.
max_val
The number of requests that, when reached, block the source(s) of the attack.
brute_detect
The parameter that defines the path to the file where user needs to set addresses for detection brute force attacks in the format vhost/path, where path is the occurrence of the resource address on the web server. You can use wildcard values for a virtual host. For example:

example.com/auth
.example.com/auth
*.example.com/auth

Thus, when the value is set example.com/auth brute force attacks will be monitored for both example.com/auth, and for example.com/auth/reset_password.

This parameter is used to detect brute force attacks, but it does not block repeated requests (when the content in the ARGS or BODY zones is passed several times).

For addresses not specified in the file, brute force attacks are not detected. Changes to files are applied automatically without restarting Nemesida AI MLC.

flood_detect
The parameter has a similar functionality to the brute_detect parameter, but it is intended for detecting flood attempts or similar attacks with repeated requests. The only difference is that during the analysis of requests that fall under the action of the flood_detect parameter, duplicates are not deleted.

Thus, in the case of repeated sending of identical requests (for example, multiple attempts to recover the password via SMS), requests that have similar content and fall under the action of the flood_detect parameter will not be deleted, unlike requests that have similar content but fall under the action of the brute_detect parameter.

For addresses not specified in the file, flood attempts are not detected. Changes to files are applied automatically without restarting Nemesida AI MLC.

latest_only
Activation of sending only the last blocked request for each IP address to the Nemesida WAF API. If set to false, the Nemesida WAF API passes all blocked requests for each IP address.
send_possible
Activation of the mechanism for sending requests with the Possible Brute force/Possible Flood type to the Nemesida WAF API. If the value is false, requests to the Nemesida WAF API will not be transmitted.
The prefix Possible is added to the name of the attack if its type has not been reliably established.
[st]
Section responsible for the interaction with Nemesida WAF Signtest module of training management.
st_enable
Sending disputed requests received from the Nemesida WAF module using RabbitMQ to the Nemesida WAF Signtest server for post-processing.

Disputed requests are defined as follows:
– if the signature analysis determined the request as illegitimate, and the Nemesida AI MLC module was defined as legitimate;
– if the signature analysis determined the request as legitimate, and the Nemesida AI MLC module was defined as illegitimate.

st_uri
Nemesida WAF Signtest server URI for sending disputed requests. When using the local version of Nemesida WAF Signtest, change the URI of the parameter.
[training]
Learning process management section.
dataset_limit
Sets the maximum number of unique queries included in the training sample.
Multipoint Mode

Nemesida AI MLC is required to 32 GB of free RAM. If you use several services with Nemesida WAF module you are able to save hardware resources using Point-to-Multipoint scheme (one server with installed Nemesida AI MLC module interacts with servers with installed Nemesida WAF module).

Components are used in Multipoint Mode:

  • Servers with installed Nemesida WAF and RabbitMQ, which have 2-4 GB of RAM for every of them;
  • Server with installed Nemesida AI MLC and RabbitMQ, which have 32 GB of RAM.

On the server with installed Nemesida WAF

- Create service’s user RabbitMQ:

# rabbitmqctl add_user USER PASSWORD
# rabbitmqctl set_permissions -p / USER ".*" ".*" ".*"

where USER and PASSWORD are username and password to connect Nemesida AI MLC module.

- Make changes to the file /etc/rabbitmq/rabbitmq-env.conf:

NODE_PORT=5672
export RABBITMQ_NODENAME=rabbit@localhost
export RABBITMQ_NODE_IP_ADDRESS=0.0.0.0
export ERL_EPMD_ADDRESS=127.0.0.1

- Permit accesses from the server where Nemesida AI MLC installed to the port 5672 (TCP).
- Complete settings of RabbitMQ:

# service rabbitmq-server restart

On the server with installed Nemesida AI MLC

Create additional configuration files in the /opt/mac/conf/ directory by copying the /opt/mlc/mlc.conf file. Make changes to the new configuration files for working with the remote RabbitMQ server. After making the changes, restart the service:

# service mlc_main restart
# service mlc_main status

In additional configuration files, nwaf_license_key is a required parameter. The license key used in the Nemesida AIMLC settings and the deleted Nemesida WAV must have the same WAF ID. If you are using additional configuration files, we recommend deleting the /opt/mlc/mlc.conf file.

Using RabbitMQ's mode services Nemesida AI MLC will collect requests with following models training as if it worked in normal mode.

Using the Nemesida AI MLS cloud server
The cloud server Nemesida AI, located in the Pentestit infrastructure, is designed to generate behavioral models based on a copy of traffic received from remote servers. The cloud server is used in cases when the user of the Nemesida WAF software does not have enough RAM for the Nemesida AI MLC module (it requires up to 32 GB). To use the capabilities of the cloud server Nemesida AI, contact technical support.

After making the changes, restart the service:

# service mlc_main restart
# service mlc_main status

Nemesida AI behavioral model management

Nemesida AI models retraining

To improve the accuracy of attack detection, it is recommended to re-train models once a week. For that you need to add the ^ symbol to virtual host.

Example:

vhosts_list = example.com^

Restart the service after changes:

# service mlc_main restart

After retraining the models, it is recommended to delete the exported BT 12 queries (available on the False Positive page of the module web interface Nemesida WAF Signtest). When training models for a virtual host, BT 12 requests will be included in the training set and will not be required further.

Nemesida AI behavioral models training period increase

Main method

For the correct construction of models, about 400.000-800.000 unique requests are required. By default, the training period is limited to four days. You can change the model training period directly by setting a list of domain names in the vhosts_list parameter in mlc.conf: x:example.com, where x is the training period in days. For example, 5:example.com – model training will last 5 days.

Restart the service after changes:

# service mlc_main restart
Additional method

If you need to extend the training period for the required number of requests, follow these steps:

1. Stop the service Nemesida AI MLC:

# service mlc_main stop

2. Rename the file /opt/mlc/ml/[vhost]_[timestamp].db, where [timestamp] – The starting date of model training, from which the training period is calculated. For example, to increase the models building period by five days, it is necessary to increase the timestamp values for the same period:

# mv /opt/mlc/ml/example.com_1587416400.db /opt/mlc/ml/example.com_1587848400.db

3. Run the service Nemesida AI MLC:

# service mlc_main start

Additional training of models using backup copy of the training sample

For the correct construction of models, about 400.000-800.000 unique requests are required. If the number of requests was insufficient during training, then you can restart it and use the requests from the previous sample. To do this, follow these steps:

1. Stop the service Nemesida AI MLC:

# service mlc_main stop

2. Move the file /opt/mlc/ml/backup/[vhost].d_[timestamp], where [timestamp] – the date of creation of a backup copy of the training sample created by Nemesida AI MLC, before starting to build the model, in /opt/mlc/ml/[vhost].d. For example, for the model example.com:

# mv /opt/mlc/ml/backup/example.com.d_1613587613 /opt/mlc/ml/example.com.d

3. Start training. To do this, add the ^ symbol to the virtual host value. Example: vhosts_list = example.com^.

Run the service Nemesida AI MLC:

# service mlc_main start

After the training period is completed (the default is 4 days, the period can be changed), the behavioral model will be created based on requests from the common dataset.

Nemesida AI models removing

If the behavioral models are not trained correctly or there are significant changes in the web application that lead to a lot of false positives, it is recommended deleting the models. To do this, send a request to support@nemesida-security.com. In the request, specify the license key used in Nemesida WAF.

Training sample for building behavioral models

Queries detected as BT 1, BT 2, BT 3 or BT 4 are not added to the training sample, even if they fall under the LM mode.

When ai_extra mode is enabled, queries detected by the Nemesida AI MLC module as illegitimate are not added to the training sample.

Configuring interaction with ClamAV software
After installing Nemesida WAF package the functionality of interaction with ClamAV software is disabled by default, since it can be a source of false blocking of some requests to the Web application (depending on the current state of the ClamAV signature analysis database). Use this functionality at your discretion.

To activate antivirus protection, install ClamAV software on the server with the configured Nemesida WAF software, if it has not done yet.

Installation example for Debian 9 OS:

# apt install clamav-daemon

The interaction with the ClamAV software is enabled by activating the nwaf_clamav configuration parameter in the /etc/nginx/nwaf/conf/global/nwaf.conf file and reduction of the /etc/clamav/clamd.conf file to a look:

...
TCPSocket 3310
TCPAddr   127.0.0.1
...

After changing restart the Nginx software.

Using Nemesida WAF in IDS mode
It is necessary to set up traffic mirroring from the main web server (through which calls to the web application are made)to the server with the installed Nemesida WAF software, to working Nemesida WAF in IDS mode. You must make changes to the files on every server:

1. On the main server (without the Nemesida WAF module installed), configure traffic mirroring according to the guidelines of the installed web server (Nginx, Apache2, Microsoft IIS and others).

An example of Nginx setting for traffic mirroring

If using the Nginx web server, make the necessary changes to the virtual host file:

location / {
    mirror /mirror;
    ...
}

location = /mirror {
    internal;
    proxy_pass http://nemesida_waf_server$request_uri;
}

where nemesida_waf_server is the address of the server with the Nemesida WAF module installed, to which duplicate traffic will be transmitted.

2. On the server with the installed Nemesida WAF module, bring the configuration file of the virtual host Nginx to the form:

server {
        listen  80;
        index   index.html;
        root    /var/www/html;
        try_files $uri $uri/ /index.html;
}

3. On the server with the Nemesida WAF module installed, create the /var/www/html directory and place an empty index.html file in it.

4. On the server with the Nemesida WAF module installed, bring the /etc/nginx/nwaf/conf/global/nwaf.conf file to the form:

...
nwaf_limit rate=5r/m block_time=0;
...

5. After changing restart the Nginx on every server.

Using Nemesida WAF in reverse proxy mode

To use a web server with installed Nginx and Nemesida WAF as an intermediate server, you should create corresponding file of the virtual host (for example /etc/nginx/conf.d/example.com.conf).

Example of the virtual host file
server {
        server_name  site.example.com;
        listen 80;

        location / {
                proxy_pass http://192.168.0.1;
        }
}

where 192.168.0.1 is the address of destination server with the web application.

More information is available on the official page of the Nginx documentation.

Nemesida WAF work in cluster work (active/active)

For Nemesida WAF to work in a cluster, all license keys used must have a single WAF ID (identifier that allows to combine different license keys into a group). To group license keys into a single WAF ID, send a request to support@nemesida-security.com.

Behavioral models of machine training, as well as FP requests exported via the Nemesida WAF Signtest functionality, will be automatically downloaded to all instances of the cluster in accordance with WAF ID. For a more accurate detection of attacks, it is recommended to use one installed instance of the Nemesida AI MLC module at one time.

When using Nemesida WAF as a cluster solution in active/active mode, you must:
1. Organize synchronization of Nemesida WAF configuration files (the /etc/nginx/nwaf/ directory by default, excluding the objects /etc/nginx/nwaf/rules.bin and /etc/nginx/nwaf/ml/) with all installation instances. Synchronization should be done after each modification implementation to the configuration files.

Example of synchronization using rsync utility
# rsync -az --no-perms --no-owner --no-group --exclude "/ml/" --exclude "/rules.bin" /etc/nginx/nwaf/ root@%remote_server_address%:/etc/nginx/nwaf/

2. After synchronizing the objects, it is necessary to update the parameters in the /etc/nginx/nwaf/conf/global/nwaf.conf file on each installed instance of the Nemesida WAF dynamic module:

  • nwaf_license_key (necessarily);
  • nwaf_api_proxy and nwaf_sys_proxy (optionally).

3. After modifications, you must restart the services:

# nginx -t && systemctl reload nginx 
# systemctl restart nwaf_update mla_main

Signature management

There is a support of custom set of signatures rules (signature, RL) and signature exception rules (exclusion rule, WL) in Nemesida WAF and Nemesida WAF Free.

Zones and additional conditions

During the creation of RL or WL rules special parameters can be used:

  • zones: URL, ARGS, BODY, HEADERS, Cookie, User-Agent, Content-Type, etc.;
  • conditions of using the rule (additional condition, specification of the zone): $URL, $ARGS, $BODY, $HEADERS, $Cookie, $User-Agent, etc.

Using zones and additional conditions allows to concretize maximally the creating rule. Additional conditions are set by adding prefix $ (for example: "Z:...|$URL:...").

An example of using the rule with zone and additional condition: WL ... "Z:ARGS|$URL:/123"; – the rule will work, if the entry zone of the RL rule will be ARGS zone and URL will contain an entry /123.

Several parameters (zones, additional conditions) in one rule must be separated with the character |, the following principle of interaction will be used:

  • zones interact using the logical principle OR, for example: Z:URL|ARGS;
  • zones interact with additional conditions using the logical principle AND, for example: Z:URL|$ARGS:123;
  • additional conditions interact using the logical principle AND, for example: Z:...|$ARGS:123|$BODY:123".

When used in the additional conditions | as a regular character, it is necessary to make its single shielding. For example: $URL:abc\|d – search for the occurrence of abc|d.

Regular expressions in the additional conditions

It is possible to use regular expressions in the additional conditions. This requires to add to the additional condition postfix _X (for example: "Z:...|$URL_X:\w+").

For use regular expression operators in a rule as regular characters (/, ., *, ?, !, {, }, [, ], (, ), ^, $, :, \, etc.), they must be double shielding. For example:

  • $BODY_X:block\\|page – search of an entry block|page;
  • $BODY_X:data=\\(block-\\\a\\\-in-the-main\\) – search of an entry data=(block-\a\-in-the-main);
  • $ACCEPT_X:image\\/webp\\\\\* – search of an entry image/webp\* in Accept headers.

For use in additional conditions the separator as a metacharacter of a regular expression it is necessary to shield it double. For example: the rule WL ... "Z:...|$URL_X:/(a\\|b)/"; will bring to URL which contains /a/ or /b/.

User-defined signature creation

The user-defined rules of detecting attack signs must be placed in the main configuration file Nemesida WAF (/etc/nginx/nwaf/conf/global/nwaf.conf). They must be determined by the RL parameter, must have ID ranging from 50000 to 99999 and take the following form:

RL ID:50000 "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50001 domain=example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50002 domain=.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50003 domain=*.example.com "P:select from" "SC:SQL:12" "Z:ARGS";
RL ID:50004 "PX:select\s+from" "SC:SQL:12" "Z:ARGS|$URL:/admin";
RL ID:50005 "P:select from" "SC:SQL:12" "Z:ARGS|$URL:/(admin\\|dev)";

For signatures in the zone it is allowed to use the MLA value to force request sending into Nemesida AI MLA, that falls within the scope of the created signature if the score < 12 (by default requests with a score equal or greater than the value of the mla_score parameter are sent into Nemesida AI MLA).

Signature force sending into Nemesida AI MLA examples

Request contains an entry select from in any of four zones will be sent into Nemesida AI MLA:

RL ID:50005 "P:select from" "SC:SQL:1" "Z:MLA";

Request contains an entry select from in ARGS zone will be sent into Nemesida AI MLA:

RL ID:50006 "P:select from" "SC:SQL:1" "Z:ARGS|MLA";
Signature options
ID
The unique identifier for the rule. A range from 50000 to 99999 is available for creating your own rules. Required.
domain
Set the ownership of the rule to the domain. For the domain option it is allowed to use a wildcard value.
P/PX
Option defining the entry pattern (option P is used to denote a simple entry, option PX is a regular expression). Required.
SC
Setting the rule tag (Injection, XSS, UWA, Scanner, Evasion, Other or another) and the numerical value indicator (from 1 to 12). Required.

Requests that fall within the scope of the rules with an indicator value of 12 are blocked without being sent to other analysis subsystems. More information is available in the corresponding section.

Z

Zone application of the rule. To apply a signature to all zones, use the empty "Z:" parameter. Required.

To apply a signature to multiple zones, use the delimiter "Z:URL|BODY".

To force the request to the Nemesida AI MLA module use MLA value in rules application zone ("Z:MLA") while digital significance indicator (SC) must be less than 12.

To disable sending a request to the Nemesida AI MLA module, use the NoMLA value in the rule application area ("Z: NoMLA").

To disable IP address blocking due to the occurrence of a signature that has score = 12, use the value NoBan in the rule area ("Z:NoBan"). Entering a signature with such a zone does not reduce the nwaf_limit counter, meaning it does not block the IP address.

To clarify the zone, you can use additional options. For "Z:ARGS|$URL:/templates" the rule will work only in the ARGS zone with /templates parameter in URL.

For signatures in zone area, you can use the NoAPI value to disable sending a message to the Nemesida WAF API that falls under the action of the created signature. For all triggers of this signature, the message will not be sent to the Nemesida WAF API, but it will be blocked and written to the log file. This value is only used for signatures that have score = 12. For signatures with a different score, this value is ignored.

RL ID:50001 "P:select from" "SC:SQL:12" "Z:ARGS|URL|BODY|NoAPI";

For zone area you can use the LM value, which activates the LM mode for a request that falls under the action of the created signature. Each request that falls under the signature will not be blocked, but a corresponding message will be sent to the Nemesida WAF API about it, which is also recorded in the log file. The LM value is only used for signatures that have score = 12. For signatures with a different score, this value is ignored.

RL ID:50002 "P:select from" "SC:SQL:12" "Z:ARGS|URL|BODY|LM";

To reduce the number of false positives during the creation signature rules it is neсessary to specificate them maximally.

Creating a signature exclusion rule

In case the inquiry falls under action of a signature, in addition to sending the incident to the Nemesida WAF API, the following line will be displayed in the error log of the Nginx software:

Nemesida WAF: the request ххх contains a rule id 1 in zone HEADERS, ...

or, if the request contains a signature with a maximum allowable digital indicator of significance (score = 12):

Nemesida WAF: the request ххх blocked by rule id 1 in zone HEADERS, ...

where:

  • 1 – attack signature ID;
  • HEADERS – signature entry zone.

To display absolutely all occurrences of signatures in the request (if there are occurrences), including those occurrences that did not lead to the subsequent blocking of the request, activate the nwaf_log_mr_all; parameter, in the nwaf.conf file Nemesida WAF.

The information about current signature list is on the page rlinfo.nemesida-security.com.

Examples of creating attack signature exception rules

WL ID:1 "Z:"; – using these parameters, the entry of the rule with the identifier 1 will be excluded from all zones for all virtual hosts.

WL ID:1 "Z:ARGS|HEADERS"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the ARGS and HEADERS zones for all virtual hosts.

WL ID:1 "Z:ARGS|Cookie"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the ARGS and Cookie for all virtual hosts.

WL ID:1 domain=.example.com "Z:URL"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the URL zone for the virtual host example.com and its subdomains.

WL ID:1 domain=example.com "Z:URL|$URL:/index/index.php"; – using these parameters the entry of the rule with the identifier 1 will be excluded from the URL zone for the virtual host example.com for URI http://example.com/index/index.php.

WL ID:* domain=example.com "Z:ARGS"; – with these parameters, the ARGS zone of all requests to the virtual host example.com will be excluded from the signature analysis processing.

WL ID:* domain=example.com "Z:$URL:/test"; – using these parameters the entry of the rule all requests to example.com/test will be excluded from the signature analysis processing.

For security reasons, when creating exclusion rules, you need to specify them as much as possible.

Switching the blocking rules to LM mode

Requests that fall under the LM mode are recorded in the database, but are not blocked. When the rule is triggered, a message will be sent to the Nginx error log and to the Nemesida WAF API about switching the corresponding blocking rule to LM mode, but the request will not be blocked. The rules for switching to the LM mode must be defined by the LM parameter, have the ID of the corresponding blocking rule and take the following form:

Examples of creating rules for switching to LM mode
LM ID:1 "Z:URL"; – with these parameters, requests with occurrence the signature with the ID 1 in the URL zone will be switched to the LMmode;

LM ID:50001 "Z:URL"; – with these parameters, requests with the occurrence of a user-defined signature with the identifier 50001 in the URL zone will be switched to the LMmode;

LM ID:50002 domain=example.com "Z:URL"; – with these parameters, requests with the occurrence of a user-defined signature with the identifier 50002 in the URL zone will be switched to the LM mode for the domain example.com;

LM ID:50003 domain=*.example.com "Z:ARGS"; – with these parameters, requests with the occurrence of a user-defined signature with the identifier 50003 in the ARGS zone will be switched to the LM mode for the domain example.com and his subdomains.

Request processing statuses (BT)

Each request processed by the Nemesida WAF module is assigned a blocking identifier (BT – blocking type).
The identifier can be assigned regardless of whether the request was blocked.

The pivot table shows the types of identifiers and their corresponding request processing status.

0 The request was not blocked.
1 The request is blocked by signature method and the request did not contain any signature with the score = 12.
2 The request is blocked by signature method and the request contained a signature which has the score = 12.
3 The request is blocked by Nemesida AI MLA.
4 The request is blocked by ClamAV module.
5 The request is blocked because of the internal error.
6 The request is blocked because of the oversubscription of blocked requests from one IP address.
7 The request is detected like the brute force attempt and blocked by Nemesida AI MLC.
8 The request is blocked by Nemesida AI MLC (additional traffic analysis of all nonblocked requests by Nemesida WAF module) and is managed by ai_extra parameter in mlc.conf file.
9 The request is detected as a flood attempt and blocked by the Nemesida AI MLC.
10 The request is detected like the DDoS attacks and blocked by Nemesida AI MLC.

For BT 1, 2, 3, 4, 8 events, the nwaf_limit parameter in the nwaf.conf file allows you to adjust the allowed number of blocked requests. If the allowed number of requests specified by the rate option is exceeded, the IP address will be blocked for the time (in seconds) specified in block_time.

For BT 7, 9, 10 events the blocking of the IP address of the request source will occur after the first blocked request, regardless of the value of the rate parameter (the allowed number of blocked requests) in nwaf_limit.

Unlocking an IP address using captcha
If suspicious activity is detected, Nemesida WAF allows you to block the IP address of the source of requests for a certain time (the duration of the block is regulated by the nwaf_limit option in the nwaf.conf configuration file). Using the captcha functionality, the user can unlock their own IP address if it has been identified as a source of brute force attacks (BT 7), floods (BT 9) or denial of service attacks (BT 10).

For correct work of the IP address unlocking mechanism, you need to activate the nwaf_captcha_unban parameter by adding it in the virtual host file to the server section for a specific URL address. Example of activating the nwaf_captcha_unban parameter 

server {
    listen  80;
    server_name example.com;

    location /captcha_ip_unban_path {
             ...
             nwaf_captcha_unban on;
             ...
    }
    ...
}

Also, you need to setup a web application with a captcha. Detailed instructions for integrating Nemesida WAF with reCAPTCHA functionality can be found at link.

After activating the nwaf_captcha_unban on; parameter and restarting Nginx, the IP address unblocking functionality becomes available for the target URL address with the nwaf_captcha_unban option set. For example: example.com/captcha_ip_unban_path.

If the answer is correct, the web application with captcha sends a request delete_banned_ip to the Nemesida WAF module to unlock the IP address. The user will then be redirected to the original page.

For security reasons, it is recommended to allow requests to the server URL with the Nemesida WAF dynamic module installed and the nwaf_captcha_unban IP address unlocking parameter activated only from the IP address of the server with captcha.

Syncing the list of blocked IP addresses

Not used in Nemesida WAF Free.

The Nemesida WAF functionality allows you to automatically synchronize blocked IP addresses between servers. The IP address blocking time is determined by the nwaf_limit option in the nwaf.conf configuration file. To activate synchronization of blocked IP addresses on all servers that use this functionality, you must:

  • set the same values for the nwaf_limit and nwaf_sync_ban_ip_key parameters in the nwaf.conf file;
  • define the target URL for syncing using the nwaf_sync_ban_ip_host parameter in the nwaf.conf file.
  • define a path with the nwaf_ban_ip_sync on; parameter set in the virtual host file in the location section to get a list of blocked addresses, for example: 
    location /ban_ip_sync_path
{
    ...
    nwaf_ban_ip_sync on;
    ...
}

For security reasons, it is recommended to restrict access to the Blocked IP Address Synchronization Management interface to the list of allowed IP addresses to preventmanagement of Nemesida WAF work processes to unauthorized users.

Getting file with GeoIP2 base
The GeoIP2 base file provides IP-based geographic location information (identifying the country by the attacker’s IP address) and is used for the extended blocking mechanism. To obtain it, you must perform the following steps:

  • go to the address and select GeoLite2 Free Geolocation Data in the Products section;
  • register an account by filling in all required fields and providing a valid email address;
  • confirm the registration by clicking on the link from the email;
  • go to the Account Summary section in your personal account and follow the link Download Database;
  • on the page that opens, find GeoLite2 Country and download the archive by clicking on the link Download GZIP;
  • unpack the resulting archive to get the mmdb file with the base.

Error messages sources
During the Nemesida WAF operation the information about errors can be contained in:

  • system logs;
  • run-time journal of the Nginx software;
  • run-time journal of the RabbitMQ software;
  • run-time journal of the Nemesida WAF modules /var/log/nwaf/.
Technical support

Technical support of Nemesida WAF Free is on the forum only.

In case of unforeseen errors in the operation of the Nemesida WAF software, contact technical support by email (Mon-Fri from 10:00 to 19:00 time, GMT+3) or leave a message on the forum.