Installation and setup guide for the Nemesida WAF Signtest module, which is used to manage Nemesida AI machine learning.

Nemesida WAF Signtest is available as an API and as a web application. It is used to verify the operation of the Nemesida AI module.

Nemesida WAF Signtest installation

1. Install and configure packages:

Select the distribution: Debian, Ubuntu, CentOS, Docker or Virtual Appliance.

Debian

Install and configure PostgreSQL:

# apt install postgresql
# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""

Connect the repository (use the line that matches your release):

# apt install apt-transport-https gnupg2

Debian 10:
# echo "deb https://nemesida-security.com/repo/nw/debian buster non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

Debian 11:
# echo "deb https://nemesida-security.com/repo/nw/debian bullseye non-free" > /etc/apt/sources.list.d/NemesidaWAF.list

Install the packages:

# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-pip python3-venv python3-dev nginx memcached build-essential libpcre3-dev gcc postgresql-server-dev-all
# apt install nwaf-st

Ubuntu

Install and configure PostgreSQL:

# apt install postgresql
# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""
# apt install apt-transport-https gnupg2
Ubuntu 20.04
Connect the repository and install the packages:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu focal non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# wget -O- https://nemesida-security.com/repo/nw/gpg.key | apt-key add -
# apt update && apt upgrade
# apt install python3 python3-pip python3-venv python3-dev nginx memcached build-essential libpcre3-dev gcc postgresql-server-dev-all
Ubuntu 22.04
Connect the repository and install the packages:

# echo "deb [arch=amd64] https://nemesida-security.com/repo/nw/ubuntu jammy non-free" > /etc/apt/sources.list.d/NemesidaWAF.list
# curl -s https://nemesida-security.com/repo/nw/gpg.key | gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/trusted.gpg --import
# chmod 644 /etc/apt/trusted.gpg.d/trusted.gpg 
# apt update && apt upgrade
# apt install python3 python3-pip python3-venv python3-dev nginx memcached build-essential libpcre3-dev gcc postgresql-server-dev-all

Install Nemesida WAF Signtest:

# apt install nwaf-st

CentOS

Configure the SELinux policy or disable it with the command:

# setenforce 0

then bring the file /etc/selinux/config to the form:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
CentOS 8 Stream
Install and configure PostgreSQL:

# dnf install postgresql-server
# postgresql-setup initdb

# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql

# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""

Connect the repository, install the dependencies and Nemesida WAF Signtest:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-8-1-6.noarch.rpm
# dnf update
# dnf install python39 nginx memcached python39-devel python39-pip pcre pcre-devel gcc postgresql-devel
# dnf install nwaf-st

For Nemesida WAF Signtest to work correctly, check the server section in the nginx.conf file and, if it is not used, delete it to avoid redirects to the page specified there.

CentOS 9 Stream
Install and configure PostgreSQL:

# dnf install postgresql-server
# postgresql-setup initdb

# sed -i "s|host    all             all             127.0.0.1/32            ident|host    all             all             127.0.0.1/32            md5|" /var/lib/pgsql/data/pg_hba.conf
# sed -i "s|host    all             all             ::1/128                 ident|host    all             all             ::1/128                 md5|" /var/lib/pgsql/data/pg_hba.conf
# systemctl start postgresql
# systemctl enable postgresql

# su - postgres -c "psql -c \"CREATE DATABASE signtest;\""
# su - postgres -c "psql -c \"CREATE ROLE signtest PASSWORD 'YOUR_PASSWORD';\""
# su - postgres -c "psql -c \"GRANT ALL ON DATABASE signtest to signtest;\""
# su - postgres -c "psql -c \"ALTER ROLE signtest WITH LOGIN;\""

Connect the repository, install the dependencies and Nemesida WAF Signtest:

# rpm -Uvh https://nemesida-security.com/repo/nw/centos/nwaf-release-centos-9-1-6.noarch.rpm
# dnf update
# dnf install python3 nginx memcached python3-devel python3-pip pcre pcre-devel gcc postgresql-devel
# dnf install nwaf-st

For Nemesida WAF Signtest to work correctly, check the server section in the nginx.conf file and, if it is not used, delete it to avoid redirects to the page specified there.

Information about using Nemesida WAF in a Docker container is available in the corresponding section.
Information about using Nemesida WAF as a Virtual Appliance (virtual disk for KVM/VMware/VirtualBox) and Yandex VM is available in the corresponding section.

2. Edit the file /var/www/signtest/settings.py:

settings.py parameters:

Parameter                        Description
SECRET_KEY                       Security key (generated automatically during installation).
HTTP_PROXY                       Proxy server address for the connection, for example HTTP_PROXY_CONF = 'http://proxy.example.com:3128'.
RULES_PATH                       Path to the file rules.bin.
DB_HOST, DB_PORT, DB_NAME,       Parameters for connecting to the DBMS.
DB_USER, DB_PASS
SMTP_SERVER, SMTP_PORT,          Parameters for connecting to the SMTP server.
SMTP_LOGIN, SMTP_PASSWORD
SMTP_TO                          Address to which messages are sent.
MEMCACHED_HOST, MEMCACHED_PORT   Parameters for connecting to the Memcached server.

3. Allow network access:
– to the Memcached server at 127.0.0.1:11211;
– to the PostgreSQL server.
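A pre-flight check for steps 2 and 3, added here as an example; it is not part of Nemesida WAF. It reads the parameters listed above from settings.py without executing the file, reports values that were never changed from a placeholder, and tests TCP reachability of the PostgreSQL and Memcached servers. The sample settings text, the placeholder list and the rules.bin location are constructed assumptions; SMTP and proxy parameters are treated as optional.

```python
# Added example (not part of Nemesida WAF): pre-flight check for settings.py.
import ast
import socket

# Parameter names as listed on the page; proxy and SMTP ones are treated as optional (assumption).
REQUIRED = ("SECRET_KEY", "RULES_PATH", "DB_HOST", "DB_PORT", "DB_NAME",
            "DB_USER", "DB_PASS", "MEMCACHED_HOST", "MEMCACHED_PORT")
PLACEHOLDERS = {"", "YOUR_PASSWORD", "changeme"}   # assumed placeholder values to reject

# Constructed sample of a settings.py; values and the rules.bin path are assumptions.
SAMPLE_SETTINGS = """
SECRET_KEY = 'k3y-generated-during-install'
HTTP_PROXY_CONF = 'http://proxy.example.com:3128'
RULES_PATH = '/var/www/signtest/rules.bin'
DB_HOST = '127.0.0.1'
DB_PORT = 5432
DB_NAME = 'signtest'
DB_USER = 'signtest'
DB_PASS = 'YOUR_PASSWORD'
MEMCACHED_HOST = '127.0.0.1'
MEMCACHED_PORT = 11211
SMTP_TO = 'admin@example.com'
"""


def parse_settings(source):
    """Collect top-level NAME = <literal> assignments from settings.py source text.
    ast.literal_eval accepts only constants, so a tampered settings file cannot
    run code inside this checker (unlike importing or exec()-ing it)."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # not a plain literal (e.g. os.environ[...]): skipped on purpose
    return values


def find_problems(settings):
    """Return human-readable problems; an empty list means the file looks complete."""
    problems = [f"{name} is missing" for name in REQUIRED if name not in settings]
    for name in ("SECRET_KEY", "DB_PASS"):
        if str(settings.get(name, "")) in PLACEHOLDERS:
            problems.append(f"{name} still has a placeholder value")
    for name in ("DB_PORT", "MEMCACHED_PORT"):
        port = settings.get(name)
        if isinstance(port, str) and port.isdigit():
            port = int(port)  # a quoted port number is still usable
        if not isinstance(port, int) or not 0 < port < 65536:
            problems.append(f"{name} is not a valid TCP port")
    return problems


def tcp_reachable(host, port, timeout=2.0):
    """True when a TCP connection to host:port completes; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_backends(settings):
    """Reachability of the two servers step 3 requires, keyed by service name."""
    return {
        "postgresql": tcp_reachable(settings["DB_HOST"], int(settings["DB_PORT"])),
        "memcached": tcp_reachable(settings["MEMCACHED_HOST"], int(settings["MEMCACHED_PORT"])),
    }


def local_listener():
    """Listening socket on an ephemeral loopback port, used to demonstrate a reachable backend."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # On a real host read /var/www/signtest/settings.py instead of the constructed sample.
    settings = parse_settings(SAMPLE_SETTINGS)
    for problem in find_problems(settings):
        print("settings.py:", problem)
    for service, ok in check_backends(settings).items():
        print(f"{service}: {'reachable' if ok else 'NOT reachable'}")
```

Parsing the file with ast instead of importing it is deliberate: the checker can be run by an operator against a settings file it does not trust, and a connection that fails here will fail for the signtest services in the same way.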

4. Make migrations and create administrator:

# cd /var/www/signtest/app/ && . venv/bin/activate && python3 manage.py migrate && python3 manage.py createsuperuser && deactivate

To be able to reset the password later, enter an e-mail address when creating the administrator.

5. Activate the virtual host:

# mv /etc/nginx/conf.d/signtest.conf.disabled /etc/nginx/conf.d/signtest.conf
# nginx -t && service nginx reload

6. In the firewall settings, allow requests to port 80 (the port set by default in the file /etc/nginx/conf.d/signtest.conf).

7. Restart the server and check that the services are running:

# systemctl status signtest_ipinfo signtest_rlupd signtest_web signtest_api

If you are redirected when opening the Nemesida WAF Signtest page on CentOS 8 Stream, check the nginx.conf file and delete its server section.

For security reasons, it is recommended to restrict access to the Nemesida WAF Signtest web interface and to the Nemesida WAF Signtest API to a list of allowed IP addresses, so that unauthorized users cannot control Nemesida WAF processes.

Nemesida WAF Signtest integration
To integrate Nemesida WAF Signtest with Nemesida WAF software follow these steps:

1. On the server where the Nemesida WAF module is installed, edit the configuration file /etc/nginx/nwaf/mla.conf and set the parameter as follows:

st_uri = http://localhost:8088/nw/st/

where localhost:8088 is the address and port of the server where the Nemesida WAF Signtest module is installed.

2. On the server where the Nemesida AI MLC module is installed, edit the configuration file /opt/mlc/mlc.conf and set the parameter as follows:

st_uri = http://localhost:8088/nw/st/

3. After making changes, you must restart the services or restart the server.

Other information

Errors that occur during Nemesida WAF Signtest operation are written to the module's log files /var/log/uwsgi/signtest/*.log.

Using the Nemesida WAF Signtest module

The main page shows the following events received from the API and from the machine learning module:

BT 11 — the request was detected by signature method as an attack, but according to the Nemesida AI module’s decision was unblocked.
BT 12 — the request was blocked by Nemesida AI module and wasn’t detected as an attack by signature method.
BT 13 — the request was blocked by Nemesida AI module and signature method.

Events of type BT 11 and BT 13 are not passed to the Nemesida AI MLC module.

Exported “False Positive” requests will be considered by Nemesida AI as an example of a legitimate request. Exported requests are applied «on the fly».

The main page

All events from Nemesida AI are rendered on the main page («Attack») for further processing.


The search field is used to filter requests. It selects requests by the occurrence of a word (or words) and by special field operators.

Examples of search queries

Display requests with the IP address 1.2.3.4:

ip:1.2.3.4

Display requests with the domain example.com:

host:example.com

Display requests sent by the POST method:

method:post

Display requests with the identified vulnerability in the Body field:

mz:body

Display requests with the block type (BT) 12:

bt:12

Display requests with the ID 0a509eae749e62f2fe5c84:

request_id:0a509eae749e62f2fe5c84

Display requests with the commit date 11.05:

timestamp:11.05

Display requests containing the value csrf=1 in the Cookie:

cookie:csrf=1

Display requests containing the mozilla value in the User-Agent field:

ua:mozilla

Display requests containing example.com in the Referer field:

referer:example.com

Display requests containing example.com in the request header:

headers:example.com

Display requests containing /test in the URL:

url:/test

Display requests containing the string id=1 in the ARGS field:

args:id=1

Display all requests detected by the Nemesida AI MLC module:

agent:MLC

Display requests containing 1601403941 in the waf_id field:

waf_id:1601403941

Display requests from IP address 1.2.3.4 containing the string /test in the URL:

ip:1.2.3.4 and url:/test

Display requests containing the domain example.com and the request type POST:

host:example.com and method:post

Display requests with the block type (BT) 11 containing example.com in the Referer field:

referer:example.com and bt:11
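
The query syntax above, implemented as a small evaluator over constructed sample records. This is an added example, not Signtest's own search code: the page gives examples rather than a grammar, so which fields match exactly (the "with the ..." examples) and which by substring (the "containing ..." examples), the bare-word behaviour and the record layout are all assumptions.

```python
# Added example (not Signtest's own code): evaluator for the search syntax shown above.
import re
from dataclasses import dataclass, field

# "with the ..." examples are read as exact matches, "containing ..." ones as substring matches
EXACT_FIELDS = {"ip", "host", "method", "mz", "bt", "request_id", "agent", "waf_id"}
SUBSTR_FIELDS = {"timestamp", "cookie", "ua", "referer", "headers", "url", "args"}
TOKEN_RE = re.compile(r'(\w+):("[^"]*"|\S+)|(\S+)')


@dataclass
class Request:
    """One event as the main page would list it (constructed shape, not the real schema)."""
    ip: str
    host: str
    method: str
    url: str
    args: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""
    bt: int = 0              # BT 11/12/13 as described above
    mz: str = ""             # zone where the attack was found: url, args, body, ...
    request_id: str = ""
    timestamp: str = ""
    agent: str = "WAF"       # "MLC" when the Nemesida AI MLC module reported it
    waf_id: str = ""


def parse_query(query):
    """Split a query into (field, value) pairs; field is None for a bare word.
    The word 'and' between terms is accepted and dropped: every term is ANDed anyway."""
    terms = []
    for m in TOKEN_RE.finditer(query):
        name, value, bare = m.groups()
        if bare is not None:
            if bare.lower() != "and":
                terms.append((None, bare))
            continue
        name = name.lower()
        if name not in EXACT_FIELDS | SUBSTR_FIELDS:
            raise ValueError(f"unknown search field: {name}")  # strict by assumption
        terms.append((name, value.strip('"')))
    return terms


def field_value(req, name):
    """Text of one searchable field; header-derived fields come from the headers dict."""
    if name == "ua":
        return req.headers.get("User-Agent", "")
    if name == "referer":
        return req.headers.get("Referer", "")
    if name == "cookie":
        return req.headers.get("Cookie", "")
    if name == "headers":
        return "\n".join(f"{k}: {v}" for k, v in req.headers.items())
    return str(getattr(req, name))


def term_matches(req, name, value):
    if name is None:  # bare word: case-insensitive search across every field and the body
        haystack = " ".join(field_value(req, f) for f in sorted(EXACT_FIELDS | SUBSTR_FIELDS))
        return value.lower() in (haystack + " " + req.body).lower()
    actual = field_value(req, name).lower()
    return actual == value.lower() if name in EXACT_FIELDS else value.lower() in actual


def search(requests, query):
    """Records that satisfy every term of the query."""
    terms = parse_query(query)
    return [r for r in requests if all(term_matches(r, n, v) for n, v in terms)]


SAMPLE = [  # constructed records, not real traffic
    Request(ip="1.2.3.4", host="example.com", method="POST", url="/test", args="id=1",
            headers={"User-Agent": "Mozilla/5.0", "Referer": "https://example.com/", "Cookie": "csrf=1"},
            body="q=' or 1=1", bt=12, mz="body", request_id="0a509eae749e62f2fe5c84",
            timestamp="11.05 10:01:02", agent="MLC", waf_id="1601403941"),
    Request(ip="5.6.7.8", host="shop.example.org", method="GET", url="/index",
            headers={"User-Agent": "curl/8.0"}, bt=11, mz="url", request_id="ff00aa",
            timestamp="12.05 09:00:00"),
    Request(ip="1.2.3.4", host="example.com", method="GET", url="/login", args="next=/test",
            headers={"User-Agent": "Mozilla/5.0", "Referer": "https://example.com/login"},
            bt=13, mz="args", request_id="c0ffee", timestamp="11.05 11:11:11"),
]

if __name__ == "__main__":
    for q in ("ip:1.2.3.4 and url:/test", "host:example.com and method:post",
              "referer:example.com and bt:11", "ua:mozilla", "curl"):
        print(f"{q!r:40} -> {[r.request_id for r in search(SAMPLE, q)]}")
```

Note that a field restriction such as url:/test looks only at the URL: the third sample record carries /test in ARGS, so ip:1.2.3.4 and url:/test returns the first record alone, while the bare word /test would return both.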

Navigation bar functions:
– deletion of the tagged records;
– switching between the tables («Attack», «False Positive»);
– status indicator of the file «rules.bin».

Record management functions of the main page:
– export of the request into the table;
– deletion of the marked request;
– editing of the request content followed by export into the table;
– display of extended information about the request;
– checking the request using the signature method.