diff --git a/www/mod_security/Makefile b/www/mod_security/Makefile
index 93992f953db4..422a359bdf8c 100644
--- a/www/mod_security/Makefile
+++ b/www/mod_security/Makefile
@@ -1,84 +1,82 @@ PORTNAME= mod_security +PORTVERSION= 2.9.10 DISTVERSIONPREFIX= v -PORTVERSION= 2.9.6 CATEGORIES= www security -MASTER_SITES= https://github.com/SpiderLabs/ModSecurity/releases/download/v${PORTVERSION}/ PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX} -DISTNAME= ${PORTNAME:S/_//:S/2//}-${PORTVERSION} MAINTAINER= joneum@FreeBSD.org COMMENT= Intrusion detection and prevention engine WWW= https://www.modsecurity.org/ LICENSE= APACHE20 -LIB_DEPENDS+= libpcre.so:devel/pcre \ +LIB_DEPENDS+= libpcre2-8.so:devel/pcre2 \ libapr-1.so:devel/apr1 \ libyajl.so:devel/yajl \ libcurl.so:ftp/curl \ libgdbm.so:databases/gdbm \ libexpat.so:textproc/expat2 -USES= apache bdb gnome perl5 pkgconfig shebangfix +USES= apache bdb:18 gnome perl5 pkgconfig shebangfix autoreconf libtool:build +USE_GITHUB= yes +GH_ACCOUNT= owasp-modsecurity +GH_PROJECT= ModSecurity USE_GNOME= libxml2 GNU_CONFIGURE= yes SHEBANG_FILES= tools/rules-updater.pl.in mlogc/mlogc-batch-load.pl.in perl_OLD_CMD= @PERL@ AP_INC= ${LOCALBASE}/include/libxml2 AP_LIB= ${LOCALBASE}/lib MODULENAME= mod_security2 SRC_FILE= *.c PORTDOCS= * DOCSDIR= ${PREFIX}/share/doc/${MODULENAME} SUB_FILES+= pkg-message SUB_FILES+= README SUB_FILES+= ${APMOD_FILE}.sample APMOD_FILE= 280_${PORTNAME}.conf SUB_LIST+= APMOD_FILE=${APMOD_FILE} OPTIONS_DEFINE= DOCS FUZZYHASH LUA MLOGC OPTIONS_SUB= yes LUA_CONFIGURE_ON= --with-lua=${LOCALBASE} LUA_CONFIGURE_OFF+= --without-lua LUA_USES= lua:51+ MLOGC_DESC= Build ModSecurity Log Collector MLOGC_CONFIGURE_ON= --disable-errors MLOGC_CONFIGURE_OFF= --disable-mlogc FUZZYHASH_DESC= Allow matching contents using fuzzy hashes with ssdeep FUZZYHASH_CONFIGURE_ON= --with-ssdeep=${LOCALBASE} FUZZYHASH_CONFIGURE_OFF=--without-ssdeep FUZZYHASH_LIB_DEPENDS= libfuzzy.so:security/ssdeep ETCDIR= ${PREFIX}/etc/modsecurity REINPLACE_ARGS= -i "" AP_EXTRAS+= -DWITH_LIBXML2 -CONFIGURE_ARGS+=--with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE} - -post-patch: - @${REINPLACE_CMD} 
-e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure +CONFIGURE_ARGS+=--with-apxs=${APXS} --with-pcre2=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE} pre-install: @${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR} post-install: @${MKDIR} ${STAGEDIR}${ETCDIR} ${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \ ${STAGEDIR}${ETCDIR}/modsecurity.conf.sample ${INSTALL_DATA} ${WRKSRC}/unicode.mapping \ ${STAGEDIR}${ETCDIR}/unicode.mapping @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC} && ${COPYTREE_SHARE} doc ${STAGEDIR}${DOCSDIR}) ${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR} @${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEETCDIR}/modules.d ${INSTALL_DATA} ${WRKDIR}/${APMOD_FILE}.sample ${STAGEDIR}${PREFIX}/${APACHEETCDIR}/modules.d .include diff --git a/www/mod_security/distinfo b/www/mod_security/distinfo index 950e40698d76..063cf2ff129a 100644 --- a/www/mod_security/distinfo +++ b/www/mod_security/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1662714949 -SHA256 (modsecurity-2.9.6.tar.gz) = 626a831aca92cdff73ea68a85b7f5c105d9a15365fa270fbed3139a81eaf3344 -SIZE (modsecurity-2.9.6.tar.gz) = 4316582 +TIMESTAMP = 1749190237 +SHA256 (owasp-modsecurity-ModSecurity-v2.9.10_GH0.tar.gz) = d18bf74fa2073a6aad8e08a6f46c1eaac6c1841afb0b309b3acc54788a0b05d0 +SIZE (owasp-modsecurity-ModSecurity-v2.9.10_GH0.tar.gz) = 3901245 diff --git a/www/mod_security/files/README.in b/www/mod_security/files/README.in index 9c13fcd1248e..c18d7e419348 100644 --- a/www/mod_security/files/README.in +++ b/www/mod_security/files/README.in 
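Review bot: The LUA option loses its `post-patch` rewrite of `lua5.1` to `lua-${LUA_VER}` in `${WRKSRC}/configure` with nothing taking its place, while `LUA_USES= lua:51+` and `LUA_CONFIGURE_ON= --with-lua=${LOCALBASE}` stay as they were. A build against a Lua newer than 5.1 therefore depends on whatever library names the regenerated configure searches for, which the hunk does not show. Now that `autoreconf` is in `USES`, an edit to the generated script would presumably be overwritten, so if 2.9.10 still needs the substitution it likely belongs in the m4 input rather than in `configure`. If the detection was verified with the option enabled, record that next to it, e.g. `# 2.9.10 configure finds lua-${LUA_VER} itself; the old lua5.1 rewrite is not needed`. Otherwise a module that configures without Lua may leave Lua-scripted rules unavailable on hosts that rely on them, which a test build with LUA on would rule out.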
@@ -1,89 +1,93 @@ Configuring ModSecurity on FreeBSD ---------------------------------- To enable ModSecurity in Apache, follow the instructions in %%PREFIX%%/%%APACHEETCDIR%%/modules.d/%%APMOD_FILE%% ModSecurity has various configuration options. To change them, edit the following file: %%ETCDIR%%/modsecurity.conf Getting the Core Rule Set ------------------------- ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it. pkg install git cd %%ETCDIR%% - git clone https://github.com/SpiderLabs/owasp-modsecurity-crs - cp owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example \ - crs.conf + git clone https://github.com/coreruleset/coreruleset.git + cp coreruleset/crs-setup.conf.example \ + crs-setup.conf -The CRS has various config options. To change them, edit crs.conf. +The CRS has various config options. To change them, edit crs-setup.conf. To activate the CRS base rules, add the following to your httpd.conf: - Include etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf + IncludeOptional %%ETCDIR%%/coreruleset/crs-setup.conf + IncludeOptional %%ETCDIR%%/coreruleset/plugins/*-config.conf + IncludeOptional %%ETCDIR%%/coreruleset/plugins/*-before.conf + IncludeOptional %%ETCDIR%%/coreruleset/rules/*.conf + IncludeOptional %%ETCDIR%%/coreruleset/plugins/*-after.conf You can also add custom configuration and CRS exceptions here. For instance, you might want to disable rules that generate false positives. 
Example: SecRuleRemoveById 960015 Starting ModSecurity -------------------- When the configuration is all set, simply restart Apache and confirm that ModSecurity is loaded by checking Apache's log file: apachectl restart tail /var/log/httpd-error.log Configuring blocking mode ------------------------- Now that ModSecurity is active, try making a suspicious request to your web server, for instance browse to a URL: http://www.example.com/?foo=/etc/passwd. The CRS has a rule against this type of request. After browsing to the URL, you should now see the request logged in /var/log/modsec_audit.log. You'll notice that the request succeeds, and the response is sent to the browser normally. The reason is that ModSecurity runs in "DetectionOnly" mode by default, in order to prevent downtime from misconfiguration or heavy-handed blocking. You can enable blocking mode simply by editing modsecurity.conf and changing the following line: SecRuleEngine On Again, restart Apache. Now, make the same suspicious request to your web server. You should now see a "403 Forbidden" error! In practice, it's probably best to keep SecRuleEngine DetectionOnly for some time, while your users exercise the web applications. Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see what is being blocked. If there are any false positives, you need to mitigate this by writing custom exceptions. Maintenance ----------- An essential resource for working with ModSecurity is the ModSecurity Handbook by Ivan Ristic. ModSecurity exposes quite some internals, and it's good to scan this book before you start writing custom rules and exceptions. You probably want to keep the CRS updated from time to time. You can do this with Git: - cd %%ETCDIR%%/owasp-modsecurity-crs + cd %%ETCDIR%%/coreruleset git pull apachectl restart