@xyzkab
Last active April 4, 2024 15:48
Setup ModSecurity in AWS EC2 AMI

Download dependencies

We need 3 rpm packages (Fedora 23 builds; put them in a local rpms/ directory so the rpm -ivh rpms/* step below installs them):

rpms/bison-3.0.4-3.fc23.x86_64.rpm
rpms/yajl-2.1.0-4.fc23.x86_64.rpm
rpms/yajl-devel-2.1.0-4.fc23.x86_64.rpm

Install dependencies

yum install ssdeep ssdeep-devel byobu lmdb lmdb-libs lmdb-devel --enablerepo=epel -y
yum install git telnet tcpdump mlocate htop -y
yum install gcc-c++ autoconf automake openssl-devel flex curl-devel curl libxml2-devel doxygen zlib zlib-devel libtool pcre pcre-devel geoip geoip-devel lua lua-devel httpd24 httpd24-devel mod24_ssl -y
rpm -ivh rpms/*

Compile ModSecurity (the v2 Apache module)

mkdir ~/work
cd ~/work
# The master branch of this repository is now libmodsecurity (v3), which does not
# build mod_security2.so; the Apache 2.x module lives on the v2/master branch.
git clone -b v2/master https://github.com/SpiderLabs/ModSecurity.git modsec-master
cd modsec-master
./autogen.sh
./configure
make
make install

ln -s /usr/local/modsecurity/lib/mod_security2.so /etc/httpd/modules/
cat > /etc/httpd/conf.modules.d/00-modsecurity.conf <<'EOF'
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
  Include /etc/modsecurity/modsecurity.conf
  # modsecurity.conf-recommended already sets "SecRuleEngine DetectionOnly"
  # (log, never block). An explicit "SecRuleEngine Off" after the Include would
  # override it and disable the engine entirely, so none of the rules activated
  # below would ever fire. Switch to "On" only once the audit log looks clean.
  SecRuleEngine DetectionOnly
  # crs-setup.conf must be loaded before any rule file; rule 901001 rejects every
  # request with a 500 when it is missing. The activated rules are not picked up
  # unless they are included here.
  Include /etc/modsecurity/crs/crs-setup.conf
  Include /etc/modsecurity/crs/activated_rules/*.conf
</IfModule>
EOF

Activating SQLi, XSS and scanner detection rules

mkdir /etc/modsecurity
cd /etc/modsecurity/
# Pin a CRS release tag instead of the default branch if the file names used
# below have moved; the layout assumed here is the CRS 3.x one.
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs
cd crs
mkdir activated_rules
for rule in crawlers-user-agents.data \
REQUEST-901-INITIALIZATION.conf \
REQUEST-913-SCANNER-DETECTION.conf \
REQUEST-941-APPLICATION-ATTACK-XSS.conf \
REQUEST-942-APPLICATION-ATTACK-SQLI.conf \
REQUEST-949-BLOCKING-EVALUATION.conf \
RESPONSE-959-BLOCKING-EVALUATION.conf \
RESPONSE-980-CORRELATION.conf \
scanners-headers.data \
scanners-urls.data \
scanners-user-agents.data \
scripting-user-agents.data \
sql-errors.data \
sql-function-names.data; do cp rules/$rule activated_rules/ ; done

cp rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# Mandatory: REQUEST-901-INITIALIZATION.conf checks that crs-setup.conf was
# loaded, and rule 901001 answers every request with a 500 when it was not.
cp crs-setup.conf.example crs-setup.conf

cp /home/ec2-user/work/modsec-master/{modsecurity.conf-recommended,unicode.mapping} /etc/modsecurity/
cd /etc/modsecurity/
mv modsecurity.conf-recommended modsecurity.conf
# The recommended file names unicode.mapping by a relative path, which httpd
# resolves against ServerRoot (/etc/httpd); point it at the copy made above or
# httpd fails to start with "Could not open unicode map file".
sed -i 's|^SecUnicodeMapFile unicode.mapping|SecUnicodeMapFile /etc/modsecurity/unicode.mapping|' modsecurity.conf

cd /etc/httpd/conf.modules.d/
vim 00-base.conf

NOTES

  • ModSecurity 2.x refuses to start without mod_unique_id. Make sure the line LoadModule unique_id_module modules/mod_unique_id.so in 00-base.conf is uncommented, and do not load the module a second time elsewhere (if it is already enabled by default, leave it alone).
  • Check the result with httpd -t and restart httpd. With SecRuleEngine DetectionOnly nothing is blocked, so read /var/log/modsec_audit.log (the SecAuditLog path set in modsecurity.conf) for false positives before switching the engine to On.
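Once httpd is back up, the procedure above gives no way to tell whether the rules actually fire. The script below is an added example, not part of the gist: it sends a SQLi canary and reads the rule ids ModSecurity writes to the Apache error log, then checks that both a 942xxx SQLi rule and the anomaly-score evaluation rule 949110 ran. The second check is the one that catches a CRS that was staged but never included. It assumes the httpd24 layout used on this page (binary httpd, error log /var/log/httpd/error_log, a site answering on http://127.0.0.1/); the embedded sample log lines are constructed for the example in the shape of ModSecurity 2.x / CRS 3 messages.

```shell
#!/bin/sh
# Added example (not part of the gist): smoke test for the ModSecurity + CRS
# setup above. Run with "live" to hit the real server; with no argument it
# checks the embedded sample log so the parsing can be exercised offline.
set -u

# Assumptions: httpd24 paths and a local vhost (override via environment).
ERROR_LOG="${ERROR_LOG:-/var/log/httpd/error_log}"
TARGET="${TARGET:-http://127.0.0.1/}"

# Constructed sample of error_log output for the canary request in
# DetectionOnly mode. Line shape follows ModSecurity 2.x / CRS 3 messages;
# timestamps, pids and unique_id values are made up for this example.
sample_log() {
cat <<'EOF'
[Tue Apr 02 10:15:22.101 2024] [:error] [pid 2211] [client 127.0.0.1:51234] [client 127.0.0.1] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:id: 1' OR '1'='1"] [severity "CRITICAL"] [tag "attack-sqli"] [hostname "localhost"] [uri "/"] [unique_id "Zgv0example"]
[Tue Apr 02 10:15:22.102 2024] [:error] [pid 2211] [client 127.0.0.1:51234] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"] [unique_id "Zgv0example"]
[Tue Apr 02 10:15:22.110 2024] [:error] [pid 2211] [client 127.0.0.1:51234] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/crs/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0)"] [hostname "localhost"] [uri "/"] [unique_id "Zgv0example"]
EOF
}

# Print the CRS rule ids found in ModSecurity error_log lines on stdin, one
# per line, de-duplicated (each ModSecurity line carries one [id "..."]).
triggered_rule_ids() {
    grep 'ModSecurity:' | sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*/\1/p' | sort -u
}

# Read rule ids on stdin; succeed only when a 942xxx SQLi rule matched AND the
# anomaly-score evaluation (949110) ran. A missing 949110 means the request
# was scored but never evaluated, which is what you get when crs-setup.conf or
# REQUEST-949 is not included in httpd's configuration.
sqli_detected() {
    ids=$(cat)
    if ! printf '%s\n' "$ids" | grep -q '^942[0-9][0-9][0-9]$'; then
        echo "FAIL: no CRS 942xxx SQLi rule matched" >&2
        return 1
    fi
    if ! printf '%s\n' "$ids" | grep -q '^949110$'; then
        echo "FAIL: rule 949110 never ran (crs-setup.conf / REQUEST-949 not included?)" >&2
        return 1
    fi
    return 0
}

# Send a harmless SQLi canary (libinjection fingerprint, matched by 942100)
# and print the HTTP status: DetectionOnly serves it (200), On blocks it (403).
send_canary() {
    curl -s -o /dev/null -w '%{http_code}' --get \
        --data-urlencode "id=1' OR '1'='1" "$TARGET"
}

live_test() {
    httpd -t || return 1
    httpd -M 2>/dev/null | grep -q 'security2_module' \
        || { echo "FAIL: security2_module is not loaded" >&2; return 1; }
    status=$(send_canary) || return 1
    echo "canary request returned HTTP $status"
    sleep 1   # let httpd flush the error log before reading it
    tail -n 500 "$ERROR_LOG" | triggered_rule_ids | sqli_detected
}

case "${1:-demo}" in
    live) live_test ;;
    *)    sample_log | triggered_rule_ids | sqli_detected \
              && echo "sample log: SQLi detection chain complete" ;;
esac
```

If live mode reports a 942xxx match but no 949110, the scoring rules are loaded but the blocking evaluation is not, so switching SecRuleEngine to On would still block nothing; fix the Include lines before changing the engine mode.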