    Trustwave provides a commercial certified rule set for ModSecurity® 2.9.X that protects against known attacks that target vulnerabilities in public software.

    Trustwave is the primary custodian of ModSecurity, the most widely deployed Web application firewall in the world with more than 1,000,000 deployments.

ModSecurity Rules

  • The ModSecurity Rules from Trustwave SpiderLabs® are based on intelligence gathered from real-world investigations, penetration tests and research.

    1. More than 16,000 specific rules, broken out into the following attack categories:

       • SQL injection
       • Cross-site Scripting (XSS)
       • Local File Include
       • Remote File Include

    2. User option for application specific rules, covering the same vulnerability classes for applications such as:

       • Microsoft IIS, ASP, .Net and SharePoint
       • WordPress
       • cPanel
       • osCommerce
       • Joomla

    3. Complements and integrates with the OWASP Core Rule Set

    4. IP Reputation capabilities which provide protection against malicious clients identified by the Trustwave SpiderLabs Distributed Web Honeypots

    5. Malware Detection capabilities which prevent your web site from distributing malicious code to clients.


    FAQ for ModSecurity Rules

    Q.

    What are ModSecurity Rules from Trustwave SpiderLabs?

    A.

    The ModSecurity Web application firewall engine provides powerful protection against threats to data via applications. To be effective, ModSecurity must be configured with rules that help it recognize threats and defend against them. Trustwave SpiderLabs provides a commercial, certified rule set for ModSecurity 2.9.X that protects against known attacks that target vulnerabilities in public software.

    Q.

    What types of vulnerabilities do the Rules cover and protect against?

    A.

    Vulnerability Category Rules - the rules are broken out into the following top attack categories: SQL Injection, Cross-site Scripting, Local File Include and Remote File Include.

    Application Specific Rules - there is an option to use application specific rules, which cover the same vulnerability classes, for apps such as WordPress, osCommerce, Joomla, etc.

    Q.

    What is the difference between the ModSecurity Rules from Trustwave SpiderLabs versus the open source OWASP ModSecurity Core Rules Set (CRS)?

    A.

    The OWASP ModSecurity CRS security model is based on the concept of "generic attack detection", which means that it analyzes all HTTP transactional data looking for malicious payloads. While this technique does provide a base level of protection, there are still accuracy issues, since the CRS does not correlate specific attack vector locations (such as URL and parameters) from publicly disclosed vulnerabilities. The ModSecurity Rules from Trustwave SpiderLabs focus on specific attack vector locations, creating custom virtual patches for public vulnerabilities.

    Q.

    What is the advantage of the ModSecurity Rules from Trustwave SpiderLabs vs. the OWASP CRS?

    A.

    The main advantage of using rules from Trustwave SpiderLabs is accuracy. These rules lead to lower false positives as they only inspect certain types of data, providing the user with an increased confidence in blocking traffic.
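    As an added illustration of the two approaches contrasted in the previous two answers (example rules written for this page, not Trustwave's or the CRS's own rules), here is a generic payload-inspection rule beside a location-specific virtual patch in ModSecurity 2.9 rule syntax; the path /app/search.php, the parameter id and the rule ids are placeholders.

```apache
# Generic attack detection (CRS style): inspect every request
# argument for SQL injection syntax, regardless of which URL or
# parameter carries it. Broad coverage, but any legitimate value
# that happens to look like SQL, on any parameter, will trigger it.
SecRule ARGS "@detectSQLi" \
    "id:1000001,phase:2,t:none,deny,status:403,log,\
    msg:'Generic SQL injection detected in request arguments',\
    tag:'example/generic-detection'"

# Virtual patch: the rule is bound to one attack vector location
# (placeholder path and parameter). It runs only when the request
# targets /app/search.php, and it inspects only the id parameter,
# enforcing the value format the application expects there.
SecRule REQUEST_FILENAME "@streq /app/search.php" \
    "id:1000002,phase:2,t:none,chain,deny,status:403,log,\
    msg:'Virtual patch: unexpected format for search id parameter',\
    tag:'example/virtual-patch'"
    # Chained rule: fires only if id is present and is not a short
    # positive integer. Other paths, and other parameters on this
    # path, are never evaluated by this rule, which is why such a
    # rule produces far fewer false positives than the generic one.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"
```

    Rule ids 1000001 and 1000002 are placeholders; choose ids from a range not used by the other rule sets loaded on the same engine.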

    Q.

    Can the Trustwave SpiderLabs Rules be used together with the OWASP CRS?

    A.

    Yes. The Trustwave SpiderLabs Rules may be used on their own or they may be integrated with the OWASP CRS. The rules work collaboratively with the OWASP CRS by allowing it to generically identify malicious payloads. The Trustwave SpiderLabs Rules then verify the attack vector locations. Please see this blog post, which describes the rules in more detail.

    Q.

    What data is used to create the rules feed?

    A.

    Trustwave SpiderLabs correlates data from numerous sources to generate the commercial rules, including:

    Q.

    Do the ModSecurity Rules from Trustwave SpiderLabs only contain virtual patches for known public vulnerabilities?

    A.

    No, they also include rules for new attack methods. See recent examples of the types of rules that are included in the Trustwave SpiderLabs rules feed.

    Q.

    How can I purchase the ModSecurity Rules from Trustwave SpiderLabs?

    A.

    Purchase a subscription for the ModSecurity Rules from Trustwave SpiderLabs.

    Q.

    How do I use the rules feed from Trustwave?

    A.

    Once you purchase the ModSecurity Rules feed, you will receive:

    • A unique license hash token. Use this token when accessing the commercial rules repository URL.
    • Download instructions. Instructions on using curl/wget to access the URL of the commercial rules feed repository.

    Q.

    How do you handle accuracy and update frequency of the IP Reputation data?

    A.

    We update the IP Reputation blacklist file daily based on attack data gathered from our web honeypot systems. The blacklist includes IP addresses that have demonstrated confirmed attacks against our honeypots within the last 48 hours.

    Q.

    How does the Malware Detection work?

    A.

    The SpiderLabs Research Team gathers malicious payloads from various web sources and consolidates them into a blacklist. Our ModSecurity rules then use a fast pattern matching algorithm to inspect outbound HTML for signs of this malicious code. ModSecurity can then alert on, block or clean the malicious code to prevent your web site's clients from being infected.
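    An added sketch (written for this page, not the product's own rules or blacklist) of how an outbound blacklist check of the kind described above is expressed in ModSecurity 2.9; the list file name malware_blacklist.data and the rule id are placeholders, and the file is assumed to hold one pattern per line.

```apache
# Response body inspection is off by default. It has to be switched
# on, and HTML must be among the MIME types that get inspected, or
# phase 4 rules never see the outbound page at all.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain
SecResponseBodyLimit 1048576
SecResponseBodyLimitAction ProcessPartial

# Phase 4 runs once the response body is available. @pmFromFile
# loads every line of the (placeholder) blacklist file and matches
# all patterns in a single pass (Aho-Corasick set matching), so the
# cost per response stays low even for a long list. 'deny' blocks
# the page; 'pass' would alert only.
SecRule RESPONSE_BODY "@pmFromFile malware_blacklist.data" \
    "id:1000003,phase:4,t:none,deny,status:403,log,\
    msg:'Outbound HTML matches malicious code blacklist',\
    severity:CRITICAL,tag:'example/outbound-malware'"
```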

    Q.

    How do I determine the number of Rule Licenses I need?

    A.

    Rule licenses are determined based on the number of ModSecurity instances in use. If you have 10 different web servers each with ModSecurity, you would need to purchase 10 licenses.

    Q.

    Are Enterprise Licenses available?

    A.

    Yes, enterprises with more than 100 ModSecurity installations (such as Hosting Providers) qualify for an enterprise license. Contact Sales for more information.

ModSecurity Support

  • Trustwave now offers support for ModSecurity, including:

    • Standard support for ModSecurity troubleshooting
    • ModSecurity product maintenance and updates
    • Access to in-depth technical expertise from Trustwave

    FAQ for ModSecurity Support

    Q.

    Does Support cover initial installation of ModSecurity?

    A.

    No. Support provides assistance once ModSecurity has initially been installed by the customer.

    Q.

    What type of Support is covered by Trustwave SpiderLabs?

    A.

    Trustwave's Technical Assistance Center (TAC) provides ModSecurity customers with help related to alert analysis, rules configuration questions and exception assistance related to either the commercial rules or the OWASP ModSecurity Core Rule Set.

    Q.

    Does Support cover the creation of virtual patches for vulnerabilities identified by the customer?

    A.

    No. Support provides rule creation assistance for active attacks but not for virtual patches for vulnerabilities. If the customer would like virtual patching assistance, they should contact Sales about the SpiderLabs 360 Application Security Program.

    Q.

    How do I determine the number of Support Licenses I need?

    A.

    Support licenses are determined based on the number of Apache LoadModule directives that activate the mod_security2.so file. For example, if you have one physical server with 10 virtual hosts, each running Apache with ModSecurity, that would equate to 10 support licenses.

    Q.

    Are Enterprise Licenses available?

    A.

    Yes, enterprises with more than 100 ModSecurity installations qualify for an enterprise license. Contact Sales for more information.

Resources

  • Documents


  • SpiderLabs Blog

    OWASP ModSecurity CRS Version 3.0 RC1 Released

    Trustwave has been dedicated to supporting ModSecurity and the associated community for the better part of a decade. Over this time, ModSecurity and the associated OWASP Core Rule Set (CRS) have seen major advances and are currently positioned as leading...

    Sending ModSecurity Logs to MySQL

    Previous Work As part of our positions at SpiderLabs Research we each get time to undertake various research tasks. Typically on the Web Server Security team we spend this time improving ModSecurity and Trustwave WAF, analyzing the latest web threats,...

    Protecting Your Sites from Apache.Commons Vulnerabilities

    A few weeks ago, FoxGlove Security released this important blog post that includes several Proof-of-Concepts for exploiting Java unserialize vulnerabilities. A remote attacker can gain Remote Code Execution by sending specially crafted payload to any endpoint expecting a serialized...

    Joomla 0-Day Exploited In the Wild (CVE-2015-8562)

    A recent new 0-day in Joomla discovered by Sucuri (Sucuri Blog) has drawn a lot of attention from the Joomla community, as well as attackers. Using knowledge gained from our recent research on Joomla (CVE-2015-7857, SpiderLabs Blog Post) and information...