
    Trustwave provides a commercial certified rule set for ModSecurity® 2.9.X that protects against known attacks that target vulnerabilities in public software.

    Trustwave is the primary custodian of ModSecurity, the most widely deployed Web application firewall in the world with more than 1,000,000 deployments.

ModSecurity Rules

  • The ModSecurity Rules from Trustwave SpiderLabs® are based on intelligence gathered from real-world investigations, penetration tests and research.

    1. More than 16,000 specific rules, broken out into the following attack categories:

       • SQL injection
       • Cross-site Scripting (XSS)
       • Local File Include
       • Remote File Include

    2. User option for application-specific rules, covering the same vulnerability classes for applications such as:

       • Microsoft IIS, ASP, .Net and SharePoint
       • WordPress
       • cPanel
       • osCommerce
       • Joomla

    3. Complements and integrates with the OWASP Core Rule Set.

    4. IP Reputation capabilities which provide protection against malicious clients identified by the Trustwave SpiderLabs Distributed Web Honeypots.

    5. Malware Detection capabilities which prevent your web site from distributing malicious code to clients.


    FAQ for ModSecurity Rules

    Q.

    What are ModSecurity Rules from Trustwave SpiderLabs?

    A.

    The ModSecurity Web application firewall engine provides powerful protection against threats to data via applications. To be effective, ModSecurity must be configured with rules that help it recognize threats and defend against them. Trustwave SpiderLabs provides a commercial, certified rule set for ModSecurity 2.9.X that protects against known attacks that target vulnerabilities in public software.

    Q.

    What types of vulnerabilities do the Rules cover and protect against?

    A.

    Vulnerability Category Rules - the rules are broken out into the following top attack categories: SQL Injection, Cross-site Scripting, Local File Include and Remote File Include.

    Application Specific Rules - there is an option to use application-specific rules, which cover the same vulnerability classes, for apps such as WordPress, osCommerce, Joomla, etc.

    Q.

    What is the difference between the ModSecurity Rules from Trustwave SpiderLabs and the open source OWASP ModSecurity Core Rule Set (CRS)?

    A.

    The OWASP ModSecurity CRS security model is based on the concept of "generic attack detection", which means that it analyzes all HTTP transactional data looking for malicious payloads. While this technique does provide a base level of protection, there are still accuracy issues, since the CRS does not correlate the specific attack vector locations (such as URL and parameters) of publicly disclosed vulnerabilities. The ModSecurity Rules from Trustwave SpiderLabs focus on specific attack vector locations, creating custom virtual patches for public vulnerabilities.

    Q.

    What is the advantage of the ModSecurity Rules from Trustwave SpiderLabs vs. the OWASP CRS?

    A.

    The main advantage of using rules from Trustwave SpiderLabs is accuracy. These rules lead to lower false positives as they only inspect certain types of data, providing the user with an increased confidence in blocking traffic.

    Q.

    Can the Trustwave SpiderLabs Rules be used together with the OWASP CRS?

    A.

    Yes. The Trustwave SpiderLabs Rules may be used on their own or they may be integrated with the OWASP CRS. The rules work collaboratively with the OWASP CRS by allowing it to generically identify malicious payloads. The Trustwave SpiderLabs Rules then verify the attack vector locations. Please see this blog post which describes the rules in more detail.
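    To make the difference between "generic attack detection" and a location-specific virtual patch concrete, here is an added example in ModSecurity 2.x rule syntax. It is illustrative only and is not taken from the Trustwave rules feed or from the OWASP CRS; the application path /example-app/search.php, the parameter q, the detection pattern and the rule ids are all constructed for the illustration.

```apache
# Added example, not part of the Trustwave rules feed or the OWASP CRS.
# The path /example-app/search.php, the parameter "q" and the 9000xxx
# rule ids are constructed placeholders; choose ids that fit your own
# numbering and that do not collide with the CRS id ranges.

# 1. Generic attack detection (CRS style): every argument of every
#    request is inspected for a SQL injection pattern, no matter where
#    the application uses that parameter. Broad coverage, but the same
#    pattern fires on a blog comment, a search box and a login form
#    alike, which is where the false positives come from. Here the rule
#    only records the hit in a transaction variable.
SecRule ARGS "@rx (?i:union\s+(?:all\s+)?select)" \
    "id:9000001,phase:2,pass,log,t:none,t:urlDecodeUni,\
    msg:'Generic SQLi pattern in request argument',\
    setvar:'tx.sqli_hit=1'"

# 2. Virtual patch: the same class of payload, but scoped to the exact
#    attack vector location (URL + parameter) of a known vulnerability.
#    Only requests that reach the vulnerable code path can match, so the
#    rule can block outright with far less false-positive risk.
SecRule REQUEST_FILENAME "@streq /example-app/search.php" \
    "id:9000002,phase:2,deny,status:403,log,t:none,t:lowercase,t:normalizePath,\
    msg:'Virtual patch: SQLi against search.php q parameter',\
    chain"
    SecRule ARGS:q "@rx (?i:union\s+(?:all\s+)?select)" "t:none,t:urlDecodeUni"

# 3. Collaborative mode (the "used together with the CRS" case): the
#    generic layer finds the payload, a location-aware rule confirms the
#    request targets a known vulnerable location, and only then does the
#    transaction get blocked. Deploy either rule 2 or rule 3 for a given
#    vulnerability, not both, since rule 2 already denies on its own.
SecRule TX:sqli_hit "@eq 1" \
    "id:9000003,phase:2,deny,status:403,log,t:none,\
    msg:'Generic SQLi detection confirmed at known vulnerable location',\
    chain"
    SecRule REQUEST_FILENAME "@streq /example-app/search.php" "t:none,t:lowercase,t:normalizePath,chain"
    SecRule &ARGS:q "@gt 0"
```

    Rule 1 must appear before rule 3 in the configuration so that tx.sqli_hit is already set when rule 3 evaluates in the same phase. In a real deployment rule 1 would be the CRS itself, which exposes its findings through its own TX variables rather than through the constructed tx.sqli_hit used here.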

    Q.

    What data is used to create the rules feed?

    A.

    Trustwave SpiderLabs correlates data from numerous sources to generate the commercial rules, including:

    Q.

    Do the ModSecurity Rules from Trustwave SpiderLabs only contain virtual patches for known public vulnerabilities?

    A.

    No, they also include rules for new attack methods. See recent examples of the types of rules that are included in the Trustwave SpiderLabs rules feed.

    Q.

    How can I purchase the ModSecurity Rules from Trustwave SpiderLabs?

    A.

    Purchase a subscription for the ModSecurity Rules from Trustwave SpiderLabs.

    Q.

    How do I use the rules feed from Trustwave?

    A.

    Once you purchase the ModSecurity Rules feed, you will receive:

    • A unique license hash token. Use this token when accessing the commercial rules repository URL.
    • Download instructions. Instructions on using curl/wget to access the URL of the commercial rules feed repository.

    Q.

    How do you handle accuracy and update frequency of the IP Reputation data?

    A.

    We update the IP Reputation blacklist file daily based on attack data gathered from our web honeypot systems. The blacklist includes IP addresses that have demonstrated confirmed attacks against our honeypots within the last 48 hours.

    Q.

    How does the Malware Detection work?

    A.

    The SpiderLabs Research Team gathers malicious payloads from various web sources and consolidates them into a blacklist. Our ModSecurity rules then use a fast pattern matching algorithm to inspect outbound HTML for signs of this malicious code. ModSecurity can then alert/block/clean the malicious code to prevent infecting your web site's clients.
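    The two blacklist-driven capabilities described in the last two answers (the daily IP reputation list and the outbound malware scan) can be wired into ModSecurity 2.x as shown in this added example. It is not the rules feed's own configuration: the file names /etc/modsecurity/ip-reputation-blacklist.txt and /etc/modsecurity/malware-patterns.txt and the rule ids are assumed names for locally maintained files, and the use of the @ipMatchFromFile and @pmFromFile operators is an assumption about how such lists would be consumed, not a statement of how the commercial rules are written.

```apache
# Added example; file names, rule ids and operator choices are assumptions,
# not the Trustwave feed's own configuration.

# Inbound: reject clients listed in a daily-refreshed IP reputation file.
# @ipMatchFromFile takes one IP address or CIDR range per line. The file
# is parsed when the configuration is loaded, so the job that fetches a
# new list each day must be followed by a graceful reload of Apache, or
# the 48-hour window described above never actually rotates.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/ip-reputation-blacklist.txt" \
    "id:9000010,phase:1,deny,status:403,log,t:none,\
    msg:'Client IP listed in reputation blacklist'"

# Outbound: scan HTML responses for known malicious snippets.
# Response body inspection is off by default and costs memory per
# request, so enable it only for the content types that can carry
# injected script and cap the buffered size.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# @pmFromFile loads one literal pattern per line into a set-based
# (Aho-Corasick) matcher, so thousands of patterns are checked in a single
# pass over the body. 'deny' suppresses the infected page entirely; use
# 'pass' with log while you are still cleaning the site and only want
# alerts.
SecRule RESPONSE_BODY "@pmFromFile /etc/modsecurity/malware-patterns.txt" \
    "id:9000011,phase:4,deny,status:403,log,t:none,\
    msg:'Known malicious code found in outbound HTML',\
    logdata:'%{MATCHED_VAR}'"
```

    Because rule 9000011 runs in phase 4, it only fires after the application has produced its response; denying there protects visitors but does not remove the injected code from the site, which is why the alert and the logged matched fragment are the useful part for the clean-up that follows.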

    Q.

    How do I determine the number of Rule Licenses I need?

    A.

    Rule licenses are determined based on the number of ModSecurity instances in use. If you have 10 different web servers, each with ModSecurity, you would need to purchase 10 licenses.

    Q.

    Are Enterprise Licenses available?

    A.

    Yes, enterprises with more than 100 ModSecurity installations (such as Hosting Providers) qualify for an enterprise license. Contact Sales for more information.

ModSecurity Support

  • Trustwave now offers support for ModSecurity, including:

    • Standard support for ModSecurity troubleshooting
    • ModSecurity product maintenance and updates
    • Access to in-depth technical expertise from Trustwave

    FAQ for ModSecurity Support

    Q.

    Does Support cover initial installation of ModSecurity?

    A.

    No. Support provides assistance once ModSecurity has initially been installed by the customer.

    Q.

    What type of Support is covered by Trustwave SpiderLabs?

    A.

    Trustwave's Technical Assistance Center (TAC) provides ModSecurity customers with help related to alert analysis, rules configuration questions and exception assistance related to either the commercial rules or the OWASP ModSecurity Core Rule Set.

    Q.

    Does Support cover the creation of virtual patches for vulnerabilities identified by the customer?

    A.

    No. Support provides rule creation assistance for active attacks but not for virtual patches for vulnerabilities. If the customer would like virtual patching assistance, they should contact Sales about the SpiderLabs 360 Application Security Program.

    Q.

    How do I determine the number of Support Licenses I need?

    A.

    Support licenses are determined based on the number of Apache LoadModule directives that activate the mod_security2.so file. For example, if you have one physical server with 10 virtual hosts, each running Apache with ModSecurity, that would equate to 10 support licenses.

    Q.

    Are Enterprise Licenses available?

    A.

    Yes, enterprises with more than 100 ModSecurity installations qualify for an enterprise license. Contact Sales for more information.

Resources


  • SpiderLabs Blog

    ModSecurity Web Application Firewall - Commercial Rules Update (4)

    We have recently released new commercial rules for ModSecurity Web Application Firewall (WAF) v2.9 and above. These rules' purpose is to protect against new emerging attacks that target vulnerabilities in public software. For this release we are highlighting virtual patches...

    ModSecurity Web Application Firewall - Commercial Rules Update (3)

    We have released new commercial rules for ModSecurity Web Application Firewall (WAF) v2.9 and above. These rules' purpose is to protect against new emerging attacks that target vulnerabilities in public software. For this release we would like to highlight the...

    ModSecurity version 3.0.0 first release candidate

    Recently we announced the first release candidate for libModSecurity (also as known as ModSecurity version 3). The goal was to turn ModSecurity into a mature library that could be used seamlessly regardless of web server or platform. The motivations for...

    ModSecurity Web Application Firewall - Commercial Rules Update (2)

    We have released new commercial rules for ModSecurity Web Application Firewall (WAF) v2.9 and above. These rules' purpose is to protect against new emerging attacks that target vulnerabilities in public software. For this release we are highlighting virtual patches for...

    Announcing ModSecurity version 2.9.2

    We recently released ModSecurity version 2.9.2. The release contains a number of bug fixes, including two security issues: Allan Boll reported an uninitialized variable that may lead to a crash on Windows platform. Brian Adeloye reported an infinite loop on...