SpiderLabs Blog

ModSecurity Rules subproject added

If you are a ModSecurity user you may have noticed that I am distributing ModSecurity without any rules. This may seem strange at first glance, but there is a good reason for it. ModSecurity did, in fact, come with some rules back in the early days. There were some rules that were meant to serve as examples, and I also included a bunch of rules that I used for regression testing. I thought people would look at the included rules to learn how to write their own.

I was very wrong. Many people simply decided to use *all* of the rules included in the distribution *and* deploy ModSecurity configured to block everything that's suspicious. Unsurprisingly, this created a lot of false positives. The regression testing rules, in particular, were tightly coupled to a specific test configuration. To cut a long story short, I removed all but a handful of rules from ModSecurity in order to save my mailbox from overflowing.

The situation is about to change again. As time went on I began to see the lack of "standard" rules as a bottleneck, a road block to further ModSecurity growth. People *do* need to have examples in order to learn how to write their own rules. To deal with this I started a new subproject called ModSecurity Rules. This is where I will keep the rules. The rules that are in the subproject right now are already in pretty good shape, by the way, as I've been using them myself for some time. They are officially in beta, but this is only because there's still some polishing left to do (for example, assigning each rule a unique ID).
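As an added illustration (this is not a rule from the original post or from the ModSecurity Rules subproject), here is the shape of a small, self-contained rule that carries its own ID and is first deployed with the engine in detection-only mode, so that a noisy rule shows up as log entries instead of blocked requests. The ID range, the log path and the pattern are assumptions made for this example, not project conventions.

```apache
# Added example; not part of the ModSecurity distribution or the Rules subproject.

# Start in detection-only mode: matching requests are logged but never blocked,
# so a rule that fires on legitimate traffic is discovered in the log rather
# than by users hitting 403s.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log   # assumed path for this example

# Every rule gets a unique id so it can be referenced, tuned or removed on its
# own. The 900000+ range here is an arbitrary choice for this example.
SecRule ARGS "@rx (?i:<script[^>]*>)" \
    "id:900001,phase:2,t:none,t:urlDecodeUni,log,deny,status:403,msg:'Script tag in request argument'"

# Only after the audit log shows the rule matching genuinely bad input should
# the engine be switched on, at which point the deny action takes effect:
# SecRuleEngine On
```

The rule is deliberately independent of any particular test harness: it reads only request arguments and sets everything it needs (phase, transformations, action, status) inline, which is what keeps it from being tightly coupled to one configuration the way the old regression rules were.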

Starting with ModSecurity 2.0, a snapshot of the rules will be included with the distribution. There, I've decided to bite the bullet again.