Supporting the Open Source Community
Breach Security is committed to contributing to the development of the ModSecurity open source community. Since the acquisition, Breach Security has provided the following products and offerings based on ModSecurity technology:
- ModSecurity 2.x, 2.1.x and 2.5 – many significant upgrade releases of ModSecurity providing significantly enhanced analysis and performance updates.
- Core Rule Set (CRS) – Breach Security facilitated the CRS becoming an official OWASP Project which provides essential web application security rules to the community.
- Enhanced Rule Set (ERS) – optimized packages of ModSecurity rules for protecting commercial web applications with known vulnerabilities and ensuring web applications are compliant with specific regulations, such as PCI.
- Rules Subscription Service – ModSecurity users can download periodic rule updates that virtually patch vulnerabilities identified in public software.
- WebDefend Global Event Manager (GEM) – WebDefend is now able to accept ModSecurity events providing event consolidation for multiple ModSecurity sensors.
- Support packages – for open source ModSecurity users.
- Training packages – onsite ModSecurity Training offerings.
ModSecurity Open Source
Intrusion Detection and Prevention Engine
ModSecurity is the most widely deployed Web application firewall in the world with over 10,000 deployments. For more information, visit www.modsecurity.org.
ModSecurity Core Rule Set (CRS)
ModSecurity’s pre-packaged rule sets prevent information leakage and help organizations with their compliance efforts. These easy-to-apply rule sets save time and provide immediate protection for production applications against targeted attacks. Individual rule sets can be applied on a per-web application basis for more customized protection. Included rule sets address:
- Automated detection of malicious activity;
- Open Web Application Security Project (OWASP) Top 10 vulnerabilities;
- SQL Injection
- Cross-site Scripting (XSS)
- Remote File Inclusion (RFI)
- Cross-site request forgery protection – Users can implement unique tokens into parameter data via content injection and JavaScript.
- Identification of improper output encoding – Identifies applications that aren’t properly output encoding user-supplied data, which leads to successful cross-site scripting attacks.
- Information leakage protection;
- Known vulnerabilities – Includes a large rule set of converted Emerging Threats’ Snort web attack signatures; Breach Security Labs will continue to periodically release new signatures.
The Core Rule Set is based on generic rules that provide protection from zero-day and unknown vulnerabilities often found in web applications, which are typically custom-coded and difficult to secure. The open source ModSecurity CRS is provided free to the public and has recently become an official OWASP Project with Breach Security Labs as the sponsor, enabling more community collaboration at www.owasp.org, such as rules documentation, information regarding identification and handling of false positives, workarounds and recommendations for new rules.
ModSecurity Enhanced Rule Set (ERS)
Breach also offers a new Enhanced Rule Set (ERS) version as a commercial package, which includes the features of the CRS as well as the following:
- Tracking credit card usage as required by the Payment Card Industry Data Security Standard (PCI DSS);
- Performance improvements by ignoring static content;
- Platform-specific protection for Apache, IIS, PHP, ASP, ASP.NET, and others;
- Microsoft Outlook Web Access protection;
- Anti-virus protection for file uploads through integration with ClamAV;
- Session hijacking protection – Saves a hash of client metadata, such as IP network range and user agent string, for each session ID, and creates alerts and blocks when there are changes.
- Anti-automation rule set – Detects automated clients by rate-limiting, and can also identify vulnerability scanners and brute force attacks by tracking the number of failed logins to specific resources.
- Password strength validation – Detects password fields and checks that the password is strong enough.
- Audit logins – Logs successful or failed logins, or a number of consecutive failed logins for the same user.
- Add username to transactions – Extracts the username from the userfield and adds it to logging for a subsequent event.
ModSecurity Rules Subscription Service
Breach also offers a new data feed of ModSecurity rules specifically created to address attacks and vulnerabilities identified in public applications. Customers will be able to remotely access the Breach Security Labs (BSL) rules repository to download the latest rules and apply them to their configurations. These rules will be updated on a periodic basis and help to identify specific vulnerabilities such as SQL Injection, Cross-site Scripting and Remote File Inclusion in public software such as WordPress and Joomla.
WebDefend Global Event Manager (GEM)
The ModSecurity Management Appliance (MMA) has been taken over by the WebDefend GEM. The WebDefend GEM allows customers to simultaneously monitor events from the Akamai WAF service in the cloud, WebDefend appliances, and ModSecurity sensors.
ModSecurity Support Packages
Breach Security’s Customer Care program provides world-class security wherever and whenever you need it. Our team has made a commitment of excellence to ensure your satisfaction with every aspect of our products. Utilizing the latest technical resources and many combined years of experience, our security support team promptly answers questions and resolves issues.
ModSecurity Commercial Support includes:
- 24×7 phone and email support.
- Basic installation and deployment assistance.
- Access to all ModSecurity system level updates.
- Audit log analysis assistance.
- Log debugging and updates to system level bugs.
- Assistance with updating to newer versions.
- Enhanced Rule Set package.
- Starting at $12,395/year to support up to 15 web servers; volume discounts available for larger deployments.
ModSecurity Training
ModSecurity: Rules Writing Workshop (1-day)
Overview
This one-day class provides an in-depth look at ModSecurity rules and ModSecurity rules language syntax. ModSecurity is currently the most widely used open source web application firewall product. Learning how to take advantage of the power behind ModSecurity rules can help web security administrators write and configure highly effective rules. This class features extensive hands-on rules development and testing to reinforce the theoretical concepts that are presented.
Target Audience
- Web Server Administrators
- Web Security Administrators
- Security Consultants
- Anyone who is responsible for web application security
Prerequisites
In order to gain the most value from the course, students should be familiar with Perl Compatible Regular Expressions (PCRE). This course assumes that students have a technical understanding of the HTTP protocol. Proficiency with Linux and UNIX text editing tools (vi editor) is suggested, not required.
Course Topic Outline
- Introduction to ModSecurity’s Rule Language
- Anatomy of a ModSecurity rule
- Overview of PCRE
- Variables
- Transformation functions
- Actions
- Using advanced rule syntax with the “chain” action
- Overview of the Core Rule Set
- Creating custom rules
- Virtual Patching
- Using initcol and setsid for stateful rules
- Good rule writing practices
- Testing rules
- Tuning rules
