I decided to copy the Série Snortando of my friend Rodrigo "Sp0oKeR" Montoro and, at his suggestion, create a series of posts about ModSecurity.
The idea of these posts is not to be a step-by-step guide or a ModSecurity manual, but to write about my day-to-day work configuring ModSecurity and solving the problems that come up in its use. I think it will be useful for others, and even for me, since I'll be documenting procedures that I might otherwise forget. ;-)
I intend to always post a version in Portuguese and one in English of the same post, and the frequency of the posts will be weekly. You can also use the comments to suggest topics for future posts, including your own issues.
I start this series by talking a little about ModSecurity and WAFs (Web Application Firewalls). If you want an introduction to WAFs, you can see the presentation I gave in March 2011 at the OWASP Porto Alegre First Meeting, which is available here (Portuguese):
An excellent presentation covering some WAF concepts was given by Carolina Bozza at Hack Conference and is available here: http://www.bhack.com.br/talks/Carolina/BHACK.pdf.
If you have not installed ModSecurity yet, I've written a post (already outdated; maybe I will update it in this series in the future) on how to install ModSecurity 2.6.1-rc1 + CRS (Core Rule Set) 2.2.0.
Currently, the stable ModSecurity version is 2.6.7, and the CRS (Core Rule Set) rules are at version 2.2.5.
It was also announced that ModSecurity has been ported to IIS, and it will soon be ported to Nginx, as announced by Trustwave through its SpiderLabs team.
In fact, Trustwave is currently the company that maintains ModSecurity; Ryan Barnett and the Brazilian Breno Silva are the main developers of the project.
Trustwave, among other security services, provides support services and has a set of commercial rules, not distributed in the CRS, for use with ModSecurity by its customers. More information about the services Trustwave provides around ModSecurity can be found here: Trustwave ModSecurity Rules and Support Services.
There is a lot of documentation about ModSecurity available on the Internet, almost all of it in English. But the project has changed considerably in recent years, and the documentation found online is sometimes outdated and can no longer be used. So here are some references that I recommend:
- The project's official documentation, straight from the version control repository: the project's SVN repository has a documentation area, and whenever a new feature is added or changed, it is documented there first. It does not get more up to date than that: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/doc/. This reference manual is later made available in the official project Wiki.
- The handbook by Ivan Ristić, who was the original ModSecurity author but is no longer a developer on the project. This book is very good mainly because Ivan updates it constantly, so it does not become outdated. It is worth buying this book if you want to use ModSecurity, mainly because of this policy of updating and digital distribution.
- The Mod-security-users and Owasp-modsecurity-core-rule-set mailing lists.
This post has gotten long, and the intention is for this series to be just short posts. See you later! :-)