Features included:
parallel text matching,
Geo IP resolution,
credit card number detection,
support for content injection,
automated rule updates,
scripting,
many others
Other main features of ModSecurity:
Performance Enhancements
Transformation Function Caching
Automated Rule Update Capability
Enhancements to the Rules Language
Dynamic Removal of Rules with the new ctl:ruleRemoveById action
New Variables
New Transformation Functions
Content Injection
Credit Card Number Detection
Full Scripting Support using Lua
PDF Universal XSS Protection
Logging Enhancements
ModSecurity has a remote console which makes it manageable remotely. It can also be used as an alternative to an expensive Intrusion Prevention System.
How to install modsecurity
Prerequisite: Apache should already be installed.
Untar your ModSecurity Package
cd mod_security-2.5.6
Now, if you're using Apache 2.0 you'll need to copy out the mod_security.c file from the apache2 directory. In our case, we'll be using the apache1 module. As such, copy the mod_security.c file into your Apache extra modules directory.
cp apache1/mod_security.c ../apache-2.X/src/modules/extra/
cd ..
Now to build and configure Apache with ModSecurity
cd apache-2.X
../configure --prefix=/usr/local/apache --activate-module=src/modules/extra/mod_security
make
make install
If there is no error (most of the time we get one), congratulations, you have installed it successfully!!!
To get ModSecurity activated, we will need to modify the Apache httpd.conf file and define rules for ModSecurity. The source package includes a converted set of Snort rules in the util directory named snortmodsec_rules.txt. Do not cut and paste the entire contents of that file into your mod_security ruleset as a starting reference without reading through it and determining which rules you actually need and which you don't. Enabling ALL those rules will essentially break almost any application in some way or another. You will also run the risk of false positives, as the ModSecurity engine would flag attacks that cannot affect your machine. Below is a small sample that should serve well to get you started on writing your own rule sets.
Sample example file:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
</IfModule>
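The sample above uses the SecFilter* directive family from the ModSecurity 1.x line. The features listed earlier (credit card number detection, dynamic rule removal with ctl:ruleRemoveById, Lua scripting, audit logging) are expressed with the ModSecurity 2.x rule language instead. The following is an added example written for this page, not a configuration shipped with ModSecurity or taken from its documentation; the rule ids, the /reports/ and /api/ paths, the log file name and the path of the Lua script are assumptions chosen for illustration.

```apache
<IfModule security2_module>
    # Added example (ModSecurity 2.x syntax), not part of the original post.
    SecRuleEngine On
    SecRequestBodyAccess On
    # Response body inspection is needed for outbound checks such as @verifyCC
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html

    # Log only requests that triggered a rule, as in the 1.x sample above
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log    # assumed file name

    # Default for rules that do not set their own disruptive action
    SecDefaultAction "phase:2,deny,log,status:500"

    # Credit card number detection: @verifyCC runs a Luhn check on every
    # candidate matched by the regular expression, so random digit runs do
    # not trigger it. sanitiseMatched masks the number in the audit log.
    SecRule RESPONSE_BODY "@verifyCC \d{13,16}" \
        "phase:4,id:900001,t:none,log,deny,status:500,\
        msg:'Credit card number in response body',sanitiseMatched"

    # Dynamic rule removal: a reporting area that legitimately shows card
    # numbers is exempted from rule 900001 for this request only.
    # Rule ids 900001-900003 and the paths are assumed for this example.
    SecRule REQUEST_URI "@beginsWith /reports/" \
        "phase:1,id:900002,t:none,nolog,pass,ctl:ruleRemoveById=900001"

    # Lua scripting: the exec action runs a script whose name ends in .lua
    # through the embedded Lua engine (script path assumed).
    SecRule REQUEST_URI "@beginsWith /api/" \
        "phase:2,id:900003,t:none,log,pass,\
        exec:/usr/local/apache/conf/modsec/notify.lua"
</IfModule>
```

The order matters: rule 900002 runs in phase 1 so that the removal is in place before rule 900001 is evaluated in phase 4, and ctl:ruleRemoveById only affects the current transaction, so the exemption does not weaken the check for other paths.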