[Owasp-modsecurity-core-rule-set] Need Help for Mod security

Chaim Sanders CSanders at trustwave.com
Tue Jul 14 16:03:05 UTC 2015


Josh has pretty much nailed it.


  1. The CRS rules are generic and don't update often; I usually update them about once a month with minor bug fixes (almost exclusively in the 3.0 branch). If you are looking for signature-like protection (i.e. what Snort does), Trustwave offers commercial rules that do just that. We do however recommend that you also use CRS where reasonable.
  2. Writing rules isn't so bad. A good intro is available here: https://www.nccgroup.trust/globalassets/resources/us/presentations/crowell_stjohn_modsecurity_introduction.pdf. Ultimately, if you want to get into it in any depth, I recommend buying Ivan's ModSecurity Handbook (https://www.feistyduck.com/books/modsecurity-handbook/). It's a treasure trove of information and is a great start.
  3. The UI I use most often is AuditConsole from Jwall, but your mileage may vary. Many people use Splunk. I have a blog post coming out soon that details how to save logs directly to any database such that you can use/make pretty much any log analyzer.
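As an added illustration of the "where do custom rules go, one file or many" question (this is not code from any poster in the thread, nor from the CRS project), the following shows a minimal Apache + ModSecurity 2.x layout: CRS loaded first, then a separate local rules directory, followed by a small local rules file. Every path, network range and rule id below is an assumption; adjust them to your own distribution's layout.

```apache
# Added example, not from this thread. Assumes Apache httpd with ModSecurity 2.x;
# all paths are assumptions, adjust to your distribution's layout.

# --- /etc/httpd/conf.d/modsecurity.conf (main engine config, assumed path) ---
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # CRS is loaded first: its setup file, then its rule files.
    Include /etc/httpd/modsecurity.d/crs/crs-setup.conf
    Include /etc/httpd/modsecurity.d/crs/rules/*.conf

    # Local rules live in their own directory so a CRS update never
    # overwrites them. One file or several both work: Include simply
    # loads each matching file in order.
    Include /etc/httpd/modsecurity.d/local/*.conf
</IfModule>

# --- /etc/httpd/modsecurity.d/local/10-local-rules.conf (assumed path) ---
# The ModSecurity reference manual reserves rule ids 1-99,999 for local use,
# so ids in this range cannot collide with CRS rule ids.

# 1. Restrict an admin path to internal networks. "chain" on the first rule
#    means the deny only fires when the second rule also matches, i.e. the
#    client is NOT in the listed ranges. The ranges are placeholders.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:10001,phase:1,deny,status:403,log,\
    msg:'Admin area reached from outside the internal network',\
    tag:'local/access-control',chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8,192.168.0.0/16"

# 2. Monitor-only rule: log and audit-log, but do not block, so the pattern
#    can be tuned against real traffic before the action is changed to deny.
SecRule ARGS "@rx (?i)\bunion\b.{1,100}?\bselect\b" \
    "id:10002,phase:2,pass,log,auditlog,\
    t:none,t:urlDecodeUni,t:compressWhitespace,\
    msg:'Possible SQL injection pattern in a request argument',\
    severity:WARNING,tag:'local/sqli-monitor'"

# 3. False-positive handling: rather than disabling a CRS rule outright,
#    exclude one known-noisy parameter from it. 981318 is a CRS 2.2.x
#    SQL injection rule id used here only to show the syntax; look up the
#    id that actually fires in your audit log before adding such a line.
SecRuleUpdateTargetById 981318 "!ARGS:comment_body"
```

Rule files are read once at startup, so after editing them run `apachectl configtest` and reload httpd; a syntax error in any local rule keeps the whole server from starting, which is one argument for small, topic-named files rather than a single large one.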

From: Joshua Roback <jroback at gmail.com>
Date: Tuesday, July 14, 2015 at 9:26 AM
To: Rishi nand <aadimanavtest at gmail.com>, "owasp-modsecurity-core-rule-set at lists.owasp.org" <owasp-modsecurity-core-rule-set at lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Need Help for Mod security

1) Typically open source rules are updated along with new ModSecurity releases.  There isn't really a need to update as frequently as an IDS since the scope of detection requirements for a WAF is much smaller.

2) Spend time looking at the rules to get a feel for the format and the purpose, and then buy
The Web Application Defender's Cookbook - http://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/ref=sr_1_2?ie=UTF8&qid=1436880245&sr=8-2&keywords=web+application+cookbook
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
http://www.atomicorp.com/wiki/index.php/Mod_security

3) Don't know about this.  I use a proprietary application.

On Tue, Jul 14, 2015 at 7:49 AM Rishi nand <aadimanavtest at gmail.com> wrote:
Hi There

I am new to ModSecurity and want to try it in our organization, but came across a few doubts. I will be glad if anybody can clear them.

1. OWASP ModSecurity CRS: are these rules updated daily (like Snort rules; if so, how to update them)? Or how often will they update, and in that case how to update them?
2. If I want to write my own custom rules, how can I proceed: where to create the file and in which directory? Can I write all the rules in one file, or a separate file for each rule?
3. Any recommended UI for ModSecurity?

Thanks in advance


--
Cheers

Nand
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


