[Owasp-modsecurity-core-rule-set] Need Help for Mod security

Rishi nand aadimanavtest at gmail.com
Wed Jul 15 10:21:21 UTC 2015

Hey Joshua,

Thank you very much. I now have a clear picture.


On Tue, Jul 14, 2015 at 9:33 PM, Chaim Sanders <CSanders at trustwave.com> wrote:

>  Josh has pretty much nailed it.
>    1. The CRS rules are generic and don’t update often; I usually update
>    them about once a month with minor bug fixes (almost exclusively in the 3.0
>    branch). If you are looking for signature-like protection (i.e. what Snort
>    does), Trustwave offers commercial rules that do just that. We do, however,
>    recommend that you also use CRS where reasonable.
>    2. Writing rules isn’t so bad. A good intro is available here:
>    https://www.nccgroup.trust/globalassets/resources/us/presentations/crowell_stjohn_modsecurity_introduction.pdf.
>    Ultimately, if you want to get into it in any depth, I recommend buying
>    Ivan’s ModSecurity Handbook
>    (https://www.feistyduck.com/books/modsecurity-handbook/). It’s a
>    treasure trove of information and is a great start.
>    3. The UI I use most often is AuditConsole from Jwall, but your mileage
>    may vary. Many people use Splunk. I have a blog post coming out soon that
>    details how to save logs directly to any database such that you can
>    use/make pretty much any log analyzer.
>   From: Joshua Roback <jroback at gmail.com>
> Date: Tuesday, July 14, 2015 at 9:26 AM
> To: Rishi nand <aadimanavtest at gmail.com>, "
> owasp-modsecurity-core-rule-set at lists.owasp.org" <
> owasp-modsecurity-core-rule-set at lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Need Help for Mod security
>   1) Typically open source rules are updated along with new ModSecurity
> releases.  There isn't really a need to update as frequently as an IDS
> since the scope of detection requirements for a WAF is much smaller.
>  2) Spend time looking at the rules to get a feel for the format and the
> purpose and then buy
> The Web Application Defender's Cookbook -
> http://www.amazon.com/Web-Application-Defenders-Cookbook-Protecting/dp/1118362187/ref=sr_1_2?ie=UTF8&qid=1436880245&sr=8-2&keywords=web+application+cookbook
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
> http://www.atomicorp.com/wiki/index.php/Mod_security
>  3) Don't know about this.  I use a proprietary application.
>  On Tue, Jul 14, 2015 at 7:49 AM Rishi nand <aadimanavtest at gmail.com>
> wrote:
>> Hi there,
>>  I am new to ModSecurity and want to try it in our organization, but I came
>> across a few doubts. I will be glad if anybody can clear them up.
>>  1. OWASP ModSecurity CRS: are these rules updated daily (like Snort
>> rules)? If so, how do I update them? Or how often are they updated, and in
>> that case how do I update them?
>> 2. If I want to write my own custom rules, how can I proceed: where to
>> create the file and in which directory? Can I write all the rules in one file
>> or a separate rule for each file?
>> 3. Any recommended UI for ModSecurity?
>>  Thanks in advance
>>  --
>>  Cheers
>>  Nand