We have been searching for some additional rules for ModSecurity (mod_security) - there appear to be 2 commercial options, either GotRoot or those from TrustWave

I've heard about TrustWave although not GotRoot. Nevertheless the GotRoot rules appear to have more mentions on the internet, etc - it appears TrustWave's rules only made an appearance around a month ago

We'd be utilising these to safeguard an eCommerce site

I'm the ModSecurity Project Lead at the Trustwave SpiderLabs Research Team. When evaluating two rulesets and asking which is "better", it will depend on the application setup and preferred security needs. You mentioned that it is an eCommerce site. Is it using public software, for example osCommerce?

The commercial ModSecurity rules from Trustwave have many general advantages:

  1. The rules are produced by the Trustwave SpiderLabs Research Team, which develops the ModSecurity code, and this leads to fewer rule accuracy errors (see details below about GotRoot issues)

  2. The SpiderLabs Research Team conducts extensive testing and research against our rules to ensure they are better. See our recent SQL Injection Challenge - http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

  3. The rules may be used either by themselves or integrated with the OWASP ModSecurity Core Rule Set (which is also maintained by the same Trustwave SpiderLabs Research Team). This allows for versatility of deployment as well as boosting the accuracy, as there is collaborative recognition of attack payloads. The end result is that there is a lower possibility of false negatives (missed attacks).

  4. Trustwave rules can be applied using either an attack-type or an application-type methodology. For instance, if you're running an osCommerce site, there is a packaged ruleset with virtual patches only for your particular application. The advantage of this method is that you are only activating rules which are relevant for your environment rather than running 100s or 1000s of unneeded rules. Another advantage of this approach is that it will reduce processing time/latency of requests.

  5. The Trustwave virtual patches also include meta-data with http links to third party vulnerability data, for example OSVDB.

As for the GotRoot rules themselves, there are numerous accuracy problems that I've discovered after looking at their public delayed rules, which might result in false negative issues. The primary problem lies in the improper use of transformation functions. Transformation functions (for example t:base64Decode) are used to normalize data before applying an operator. There are many GotRoot rules that apply improper transformation functions that alter data in ways such that the operator will never match even if malicious data is present. This indicates that they haven't been tested for accuracy.

Hope these details help.
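As an added illustration of the transformation-function point above (this is example code written for this page, not part of the answer and not Trustwave's, GotRoot's or ModSecurity's own code), the following Python models how a ModSecurity rule's `t:` chain normalizes a request argument before the `@rx` operator sees it. The transformation functions are simplified approximations of their ModSecurity namesakes, and the request argument values are constructed for the example. The point it shows: a chain such as `t:base64Decode` applied to an argument that was never base64-encoded discards the payload, so the operator cannot match and the attack is a false negative, whereas a chain that decodes and normalizes the forms the payload actually takes matches the same regex.

```python
import base64
import re
import urllib.parse

# Simplified models of a few ModSecurity transformation functions. They are
# approximations written for this example, not ModSecurity's implementation.
def t_lowercase(s: str) -> str:
    return s.lower()

def t_urlDecodeUni(s: str) -> str:
    # Decode %uXXXX escapes, then %xx escapes ('+' becomes a space).
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote_plus(s)

def t_compressWhitespace(s: str) -> str:
    return re.sub(r"\s+", " ", s)

def t_base64Decode(s: str) -> str:
    # Decode only the leading run of base64 alphabet characters and ignore the
    # rest; plain-text input therefore decodes to little or nothing.
    prefix = re.match(r"[A-Za-z0-9+/]*", s).group(0)
    if len(prefix) % 4 == 1:          # a lone trailing sextet cannot be decoded
        prefix = prefix[:-1]
    prefix += "=" * (-len(prefix) % 4)  # restore padding
    return base64.b64decode(prefix).decode("latin-1")

TRANSFORMS = {
    "lowercase": t_lowercase,
    "urlDecodeUni": t_urlDecodeUni,
    "compressWhitespace": t_compressWhitespace,
    "base64Decode": t_base64Decode,
}

def apply_transformations(value: str, chain: list) -> str:
    """Apply a t: chain in order, as ModSecurity does before the operator."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value

def rule_matches(chain: list, pattern: str, value: str):
    """Model of: SecRule ARGS "@rx <pattern>" "t:<chain>"
    Returns (matched, normalized_value) so a reviewer can see what the
    operator actually compared against."""
    normalized = apply_transformations(value, chain)
    return re.search(pattern, normalized) is not None, normalized

SQLI_PATTERN = r"union\s+select"
# Mis-specified chain: only ever sees a payload if the argument was base64.
BAD_CHAIN = ["base64Decode", "lowercase"]
# Chain that normalizes URL-encoded, mixed-case and padded-whitespace variants.
GOOD_CHAIN = ["urlDecodeUni", "lowercase", "compressWhitespace"]

# Constructed sample argument values (as a WAF would receive them).
PLAIN_ATTACK = "1 UNION SELECT"
ENCODED_ATTACK = "1%20UnIoN%20%20SeLeCt"
BENIGN = "blue widgets"

def demo() -> dict:
    """Evaluate both chains against the sample values."""
    results = {
        "bad_chain_plain": rule_matches(BAD_CHAIN, SQLI_PATTERN, PLAIN_ATTACK),
        "good_chain_plain": rule_matches(GOOD_CHAIN, SQLI_PATTERN, PLAIN_ATTACK),
        "good_chain_encoded": rule_matches(GOOD_CHAIN, SQLI_PATTERN, ENCODED_ATTACK),
        "good_chain_benign": rule_matches(GOOD_CHAIN, SQLI_PATTERN, BENIGN),
    }
    # The bad chain does work when the payload really is base64-encoded,
    # which is the only case it was ever going to cover.
    b64 = base64.b64encode(PLAIN_ATTACK.encode()).decode()
    results["bad_chain_b64"] = rule_matches(BAD_CHAIN, SQLI_PATTERN, b64)
    return results

if __name__ == "__main__":
    for name, (matched, seen) in demo().items():
        print(f"{name:20s} matched={matched!s:5s} operator saw: {seen!r}")
```

Running it shows the base64Decode chain turning `1 UNION SELECT` into an empty string before the regex runs (no match, a false negative), while the decode-and-normalize chain reduces both the plain and the URL-encoded mixed-case variant to `1 union select` and matches. This is the kind of check to run over a ruleset before trusting it: feed each rule the payload it claims to catch, in the encodings it will actually arrive in, and confirm the operator still sees it after the chain.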