Latest Rules Added to the Trustwave SpiderLabs Rules Feed:# of current ModSecurity rules: 19594 rule_list.new
# of current IPs in Blacklist: 2399 slr_vuln_rules/ip_blacklist.txt
# of current Malware payloads: 502 slr_vuln_rules/malware_payloads.txt
Commercial ModSecurity Rules from Trustwave SpiderLabsHere is a quick listing of security coverage (details in sections below):
- Virtual Patching
- IP Reputation
- Web-based Malware Detection
- Webshell/Backdoor Detection
- Botnet Attack Detection
- HTTP Denial of Service (DoS) Attack Detection
- Anti-Virus Scanning of File Attachments
Trustwave now provides a commercial certified rule set for ModSecurity 2.9 and above that protects against known attacks that target vulnerabilities in public software.
- More than 19,000 specific rules, broken out into the following attack categories:
- SQL injection
- Cross-site Scripting (XSS)
- Local File Include
- Remote File Include
- User option for application specific rules, covering the same vulnerability classes for applications such as:
- Microsoft SharePoint
- For a complete listing of application coverage, please refer to this link (which is updated daily).
IP ReputationBy inspecting the remote IP address of the client, we can identify known attacking systems in the following categories::
- Malicious Attack Sources Identified from Web Honeypots
- Botnet C&C Hosts
- TOR Exit Nodes
Web-based Malware DetectionBy inspecting both inbound and outbound HTTP data, we can identify web-based malware in the following categories:
- Drive-by-Download URLs Identified by Trustwave's Secure Web Gateway/Secure Browsing Plugin
- Malicious Redirect URLs
- Malicious JS Payloads
Webshell/Backdoor DetectionBy inspecting outbound HTTP data, we can identify if a client is accessing a webshell/backdoor resource on your website. SpiderLabs Research has access to thousands of captured webshells and have developed custom detection rules including detections for:
- C99 Shell
- R57 Shell
- PHP Shell
- JCE File Upload Shell
- Basic File Uploader
Botnet Attack DetectionDetection for common attacks originating from IRC Botnet Clients including:
- rfi () - RFI Attacks
- lfi () - Local File Incusion Attacks
- e107 () - e107 PHP Injection Attacks
- xml_cek_query() - XML-RPC PHP Injection Attack
- sql_brute() - SQL Injection Attack
- osco_xpl() - osCommerce File Upload Attacks
- osql_xpl() - Oscommerce File Disclosure And Admin ByPass
- e107xpl() - e107 Plugin my_gallery Exploit
- op() - Opencart Remote File Upload Vulnerability
- zen() - Zen Cart local file disclosure vulnerability
HTTP Denial of Service (DoS) AttacksDetection for top HTTP DoS Attack techniques and tools:
- HOIC Flooder
- HULK DoS Flooder
- IRC Botnet: HTTP Flood
- ApacheKiller - Range Header DoS
- DirtJumper v3
Anti-Virus Scanning of File AttachmentsRules and scripts are included that allow ModSecurity to use local AV software (such as ClamAV) to scan file attachments. This helps to prevent malicious files from being uploaded into your web application and from spreading maclicious files to end users.:
FAQ for ModSecurity Rules from Trustwave SpiderLabs
What is the difference between the ModSecurity Rules from Trustwave SpiderLabs versus the open source OWASP ModSecurity Core Rules Set (CRS)?
The OWASP ModSecurity CRS security model is based on the concept of "generic attack detection" which means that it analyzes all HTTP transactional data looking for malicious payloads. While this technique does provide a base level of protection, there are still accuracy issues since the CRS does not correlate specific attack vector locations (such as URL and parameters) from publicly disclosed vulnerabilities. The ModSecurity Rules from Trustwave SpiderLabs focuses on specific attack vector locations, creating custom virtual patches for public vulnerabilities.
What is the advantage of the ModSecurity Rules from Trustwave SpiderLabs vs. the OWASP CRS?
The main advantage of using rules from Trustwave SpiderLabs is accuracy. These rules lead to lower false positives as they only inspect certain types of data, providing the user with an increased confidence in blocking traffic.
Can the Trustwave SpiderLabs Rules be used together with the OWASP CRS?
Yes. The Trustwave SpiderLabs Rules may be used on their own or they may be integrated with the OWASP CRS. The rules work collaboratively with the OWASP CRS by allowing it to generically identify malicious payloads. The Trustwave SpiderLabs Rules then verify the attack vector locations. Please see the following blog post which describes the rules in more detail - http://blog.spiderlabs.com/2011/10/modsecurity-advanced-topic-of-the-week-commercial-rules-overview.html
What data is used to create the rules feed?
Trustwave SpiderLabs correlates data from numerous sources to generate the commercial rules, including:
- Public vulnerability data such as the Exploit-DB and SecurityFocus/Bugtraq
- Honeypot systems such as the WASC Distributed Web Honeypot Project
- Trustwave Customer Data Analysis
How often are the ModSecurity Rules from Trustwave SpiderLabs updated?
The rules are automatically updated daily and may be updated as needed as new threats are identified by Trustwave SpiderLabs.
Do the ModSecurity Rules from Trustwave SpiderLabs only contain virtual patches for known public vulnerabilities?
No, they also include rules for new attack methods. Recent examples of the types of rules that are included in the Trustwave SpiderLabs rules feed are:
- [Honeypot Alert] Probes for Apache Struts 2.X OGNL Vulnerability
- [Honeypot Alert] More PHP-CGI Scanning (apache-magika.c)
- [Honeypot Alert] Active Exploits Attempts for Plesk Vulnerability
How can I purchase the ModSecurity Rules from Trustwave SpiderLabs?
Purchase a subscription for the ModSecurity Rules from Trustwave SpiderLabs by using our shopping cart:https://ssl.trustwave.com/web-application-firewall
How do I use the rules feed from Trustwave?
Once you purchase the ModSecurity Rules feed, you will receive the following information:
- Unique license key(s). Use this key to identify yourself.
- Download instructions. Details on using SecRemoteRules with your license key to pull the rules from the commercial rules repository.
- Dashboard access. Choose which rules you want to support for a given license and see information about your configuration.
How do you handle accuracy and update frequency of the IP Reputation data?
We update the IP Reputation blacklist file daily based on attack data gathered from our web honeypot systems. The blacklist includes IP addresses that have demonstrated confirmed attacks against our honeypots within the last 48 hours.
How does the Malware Detection work?
SpiderLabs Research Team gathers malicious payloads from various web sources and consolidates them into a blacklist. Our ModSecurity rules then use a fast pattern matching algorithm to inspect outbound html for signs of this malicious code. ModSecurity can then alert/block/clean the malicious code to prevent infecting your web site clients.
How do I determine the number of Rule Licenses I need?
Rule licenses are determined based on the number of ModSecurity instances in use. If you have 10 difference web servers each with ModSecurity, you would need to purchase 10 licenses.
Are Enterprise Licenses available?
Yes, enterprises with more than 100 ModSecurity installations (such as Hosting Providers) qualify for an enterprise license. Contact firstname.lastname@example.org
How is Trustwave WebDefend different from ModSecurity?
Trustwave WebDefend is a commercial Web application firewall (WAF) appliance, and is targeted at organizations looking for quick install, out-of-the-box reporting, a GUI interface and full commercial support. Trustwave WebDefend also provides auditing capabilities for an organization's compliance needs. WebDefend can be purchased as a stand-alone product, or as a component of Trustwave's 360 Application Security program, which combines Secure Code Training, Application Penetration Testing, Code Review and Trustwave WebDefend with virtual patching into an application security program.