ModSecurity Trustwave

Commercial Rules

ModSecurity Rules from Trustwave SpiderLabs

Trustwave now provides a commercial certified rule set for ModSecurity 2.x that protects against known attacks that target vulnerabilities in public software.

  1. More than 18,000 specific rules, broken out into the following attack categories:
    • SQL injection
    • Cross-site Scripting (XSS)
    • Local File Include
    • Remote File Include
  2. User option for application specific rules, covering the same vulnerability classes for applications such as:
  3. Complements and integrates with the OWASP Core Rule Set
  4. IP Reputation capabilities which provide protection against malicious clients identified by the Trustwave SpiderLabs Distributed Web Honeypots
  5. Malware Detection capabilities which prevent your web site from distributing malicious code to clients.

The ModSecurity Rules from Trustwave SpiderLabs are based on intelligence gathered from real-world investigations, penetration tests and research.

FAQ for ModSecurity Rules from Trustwave SpiderLabs

What are ModSecurity Rules from Trustwave SpiderLabs?

The ModSecurity Web application firewall engine provides powerful protection against threats to data via applications. To be effective, ModSecurity must be configured with rules that help it recognize threats and defend against them. Trustwave SpiderLabs provides a commercial, certified rule set for ModSecurity 2.x that protects against known attacks that target vulnerabilities in public software.

What types of vulnerabilities do the Rules cover and protect against?

  • Vulnerability Category Rules - the rules are broken out into the following top attack categories: SQL Injection, Cross-site Scripting, Local File Include and Remote File Include
  • Application Specific Rules - there is an option to use application specific rules, which cover the same vulnerability classes, for apps such as WordPress, osCommerce, Joomla, etc.

What is the difference between the ModSecurity Rules from Trustwave SpiderLabs versus the open source OWASP ModSecurity Core Rules Set (CRS)?

The OWASP ModSecurity CRS security model is based on the concept of "generic attack detection", which means that it analyzes all HTTP transactional data looking for malicious payloads. While this technique does provide a base level of protection, there are still accuracy issues, since the CRS does not correlate specific attack vector locations (such as URL and parameters) from publicly disclosed vulnerabilities. The ModSecurity Rules from Trustwave SpiderLabs focus on specific attack vector locations, creating custom virtual patches for public vulnerabilities.

What is the advantage of the ModSecurity Rules from Trustwave SpiderLabs vs. the OWASP CRS?

The main advantage of using rules from Trustwave SpiderLabs is accuracy. These rules lead to lower false positives as they only inspect certain types of data, providing the user with an increased confidence in blocking traffic.

Can the Trustwave SpiderLabs Rules be used together with the OWASP CRS?

Yes. The Trustwave SpiderLabs Rules may be used on their own or they may be integrated with the OWASP CRS. The rules work collaboratively with the OWASP CRS by allowing it to generically identify malicious payloads; the Trustwave SpiderLabs Rules then verify the attack vector locations. Please see the following blog post, which describes the rules in more detail: http://blog.spiderlabs.com/2011/10/modsecurity-advanced-topic-of-the-week-commercial-rules-overview.html
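To make the contrast between generic detection, a location-specific virtual patch, and the two used together concrete, here is an added example in ModSecurity 2.x rule syntax. It is not Trustwave's or the CRS's own rules; the application path /app/search.php, its "id" parameter, the advisory tag, the rule ids and ModSecurity 2.7.4 or newer (for @detectSQLi) are assumptions.

```apache
# Added example (not the commercial feed or the CRS): three detection models.
# Assumes ModSecurity 2.7.4+, a hypothetical app at /app/search.php whose "id"
# parameter must be numeric, and rule ids from the locally reserved 1000000 range.

# 1. Generic attack detection (the OWASP CRS model): every argument of every
#    request is inspected for SQLi-looking payloads. Broad coverage, but any
#    legitimate input that resembles SQL raises the score.
SecRule ARGS "@detectSQLi" \
    "id:1000001,phase:2,pass,log,msg:'Generic SQLi payload detected',\
    setvar:'tx.anomaly_score=+5'"

# 2. Virtual patch (the SpiderLabs model): only the known vulnerable location
#    is inspected, and the parameter is checked against what the application
#    actually expects, so unrelated input elsewhere cannot cause a false positive.
#    The chain only blocks when both the location and the parameter match.
SecRule REQUEST_FILENAME "@endsWith /app/search.php" \
    "id:1000010,phase:2,deny,status:403,log,\
    msg:'Virtual patch: non-numeric id passed to search.php',\
    tag:'ADVISORY-ID-PLACEHOLDER',chain"
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "t:none"

# 3. Integration mode: let the generic rules score the payload, then block only
#    when the scored payload also lands on the known vulnerable location.
#    A scored payload anywhere else is logged by rule 1000001 but not blocked.
SecRule TX:ANOMALY_SCORE "@ge 5" \
    "id:1000020,phase:2,deny,status:403,log,\
    msg:'CRS-scored payload confirmed at known vulnerable location',chain"
    SecRule REQUEST_FILENAME "@endsWith /app/search.php" "chain"
        SecRule ARGS:id "@detectSQLi" "t:none"
```

Rules in the same phase run in configuration order, so rule 1000001 must precede 1000020 for the score to be set when the integration rule evaluates it.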

What data is used to create the rules feed?

Trustwave SpiderLabs correlates data from numerous sources to generate the commercial rules, including:

How often are the ModSecurity Rules from Trustwave SpiderLabs updated?

The rules are automatically updated daily and may be updated as needed as new threats are identified by Trustwave SpiderLabs.

Do the ModSecurity Rules from Trustwave SpiderLabs only contain virtual patches for known public vulnerabilities?

No, they also include rules for new attack methods. Recent examples of the types of rules that are included in the Trustwave SpiderLabs rules feed are:

How can I purchase the ModSecurity Rules from Trustwave SpiderLabs?

Purchase a subscription for the ModSecurity Rules from Trustwave SpiderLabs by using our shopping cart: https://ssl.trustwave.com/web-application-firewall

How do I use the rules feed from Trustwave?

Once you purchase the ModSecurity Rules feed, you will receive the following information:

  • Unique license hash token(s). Use this token when accessing the commercial rules repository URL.
  • Download instructions. Details on how to use curl/wget with your license key to pull the rules archive from the commercial rules repository.
  • Configuration information. Choose whether you want to run the rules "standalone" or integrated with the OWASP CRS. Also choose whether you want to run all attack type rules or application-specific rule packs.

How do you handle accuracy and update frequency of the IP Reputation data?

We update the IP Reputation blacklist file daily based on attack data gathered from our web honeypot systems. The blacklist includes IP addresses that have demonstrated confirmed attacks against our honeypots within the last 48 hours.

How does the Malware Detection work?

The SpiderLabs Research Team gathers malicious payloads from various web sources and consolidates them into a blacklist. Our ModSecurity rules then use a fast pattern matching algorithm to inspect outbound HTML for signs of this malicious code. ModSecurity can then alert on, block or clean the malicious code to prevent it from infecting your web site's clients.
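The following added example shows how the two blacklists described in the last two answers are consumed by ModSecurity 2.x; it is not the commercial feed's own rule set. The file names are the ones listed at the bottom of this page, the paths are assumed to be relative to the ModSecurity configuration file, and the rule ids and size limits are assumptions.

```apache
# Added example (not the commercial feed's rules): consuming the IP Reputation
# and Malware Detection blacklists. Assumes ModSecurity 2.7+ and that the two
# files sit in internal_rules/ next to this configuration file.

# IP Reputation: reject clients listed in the daily honeypot-derived blacklist.
# @ipMatchFromFile reads one IP address or CIDR range per line, so the file can
# be swapped for the next daily download without editing the rule itself.
SecRule REMOTE_ADDR "@ipMatchFromFile internal_rules/ip_blacklist.txt" \
    "id:1000030,phase:1,deny,status:403,log,\
    msg:'Client IP listed in SpiderLabs honeypot blacklist'"

# Malware Detection: inspect *outbound* HTML for known malicious payloads.
# Response body inspection is off by default; enable it only for content types
# that can carry injected script, and cap the size that is buffered.
SecResponseBodyAccess On
SecResponseBodyMimeType text/html text/plain
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# @pmFromFile loads every line of the payload blacklist into one Aho-Corasick
# automaton (the "fast pattern matching" referred to above), so all payload
# fragments are checked in a single pass over the response body.
# Phase 4 runs after the application has produced the response; "deny" here
# replaces the infected page with a 403 instead of serving it to the client.
SecRule RESPONSE_BODY "@pmFromFile internal_rules/malware_payloads.txt" \
    "id:1000031,phase:4,deny,status:403,log,capture,\
    msg:'Known malware payload found in outbound HTML',\
    logdata:'Matched payload fragment: %{TX.0}'"
```

Because the blacklist files are read when the rules load, a reload of the web server (or the rules) is needed after each daily update for the new entries to take effect.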

How do I determine the number of Rule Licenses I need?

Rule licenses are determined based on the number of ModSecurity instances in use. If you have 10 different web servers each with ModSecurity, you would need to purchase 10 licenses.

Are Enterprise Licenses available?

Yes, enterprises with more than 100 ModSecurity installations (such as Hosting Providers) qualify for an enterprise license. Contact Sales for more information.

How is Trustwave WebDefend different from ModSecurity?

Trustwave WebDefend is a commercial Web application firewall (WAF) appliance, and is targeted at organizations looking for quick install, out-of-the-box reporting, a GUI interface and full commercial support. Trustwave WebDefend also provides auditing capabilities for an organization's compliance needs. WebDefend can be purchased as a stand-alone product, or as a component of Trustwave's 360 Application Security program, which combines Secure Code Training, Application Penetration Testing, Code Review and Trustwave WebDefend with virtual patching into an application security program.

Latest Rules Added to the Trustwave SpiderLabs Rules Feed:

Number of current ModSecurity rules: 18792 (rule_list.new)

Number of current IPs in Blacklist: 239 (internal_rules/ip_blacklist.txt)

Number of current Malware payloads: 131 (internal_rules/malware_payloads.txt)