ModSecurity Trustwave

Commercial ModSecurity Rules from Trustwave SpiderLabs

The ModSecurity Rules from Trustwave SpiderLabs are based on intelligence gathered from real-world investigations, penetration tests and research. The rules package is updated daily by the SpiderLabs Research Team to ensure that customers receive critical updates in a timely manner. Here is a quick listing of security coverage (details in sections below):
    • Virtual Patching
    • IP Reputation
    • Web-based Malware Detection
    • Webshell/Backdoor Detection
    • Botnet Attack Detection
    • HTTP Denial of Service (DoS) Attack Detection
    • Anti-Virus Scanning of File Attachments

Virtual Patching

Trustwave now provides a commercial certified rule set for ModSecurity 2.x that protects against known attacks that target vulnerabilities in public software.

  1. More than 19,000 specific rules, broken out into the following attack categories:
    • SQL injection
    • Cross-site Scripting (XSS)
    • Local File Include
    • Remote File Include
  2. User option for application specific rules, covering the same vulnerability classes for applications such as:
    • Microsoft SharePoint
    • WordPress
    • cPanel
    • osCommerce
    • Joomla
    • cPanel
    • Drupal
    • vBulletin
    • For a complete listing of application coverage, please refer to this link (which is updated daily).

IP Reputation

By inspecting the remote IP address of the client, we can identify known attacking systems in the following categories::
    • Malicious Attack Sources Identified from Web Honeypots
    • Botnet C&C Hosts
    • TOR Exit Nodes

Web-based Malware Detection

By inspecting both inbound and outbound HTTP data, we can identify web-based malware in the following categories:
    • Drive-by-Download URLs Identified by Trustwave's Secure Web Gateway/Secure Browsing Plugin
    • Malicious Redirect URLs
    • Malicious JS Payloads

Webshell/Backdoor Detection

By inspecting outbound HTTP data, we can identify if a client is accessing a webshell/backdoor resource on your website. SpiderLabs Research has access to thousands of captured webshells and have developed custom detection rules including detections for:
    • C99 Shell
    • R57 Shell
    • WSO
    • PHP Shell
    • stunshell
    • JCE File Upload Shell
    • Basic File Uploader

Botnet Attack Detection

Detection for common attacks originating from IRC Botnet Clients including:
    • rfi () - RFI Attacks
    • lfi () - Local File Incusion Attacks
    • e107 () - e107 PHP Injection Attacks
    • xml_cek_query() - XML-RPC PHP Injection Attack
    • sql_brute() - SQL Injection Attack
    • osco_xpl() - osCommerce File Upload Attacks
    • osql_xpl() - Oscommerce File Disclosure And Admin ByPass
    • e107xpl() - e107 Plugin my_gallery Exploit
    • op() - Opencart Remote File Upload Vulnerability
    • zen() - Zen Cart local file disclosure vulnerability

HTTP Denial of Service (DoS) Attacks

Detection for top HTTP DoS Attack techniques and tools:
    • HOIC Flooder
    • LOIC Javascript Flooder
    • HULK DoS Flooder
    • IRC Botnet: HTTP Flood
    • ApacheKiller - Range Header DoS
    • DirtJumper v3
    • Pandora

Anti-Virus Scanning of File Attachments

Rules and scripts are included that allow ModSecurity to use local AV software (such as ClamAV) to scan file attachments. This helps to prevent malicious files from being uploaded into your web application and from spreading maclicious files to end users.:

FAQ for ModSecurity Rules from Trustwave SpiderLabs

What is the difference between the ModSecurity Rules from Trustwave SpiderLabs versus the open source OWASP ModSecurity Core Rules Set (CRS)?

The OWASP ModSecurity CRS security model is based on the concept of "generic attack detection" which means that it analyzes all HTTP transactional data looking for malicious payloads. While this technique does provide a base level of protection, there are still accuracy issues since the CRS does not correlate specific attack vector locations (such as URL and parameters) from publicly disclosed vulnerabilities. The ModSecurity Rules from Trustwave SpiderLabs focuses on specific attack vector locations, creating custom virtual patches for public vulnerabilities.

What is the advantage of the ModSecurity Rules from Trustwave SpiderLabs vs. the OWASP CRS?

The main advantage of using rules from Trustwave SpiderLabs is accuracy. These rules lead to lower false positives as they only inspect certain types of data, providing the user with an increased confidence in blocking traffic.

Can the Trustwave SpiderLabs Rules be used together with the OWASP CRS?

Yes. The Trustwave SpiderLabs Rules may be used on their own or they may be integrated with the OWASP CRS. The rules work collaboratively with the OWASP CRS by allowing it to generically identify malicious payloads. The Trustwave SpiderLabs Rules then verify the attack vector locations.  Please see the following blog post which describes the rules in more detail - http://blog.spiderlabs.com/2011/10/modsecurity-advanced-topic-of-the-week-commercial-rules-overview.html

What data is used to create the rules feed?

Trustwave SpiderLabs correlates data from numerous sources to generate the commercial rules, including:

How often are the ModSecurity Rules from Trustwave SpiderLabs updated?

The rules are automatically updated daily and may be updated as needed as new threats are identified by Trustwave SpiderLabs.

Do the ModSecurity Rules from Trustwave SpiderLabs only contain virtual patches for known public vulnerabilities?

No, they also include rules for new attack methods. Recent examples of the types of rules that are included in the Trustwave SpiderLabs rules feed are:

How can I purchase the ModSecurity Rules from Trustwave SpiderLabs?

Purchase a subscription for the ModSecurity Rules from Trustwave SpiderLabs by using our shopping cart:https://ssl.trustwave.com/web-application-firewall

How do I use the rules feed from Trustwave?

Once you purchase the ModSecurity Rules feed, you will receive the following information:

  • Unique license hash token(s). Use this token when accessing the commercial rules repository URL.
  • Download instructions. Details on how to use curl/wget to use your license key to pull the rules archive from the commercial rules repository.
  • Configuration Information - Choose how whether you want to run the rules "standalone" or integration with the OWASP CRS. Also choose whether you want to run all attack type rules or application-specific rule packs

How do you handle accuracy and update frequency of the IP Reputation data?

We update the IP Reputation blacklist file daily based on attack data gathered from our web honeypot systems.  The blacklist includes IP addresses that have demonstrated confirmed attacks against our honeypots within the last 48 hours.

How does the Malware Detection work?

SpiderLabs Research Team gathers malicious payloads from various web sources and consolidates them into a blacklist.  Our ModSecurity rules then use a fast pattern matching algorithm to inspect outbound html for signs of this malicious code.  ModSecurity can then alert/block/clean the malicious code to prevent infecting your web site clients. 

How do I determine the number of Rule Licenses I need?

Rule licenses are determined based on the number of ModSecurity instances in use. If you have 10 difference web servers each with ModSecurity, you would need to purchase 10 licenses.

Are Enterprise Licenses available?

Yes, enterprises with more than 25 ModSecurity installations (such as Hosting Providers) qualify for an enterprise license. Contact infosales@trustwave.com

How is Trustwave WebDefend different from ModSecurity?

Trustwave WebDefend is a commercial Web application firewall (WAF) appliance, and is targeted at organizations looking for quick install, out-of-the-box reporting, a GUI interface and full commercial support. Trustwave WebDefend also provides auditing capabilities for an organization's compliance needs. WebDefend can be purchased as a stand-alone product, or as a component of Trustwave's 360 Application Security program, which combines Secure Code Training, Application Penetration Testing, Code Review and Trustwave WebDefend with virtual patching into an application security program.

ModSecurity Rules and Support Services

Latest Rules Added to the Trustwave SpiderLabs Rules Feed:

(2132861) ModSecurity Rules from Trustwave SpiderLabs: WordPress Theme LineNity 1.20 wp-content/themes/linenity/functions/download.php imgurl Parameter Local File Inclusion

(2132930) ModSecurity Rules from Trustwave SpiderLabs: CMSimple 4.4

# of current ModSecurity rules: 19543 rule_list.new

# of current IPs in Blacklist: 1617 slr_vuln_rules/ip_blacklist.txt

# of current Malware payloads: 110 slr_vuln_rules/malware_payloads.txt