ModSecurity Breach

Converted Snort rules

I wrote a Perl script to convert Snort rules to mod_security rules in bulk. You can download the script and apply it to a freshly downloaded set of Snort rules (here is the link), or you can download the end result (based on the rules I downloaded at the beginning of October).

Snort classifies web rules into web attacks and web activities. Web attack rules are converted to reject incoming requests, while web activity rules only log the activity to the error log. Be warned that some rules won't make sense after being converted; Snort and mod_security are, after all, different tools. I suggest that you scan through the rules and delete the ones that do not make sense or do not apply to your circumstances.
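The mapping described above, as an added Python sketch (not the Perl script offered on this page): `web-application-attack` rules become deny rules, `web-application-activity` rules become log-only rules, and multiple content matches are joined with `chain`. The sample Snort rules and their sids are constructed, the choice of `REQUEST_URI` and `THE_REQUEST` as match targets is an assumption, and rules with binary `|..|` content are skipped as ones that need manual review.

```python
import re

# Constructed sample rules in Snort syntax (sids are local-range placeholders).
HDR = 'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
SAMPLE_RULES = [
    HDR + '(msg:"demo cmd.exe access"; uricontent:"/scripts/"; content:"cmd.exe"; '
          'nocase; classtype:web-application-attack; sid:1000001;)',
    HDR + '(msg:"demo robots.txt access"; uricontent:"/robots.txt"; '
          'classtype:web-application-activity; sid:1000002;)',
    HDR + '(msg:"demo binary payload"; content:"|90 90 90|"; '
          'classtype:web-application-attack; sid:1000003;)',
]

# Snort classtype -> mod_security 1.x action list.
ACTIONS = {
    "web-application-attack": "deny,log,status:403",  # reject the request
    "web-application-activity": "log,pass",           # log only, let it through
}
# Assumed mapping of Snort match options to mod_security variables.
VARIABLES = {"uricontent": "REQUEST_URI", "content": "THE_REQUEST"}

def escape(text):
    """Escape regex metacharacters so a literal Snort string stays literal."""
    return re.sub(r'([.^$*+?()\[\]{}|\\"])', r'\\\1', text)

def convert(rule):
    """Return mod_security directives for one Snort rule, or None if skipped."""
    body = re.search(r'\((.*)\)\s*$', rule)
    if not body:
        return None
    # key:value options only; bare modifiers such as nocase are ignored here.
    opts = re.findall(r'(\w+)\s*:\s*"?((?:[^";\\]|\\.)*)"?\s*;', body.group(1))
    classtype = dict(opts).get("classtype")
    patterns = [(VARIABLES[k], v) for k, v in opts if k in VARIABLES]
    # Skip: unknown class, nothing to match on, or binary |hex| content.
    if classtype not in ACTIONS or not patterns or any("|" in v for _, v in patterns):
        return None
    lines = []
    for i, (var, pat) in enumerate(patterns):
        last = i == len(patterns) - 1
        action = ACTIONS[classtype] if last else "chain"
        lines.append(f'SecFilterSelective {var} "{escape(pat)}" "{action}"')
    return "\n".join(lines)

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(convert(r) or "# skipped: needs manual review")
```
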

PS. You will need mod_security 1.7RC1 or better to run these rules, because some of them make use of the chain feature.

Note: The conversion script and the converted rules are now available in the distribution.