ModSecurity is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity must be configured with rules. In order to enable users to take full advantage of ModSecurity out of the box, Breach Security Inc. is providing a free certified rule set for ModSecurity 2.0. Unlike intrusion detection and prevention systems, which rely on signature specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity. The latest Core Rules can be found at the ModSecurity website - http://www.modsecurity.org/projects/rules/.
If you expect a single pack of Apache configuration files, you are right, and wrong. A ModSecurity rule set includes information about different areas:
The logic required to detect attacks.
A policy setting the actions to perform if an attack is detected.
Information regarding attacks.
In order to allow separate management of the different parts, the Core Rules are based on templates that are generated into a run-time rule set by inserting policy, patterns and event information. The Core Rules package includes these templates, the generation script (written in Perl) and data files required to generate a useful rule set. It also includes a bunch of pre-generated rule sets for different policies. The generation script also allows two optimizations:
Optimal use of regular expressions. Since regular expressions are much more efficient if assembled into a single expression and optimized, the generation script takes the list of patterns that are required for a rule and optimize them into a most efficient regular expression.
Removal of rules that are not utilized by a specific policy.
In order to provide generic web applications protection, the Core Rules use the following techniques:
HTTP protection - detecting violations of the HTTP protocol and a locally defined usage policy.
Common Web Attacks Protection - detecting common web application security attack.
Automation detection - Detecting bots, crawlers, scanners and other surface malicious activity.
Trojan Protection - Detecting access to Trojans horses.
Error Hiding - Disguising error messages sent by the server.