ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Breach Security, Inc. is providing a free certified rule set for ModSecurity™ 2.x. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules provide generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity™. The latest Core Rules can be found at the ModSecurity™ website - http://www.modsecurity.org/projects/rules/.
In order to provide generic web applications protection, the Core Rules use the following techniques:
HTTP protection - detecting violations of the HTTP protocol and a locally defined usage policy.
Common Web Attacks Protection - detecting common web application security attack.
Automation detection - Detecting bots, crawlers, scanners and other surface malicious activity.
Trojan Protection - Detecting access to Trojans horses.
Error Hiding - Disguising error messages sent by the server.