05 January 2011

A new version of the Core Rule Set (CRS) for ModSecurity was release a couple of days back. I wanted to blog about it, as I find the changes to the previous version 2.0.9 are quite amazing, but I did not find the time to do that. So here is my list what I really find amazing:

  • Checks whether cookies are marked as http only or as secure when they came down the wire via https and throws a warning.
  • Helps mitigiting against the slow HTTP POST attack.
  • Helps mitigitating¬† against DoS attacks - I wonder how that works, as it is still handled at the application layer, at least at protocol level.
  • Flags up requests where a CSRF tag is expected - I did not look into this at all what this is exactly, I only see occasionally some errors popping up - when a dodgy client is accessing the site.

I think the folks at modsecurity/Trustwave have done a good job again. My feeling is that ModSecurity makes really good progress as an application firewall (even though I dont like that term, "protocol enforcer" would be better suitable).

Btw, with version 2 ModSecurity also supports now not only ingress filtering, it also has some egress filters in place, for example blocking "Directory Listings" pages to name the most famous one.

It is worth to have a look at their blog at here, which discusses certain hardcore topics from time to time, at the time of writing they have an article about "Credit Card Tracking" online, so another egress filter.

blog comments powered by Disqus