
ModSecurity Blog: July 2006

Forrester Research Q2 2006 Web Application Firewall Evaluation

Back in March 2006 I was approached by Forrester Research and invited to participate in their Q2 web application firewall evaluation, along with six other WAF vendors. I was delighted with their invitation and gladly accepted. It is not often that an open source product is invited to play with the commercial guys. It turned out the participation required a lot of work on my part. I had to systematically cover and describe the entire feature set of ModSecurity, and that's not something I do often (at least not with that level of detail). It was, however, a very productive exercise because I had to take a step back and look at the bigger picture.

The results were published a couple of weeks ago and I think we did rather well. We were praised for our positive aspects (e.g. everything is configurable) and criticised for our weaknesses (e.g. lack of a management GUI). Unfortunately the entire report is not available online - you would have to buy the report if you want to read it. Revealing excerpts are available for the main report and for ModSecurity.

Two quotes from the ModSecurity scorecard summary are of particular interest:

"...ModSecurity is by far the most extensively deployed Web application firewall, with more than 10,000 customers."


"ModSecurity's stringent implementation standards — build nothing unless you approach the highest level of security — will push the entire Web application firewall market toward higher-quality products."

[Source: "Forrester Wave™: Web Application Firewalls, Q2 June 2006", Forrester Research, Inc., June 2006.]

P.S. Forrester are also making available a PowerPoint presentation that gives a quick overview of the reviewed products.

(August 7 Update) Michael Gavin, the lead researcher behind the Forrester WAF evaluation, wrote to me to say that their comments referred to the 1.9.x branch of ModSecurity, and that he expects ModSecurity 2.x to address most, if not all, of the issues they identified.

Yahoo Small Business offers "ModSecurity-like" functionality

I just came across this and can't help but make a note about it: A web hosting package offered by Yahoo Small Business is promoted with the following sentence:

ModSecurity-like functionality to help reduce referrer and comment spam

I feel so flattered. But why not get the real thing? :)

ModSecurity 2: Variables, Collections and Transaction Scoring

Variables and collections are concepts new to ModSecurity 2. ModSecurity 1.x does allow you to use the "setvar" and "setnote" actions to create, change, or remove the request environment variables and request notes (request notes are an Apache facility that can be used to communicate with other modules). In v2 the concept was further extended with the introduction of transaction variables.

Variables are grouped into a collection, which is essentially a separate name space you can work with. Transaction variables are part of the transaction collection, which is a built-in collection called "TX". This collection is created automatically in the request initialisation phase and thus always available to your rules. It is also automatically deleted at the end of each request. ModSecurity 2 also supports persistent collections (variables placed in them will be available to you across requests) but in order to use them you have to manage them manually. This is something I will cover in a separate blog post shortly.

Collection variables are manipulated with the "setvar" action. To create a new variable, simply assign a value to it. To delete it, prefix the name with an exclamation mark. You must prefix each variable name with the name of the collection it belongs to.


There are two variable types: strings and counters. Strings are just text; you can create them, access them, or delete them. Counters are positive integers. In addition to the operations supported by the string variable type, counters can be incremented or decremented.


Transaction variables allow you to employ a fundamentally different approach in your rule sets. In ModSecurity 1.9.x you could either interrupt a transaction or issue a warning. In ModSecurity 2 you can use scoring-based rule sets. The idea is to assign a score to every transaction and set it to zero initially. Then you write a series of rules to inspect transactions. But you don't want the rules to interrupt transactions straight away. Instead, you want them to just increment the transaction score. At the end of your rule set you can evaluate the transaction score and decide what to do with the transaction. Here is a complete example:

# A series of rules to evaluate transaction
SecRule ARGS KEYWORD1 pass,setvar:tx.score=+5
SecRule ARGS KEYWORD2 pass,setvar:tx.score=+5
SecRule ARGS KEYWORD3 pass,setvar:tx.score=+5
SecRule ARGS KEYWORD4 pass,setvar:tx.score=+5
# Decide what to do with transaction
SecRule TX:SCORE "@gt 15" deny
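
The setvar operations and the scoring flow described above, modelled in Python as an added example (not ModSecurity's own code and not part of the original post). The names `setvar`, `evaluate`, `RULES` and the sample requests are constructed for illustration, and treating an unset counter as 0 on increment is an assumption of the model.

```python
import re

# The page's four scoring rules, reduced to (keyword regex, setvar expression).
RULES = [
    ("KEYWORD1", "tx.score=+5"),
    ("KEYWORD2", "tx.score=+5"),
    ("KEYWORD3", "tx.score=+5"),
    ("KEYWORD4", "tx.score=+5"),
]
THRESHOLD = 15  # from the final rule: SecRule TX:SCORE "@gt 15" deny


def _name(qualified):
    """Split 'tx.score' into collection and name; only TX is modelled here."""
    collection, _, name = qualified.partition(".")
    if collection.lower() != "tx" or not name:
        raise ValueError("expected tx.<name>, got %r" % qualified)
    return name.lower()


def setvar(tx, expr):
    """Apply one setvar expression to the TX collection (a dict)."""
    if expr.startswith("!"):                  # '!tx.name' deletes the variable
        tx.pop(_name(expr[1:]), None)
        return
    target, _, value = expr.partition("=")
    name = _name(target)
    if re.fullmatch(r"[+-]\d+", value):       # '=+n' / '=-n' adjusts a counter
        # Assumption of this model: an unset counter starts from 0.
        tx[name] = int(tx.get(name, 0)) + int(value)
    else:                                     # plain assignment creates or overwrites
        tx[name] = value


def evaluate(args):
    """Score one request's arguments, then decide once at the end."""
    tx = {}                                   # TX exists for a single request only
    setvar(tx, "tx.score=0")
    for pattern, action in RULES:
        if any(re.search(pattern, v) for v in args.values()):
            setvar(tx, action)                # 'pass': record the hit, keep going
    score = int(tx["score"])
    return score, ("deny" if score > THRESHOLD else "pass")


# Constructed sample requests (argument name -> value).
if __name__ == "__main__":
    print(evaluate({"q": "KEYWORD1 KEYWORD2 KEYWORD3"}))
    print(evaluate({"q": "KEYWORD1 KEYWORD2", "r": "KEYWORD3 KEYWORD4"}))
```

With the thresholds from the page's rules, three matches leave the score at 15, which "@gt 15" does not exceed, so only a request matching all four keywords is denied.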

ModSecurity Console Now Available

I love the command line, I do. But there are some tasks where this type of user interface is simply not enough. Monitoring ModSecurity is one of them. Sifting through gigabytes of log files looking for clues and trying to correlate events is not an experience I can recommend to anyone. Therefore it gives me great pleasure to announce the immediate availability of ModSecurity Console (v1.0.0-rc-2) for both testing and deployment. It's a daemon application that collects audit log entries from remote ModSecurity sensors. It also comes with an embedded web server and a database engine to power the web-based user interface. It has a number of features you'd expect from a product of this type - I am not going to rave about them here even though I am pretty excited about the whole thing.

I am excited because the imminent stable release of ModSecurity Console is a milestone for me and for Thinking Stone. I had designed the console several years ago but it wasn't until this year, when Thinking Stone took off, that we started the development. It's almost a surreal feeling to see this thing, which I've kept in my head for so long, actually working in real life.

As for Thinking Stone, the excitement comes from the fact that we are now going to see whether the business model I have adopted (continue to provide ModSecurity for free, charge a reasonable sum for the add-on product) is going to work. I know we have a very large user base. The challenge now is converting enough of them from users to customers.

P.S. You can download ModSecurity Console from Thinking Stone Network straight away.

