Question

We've been looking for some additional rules for ModSecurity (mod_security) - there are 2 commercial options, either GotRoot, or the new ones from TrustWave

http://www.gotroot.com/mod_security+rules

https://www.trustwave.com/modsecurity-rules-support.php

I've heard of TrustWave but not GotRoot. However the GotRoot rules seem to have more mentions on Google, etc - it seems TrustWave's rules only appeared about a month or so ago

We'd be using them to protect an eCommerce site


Solution

I am the ModSecurity Project Lead on the Trustwave SpiderLabs Research Team. When comparing two rulesets and asking which is "better" that will depend on your application setup and desired security needs. You mentioned that this is an eCommerce site. Is it using public software such as osCommerce?

The commercial ModSecurity rules from Trustwave have a number of general advantages:

  1. The rules are created by the Trustwave SpiderLabs Research Team that develops the ModSecurity code which results in lower errors of rule accuracy (see data below about GotRoot issues)

  2. The SpiderLabs Research Team conducts extensive testing and research against our rules to make them better. See our recent SQL Injection Challenge - http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

  3. The rules can be used either on their own or integrated with the OWASP ModSecurity Core Rule Set (which is also managed by the same Trustwave SpiderLabs Research Team). This allows for flexibility of deployment and also increases the accuracy as there is collaborative detection for attack payloads. The end result is that there is a lower chance of false negative (missing attacks).

  4. Trustwave rules can be applied either using an attack-type or application-type methodology. For example, if you are running an osCommerce site, we have a packaged ruleset with virtual patches only for that particular application. The benefit of this approach is that you are only activating rules that are applicable to your environment instead of running hundreds or thousands of unneeded rules. An additional benefit of this approach is that it will reduce processing time/latency of requests.

  5. The Trustwave virtual patches also include meta-data with http links to 3rd party vulnerability data such as OSVDB.

As for the GotRoot rules themselves, there are a number of accuracy issues that I have found after reviewing their public delayed rules which may result in false negative issues. The main problem lies in the improper usage of transformation functions. Transformation functions (example t:base64Decode) are used to normalize data before applying an operator. There are many GotRoot rules that apply improper transformation functions that alter data in a way that the operator will never match even when malicious data is present. This indicates that these have not been tested for accuracy.

Hope this information helps.
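The false-negative mechanism the answer describes, as an added Python model (not code from the answer, from ModSecurity, or from either ruleset): a rule's t:* transformations run in order and only then does the operator see the result, so a transformation that does not fit the data's encoding can erase the payload before the check. The transformation stand-ins, the tautology regex and the sample request values are constructed approximations for this demonstration.

```python
import base64
import re
import urllib.parse

# Simplified stand-ins for three ModSecurity transformation functions. ModSecurity
# applies a rule's t:* functions in the listed order and only then runs the
# operator (here @rx) on the result; this models that pipeline, not the engine.

def t_lowercase(value: str) -> str:
    return value.lower()

def t_urldecodeuni(value: str) -> str:
    return urllib.parse.unquote(value)

_B64_RUN = re.compile(r"[A-Za-z0-9+/]*")

def t_base64decode(value: str) -> str:
    # Approximates t:base64Decode: decode the leading run of valid base64
    # characters and discard the rest, so plaintext mostly turns into "".
    run = _B64_RUN.match(value).group(0)
    if len(run) % 4 == 1:  # a lone trailing sextet carries no byte
        run = run[:-1]
    return base64.b64decode(run + "=" * (-len(run) % 4)).decode("latin-1")

TRANSFORMS = {"lowercase": t_lowercase, "urlDecodeUni": t_urldecodeuni,
              "base64Decode": t_base64decode}

def evaluate_rule(value, transforms, pattern):
    """Apply transformations in order, then @rx; return (matched, normalised)."""
    for name in transforms:
        value = TRANSFORMS[name](value)
    return re.search(pattern, value) is not None, value

# Constructed, deliberately crude tautology pattern for the demonstration.
SQLI_RX = r"\bor\b\s*\d+\s*=\s*\d+"

def compare_rules():
    # Constructed sample: a URL-encoded tautology in a query-string parameter.
    raw = "1%27%20OR%201%3D1--"
    # Wrong chain for form/query data: base64Decode mangles the plaintext before
    # the operator sees it, so the rule silently misses the payload.
    bad = evaluate_rule(raw, ["base64Decode", "lowercase"], SQLI_RX)
    # Appropriate chain for the same data.
    good = evaluate_rule(raw, ["urlDecodeUni", "lowercase"], SQLI_RX)
    # base64Decode is right only when the parameter really is base64-encoded.
    encoded = base64.b64encode(b"1' OR 1=1--").decode("ascii")
    enc = evaluate_rule(encoded, ["base64Decode", "lowercase"], SQLI_RX)
    return {"bad": bad, "good": good, "encoded": enc}
```

Running each candidate rule against known-bad and known-good samples this way, before deploying it, is the accuracy test the answer says was missing.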

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow