
ModSecurity – Web application security firewall

Updated: 2022-09-15 19:54:45

ModSecurity is a web application firewall for securing all types of web applications.
Features include:
parallel text matching,
Geo IP resolution,
credit card number detection,
support for content injection,
automated rule updates,
scripting,
many others


Other main features of ModSecurity:

Performance Enhancements

Transformation Function Caching

Automated Rule Update Capability

Enhancements to the Rules Language

Dynamic Removal of Rules with the new ctl:ruleRemoveById action

New Variables

New Transformation Functions

Content Injection

Credit Card Number Detection

Full Scripting Support using Lua

PDF Universal XSS Protection

Logging Enhancements

There are also similar products, such as greensql-fw, PHPIDS and others, but each of these supports only specific applications, like a database or PHP. ModSecurity covers all of this, so there is no need to install separate software for each application.

ModSecurity has a remote console, which makes it manageable remotely. It can also be used as an alternative to your expensive Intrusion Prevention System.

We have tested it on a Linux system and it works fine for a small network. We are also planning to test it on Windows.

How to install ModSecurity

Prerequisite: Apache should be installed.

Untar your ModSecurity package:

tar -xvzf mod_security-2.5.6.tar.gz
cd mod_security-2.5.6

Now, if you’re using Apache 2.0, you’ll need to copy out the mod_security.c file from the Apache2 directory. In our case, we’ll be using the Apache1 module. As such, copy the mod_security.c file into your Apache extra modules directory.

cp apache1/mod_security.c ../apache-2.X/src/modules/extra/
cd ..

Now build and configure Apache with ModSecurity:

cd apache-2.X
./configure --prefix=/usr/local/apache --activate-module=src/modules/extra/mod_security
make
make install

If there is no error (most of the time we get it), congratulations, you have installed it successfully!

To activate ModSecurity, we need to modify the Apache httpd.conf file and define rules for ModSecurity. The source package includes a converted set of Snort rules in the util directory, named snortmodsec_rules.txt. Do not cut and paste the entire contents of that file as a starting reference for your mod_security ruleset without reading through it and determining which rules you actually need and which you don’t. Enabling ALL those rules will essentially break almost any application in some way or another. You also run the risk of false positives, as the ModSecurity engine would flag attacks that may not affect your machine. Below is a small sample that should serve well to get you started on writing your own rule sets.

Sample example file:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

</IfModule>
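
A pre-flight check for a block like the sample above, as an added example (not part of the original article or of ModSecurity itself): it parses the directives, flags typographic quotes or dashes picked up through copy and paste (Apache does not treat them as quoting characters), and reports settings that leave filtering weaker than the sample intends. The function names and the constructed SAMPLE input are assumptions made for this illustration.

```python
# Constructed sample: a ModSecurity 1.x style block as it might look after
# copy/paste from a web page (typographic quotes on the default action).
SAMPLE = """\
<IfModule mod_security.c>
SecFilterEngine On
SecFilterForceByteRange 0 255
SecFilterScanPOST Off
SecFilterDefaultAction \u201cdeny,log,status:500\u2033
</IfModule>
"""

# Typographic characters mapped back to the ASCII that Apache expects.
ASCII = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"',
                       "\u2013": "-", "\u2014": "-"})

def parse_directives(text):
    """Return {directive: (line_no, [args])}, skipping comments and <tags>."""
    found = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, rest = line.partition(" ")
        found[name] = (no, rest.strip().strip('"').split())
    return found

def lint(text):
    """Return sorted (line_no, message) findings; line 0 = directive absent."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.lstrip().startswith("#") and raw.translate(ASCII) != raw:
            findings.append((no, "typographic quote or dash; retype as ASCII"))
    d = parse_directives(text.translate(ASCII))
    for name in ("SecFilterEngine", "SecFilterScanPOST"):
        no, args = d.get(name, (0, []))
        if args != ["On"]:
            findings.append((no, f"{name} is not On"))
    no, args = d.get("SecFilterForceByteRange", (0, []))
    if args == ["0", "255"]:
        findings.append((no, "byte range 0-255 permits every byte value"))
    no, args = d.get("SecFilterDefaultAction", (0, []))
    if not {"deny", "log"} <= set(",".join(args).split(",")):
        findings.append((no, "default action lacks deny and/or log"))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

Run against the article's own sample, the byte-range finding still applies: a range of 0 to 255 covers every possible byte, so that directive filters nothing until the range is narrowed.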
