Modsecurity rules vendors?

Cron0

Member
PartnerNOC
cPanel/WHM 11.48 allows ModSecurity rules vendors to provide their rules in a format that can be integrated very easily. The vendor we currently use does not seem to provide them under that format.

Does anybody know if there are known ModSecurity rules vendors providing their rules in the format supported by cPanel/WHM?

Thanks!
 

cPanelMichael

Administrator
Staff member
Cron0 said: "The vendor we currently use does not seem to provide them under that format."

Hello,

Are you having trouble adding your vendor's existing rules, or are you simply seeking a way to make it easier to add them through WHM? We do have support for custom vendors:

ModSecurity Vendors

However, you may want to contact your vendor to see if they are aware of this new functionality in 11.48.

Thank you.
 

cPanelKenneth

cPanel Development
Staff member
Cron0 said: "cPanel/WHM 11.48 allows ModSecurity rules vendors to provide their rules in a format that can be integrated very easily. The vendor we currently use does not seem to provide them under that format.

Does anybody know if there are known ModSecurity rules vendors providing their rules in the format supported by cPanel/WHM?

Thanks!"

There's also a request to add Comodo as a vendor: https://features.cpanel.net/topic/comodo-waf-as-a-modsecurity-vendor

If you'd like to see them included as one of the standard vendors, please let your voice be heard on the request.
 

Cron0

Our current vendor is Atomicorp. They have told us they will not implement the vendor functionality because their own update mechanism is "better" (we download and install their rules manually right now).

https://www.atomicorp.com/wiki/index.php/Aum

When I contacted them, they said:

"cPanel has actually acknowledged that AUM is better than what they have and are working on switching over to/implementing our system."

Their system is not very well documented. It installs a cron job, recompiles Apache with their own ModSecurity version and installs a third-party yum repository. To me this looks way more complex and error-prone than the cPanel rules vendoring system which is fully integrated into WHM.

If they do not integrate well with cPanel/WHM we will switch to another vendor or straight up OWASP and a few of our own custom rules.

Feedback?
 

quizknows

Well-Known Member
Cron0, to be honest, Atomicorp rules really are the best on the market. Trustwave is close, OWASP is pretty much still a joke at this point. Comodo rules aren't bad, I'd put them somewhere just above OWASP. Hopefully the community reporting for OWASP can help salvage something usable out of that rule set.

I manage modsec rules for a major host, and we use RPM updates still. I've considered using the cPanel vendor system, however, we've been using RPMs for many years and it allows us to update everyone on legacy systems all the way through the newest WHM builds. To switch to the vendor system would be a major overhaul which would only work for people who keep everything up to date (which in a perfect world would be everyone, but in practice we all know how often people disable or neglect updates). Also it would give our users an easy one-click way to shut off all the rules we work so hard to make to protect them if they were to shut off our "vendor." Instead, I make sure that our RPM works alongside additional vendor configs. This is not to say anything bad about the vendor system, I actually like it, but because it didn't exist in the past we already created our own solution of using RPMs to deploy modsecurity rules to cPanel servers, and we can't exactly ditch that very easily.

I hate to say it but I can understand Atomic's stance on it, and I'd never be in a hurry to ditch their rules. They really are the best vetted rules in the industry.

On the flip side though, I will say that when evaluating them as a vendor, they did try to push the rest of the ASL stuff on us when we just wanted to purchase modsec rules. We had nothing but troubles trying to get ASL to work properly as a whole, and eventually ditched the whole idea and pretty much just manage our own rules. When an entire team of our sysadmins had less than a 20% success rate installing ASL at all, it really rubbed us the wrong way.

At this point I (personally) use custom rules, with Comodo on top as additional protection since it's easy enough and seems to have a very low false positive rate when compared with OWASP.
 