Modsecurity rules vendors?

I have added the comodo vendor rules on top of my custom ruleset with good results.

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/comodo-as-a-modsecurity-vendor-in-cpanel-t110147.0.html

 

Cron0, to be honest, atomicorp rules really are the best on the market. Trustwave is close, owasp is pretty much still a joke at this point. Comodo rules aren't bad, I'd put them somewhere just above owasp. Hopefully the community reporting for owasp can help salvage something usable out of that rule set.

I manage modsec rules for a major host, and we use RPM updates still. I've considered using the cPanel vendor system, however, we've been using RPMs for many years and it allows us to update everyone on legacy systems all the way through the newest WHM builds. To switch to the vendor system would be a major overhaul which would only work for people who keep everything up to date (which in a perfect world would be everyone, but in practice we all know how often people disable or neglect updates). Also it would give our users an easy one-click way to shut off all the rules we work so hard to make to protect them if they were to shut off our "vendor." Instead, I make sure that our RPM works alongside additional vendor configs. This is not to say anything bad about the vendor system, I actually like it, but because it didn't exist in the past we already created our own solution of using RPMs to deploy modsecurty rules to cPanel servers, and we can't exactly ditch that very easily.

I hate to say it but I can understand atomics stance on it, and I'd never be in a hurry to ditch their rules. They really are the best vetted rules in the industry.

On the flip side though, I will say that when evaluating them as a vendor, they did try to push the rest of the ASL stuff on us when we just wanted to purchase modsec rules. We had nothing but troubles trying to get ASL to work properly as a whole, and eventually ditched the whole idea and pretty much just manage our own rules. When an entire team of our sysadmins had less than a 20% success rate installing ASL at all, it really rubbed us the wrong way.

At this point I (personally) use custom rules, with comodo on top as additional protection since it's easy enough and seems to have a very low false positive rate when compared with OWASP.