Scripts · 11 May 2026 · 1 min read

ModSecurity — Open Source Web Application Firewall Engine

ModSecurity is a cross-platform web application firewall engine that inspects HTTP traffic in real time. Originally an Apache module, it now runs as a standalone library (libmodsecurity) embeddable in Nginx, Apache, and IIS, with rule sets like OWASP CRS providing out-of-the-box protection against SQL injection, XSS, and other OWASP Top 10 threats.

Introduction

ModSecurity is an open-source web application firewall (WAF) engine maintained by the OWASP community. It analyzes HTTP requests and responses in real time, matching them against configurable rule sets to block attacks like SQL injection, cross-site scripting, and remote code execution before they reach your application.

What ModSecurity Does

  • Inspects inbound HTTP requests and outbound responses in real time
  • Blocks SQL injection, XSS, CSRF, and other OWASP Top 10 attack vectors
  • Supports the OWASP Core Rule Set (CRS) with hundreds of curated detection rules
  • Provides virtual patching to shield known vulnerabilities without code changes
  • Logs detailed audit trails of blocked and suspicious requests

Architecture Overview

ModSecurity v3 is a standalone C library (libmodsecurity) with a connector model. Connectors for Nginx, Apache, and IIS feed HTTP transaction data into the library, which runs it through the rule engine. Rules are written in the SecRule language and evaluate request headers, body, cookies, and other transaction variables. The engine supports four disruptive actions: deny, redirect, drop, and pass. Audit logging writes matched events to structured log files for SIEM integration.

Self-Hosting & Configuration

  • Install libmodsecurity3 and the appropriate web server connector from OS packages
  • Download the OWASP Core Rule Set and include it in your configuration
  • Tune the paranoia level (1-4) to balance detection sensitivity and false positives
  • Use anomaly scoring mode to aggregate rule matches before deciding to block
  • Deploy in detection-only mode first, then switch to blocking after tuning
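The SecRule syntax mentioned in the architecture overview and the five setup steps above, pulled together into one rules file. This is an added example written for this page, not configuration shipped by the ModSecurity or CRS projects: the file paths, the local rule ids (10000, 10001), the /api/search endpoint and its q parameter are assumptions, and the tx.* variable names are those of CRS 4 (CRS 3 uses tx.paranoia_level and tx.executing_paranoia_level instead).

```apache
# Added example for this page (not the ModSecurity/CRS projects' own files).
# libmodsecurity v3 rules file for the Nginx connector; loaded from nginx.conf with
#   modsecurity_rules_file /etc/nginx/modsec/main.conf;   (path is an assumption)

# Step 5 first: run in DetectionOnly until the audit log is clean, then set On.
SecRuleEngine DetectionOnly

# CRS needs request bodies to inspect POST parameters; cap them so a client
# cannot exhaust memory, and reject (not just skip) bodies over the limit.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

# Route JSON bodies to the JSON body processor so ARGS are populated from them.
# (The recommended modsecurity.conf ships this same rule as id 200001; keep only one copy.)
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Audit log as one JSON object per transaction, only for transactions that
# matched a rule or returned 5xx/4xx (except 404); this is what gets shipped
# to the SIEM and reviewed while tuning. Log path is an assumption.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLogFormat JSON
SecAuditLog /var/log/modsec/audit.json

# Steps 3 and 4: paranoia level and anomaly-scoring thresholds. These must be
# set before the CRS files are included. blocking_paranoia_level=1 decides
# which rules may contribute to a block; detection_paranoia_level=2 lets PL2
# rules log without blocking, so their false positives can be reviewed before
# the blocking level is raised. Thresholds 5/4 are the CRS 4 defaults.
SecAction \
    "id:10000,phase:1,pass,t:none,nolog,\
     setvar:tx.blocking_paranoia_level=1,\
     setvar:tx.detection_paranoia_level=2,\
     setvar:tx.inbound_anomaly_score_threshold=5,\
     setvar:tx.outbound_anomaly_score_threshold=4"

# Step 2: the Core Rule Set (install paths are an assumption).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# Exclusion found during detection-only review. This hypothetical search
# endpoint accepts free-text input in "q" that looks like SQL, so CRS rule
# 942100 (libinjection SQLi) is removed for that one parameter on that one
# path, instead of disabling the rule globally. Ids 1-99999 are reserved for
# local rules; ctl: exclusions run in phase 1 so they take effect before the
# phase-2 rule is evaluated.
SecRule REQUEST_URI "@beginsWith /api/search" \
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:q"
```

Once the audit log shows only genuine hits for a representative period, change SecRuleEngine to On; the paranoia settings and the narrow exclusion keep working unchanged, and any further false positives are added as more ctl: rules in the local id range rather than by lowering the paranoia level.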

Key Features

  • Cross-platform support for Nginx, Apache, and IIS via connector architecture
  • OWASP Core Rule Set provides battle-tested protection with minimal configuration
  • Virtual patching lets you mitigate CVEs without modifying application code
  • Anomaly scoring mode reduces false positives by requiring multiple rule matches
  • Detailed audit logging with JSON output for integration with ELK, Splunk, and other SIEMs

Comparison with Similar Tools

  • AWS WAF — Managed cloud WAF; ModSecurity is self-hosted and vendor-neutral
  • Cloudflare WAF — Edge-based protection; ModSecurity runs on your own infrastructure
  • SafeLine — Newer Go-based WAF; ModSecurity has a larger rule ecosystem and longer track record
  • Coraza — Go reimplementation of ModSecurity; compatible with CRS but lacks the C library's maturity
  • NAXSI — Nginx-only WAF with a learning mode; ModSecurity supports multiple web servers and richer rule syntax

FAQ

Q: Is ModSecurity still actively maintained? A: Yes. After Trustwave transferred stewardship to OWASP, the project continues active development with community contributions and regular CRS updates.

Q: How do I reduce false positives? A: Start in detection-only mode, review audit logs, then add rule exclusions for your application's legitimate traffic patterns before enabling blocking.

Q: Can ModSecurity inspect encrypted HTTPS traffic? A: ModSecurity operates after TLS termination inside the web server, so it sees decrypted request and response data.

Q: Does ModSecurity affect performance? A: There is measurable latency overhead depending on the rule set size and paranoia level, typically 1-5 ms per request with CRS at paranoia level 1.
