ModSecurity is an open-source web application firewall that inspects HTTP traffic for malicious patterns. Combined with the OWASP Core Rule Set, it provides robust protection against SQL injection, cross-site scripting, and other common web attacks.
Deploying ModSecurity with the Core Rule Set
Install ModSecurity as an Apache or Nginx module, then deploy the OWASP CRS rules. Start in detection-only mode to identify false positives before switching to blocking mode. Review the audit log to understand which rules trigger on legitimate traffic.
Tuning false positives requires rule exclusions specific to your application. Use the SecRuleRemoveById directive to disable a rule outright, or a targeted exclusion (limited to a particular parameter or path) to exempt known-good patterns while keeping the rule active against genuine attack vectors.
Anomaly scoring mode, the default in CRS 3.x, assigns a point value to each rule match rather than blocking on the first match. A request is blocked only when its cumulative score reaches a configured threshold, which reduces false positives and gives more nuanced threat detection.
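The procedure described above (detection-only deployment, audit-log-driven exclusions, anomaly thresholds), pulled together into one configuration. This is an added example written for this page, not a configuration shipped by the ModSecurity or CRS projects. It targets ModSecurity 2.x as an Apache module with CRS 3.x; the file paths, the /admin/editor URL, the "body" and "comment" parameter names and local rule id 1001 are assumptions. Rule ids 900110, 942100 and 920350 are existing CRS rule ids, and the thresholds shown are the CRS 3.x defaults.

```apache
# --- modsecurity.conf (engine settings; path and values are assumptions) ---

# Evaluate rules and log matches, but never block. Flip to "On" only after
# the audit log has been reviewed and exclusions are in place.
SecRuleEngine DetectionOnly
# SecRuleEngine On

# Inspect request bodies so POST parameters are checked, and keep a serial
# audit log of requests that matched rules or returned 4xx/5xx (404 excluded).
# This log is what you review for rules firing on legitimate traffic.
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/modsec_audit.log

# Load CRS: crs-setup.conf first, then the rule files in lexical order
# (the 900 exclusion file runs before the rules, the 999 file after them).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# --- crs-setup.conf excerpt (anomaly scoring thresholds) ---

# CRS 3.x defaults: block inbound requests scoring 5 or more (a single
# critical-severity match), responses scoring 4 or more. Raising the inbound
# threshold during tuning makes blocking less eager; lowering it is stricter.
SecAction \
  "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# --- rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (runtime exclusion) ---

# Targeted exclusion: the rich-text editor under /admin/editor (assumed path)
# legitimately posts SQL-looking content in the "body" parameter, so rule
# 942100 (SQLi detected via libinjection) skips that one argument there.
# Every other rule, parameter and URL stays fully inspected.
SecRule REQUEST_URI "@beginsWith /admin/editor" \
  "id:1001,\
  phase:1,\
  pass,\
  nolog,\
  ctl:ruleRemoveTargetById=942100;ARGS:body"

# --- rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (configure-time) ---

# Narrow a rule's target everywhere: 942100 no longer examines the "comment"
# argument on any URL, but still inspects all of its other targets.
SecRuleUpdateTargetById 942100 "!ARGS:comment"

# Coarse exclusion: drop a rule entirely. 920350 flags a numeric IP in the
# Host header, which is normal for an internal app reached by address.
# Reserve this form for rules that add no value, since it disables them globally.
SecRuleRemoveById 920350
```

Work through it in order: deploy with SecRuleEngine DetectionOnly, collect audit-log entries over a representative period, note which rule ids fire on legitimate requests, add the narrowest exclusion that covers each case, then switch to SecRuleEngine On. The ctl: exclusion belongs in the BEFORE file because it runs at request time and must execute before the CRS rule it modifies, whereas SecRuleUpdateTargetById and SecRuleRemoveById alter rules that are already loaded and therefore go in the AFTER file.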