March 11, 2005
ModSecurity: Open Source Application Firewall
Many successful network penetrations use attacks against Web-based applications: SQL server injection, HTTP path evasion, embedded argument manipulation, and cross-site scripting - to name just a few. The problem is that ordinary network firewalls don't inspect application-layer data, and so can't protect against these attacks. ModSecurity is a nifty open-source application firewall that anyone can deploy at low cost to help protect Apache-based Web servers against common application vulnerabilities.
ModSecurity is a rule-driven security scanner that runs as a plug-in module to Apache. You can run the plug-in directly on your Web server, or set up a separate server running Apache with ModSecurity in reverse-proxy mode. In either case, ModSecurity receives all HTTP requests, filters them, and passes the safety-checked requests on to your application server. ModSecurity also looks at your application server's response to detect possibly successful intrusions. Configured correctly, ModSecurity adds very little overhead to application Web serving.
The rules database lets it detect various attacks, and you configure the actions you want from ModSecurity for each detected violation: report, repair, or reject. The rule syntax is based on the open source Snort IDS; you can enhance the base rule library with custom detection rules of your own devising.
Rules come in two varieties: input and output. Input rules guard against malformed requests and other attacks from the Internet; output rules check HTTP responses to make sure they don't contain sensitive information. The rule set to protect against the most common Web application attacks is surprisingly short: just 15 lines. You'll customize this base set for your specific application language. Currently Java, PHP, and Web Services are supported.
Output rules guard against information leaks by watching for telltale strings such as "Command Completed", "Index of /cgi-bin", and "file(s) copied". Such strings indicate that an attack, such as remote command execution, has partially succeeded; output filtering prevents the attacker from reaping the fruits of his attack.
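To make the input/output distinction concrete, here is an added httpd.conf fragment (not from the article, and not a rule set shipped by the ModSecurity project) written in the ModSecurity 1.x directive syntax that was current at the time. The rule patterns, the response strings, the log path and the status codes are constructed for illustration; the directive names are the 1.x ones, so check them against the reference manual of whatever version you actually install.

```apache
# Added example: a minimal ModSecurity 1.x configuration with
# input rules (request side) and output rules (response side).
# Patterns and paths below are constructed, not a recommended rule set.
<IfModule mod_security.c>
    # Turn the filtering engine on and inspect POST bodies, not just the URI
    SecFilterEngine On
    SecFilterScanPOST On

    # Normalise the request before any rule runs: reject bad URL encoding
    # and bytes outside printable ASCII (covers many evasion tricks)
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 32 126

    # What happens on a match unless the rule says otherwise:
    # log the event, refuse the request, answer 403
    SecFilterDefaultAction "deny,log,status:403"

    # --- Input rules: decoded request data ---
    # Path traversal anywhere in the request (constructed pattern)
    SecFilter "\.\./"
    # A typical SQL injection fragment in any argument (constructed pattern)
    SecFilterSelective ARGS "union[[:space:]]+select"
    # Script tags in any argument, a crude cross-site scripting check
    SecFilterSelective ARGS "<[[:space:]]*script"

    # --- Output rules: response bodies of text types only ---
    SecFilterScanOutput On
    SecFilterOutputMimeTypes "(null) text/html text/plain"
    # Tell-tale strings from the article; a hit is answered with a 500
    # so the attacker never sees the command output
    SecFilterSelective OUTPUT "Command Completed" "deny,log,status:500"
    SecFilterSelective OUTPUT "Index of /cgi-bin" "deny,log,status:500"
    SecFilterSelective OUTPUT "file\(s\) copied" "deny,log,status:500"

    # Keep a full audit record only for requests that matched a rule
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
</IfModule>
```

Two design points worth noting. Output scanning is restricted to text MIME types because buffering and scanning binary downloads costs memory for no benefit, which is where most of the "overhead" the article mentions would otherwise come from. And the output rules deny with a 500 rather than the default 403 so that a blocked response looks like an ordinary server error rather than confirming to the requester that a filter fired.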
Download ModSecurity today from:
http://www.modsecurity.org
Posted by Mel Beckman at March 11, 2005 10:08 AM