Additional Resources
Note
The content on this page may be outdated. We are currently in the process of rewriting all of our documentation: please bear with us while we update our older content.
Free and Open-Source Community Help
- Core Rule Set GitHub repository. Open issues for bugs, report false positives, and access the source code.
- Core Rule Set Slack channel. Come and talk to the CRS community. If you don’t have access yet, get your invite here.
- ModSecurity Users Mailing List (SourceForge): General discussion about ModSecurity.
- ModSecurity Developers Mailing List (SourceForge): Development discussion about ModSecurity.
- There is an extended set of tutorials at netnea.com that introduces the CRS integration and the handling of false positives in great detail. It is worth checking out:
- Tutorial 6: Embedding ModSecurity
- Tutorial 7: Including OWASP ModSecurity Core Rule Set
- Tutorial 8: Handling False Positives with the OWASP ModSecurity Core Rule Set
Commercial Help
- Commercial Support through Trustwave's Technical Assistance Center (TAC) - https://www3.trustwave.com/modsecurity-rules-support.php
- Professional Services offer by Trustwave SpiderLabs Research Team
- ModSecurity Training
Books about ModSecurity
- ModSecurity Handbook
- ModSecurity Handbook is “The definitive guide to the popular open source web application firewall”, by Christian Folini and Ivan Ristić. The book is available from Feisty Duck in hard copy or with immediate access to the digital version which is continually updated.
- Web Application Defender’s Cookbook: Battling Hackers and Defending Users
- The Web Application Defender’s Cookbook: Battling Hackers and Protecting Users is a book written by previous ModSecurity Project Lead and OWASP ModSecurity Project Lead Ryan Barnett. The book outlines critical defensive techniques to protect web applications and includes example ModSecurity rules/scripts.
- ModSecurity 2.5
- ModSecurity 2.5 is “A complete guide to using ModSecurity”, written by Magnus Mischel. The book is available from Packt Publishing in both hard copy and digital forms.
- Apache Security
- Apache Security is a comprehensive Apache security resource, written by Ivan Ristić for O’Reilly. Two chapters (Apache Installation and Configuration and PHP) are available as a free download, as are the Apache security tools created for the book.
- Preventing Web Attacks with Apache
- Preventing Web Attacks with Apache. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against.