Modsecurity ( www.modsecurity.org) is an Apache Web server module that acts as an intrusion detection and prevention engine for Web applications. It increases Web application security by protecting applications from both known and unknown attacks. Modsecurity is an application shim that is tightly coupled to the Apache server itself and must run within Apache s process address space. Thus, Modsecurity sits inline between the Web client and server to detect attacks. If it identifies a potential attack, it can reject the request or perform any number of built-in active responses.

Modsecurity integrates with the Web server and provides the following features:

• Request Filtering Incoming Web requests are analyzed inline before being passed to the Web server or other modules.

• Anti-evasion Techniques Paths and parameters are normalized before analysis takes place. This includes removing multiple forward slash characters (//), treating backslash and forward slash characters equally (Windows only), removing directory self-references (./), removing null characters (%00), and decoding URL-encoded characters.

• Understanding the HTTP Protocol The engine has complete understanding of the HTTP protocol, allowing it to perform very specific and granulated filtering.

• POST Payload Analysis The engine will intercept and analyze POST (Payload Operating System Technology) methods contents.

• Audit Logging All requests are logged in full detail for later analysis.

• Hypertext Transfer Protocol Secure Sockets (HTTPS) Filtering The engine can operate with encrypted sessions because it has access to the request data after decryption occurs.

• Built-in Checks