1. Mod_security comes bundled with the nicely branded, free OWASP CRS. Thing is - it’s stale since 2013… and is pure hell of false positives.

2. The official commercial alternative is Trustware SpiderWeb WAF, which seems to receive updates daily (no list, nor trial) at a hefty 500$/y.

3. You google further, you find the Atomicorp Gotroot ModSecurity Rules. They claim superior history and performance (”works right out of the box without any tuning and without interference”). Again, no trial or update feed, and at 200$/y.

4. And then, hidden from sight, is the Comodo WAF, which is receiving updates (every month or biweekly, at least) - and is free (registration necessary). The set seems balanced and shows a decent detection rate so far for me.

Comodo seems to use emergingthreats (now by proofpoint.com) as an internal source. ET is a great source of free and premium snort/fw rules, but does not offer converted mod_security signatures.

Snort



Snort itself (by VRT, now Talos), has an extensive web-app section in it’s free registered set, but again, it’s not easy to convert to mod_security.

Snort can work in place of mod_security, but has a major drawback - it can not see inside HTTPS traffic - which mod_security can.



Do you know of any other “live” resources?