ModSecurity

Official Beta

Full OWASP Core Rule Set (CRS) support via libmodsecurity with 800+ detection rules.

Version: 0.1.0 | Author: Sentinel Core Team | License: MIT | Protocol: v0.1

Quick Install

Cargo
cargo install sentinel-agent-modsec

Overview

ModSecurity WAF agent for Sentinel reverse proxy. Provides full OWASP Core Rule Set (CRS) support via libmodsecurity bindings with 800+ detection rules.

Note: This agent requires libmodsecurity to be installed on your system. For a lightweight, zero-dependency alternative with basic detection rules, see the WAF agent.

Features

  • Full OWASP CRS Support: 800+ detection rules out of the box
  • SecLang Compatibility: Load any ModSecurity rules
  • Request Body Inspection: JSON, form data, XML, and all content types
  • Response Body Inspection: Detect data leakage (opt-in)
  • Block or Detect-Only Mode: Monitor before blocking
  • Path Exclusions: Skip inspection for trusted paths
  • Paranoia Levels: 1-4, balance security vs. false positives

Prerequisites

This agent requires libmodsecurity >= 3.0.13:

macOS:

brew install modsecurity

Ubuntu/Debian:

apt install libmodsecurity-dev

Installation

Using Cargo

cargo install sentinel-agent-modsec

Configuration

Command Line

sentinel-modsec-agent \
  --socket /var/run/sentinel/modsec.sock \
  --rules /etc/modsecurity/crs/crs-setup.conf \
  --rules "/etc/modsecurity/crs/rules/*.conf"

Environment Variables

| Option | Env Var | Description | Default |
|---|---|---|---|
| --socket | AGENT_SOCKET | Unix socket path | /tmp/sentinel-modsec.sock |
| --rules | MODSEC_RULES | Paths to rule files (supports glob patterns like *.conf) | - |
| --block-mode | MODSEC_BLOCK_MODE | Block (true) or detect-only (false) | true |
| --exclude-paths | MODSEC_EXCLUDE_PATHS | Paths to exclude (comma-separated) | - |
| --body-inspection | MODSEC_BODY_INSPECTION | Enable request body inspection | true |
| --max-body-size | MODSEC_MAX_BODY_SIZE | Maximum body size to inspect | 1048576 (1MB) |
| --response-inspection | MODSEC_RESPONSE_INSPECTION | Enable response body inspection | false |
| --verbose, -v | MODSEC_VERBOSE | Enable debug logging | false |

Sentinel Configuration

agent "modsec" {
    socket "/var/run/sentinel/modsec.sock"
    timeout 100ms
    events ["request_headers" "request_body_chunk" "response_body_chunk"]
}

route {
    match { path-prefix "/" }
    agents ["modsec"]
    upstream "backend"
}

OWASP CRS Setup

Download CRS

# Clone the CRS repository
sudo mkdir -p /etc/modsecurity
sudo git clone https://github.com/coreruleset/coreruleset /etc/modsecurity/crs

# Copy example configuration
sudo cp /etc/modsecurity/crs/crs-setup.conf.example /etc/modsecurity/crs/crs-setup.conf

Run with CRS

sentinel-modsec-agent \
  --socket /var/run/sentinel/modsec.sock \
  --rules /etc/modsecurity/crs/crs-setup.conf \
  --rules "/etc/modsecurity/crs/rules/*.conf"

Paranoia Levels

| Level | Description | Use Case |
|---|---|---|
| 1 | Standard protection, minimal false positives | Production - most applications |
| 2 | Elevated protection, some false positives | Security-sensitive apps |
| 3 | High protection, moderate false positives | Staging/testing, or with tuning |
| 4 | Maximum protection, high false positives | Security research |

Configure in /etc/modsecurity/crs/crs-setup.conf:

SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=1"
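
Editing the level by hand makes it easy to leave an out-of-range value or a second id:900000 action in the file. The script below is an added example, not part of the Sentinel project or CRS: it assumes the one-line SecAction form shown above, and the function names get_paranoia_level and set_paranoia_level are hypothetical.

```sh
#!/bin/sh
# Added example. The one-line SecAction (id 900000) is the form shown on the
# page; the function names are hypothetical.

# Print the level set by an active (uncommented) one-line id:900000 action.
get_paranoia_level() {
    sed -n 's/^[[:space:]]*SecAction[[:space:]].*id:900000,.*setvar:tx\.blocking_paranoia_level=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Usage: set_paranoia_level /etc/modsecurity/crs/crs-setup.conf 2
set_paranoia_level() {
    conf=$1
    level=$2
    case $level in
        1|2|3|4) ;;
        *) echo "paranoia level must be 1-4, got '$level'" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # An uncommented multi-line action with this id cannot be rewritten
    # safely line by line, so refuse instead of adding a second id:900000.
    if grep -v '^[[:space:]]*#' "$conf" | grep 'id:900000' |
            grep -qv '^[[:space:]]*SecAction[[:space:]]'; then
        echo "multi-line id:900000 action in $conf; edit it by hand" >&2
        return 3
    fi

    tmp=$(mktemp) || return 1
    # Drop any active one-line id:900000 action (rule ids must be unique);
    # commented lines are kept. grep exits 1 when nothing is left: not an error.
    grep -v '^[[:space:]]*SecAction[[:space:]].*id:900000,' "$conf" > "$tmp" ||
        [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    printf 'SecAction "id:900000,phase:1,pass,t:none,nolog,setvar:tx.blocking_paranoia_level=%s"\n' "$level" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```

Restart the agent after changing the file so the rules are reloaded.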

Response Headers

| Header | Description |
|---|---|
| X-WAF-Blocked | true if request was blocked |
| X-WAF-Message | ModSecurity message |
| X-WAF-Detected | Detection message (detect-only mode) |

CRS Rule Categories

| File | Protection |
|---|---|
| REQUEST-913-* | Scanner detection |
| REQUEST-920-* | Protocol enforcement |
| REQUEST-930-* | Local file inclusion (LFI) |
| REQUEST-931-* | Remote file inclusion (RFI) |
| REQUEST-932-* | Remote code execution (RCE) |
| REQUEST-941-* | Cross-site scripting (XSS) |
| REQUEST-942-* | SQL injection |
| REQUEST-943-* | Session fixation |
| REQUEST-944-* | Java attacks |
| RESPONSE-950-* | Data leakage |

Comparison with WAF Agent

| Feature | ModSecurity | WAF |
|---|---|---|
| Detection Rules | 800+ CRS rules | ~20 regex rules |
| SecLang Support | Yes | No |
| Custom Rules | Yes | No |
| Dependencies | libmodsecurity (C) | Pure Rust |
| Binary Size | ~50MB | ~5MB |
| Installation | Requires libmodsecurity | cargo install |

Use ModSecurity when:

  • You need full OWASP CRS compatibility
  • You have existing ModSecurity/SecLang rules
  • You require comprehensive protection

Use WAF agent when:

  • You want zero-dependency deployment
  • You need low latency and minimal resources
  • Basic attack detection is sufficient

| Agent | Integration |
|---|---|
| WAF | Lightweight, pure Rust alternative |
| AI Gateway | AI-specific security controls |
| Rate Limiter | Combine with rate limiting |