Tactical Defense with ModSecurity

Christian Bockermann

August, 20th – 21st (2 day)

Trainer_Christian_BockermannWhile application flaws should ideally be fixed in the source code, this is often not a feasible task for various reasons. Web application firewalls are often deployed as an additional layer of security that can monitor, detect and prevent attacks before they reach the web application. ModSecurity, an extremely popular open source web application firewall, is often used to help protect web applications against known and unknown vulnerabilities alike. This two-day boot-camp training is designed for people who want to quickly learn how to configure and deploy ModSecurity in the most effective manner possible. The course will cover topics such as the powerful ModSecurity rules language, extending functionality via the embedded Lua engine and managing suspicious events via AuditConsole. Documented hands-on labs help students understand the inner workings of ModSecurity and how to deploy ModSecurity securely. By leveraging the flexibility within ModSecurity, attendees will be able to write effective rules to mitigate complex web vulnerabilities. The bootcamp will cover the following topics:

  1. Introduction to Modsecurity
  2. Deployment Options and Deployment Issues
  3. ModSecurity Installation
  4. ModSecurity Rules Language Primer
    • Variables, Transformation Functions
    • Chain for Complex Rules
    • Persistent Collections
    • Anomaly Scoring, Rule Debugging
  5. OWASP Core Rule Set Overview
  6. Lua – Extending the Rules
  7. Handling False Positives and Creating Exceptions
  8. Rule Writing Tips, Cool Rules for Complex Problems 9. Virtual Patching Overview
  9. AuditConsole Installation, Configuration and Usage:
    • Multi-User Site Management
    • Automatic archiving of audit-data
    • Generating audit-data Reports, Report customization
    • Realtime Block List Management


The training is designed as a hands-on training with lots of practical exercises. Attendees are requested to bring a laptop (Windows, Linux or MacOS). The aim of this training is to set up a ModSecurity on virtual matchine equipped with ModSecurity and have every participant being able to recreate the prepared exercises.

About the trainer

Starting with Linux/network security in 1996, Christian Bockermann has been working in computer security for over 10 years. While working as a Java web-application developer for several years he started concentrating on web-security as major subject.

Alongside to working as a research assistant he is working as a free-lancer in web-security consulting, mostly focused on Apache and ModSecurity. He is also author of several Java free tools supplementary to ModSecurity, most popuplar being the AuditConsole – a log management system for ModSecurity audit-log data. More tools and his blog on ModSecurity practices and his tools is available on his site jwall.org.

For further information and questions please contact Chritstian at chris _at_ jwall.org