Update 06.05.2008: Some people wanted to see the SQL Injection version. Screenshot added below.
Many of our customers have Apache installations, large and small, and prefer to go with a software WAF rather than a device. Reasons will vary, but cost is always a concern and ModSecurity is free. :) You can pay Breach for rule support and commercial grade management appliances if you need it, cool stuff. What customers asked for though is a path to go from Sentinel identified vulnerabilities to custom ModSecurity rules (virtual patch) - VA+WAF.
Once Sentinel pinpoints the location of a vulnerability (class, url, parameter), its verified by our operations team, and a dynamically generated ModSecurity rule becomes part of the web-based reporting (see screenshot). The custom rule is a blacklist meta-character match narrowly focused on the vulnerable URL, parameter value (multiple params are supported), and class of attack. A parameter known to be vulnerable to SQL Injection probably has no legitimate use-case for receiving quotes, semicolons, dashes, parens, etc. Similar can be said for XSS.
Sentinel users then copy/paste the custom rule into their Apache config. We recommend the rule be tested in “pass” mode ensuring no false positives exist that might block legitimate traffic. Once confidence in the rule is established, which may take an hour to a couple days, “deny” mode can then be used to block attacks. False positives are minimal because only identified attack traffic where a vulnerability of that type is specifically known to exist in that location is affected. Finally the re-test button can test the single issue and should everything work properly the vulnerability status would be automatically closed out.
Hopefully in the coming months I’ll get some good case studies going and statistics to measure how the time-to-fix windows are shrunken.