RSS feed logo header graphic

Black Hat USA 2008 Training

Caesars Palace Las Vegas • August 2-3, August 4-5

ModSecurity Bootcamp: Blackhat Edition

Ryan Barnett, Breach Security

registration button


ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day, advanced boot-camp class is designed for those people who want to quickly learn how to build, deploy, and use ModSecurity in the most effective manner possible. The course will cover topics such as: the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers, and also provides an in-depth look at the extremely powerful ModSecurity 2.5 Rules Language. Learning how to take advantage of the power behind ModSecurity rules can help web security professionals write and configure highly effective rules to handle complex web vulnerabilities. Hands-on labs with fully documented instructions help students deploy solid, secure ModSecurity installations and understand the inner workings of the premier open source web application firewall available today.


2 days

Who Should Attend

This course assumes that students have a technical understanding of the HTTP protocol and a general understanding client server communications and network architecture. Proficiency with Linux and UNIX text editing tools (vi editor) is suggested, not required. Also, in order to gain the most value from day 2 of the course, students should be familiar with Perl Compatible Regular Expressions (PCRE).


Students should have a basic understanding of TCP/IP networks and some familiarity with Windows and UNIX systems. Familiarity with computer security terminology and concepts is helpful.


Day 1:

ModSecurity Overview and Rules Writing Workshop

  • Introduction to Web Application Firewalls
  • ModSecurity 2.5 Overview
  • ModSecurity Rules Language Primer
    • Request Phases
    • Variables
    • Transformation Functions
    • Chain for Complex Rules
    • Persistent Collections
    • Anomaly Scoring
    • Debug Log
  • Core Rule Set Overview
  • Handling False Positives and Creating Exceptions
  • Rule Writing Tips
  • Cool Rules
  • ModSecurity console deployment and usage
Day 2:

Web Application Protection Lab

  • Introduction to the WASC Threat Classification and the OWASP Top Ten
  • Virtual Patching Overview
  • Virtual Patching Lab


Ryan C. Barnett is a recognized security thought leader and evangelist who frequently speaks with the media and industry groups and presents at security conferences.

He is the director of application security at Breach Security. He is also a faculty member for the SANS Institute, where his duties include instructor/courseware developer for Apache Security/Building a Web Application Firewall Workshop, Top 20 Vulnerabilities Team Member and Local Mentor for the SANS Track 4, "Hacker Techniques, Exploits and Incident Handling" course. He holds six SANS Global Information Assurance Certifications (GIAC): Intrusion Analyst (GCIA), Systems and Network Auditor (GSNA), Forensic Analyst (GCFA), Incident Handler (GCIH), Unix Security Administrator (GCUX) and Security Essentials (GSEC).

Mr. Barnett also serves as the team lead for the Center for Internet Security Apache Benchmark Project and is a member of the Web Application Security Consortium. His web security book, "Preventing Web Attacks with Apache,” was published by Addison/Wesley in 2006.

Ends May 1

Ends July 1

Ends July 31

August 1

USD 1800

USD 2000

USD 2200

USD 2500

1997-2009 Black Hat ™