Since this pertains to the OWASP ModSecurity CRS, I am cc'ing that list as well. In the future, please sign up for and send OWASP CRS questions to that list.

That malware.data file is old and should be removed. At one point, we were testing some outbound rules to detect known malicious URLs that were captured by the Snort/VRT team and were listed on their labs site here - http://labs.snort.org/iplists/

We discontinued it as the lists would need to be updated daily so they wouldn't be stale and Sourcefire has stopped posting these files.

FYI – we have different commercial rules that look at outbound HTTP data looking for known malware links, etc. in our commercial rules feed - https://www.trustwave.com/modsecurity-rules-support.php

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Rolling Stone <jzy2000@hotmail.com>
Date: Friday, January 4, 2013 2:34 PM
To: "mod-security-rules@lists.sourceforge.net" <mod-security-rules@lists.sourceforge.net>
Subject: [Mod-security-rules] modsecurity_50_outbound_malware.data not being referenced

In OWASP_CRS/2.7.7, cannot find any .conf file referencing modsecurity_50_outbound_malware.data

I would like to know the rationale behind the scene, and how this file should be used to be useful.

Thanks,

 



