Which rules to enable from the available 15138 ModSecurity Commercial rules for a Banking App

[titucse]

We have purchased a license for Trustwave ModSecurity Commercial Rules. There are total 15138 rules. Which rules should enable from the available 15138 ModSecurity Commercial rules for a Banking App. Can anyone help please?

App Description: This is a banking app. Bank customers need to register to use the app. During the registration process customers take selfies and take photos of ID documents. Registered customers sign in with username and password. They can view balance, do fund transfer, download statements etc. For fund transfer they need OTP sent via SMS.

• Server OS: Ubuntu 18.04
• Back-end Framework: Spring boot, ReSTful API design
• Web Application: Angular 11, nginx
• Android, iOS: Flutter
• Database: PostgreSQL and Redis
• We use a TLS certificate from lets encrypt.
• Nginx with ModSecurity
• Same nginx instance is used to create https connection. We do not allow any http connection
• Same nginx instance is used as a reverse proxy server to redirect requests to microservice running on different VMs.
• We use oAuth 2.0
• Client App (Mobile, web) only communicates with the API server behind WAF. It does not communicate with any other 3rd party application.

[martinhsv]

Hi @titucse ,

This forum is really for questions and issues pertaining to the open-source ModSecurity engine, rather than information about particular rule sets.

For questions about the Trustwave's Commercial Rule set, a better avenue would be to contact their support for that product. There is a some information here:

https://www.trustwave.com/en-us/company/support/

Select 'ModSecurity' in the dropdown and there is an email address along with other information.