Check out http://code.google.com/p/naxsi/
From what I understand it doesn't use signatures at all. It uses another method which can supposedly detect new/unkown attacks.
v0.1 was only released 5 days ago so it might be a while until you can use on a production server. I'll test it on a vps though.
Thanks for the link. Looks neat, this also exists for modsecurity. We actually have both in ASL, but we realize that if you take a pure whitelisting approach (which ASL can do) the "learning phase" for a hosting system is pretty close to infinity. On a shared server, where you add new customers automatically, you have to come up with a policy in advance thats general enough to allow any random web application to just work as you add users, domains, applications, etc. and yet still stop the bad guys. If you have such a dynamic environment, then you not only to deal with more false positives (because things are changing are you dont have rules for it), but you are forced to go back into learning mode thereby leaving your system open to attack. If you environment is static, then whitelisting is feasible until you change your app (then you have to go back and relearn, take the system offline, etc.)
From a security point of view, us security guys LOVE whitelisting. Its "perfect". It can't fail (well, it can, but thats another story). In security terms it works marvellously.
From a real world point of view, its really tough to use this in any dynamic environment.
In ASL, we take a mixed approach, we have whitelisting technology in there, along with blacklisting and greylisting to provide a good balance to make the security in the system usable. The idea that the best solution is whitelisting seems a bit naive to me, so I hope they support the inverse so we can put together a practical solution people can just use right out of the box.
If naxsi can support pre-built rules, then I think its a good technology to look at it. If it can only do learned whitelisting, then I think its only going to be useful for a small number of folks or very static systems with structured changes to their applications. In short, probably not a good candidate for a shared hosting environment, but maybe a good tool for corporate customer that runs their own systems and can take the time to develop these policies for their servers (much like how our Military customers use the self learning RBAC in ASL, its stronger than selinux and they have the time and structured one-purpose systems where its feasible to do that).
Thanks again for the pointer. Also, the modsecurity project is looking to port to nginx.