A new version of mod_security has just been released - 2.0 - complete with a total rewrite that includes a number of new features.
El Reg is running an article on the new release which includes an interview with ModSecurity's author Ivan Ristic.
mod_security is an apache module for monitoring requests made to a web server and acting on those requests according to rules - useful for blocking malicious bots, stopping web spammers and so on. I've been using it for a few years now and it handles blocking of weblog spammers and trojan worms/bots very well, though it has to be said the configuration isn't the simplest of all time.
Hopefully configuration will get easier with the newly released ModSecurity Console, although reading through that page it doesn't seem to mention anything about using it to configure mod_security... I'll have a look at it later and see what's what.
A list of the new features or improved features in ModSecurity 2.0 - taken from the article above:
- Five processing phases (where there were only two in 1.9.x). These are: request headers, request body, response headers, response body, and logging. Those users who wanted to do things at the earliest possible moment can do them now.
- Per-rule transformation options (previously normalisation was implicit and hard-coded). Many new transformation functions were added.
- Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
- Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
- Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
- Support for web applications and session IDs.
- Regular Expression back-references (allows one to create custom variables using transaction content).
- There are now many functions that can be applied to the variables (where previously one could only use regular expressions).
- XML support (parsing, validation, XPath).
The article is well worth reading if you already use ModSecurity, particularly if you're interested in moving from the simple blocking and logging of requests in mod_security 1.0 to a more sophisticated web application firewalling system in mod_security 2.0. 2.0 includes a pseudo web-app-firewalling programming language that makes it easy to manipulate and process HTTP in a stateful manner: tracking HTTP sessions per IP in real time, for example, or watching for anomalous web activity, flagging any IP whose behaviour goes beyond what is deemed acceptable, and watching for that IP in future requests.
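To show how the features listed above fit together (phases, per-rule transformations, transaction variables, capture back-references, persistent IP collections, anomaly scoring with decaying counters), here is an added example rule set written for this post; it is not from the article or from the ModSecurity project, and it assumes a form parameter called `comment`, a `SecDataDir` path of `/var/cache/modsecurity`, and arbitrary score thresholds.

```apache
# Added example ruleset in ModSecurity 2.x syntax (not the project's own).
SecRuleEngine On
SecRequestBodyAccess On
# Assumed path: persistent collections (the ip.* variables) are stored here.
SecDataDir /var/cache/modsecurity

# Phase 1 (request headers): open the persistent collection keyed on the
# client address so ip.* values survive from one request to the next.
SecAction "phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: a client flagged by an earlier transaction is refused before
# its request body is even read.
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,status:403,log,msg:'Client flagged by earlier anomaly score'"

# Phase 2 (request body): each suspicious sign adds to a per-transaction
# score instead of blocking on its own. Transformations are declared per
# rule; nothing is decoded unless the rule asks for it.
SecRule ARGS "(?:<script|javascript:)" "phase:2,pass,t:urlDecode,t:lowercase,setvar:tx.anomaly_score=+5,msg:'Script marker in a parameter'"
SecRule REQUEST_HEADERS:User-Agent "^$" "phase:2,pass,t:none,setvar:tx.anomaly_score=+2,msg:'Empty User-Agent'"
# Regex back-reference: the captured URL is available as TX:1 afterwards.
# 'comment' is an assumed parameter name.
SecRule ARGS:comment "(https?://[^\s/]+)" "phase:2,pass,t:urlDecode,capture,setvar:tx.anomaly_score=+3,msg:'URL posted in comment: %{TX.1}'"

# Phase 2: evaluate the transaction score. Above the threshold, deny this
# request and carry one strike over to the persistent IP collection.
SecRule TX:ANOMALY_SCORE "@gt 4" "phase:2,deny,status:403,log,setvar:ip.score=+1,msg:'Transaction anomaly score %{TX.ANOMALY_SCORE}'"

# Phase 5 (logging): let the IP strike count decay by 1 every 10 minutes,
# and once a client has reached 3 strikes flag it for one hour.
SecAction "phase:5,pass,nolog,deprecatevar:ip.score=1/600"
SecRule IP:SCORE "@gt 2" "phase:5,pass,log,setvar:ip.blocked=1,expirevar:ip.blocked=3600,msg:'IP flagged for one hour'"
```

Because the flag lives in the IP collection rather than in the transaction, a flagged client's later requests are rejected in phase 1 without any of the phase 2 rules running, which is the stateful per-IP tracking the closing paragraph describes.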