mod_security 2.01 released
A new version of the essential web server defense tool mod_security has been released… along with a new java-based management console.
A big surprise is that there is no change log for this new release (that I can find, anyway… there isn’t one on the web site nor in the source tarball). The only info about what has changed is in the short announcement blurb:
“XML support, event correlation, transaction scoring, anomaly detection, data persistence, a wealth of anti-evasion functions, regex back-references, support for sessions, and many more.”
Previous versions of mod_security did include a change log… which is essential information for anyone upgrading or testing the new version. The open source project was recently acquired by a security vendor… hopefully this new lack of a change log is an oversight and not a shift in policy resulting from the new ownership.
Anyway, mod_security is a very good, extremely customizable web application firewall / “intrusion prevention system”. It can be run as an Apache module or as a filtering reverse proxy sitting in front of other web servers. Configured properly, mod_security can prevent many attacks against web applications, regardless of what language they were written in. Learn more about it on the mod_security web site.
Update: SecurityFocus has posted an interview with Ivan Ristic that reveals more information:
“Some of the major improvements include:
- Five processing phases (where there were only two in 1.9.x). These are: request headers, request body, response headers, response body, and logging. Those users who wanted to do things at the earliest possible moment can do them now.
- Per-rule transformation options (previously normalization was implicit and hard-coded). Many new transformation functions were added.
- Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
- Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
- Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
- Support for web applications and session IDs.
- Regular Expression back-references (allows one to create custom variables using transaction content).
- There are now many functions that can be applied to the variables (where previously one could only use regular expressions).
- XML support (parsing, validation, XPath).”
Very exciting capabilities, and more info than the press release and docs provide, but it’s still not enough detail.
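To show how several of the features in that list fit together (processing phases, per-rule transformations, transaction variables, back-references, persistent per-IP data and decaying counters), here is a constructed rule set in the ModSecurity 2.x rule language. It is an added example, not taken from the announcement, the interview or the project's documentation; the rule ids, scores, thresholds, data directory and the `<script` pattern are assumptions chosen for illustration.

```apache
# Constructed example: all ids, paths and thresholds are placeholders.
SecRuleEngine On
SecRequestBodyAccess On
# Directory where persistent collections (the "data persistence" feature) live.
SecDataDir /var/cache/modsecurity

# Phase 1 (request headers): open the persistent record for this client IP.
SecAction "phase:1,id:900001,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Let the per-IP counter decay by 1 every 60 seconds so old events age out.
SecAction "phase:1,id:900002,nolog,pass,deprecatevar:ip.score=1/60"

# Reject early, before the body is read, once an IP has accumulated 3 blocks.
SecRule IP:SCORE "@ge 3" \
    "phase:1,id:900003,deny,status:403,log,msg:'Client over per-IP threshold'"

# Back-reference: capture the product token of the User-Agent into a
# transaction variable that later rules in the same transaction can read.
SecRule REQUEST_HEADERS:User-Agent "^([^/ ]+)" \
    "phase:1,id:900004,capture,nolog,pass,setvar:tx.ua_product=%{TX.1}"

# Phase 2 (request body): explicit per-rule transformations, then add to the
# transaction anomaly score instead of blocking on a single match.
SecRule ARGS "<script" \
    "phase:2,id:900010,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    pass,log,msg:'Script tag in parameter',setvar:tx.anomaly_score=+5"

SecRule REQUEST_HEADERS:User-Agent "^$" \
    "phase:2,id:900011,t:none,pass,log,msg:'Empty User-Agent',\
    setvar:tx.anomaly_score=+2"

# Correlate: block only when the combined score crosses the threshold, and
# record the block against the client IP for the phase 1 check above.
SecRule TX:ANOMALY_SCORE "@ge 5" \
    "phase:2,id:900020,deny,status:403,log,msg:'Anomaly score exceeded',\
    setvar:ip.score=+1"

# Phase 5 (logging): note transactions that scored but were not blocked.
SecRule TX:ANOMALY_SCORE "@gt 0" \
    "phase:5,id:900030,pass,log,msg:'Transaction scored below threshold'"
```

Running the scoring rules with `pass` first and reviewing the audit log is the usual way to tune the weights before switching the threshold rule to `deny`.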