News and Updates
ModSecurity v2.5.11
(Nov 6, 2009)
ModSecurity v2.5.11 (change log) has been released.
This release fixes a multipart parsing issue that could allow an attacker to
bypass the rules engine. Until you upgrade, the bypass can be blocked with a
few simple rules. Other changes include a rules update (CRS 2.0.3) and some
minor cleanup in the build, mlogc, persistence and the output filter ordering.
ModSecurity v2.5.10
(Sep 24, 2009)
ModSecurity v2.5.10 (change log) has been released.
This release fixes a number of small issues. Notable changes are a cleaner build
process, fixes so that mlogc builds on Windows and negotiates SSL to the console
more reliably, less verbose logging when using anomaly scoring with CRS v2.x, and
a feature that makes ModSecurity easier to use with Apache mpm-itk.
ModSecurity Core Rules v2.0
(July 31, 2009)
ModSecurity Core Rules v2.0 is now available. The ModSecurity Core Rules project is now its own OWASP project and discussions have moved from the mod-security-users mailing list to the new owasp-modsecurity-core-rule-set mailing list.
ModSecurity v2.5.9
(March 11, 2009)
ModSecurity v2.5.9 (change log) has been released.
This release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests. Additionally, the release cleans up the build process and adds a few features, including atomic updates of persistent counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this release.
ModSecurity v2.5.8
(March 11, 2009)
ModSecurity v2.5.8 (change log) has been released.
This release fixes a potential DoS vulnerability when PDF XSS protection is enabled (it is disabled by default), as well as a minor issue with an invalid "internal error" message. This release was immediately superseded by 2.5.9 to fix another major issue found during the 2.5.8 release cycle. You should install the 2.5.9 release instead.
What Is ModSecurity?
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy.
It provides protection from a range of attacks against web applications and allows for HTTP
traffic monitoring, logging and real-time analysis.
It is also an open source project that aims to make the web application firewall
technology available to everyone.
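The description above lists the two deployment modes (embedded in the Apache instance that serves the application, or as a reverse proxy in front of it) and the monitoring, logging and blocking capabilities, and the 2.5.11 news item mentions that a multipart parsing bypass can be blocked with simple rules. The following is an added configuration example, written by the editor rather than taken from the ModSecurity project, that shows what a minimal ModSecurity 2.5 setup for Apache 2.x looks like. File paths, the backend address, the rule ids and the log locations are illustrative assumptions. The multipart sanity rule is a general hardening check based on the MULTIPART_STRICT_ERROR variable; the page does not say which rules the 2.5.11 announcement had in mind, so it is not presented as that specific mitigation.

```apacheconf
# Added example (editor's own, not from the ModSecurity project):
# minimal ModSecurity 2.5 configuration for Apache 2.x.
# Module paths, log paths, backend URL and rule ids are assumptions.
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    # Start in DetectionOnly so rules only log; switch to On to block.
    SecRuleEngine DetectionOnly

    # Without request body access, POST payloads (including multipart
    # uploads) are never inspected. Enable it and bound the sizes so a
    # large body cannot exhaust memory or disk.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecTmpDir /tmp/
    SecDataDir /var/cache/modsecurity/

    # Inspect text responses too (information leakage, error pages).
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288

    # Audit log: record only transactions that matched a rule or ended
    # in a 5xx, or a 4xx other than 404.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecAuditLogParts ABIFHZ

    # Debug log at level 3 is enough for day-to-day operation; raise it
    # only while diagnosing a rule.
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 3

    # Hardening check (assumed rule id 900001): refuse a request whose
    # multipart body the parser could not process cleanly, so that a
    # malformed body is never forwarded to the application uninspected.
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
        "phase:2,t:none,deny,status:400,log,auditlog,id:900001,\
        msg:'Multipart request body failed strict validation'"

    # A simple negative-security rule (assumed rule id 900002): block a
    # UNION SELECT pattern in any parameter after URL decoding.
    SecRule ARGS "@rx union\s+(?:all\s+)?select" \
        "phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,\
        log,auditlog,id:900002,msg:'SQL injection attempt (UNION SELECT)'"
</IfModule>

# Reverse-proxy deployment: the same rules apply, but this Apache instance
# fronts an application server that has no ModSecurity of its own.
# In embedded mode these proxy directives are simply omitted.
<IfModule mod_proxy.c>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/
</IfModule>
```

Run with SecRuleEngine DetectionOnly first and watch the audit log for false positives; only then change it to On. In both modes, mod_unique_id must be loaded, since the audit log uses the unique request id to tie log entries together.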
Books
Apache Security is a comprehensive resource on securing Apache, written by Ivan Ristic
for O'Reilly. Two chapters (Apache Installation and Configuration, and PHP) are available as a free
download, as are the Apache security tools created for the book.
Preventing Web Attacks with Apache. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against.
Support/Mailing lists
Community support is available on the mod-security-users mailing list at
lists.sourceforge.net. You must subscribe first in order to post. The list
archives are available as News (NNTP), Threaded HTTP, Bloggy HTTP, and RSS.
Commercial support and appliances based on ModSecurity can be
obtained from Breach Security.
Getting Started
External Links
ModSecurity 2.0 with Ivan Ristic
ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements. Federico Biancuzzi interviewed Ivan Ristic to discuss the new logging system, events tracking and correlation, filtering AJAX or AFLAX applications, and just-in-time patching for closed source applications.
Web Application Firewalls Primer
Introduction to Web Application Firewalls, published in INSECURE Magazine 1.5.
Talks
Our talks are available for download following the links below: