ModSecurity Breach

ModSecurity: New Features (2.6)

Licensing Change - Apache Software License Version 2 (ASLv2)

To facilitate further development and technological enhancements, ModSecurity has moved to the Apache Software License v2. This non-viral open source license makes it easier to integrate ModSecurity with existing Apache programs and custom solutions, and easier for community users to contribute code updates. The new license applies to ModSecurity v2.6 and all subsequent code bases.

Improved Detection Only Mode

With the new SecRequestBodyLimitAction and SecResponseBodyLimitAction directives, SecRuleEngine DetectionOnly processes request/response bodies only up to the defined buffering limit and does not block the transaction. This helps organizations that are initially deploying ModSecurity to minimize disruptions.

Data Modification Capability

Ability to change data on-the-fly, before delivery, in order to better control outgoing content according to security policies.

  • Directives - SecStreamOutBodyInspection and SecStreamInBodyInspection
  • Variables - STREAM_OUTPUT_BODY and STREAM_INPUT_BODY
  • Operator - @rsub
Example usage: Modifying outbound HTML data to remove malicious content - ModSecurity Advanced Topic of the Week: Malware Link Removal

Malware Link Detection

Added integration with Google's Safe Browsing (GSB) API to identify known malicious links.
Example usage: Identifying malware links in outbound HTML pages - ModSecurity Advanced Topic of the Week: Malware Link Detection.

Increased Denial of Service Protection

Added the new SecWriteStateLimit directive that helps to limit the number of concurrent WRITE state connections from a source. This helps to defend against Slow HTTP POST Attacks.

Improved IP Address Handling

Added the @ipMatch operator to better handle partial IP addresses and CIDR notation for both IPv4 and IPv6 addresses.

Improved Rule Customizations and Exclusions

New SecRuleUpdateTargetById and SecRuleRemoveByTag directives allow for more flexibility for unconditionally removing rules or modifying which variables are inspected.
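The following Apache configuration fragment puts the 2.6 directives from the Detection Only, Data Modification, IP Address Handling and Rule Customization sections above into one working example. It is an added illustration, not configuration from the ModSecurity project or these release notes; the rule ids, tag name, host name, parameter name and address ranges are constructed.

```apache
# --- Improved Detection Only Mode ---
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
# ProcessPartial inspects the body up to the limit instead of rejecting
# the request, so an oversized upload is never blocked during evaluation.
SecRequestBodyLimitAction ProcessPartial
SecResponseBodyAccess On
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# --- Data Modification: SecStreamOutBodyInspection + @rsub ---
# Stream inspection exposes the response as STREAM_OUTPUT_BODY, which
# @rsub can rewrite before the body is delivered to the client.
SecStreamOutBodyInspection On
SecContentInjection On
# Replace script tags that load from a blocked host (host name constructed).
# The replacement contains no '/' so it needs no escaping inside s/.../.../.
SecRule STREAM_OUTPUT_BODY "@rsub s/<script[^>]*malware\.example[^>]*>/<!-- script removed -->/" \
    "phase:4,id:900001,t:none,log,pass,msg:'Removed script tag referencing blocked host'"

# --- Improved IP Address Handling: @ipMatch ---
# Single addresses and IPv4/IPv6 CIDR ranges in one list (ranges constructed).
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8,192.168.1.50,2001:db8::/32" \
    "phase:1,id:900002,t:none,nolog,pass,setvar:tx.internal_client=1"

# --- Improved Rule Customizations and Exclusions ---
# These directives must appear after the rules they modify are loaded,
# e.g. after the Include line for the rule set.
# Stop example rule 900101 from inspecting the free-text 'comment' parameter
# while leaving every other ARGS target in place.
SecRuleUpdateTargetById 900101 !ARGS:comment
# Unconditionally remove every rule carrying this (constructed) tag.
SecRuleRemoveByTag "EXAMPLE/LEGACY_POLICY"
```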

New Transformation Functions

New transformation functions, cmdline and base64DecodeExt, were added to help combat common evasion tactics used by current web attackers.

Improved Sensitive Data Tracking

Added new @verifySSN and @verifyCPF operators to identify sensitive data within transactions.

Logging Enhancements

Rule Matching

Audit logs can contain a list of all rules that matched (including simple, chained and chain nodes) which provides a more accurate picture of rule processing.

Uploaded File Meta-Data

New Log Part J logs data about uploaded files.