ModSecurity: New in 2.5

Performance Enhancements

Two new phrase matching operators, @pm and @pmFromFile are now available. These use an alternate set based matching engine (Aho-Corasick) to perform faster phrase type matches for large lists of keywords.

Transformation Function Caching

Starting with ModSecurity 2.5.0, transformations will only be performed once for each transaction. If more than one rule uses the same transformed value, then the cached value is used instead of reapplying the transformations.

Automated Rule Update Capability

ModSecurity deployments are frequently relying upon rule sets obtained from third-party developers. For example, Breach Security distributes ModSecurity Core Rules freely under GPLv2. While the installation of these rule sets is not difficult or time consuming, maintenance can be. Changes and new discoveries are frequent in the dynamic field of web application security. The high cost of rule set maintenance is effectively reducing the usefulness of web application firewalls. To help address this problem, the 2.5 code archive includes a supporting tool called rules-updater.pl that can be used to periodically check the ModSecurity Rules Repository to automatically download new rules.

Enhancements to the Rules Language

Rule Customizations and Exclusions

• New skipAfter action and SecMarker directives allow for more accurate rule processing.
• Dynamic Removal of Rules with the new ctl:ruleRemoveById action allows for more flexible exclusion conditions.
• Enhanced allow action ensures that white-listed requests are not further analyzed.

New Variables

New variables such as GEO which allow users to create rules based on the geographic location of clients.

New Transformation Functions

New transformation functions added to help combat common evasion tactics used by current web attackers.

Content Injection

With the new Content Injection capabilities in ModSecurity 2.5, we have initially added two actions which will allow ModSecurity rule writers to either "prepend" or "append" any text data to text-based (html) outbound data content. The really useful idea is to inject a JavaScript fragment at the top of all outgoing HTML pages to inspect browser code that is indicative of attacks.

Credit Card Number Detection

More accurate Credit-card number detection is possible with the new @verifyCC operator. This operator verifies a given regular expression as a potential credit card number. It first matches with a single generic regular expression then runs the resulting match through a Luhn checksum algorithm to further verify it as a potential credit card number.

Full Scripting Support using Lua

The new SecRuleScript directive allows for the execution of Lua scripts which provide an even more flexible and powerful interface into ModSecurity. When is Lua needed? ModSecurity chained rules can easily implement AND logic to create complex rules that evaluate that specific variables are present and have certain data, however they can not easily create proper OR logic. This is where Lua can help.

PDF Universal XSS Protection

A very easy to configure set of new directives were added to address this extremely complex vulnerability. Once activated, all PDF files hosted on the website will be protected by a temporary, one-time use URL location which will securely redirect clients to download the file from the site and flush out any malicious Javascript that may have been present in the client's browser.

Logging Enhancements

Mlogc

Support for efficient and secure log centralization with Mlogc, the commercial tool developed by Breach to send ModSecurity audit log data to the ModSecurity Management Appliance.

Debug Log

Rule filename and line number in debug logs to help with quicker testing and trouble-shooting.

Dual Audit Logging

Audit logs can now be sent to two locations which provides more flexible log management integration.

Rule Matching

Audit logs can contain a list of all rules that matched which provides a more accurate picture of rule processing.

Component Signature

Component signatures added to store relevant version information in audit log such as the exact version of Core Rules being used.