ModSecurity: New in 2.5
Set-based Parallel Matching
Two new phrase matching operators,
Transformation Function Caching
Starting with ModSecurity 2.5.0, transformations will only be performed once for each transaction. If more than one rule uses the same transformed value, then the cached value is used instead of reapplying the transformations.
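The effect of the per-transaction cache can be seen in a small model. This is an added example, not ModSecurity's own code: the Transaction class, the three stand-in transformation functions, the rules and the request value are all constructed for illustration, and the cache key (variable name plus transformation chain) is an assumption of the model.

```python
from urllib.parse import unquote

# Simplified stand-ins for transformation functions (assumed, not ModSecurity's C code).
TRANSFORMS = {
    "urlDecode": unquote,
    "lowercase": str.lower,
    "compressWhitespace": lambda s: " ".join(s.split()),
}

class Transaction:
    """One request. The cache belongs to it and is discarded with it."""
    def __init__(self, variables, use_cache=True):
        self.variables = variables
        self.use_cache = use_cache
        self.cache = {}      # (variable name, transformation chain) -> transformed value
        self.applied = 0     # number of transformation calls that actually ran

    def transformed(self, var, chain):
        key = (var, tuple(chain))
        if self.use_cache and key in self.cache:
            return self.cache[key]          # reuse instead of reapplying
        value = self.variables[var]
        for name in chain:
            value = TRANSFORMS[name](value)
            self.applied += 1
        self.cache[key] = value
        return value

# Constructed rules: (variable, transformation chain, phrase to look for).
RULES = [
    ("ARGS:q", ["urlDecode", "lowercase"], "<script"),
    ("ARGS:q", ["urlDecode", "lowercase"], "union select"),
    ("ARGS:q", ["urlDecode", "lowercase", "compressWhitespace"], "or 1=1"),
]

def evaluate(tx):
    """Return the phrases found in the transformed values, in rule order."""
    return [phrase for var, chain, phrase in RULES
            if phrase in tx.transformed(var, chain)]

def run(use_cache):
    # Constructed request value: URL-encoded and mixed case.
    tx = Transaction({"ARGS:q": "%3CScRiPt%3E UNION%20SELECT"}, use_cache)
    return evaluate(tx), tx.applied

if __name__ == "__main__":
    print("cached:  ", run(True))
    print("uncached:", run(False))
```

The match results are identical in both runs; only the number of transformation calls differs, because the second rule reuses the value the first rule already computed.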
Automated Rule Update Capability
ModSecurity deployments frequently rely on rule sets obtained from third-party developers.
For example, Breach Security distributes ModSecurity Core Rules freely under GPLv2. While the
installation of these rule sets is not difficult or time consuming, maintenance can be. Changes and
new discoveries are frequent in the dynamic field of web application security. The high cost of rule
set maintenance effectively reduces the usefulness of web application firewalls. To help address
this problem, the 2.5 code archive includes a supporting tool called
Enhancements to the Rules Language
Rule Customizations and Exclusions
New variables, such as GEO, allow users to create rules based on the geographic location of clients.
New Transformation Functions
New transformation functions have been added to help combat common evasion tactics used by current web attackers.
Credit Card Number Detection
More accurate credit card number detection is possible with the new
Full Scripting Support using Lua
Support for efficient and secure log centralization with Mlogc, the commercial tool developed by Breach to send ModSecurity audit log data to the ModSecurity Management Appliance.
Debug logs include the rule filename and line number to help with quicker testing and troubleshooting.
Dual Audit Logging
Audit logs can now be sent to two locations, which provides more flexible log management integration.
Audit logs can contain a list of all rules that matched, which provides a more accurate picture of rule processing.
Component signatures have been added to store relevant version information in the audit log, such as the exact version of Core Rules being used.