SpiderLabs Blog

ModSecurity News

Over the past few months, there has been a lot going on with ModSecurity. Our lead developer Felipe "Zimmerle" Costa (@zimmerle) has been working hard to add many improvements to the upcoming versions of ModSecurity, and we are both also working to address some of the issues reported by our contributors and users as part of the 3.0.4 and 2.9.4 milestones. In addition, we are working towards some exciting new features, currently at an experimental stage, for a future 3.1 release.

Among other improvements in that area, version 3.1 will make virtual patching on demand possible through the ability to reload the rules without a restart. We will describe some of these in more detail in another blog post.
 
One of the things we are working on is an experimental WAF feature that, as far as we know, is exclusive to ModSecurity. It will allow rule writers and WAF administrators to effortlessly search for and match known malware payloads and signatures through tight integration with the YARA C API, by means of a new operator (e.g. @yara) and new configuration directives to support it. The intention is to step up the game on the detection and blocking of countless types of malware and exploits, since YARA signatures are widely available in different forms and from different vendors.

Finally, we also recently demonstrated the flexibility of libModSecurity by showing the feasibility of running a full-featured WAF inside a low-powered IoT (ARM) device.
 
[Image: ModSecurity compilation process running on a Raspberry Pi Zero]

Once released, 3.1 will include hundreds of commits since the first 3.0 release, including fixes, improvements, and features added to the bleeding-edge version of the de facto open source WAF, libModSecurity. Among the numerous improvements, you'll find cleanups, better practices for improved code readability, resilience, overall performance, support for a few missing features, LuaJIT, and a number of fixes to actions, transformations and other ModSecurity functionality.

Last but not least, there is an improved user experience when reading the logs thanks to a new API component. That API component lets the unique id of a transaction be supplied by the caller, making it possible for the id in the ModSecurity logs to match an id already in use by the consuming application (the connector).

In case you missed it, the ModSecurity team, Felipe "Zimmerle" Costa (@zimmerle) and Victor Hora (@victorhora), recently presented some of these experimental features at the Black Hat Asia Arsenal event in Singapore. We posted some pictures from the event on our Twitter page (@modsecurity). Our friends from the Daily Swig have recently written a nice story about these new experimental features. Check it out here.

There are some other exciting features that we are also working on to make ModSecurity even greater! Stay tuned! :)

SpiderLabs Blog, Apr 16, 2019