Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

What's new in ModSecurity 1.9

You may have noticed it's been a while since ModSecurity has had a major release. This does not mean I was lazy. I was working on it throughout, but for various reasons beyond my control, I had to postpone the 1.9 release from Spring 2005 to SummerAutumn 2005. The other day I was compiling a list of new features for a client and I was amazed at the number of new features added. Below is a partial list. It will probably change slightly before the final release. Below is the final list of improvements.

    • A brand new audit logging subsystem was added, aimed at supporting real-time audit log aggregation. This subsystem offers significantly better performance (the central audit log lock has been removed), records more information, and allows for log entries to be stored in a database or in flat files. It is now possible configure exactly what is being logged. In the Apache 2.x version of mod_security it is possible to log the response bodies too.
    • Several new directives allow for a finer control of how rules are inherited between contexts:
      • SecFilterImport - import rules (identified via their IDs) from the parent context
      • SecFilterRemove - remove rules from the current context
  • SecFilterInheritanceMandatory - force all rules in the current context to be inherited in child contexts. This is useful when distributed configuration (via .htaccess files) is used.
  • Improvements to the way per-rule actions are configured:
      • Directive SecFilterActionsRestricted which, when enabled, only allows meta-data actions (id, rev, message, severity) to be used as per-rule actions.
      • Directive SecFilterSignatureAction can now be used as a template. The actions specified with this directive are inherited by the rules using per-rule actions. SecFilterSignatureAction can appear more than once in a configuration context, and this allows rules to be grouped according to how they respond to attacks. And it allows meta-data to be separated from policy, making it easier to rely on third-party rules.
  • A new directive, SecGuardianLog, allows information on all request processed by the web server to be exported to one external process (via piped logging). This is used in mod_security 1.9 to connect Apache to httpd-guardian, a stateful Denial-of-Service defence tool that detects attacks across all Apache processes. When an attack is detected httpd-guardian can communicate with a firewall to restrict access from the IP address. In its default implementation httpd-guardian uses iptables, the Linux host-based firewall, for this purpose.
  • New actions:

    • setenv - create an environment variable, used to interact with other Apache modules, or applications
  • setnote - create an Apache note, used to interact with other Apache modules
  • auditlog - force request to be sent to the audit log
  • noauditlog - forbid request from being recorded in the audit log
  • id - assign unique ID to the rule
  • rev - assign a rule revision
  • message - assign message to the rule, the message will appear in the log entry (error log, audit log)
  • severity - assign severity to the rule; the severity will appear in the log entry (error log, audit log)
  • proxy - instead of processing the request locally, use the built-in reverse proxy to forward it to some other web server
  • mandatory - mark a rule as mandatory for inheritance
  • Implemented performance measurement facilities throughout, in the Apache 2.x version. Now it is possible to measure the performance of ModSecurity itself (each processing phase individually, or each rule individually). It is also possible to measure network performance and the request processing time separately. This separation allows the client communication speeds to be measured, and to look at request processing performance with no impact from slow clients.
  • Full support for methods other than GET and POST. Files uploaded using PUT are now treated as files uploaded through POST and multipart/form-data.
  • Support for integration with ClamAV antivirus, allowing uploaded files to be inspected for viruses.
  • New directive, SecAuditLogRelevantStatus, allows transactions to be recorded in the audit log depending on their response status code. This is useful to record unusual transactions and to allow for communication between applications and mod_security. For example, if an internal error occurs in a script, if it sets the response code to 500 mod_security will record the complete transaction for further investigation.
  • Many new variables were added. They allow for a much finer control of what is allowed and what not.

    • FILE_NAME_* -
  • FILE_SIZE_* - uploaded files' sizes
  • FILE_NAMES - look at all uploaded files' names
  • FILE_SIZES - look at all uploaded files' sizes
  • FILES_COUNT - how many files are being uploaded?
  • HEADER_* - look at a specific header
  • HEADERS - look at all headers (names and values)
  • HEADERS_NAMES - header names (all)
  • HEADERS_VALUES - header values (all)
  • HEADERS_COUNT - how many headers are there?
  • ARGS_COUNT - how many arguments are there?
  • COOKIES_COUNT - how many cookies are there?
  • A new family of variables allows greater control of which scripts are allowed to run. This feature can be used, for example, to only allow scripts owned by a named user to be run. This would lead attack attempts based on code upload and execution to fail.

    • SCRIPT_UID - script user ID
  • SCRIPT_GID - script group ID
  • SCRIPT_USERNAME - username of the script owner
  • SCRIPT_GROUPNAME - group name of the script owner
  • SCRIPT_MODE - script permissions
  • Added output status filtering to the Apache 2.x version. It is now possible to take action based on the response status code.
  • Completely rewritten support for cookies. Two brand new parsers were implemented, one for v0 cookies (Netscape-style) and the other for v1 cookies.
  • Improvements to the internal chroot functionality. The implementation is now much cleaner, and avoids a need for a temporary lock file.
  • Many smaller improvements throughout.

Update (October 6): The list now includes all the features new to 1.9.

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More