You may have noticed it's been a while since ModSecurity has had a major release. This does not mean I was lazy. I was working on it throughout, but for various reasons beyond my control, I had to postpone the 1.9 release from Spring 2005 to Summer/Autumn 2005. The other day I was compiling a list of new features for a client and I was amazed at the number of new features added. Below is a partial list. It will probably change slightly before the final release. Below is the final list of improvements.
- A brand new audit logging subsystem was added, aimed at supporting real-time audit log aggregation. This subsystem offers significantly better performance (the central audit log lock has been removed), records more information, and allows log entries to be stored in a database or in flat files. It is now possible to configure exactly what is being logged. In the Apache 2.x version of mod_security it is possible to log the response bodies too.
- Several new directives allow for a finer control of how rules are inherited between contexts:
- SecFilterImport - import rules (identified via their IDs) from the parent context
- SecFilterRemove - remove rules from the current context
- SecFilterInheritanceMandatory - force all rules in the current context to be inherited in child contexts. This is useful when distributed configuration (via .htaccess files) is used.
- Improvements to the way per-rule actions are configured:
- Directive SecFilterActionsRestricted, which, when enabled, allows only meta-data actions (id, rev, message, severity) to be used as per-rule actions.
- Directive SecFilterSignatureAction can now be used as a template: the actions specified with this directive are inherited by the rules that use per-rule actions. SecFilterSignatureAction can appear more than once in a configuration context, which allows rules to be grouped according to how they respond to attacks and keeps meta-data separate from policy, making it easier to rely on third-party rules.
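The following configuration is an added example of how the inheritance directives and the action templates fit together; it is not taken from the ModSecurity distribution or its documentation. The paths, hostnames, rule IDs and patterns are invented, and the argument forms of SecFilterImport and SecFilterRemove (a list of rule IDs) and the use of SecFilterInheritance Off to suspend default inheritance are my assumptions about the 1.9 syntax, to be checked against the reference manual before use.

```apache
# Added example, not part of the ModSecurity 1.9 distribution.
# Paths, hostnames, rule IDs and patterns are invented for illustration.

SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"

# Template 1: the rules that follow it block the request. Their per-rule
# actions carry meta-data only and inherit deny/log/status from here.
SecFilterSignatureAction "deny,log,status:403"
SecFilterSelective ARGS "\.\./" "id:1001,rev:1,msg:'Directory traversal',severity:2"
SecFilterSelective ARGS "<script" "id:1002,rev:1,msg:'Script tag in argument',severity:3"

# Template 2: the rules that follow it only log. Rules are therefore
# grouped by how they respond, not by what they match.
SecFilterSignatureAction "pass,log"
SecFilterSelective HTTP_User-Agent "^$" "id:2001,rev:1,msg:'Empty User-Agent',severity:4"

# From here on, per-rule actions may carry nothing but meta-data, so an
# included third-party rule set cannot switch itself to "pass" or change
# the response status; policy stays in the templates above.
SecFilterActionsRestricted On
Include conf/modsecurity/third-party-rules.conf

<Directory "/var/www/site">
    # Everything defined in this context must reach its child contexts,
    # including .htaccess files, which cannot opt out of it.
    SecFilterInheritanceMandatory On
    SecFilterSelective REMOTE_ADDR "^10\.0\.0\." "id:3001,msg:'Blocked source range'"
</Directory>

<Directory "/var/www/site/forum">
    # Inherits 1001, 1002, 2001 and 3001 from the parents. Drop the
    # script-tag rule here because the forum accepts HTML in arguments.
    SecFilterRemove 1002
</Directory>

<Directory "/var/www/site/upload">
    # Suspend default inheritance (assumed directive) and pull back only
    # the traversal rule by ID. Rule 3001 still applies here: the parent
    # marked its rules mandatory, so a child cannot shed it.
    SecFilterInheritance Off
    SecFilterImport 1001
</Directory>
```

The point to check in your own setup is the interaction between the last two contexts: SecFilterRemove and SecFilterImport only affect rules that are not mandatory, so a rule set that must apply everywhere belongs in a context with SecFilterInheritanceMandatory On, and the per-rule meta-data (id, rev, msg, severity) is what identifies it in the error and audit logs when it fires.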
- A new directive, SecGuardianLog, allows information on all requests processed by the web server to be exported to one external process (via piped logging). This is used in mod_security 1.9 to connect Apache to httpd-guardian, a stateful Denial-of-Service defence tool that detects attacks across all Apache processes. When an attack is detected httpd-guardian can communicate with a firewall to restrict access from the offending IP address. In its default implementation httpd-guardian uses iptables, the Linux host-based firewall, for this purpose.
- New actions:
- setenv - create an environment variable, used to interact with other Apache modules, or applications
- setnote - create an Apache note, used to interact with other Apache modules
- auditlog - force request to be sent to the audit log
- noauditlog - forbid request from being recorded in the audit log
- id - assign a unique ID to the rule
- rev - assign a revision to the rule
- message - assign a message to the rule; the message will appear in the log entry (error log, audit log)
- severity - assign a severity to the rule; the severity will appear in the log entry (error log, audit log)
- proxy - instead of processing the request locally, use the built-in reverse proxy to forward it to some other web server
- mandatory - mark a rule as mandatory for inheritance
- FILE_NAME_* -
- SCRIPT_UID - script user ID
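As an added example covering the new audit log, SecGuardianLog and the new actions listed above (not code from the ModSecurity distribution), here is a server-level configuration that exercises them. Paths, hostnames, rule IDs and patterns are invented. The audit log option names (SecAuditLogType, SecAuditLogParts, SecAuditLogStorageDir), the meaning of the individual SecAuditLogParts letters, and the argument forms setenv:name=value, setnote:name=value and proxy:url are my recollection of the 1.9 syntax and should be confirmed against the manual.

```apache
# Added example, not part of the ModSecurity 1.9 distribution.
# Paths, hostnames, rule IDs and patterns are invented for illustration.

SecFilterEngine On
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"

# New audit log subsystem: one file per transaction under the storage
# directory, written without a central lock, plus an index file that an
# aggregation tool can tail (directive names as I recall the 1.9 manual).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^[45]"
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/apache2/audit
SecAuditLog /var/log/apache2/modsec_audit.log
# Select what is recorded per transaction. As I recall: A header,
# B request headers, C request body, F final response headers,
# H trailer, Z boundary. Response body parts exist only in the
# Apache 2.x build; check the letter for your build before adding it.
SecAuditLogParts ABCFHZ

# Hand a record of every request to httpd-guardian over a pipe. Once it
# decides an address is flooding the server it can call out to iptables.
SecGuardianLog |/usr/local/apache2/bin/httpd-guardian

# setenv: export a match to other modules through the environment.
# Apache's own CustomLog keys on it, so hits get their own log file
# without ModSecurity having to write it.
SecFilterSelective ARGS "union.+select" "deny,log,status:403,id:4001,msg:'SQL injection',severity:1,setenv:modsec_hit=1"
CustomLog /var/log/apache2/modsec_hits.log combined env=modsec_hit

# auditlog + setnote: the request is allowed, but it is forced into the
# audit log (the engine is RelevantOnly, so it would otherwise be skipped)
# and a note is left for other modules to read.
SecFilterSelective ARGS_NAMES "^debug$" "pass,log,auditlog,id:4002,msg:'Debug parameter used',setnote:modsec_reason=debug"

# noauditlog: noisy but harmless traffic stays out of the audit log.
SecFilterSelective REQUEST_URI "^/healthcheck$" "pass,nolog,noauditlog,id:4003"

# proxy: instead of blocking, forward the request through the built-in
# reverse proxy to a honeypot (mod_proxy must be loaded).
SecFilterSelective REQUEST_URI "/cgi-bin/formmail" "log,id:4004,msg:'Formmail probe',proxy:http://honeypot.internal.example/"

# mandatory, with the new SCRIPT_UID variable: a script owned by root is
# never executed, and no child context or .htaccess file can drop this rule.
SecFilterSelective SCRIPT_UID "^0$" "deny,log,status:403,id:4005,msg:'Script owned by root',mandatory"
```

Two things to verify after deploying something like this: that the index file and the per-transaction files both appear when rule 4002 fires (with RelevantOnly and a 200 response, nothing would be written without the auditlog action), and that rule 4003 indeed leaves nothing behind, since a health check hitting the audit log every few seconds defeats the purpose of the concurrent subsystem.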
Update (October 6): The list now includes all the features new to 1.9.