ModSecurity 2.0 Looks Very Interesting

Federico Biancuzzi interviewed Ivan Ristic, ModSecurity developer and author of the Apache Security book (check the review from Richard Bejtlich), a few days ago about the new 2.0 version of this interesting OSS WAF (Web Application Firewall. buzzwords keep flowing these days). It runs as an Apache module and protects your web applications according to policies that you specify.

Version 2.0 is a complete rewrite of the code base and while it is still available today only as an Apache module, it's been rewritten with portability in mind and Ivan is hoping to release a IIS compatible version in the not too distant future.

The new version also looks very interesting on the functionality side. Among the major improvements on this side, here is what took my attention (excerpt from the interview):

• Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
  
• Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
  
• Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
  
• Support for web applications and session IDs.
  
• Regular Expression back-references (allows one to create custom variables using transaction content).
  

Even better (depends on whom is using the product): a GUI is available (it doesn't look like OSS though).

Read the full transcript for more details. I plan to test it as soon as I can. If you already did, let me know what you think.