Runtime rule injection and YARA support among latest developments for popular web security module

The latest version of the ModSecurity web application firewall (WAF) has been designed to give users even more control and flexibility, along with improved performance and stability, the project’s maintainers have confirmed.

During a presentation at Black Hat Asia earlier today, Trustwave’s Felipe Zimmerle and Victor Hora outlined the headline developments for ModSecurity 3.1 – the latest iteration of the open source WAF that’s deployed on thousands of web servers across the globe.

“A few years ago we started working on version 3.0 of ModSecurity, which was a complete rewrite of version 2,” Zimmerle told The Daily Swig ahead of the conference, which takes place in Singapore this week.

“In 3.0 the idea was to make it completely compatible with previous versions. Now, with 3.1, we are improving the performance and making it easier for people to extend ModSecurity and write their own rules.”

Rewriting the rulebook

ModSecurity works by applying WAF rules that are designed to block attacks or unwanted behavior directed at web applications.

Security professionals can create their own custom rules or deploy existing rulesets, such as the free-to-download OWASP Core Rules. Commercial rule libraries are also available, which are said to offer protection against specific vulnerabilities and provide fewer false positives.

Whichever ruleset is chosen, it is not currently possible to reload or inject new rules into ModSecurity without restarting the web server.

This, however, is set to change with version 3.1.

“The idea is that with the latest version it will be possible for a user to inject new rules at runtime,” Zimmerle explained. “This is one hell of a feature that will be amazing from a user’s perspective.”

In addition, ModSecurity 3.1 will provide even greater malware detection capabilities through YARA support.

“This is another feature we are planning to introduce,” said Hora. “The idea came when we were doing some research last year on some threats, including Magecart web skimmers.

“During our research we saw that some users were writing YARA rules to be able to detect these kinds of threats, so we thought it would be a great idea to add YARA support to ModSecurity so that you could inspect payloads, such as when someone tries to upload a malicious file.”

In addition to runtime rule injection and YARA support, ModSecurity 3.1 includes around 300 commits since the first 3.0 release with fixes, improvements, and other features.

ModSecurity was originally designed as a module for Apache HTTP Server. It was developed by Ivan Ristić and launched in 2002.

Following a series of ownership changes, Trustwave has acted as custodian of the project since 2010.