Last week I released the second ModSecurity development release, 2.5.0-dev2, in preparation for the next version of ModSecurity. Some may notice that this version is now 2.5.x where as the first development release was 2.2.x. Ivan and I decided that because of the large feature sets going into this next release we would bump the version to 2.5.x to signify a halfway point to 3.0.0. This release is primarily a performance enhancement release, so I want to introduce two of the main new features in more detail.
In this release, I have introduced a phrase matching operator (@pm) to match against a list of phrases. The new operator uses the Aho-Corasick algorithm and is many times faster than the default regular expression operator (@rx) for lists of OR'd phrases. For example, if you want to accept only GET, POST and HEAD requests the following rules are equivalent, but the second is faster (even more so as the list grows):
SecRule REQUEST_METHOD "!^(?:GET|POST|HEAD)$" t:none,deny
SecRule REQUEST_METHOD "!@pm GET POST HEAD" t:none,deny
The new @pm operator should be used for static lists of phrases (black/white lists, spam keywords, etc). However, for large lists, this new operator may cause the rule to become difficult to read and maintain. If your lists are large, you can use an alternate form (@pmFromFile) that accepts a list of files and place the phrases into a file or multiple files (one per line) instead of inline. In this form, the phrase file(s) will be read on startup. To allow for easy inclusion of third party phrase lists, if the filename is given with a relative path, then ModSecurity will look for it starting in the same directory as the file that contains the rule specifying the file. For example:
SecRule REQUEST_METHOD "!@pmFromFile allowed_methods.txt" t:none,deny
### And in allowed_methods.txt in the same directory:
GET
POST
HEAD
Another performance enhancement (that is still being tuned) is transformations are now cached for each transaction. With previous versions of ModSecurity, the transformations for each rule were applied in the order specified to the original value. This was done for every variable in every rule. Starting with ModSecurity 2.5.0-dev2, transformations will only be performed once for each transaction. If more than one rule uses the same transformed value, then the cached value is used instead of reapplying the transformations.
As always, the source code is available in the download section of the ModSecurity Website. Below is an outline of the new features and changes in this release so far. Please see the documentation included in the release for full details and usage examples. Please direct any comments to the ModSecurity User Support mailing list.
@prepend value
and @append value
to inject content into the output.GEO
collection -- from any existing ModSecurity variable by using the new @geoLookup
operator.@streq
, @beginsWith
and @endsWith
-- to allow an easier-to-use non-regular expression operator. Values will have macros interpreted prior to a match, so that you can do "@streq %{REMOTE_ADDR}"
, etc.t:length
-- transforms a value into a numeric character length.t:trimLeft
, t:trimRight
or t:trim
to trim whitespace from the left, right or both, respectively.RESPONSE_CONTENT_LENGTH
, RESPONSE_CONTENT_TYPE
, and RESPONSE_CONTENT_ENCODING
-- were added.HTTP_HEADER_NAME
variables for request headers. The 2.x REQUEST_HEADERS:Header-Name
should now be used.%0 - %9
TX variables that expanded to numbered captures. Use %{TX.0} - %{TX.9}
instead.