Skip to content

ModSecurity version 3 RC1

Felipe Zimmerle edited this page Aug 28, 2017 · 4 revisions

ModSecurity version 3 Release Candidate 1

ModSecurity version 3 (RC1) is close to be released. This wikipage highlights some of the updates between the latest ModSecurity version 2, v3 earlier codebases and the RC1 to be released.

This updated release candidate of libModSecurity is targeting the most widely used features from version 2. Its goal is to fully and correctly support common commercial and free rulesets such as "OWASP Core Rules Set version 3". We realize that many of the missing pieces have a very low audience, and they will continue to be targeted in the upcoming releases candidates. The updated list of missing pieces are listed in this wikipage.

Collectors

The Nginx connector is being the de-facto setup to use and test libModSecurity. We've been having many feedbacks from the community and commercial users as well as contributions for this setup. A lot of effort have been put into it so far. For this reason we're also close to an RC1 for the Nginx Connector.

https://github.com/SpiderLabs/ModSecurity-nginx

There have been a lot of work in the Apache connector as well, and this one is already available for testing but a RC release will take some more time until we finish polishing all the hard edges and get more feedback and contributions from the community.

https://github.com/SpiderLabs/ModSecurity-apache

Code testing for robustness and maturity

Effort has also been put to testing the code extensively. As of now we have Regression tests, Unit tests (make check), Valgrind integration (--enable-valgrind) for checking memory leaks and more recently, Fuzzer testing. The fuzzer tests are individually testing each operator and transformation and in the future fuzzing tests will be expanded to the rules parser. The tests are based on American Fuzzy Lop (AFL) and they are available as part of configuration portion of compilation (--enable-afl-fuzz).

Missing pieces (Towards version 3 feature complete).

The most importante missing features belong to a milestone: Feature complete. This milestone can be listed here: https://github.com/SpiderLabs/ModSecurity/milestone/9

Some other missing features are described on the reference manual by looking for the tag: Supported on libModSecurity: NO | TBI | TBD

If there's any specific feature that you are missing, please let us know by creating an issue on Github.

What we don't want to support anymore

The list of unsupported features is still small at this point, although it may be bigger till the feature complete milestone. The single item is listed below.