OK, I did my 'homework'. There don't seem to be any huge changes in mod_security2, only drawbacks. It got more complicated; the rules are so complicated they had to create a GUI application (my server is text only). I guess I'm going with mod_security(1), because I need to protect my server, not my clients (those who need protection pay me for maintaining their software and I'm relatively successful in avoiding huge security holes).
What's new in ModSecurity 2.0 and why should I upgrade if I am already using ModSecurity 1.x?
There are many significant changes and enhancements in ModSecurity 2.0 over the 1.x branch, including:
* In order to use the free Core Rules, you must use the 2.x version of ModSecurity as it takes advantage of specific features not available in previous versions.
* Five processing phases (where there were only two in 1.9.x). These are: request headers, request body, response headers, response body, and logging. Those users who wanted to do things at the earliest possible moment can do them now.
* Per-rule transformation options (previously normalization was implicit and hard-coded). Many new transformation functions were added.
* Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
* Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
* Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
* Support for web applications and session IDs.
* Regular Expression back-references (allows one to create custom variables using transaction content).
* There are now many functions that can be applied to the variables (where previously one could only use regular expressions).
* XML support (parsing, validation, XPath).
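
The configuration below is an added illustration, not part of the original post or the quoted FAQ. It shows how several of the listed 2.x features fit together: processing phases, per-rule transformations, a transaction anomaly score, and a persistent per-IP collection with decaying and expiring variables. The rule ids, the `SecDataDir` path, the scores and the thresholds are assumptions chosen for the example.

```apache
# Added illustration in ModSecurity 2.x rule language; all values are constructed.
SecRuleEngine On
SecRequestBodyAccess On
# Assumed path; persistent collections need a writable data directory.
SecDataDir /var/cache/modsecurity

# Phase 1 (request headers): open a persistent collection keyed on the client IP.
SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Phase 1: reject at the earliest moment if an earlier transaction flagged this IP.
SecRule IP:BLOCKED "@eq 1" \
    "id:1001,phase:1,deny,status:403,log,msg:'IP temporarily blocked'"

# Phase 2 (request body): transformations are chosen per rule; each match only
# adds to a transaction variable instead of blocking on its own.
SecRule ARGS "@rx <script" \
    "id:1010,phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    pass,log,msg:'Script tag in parameter',setvar:tx.anomaly_score=+5"

SecRule ARGS "@rx \.\./" \
    "id:1011,phase:2,t:none,t:urlDecodeUni,\
    pass,log,msg:'Path traversal sequence',setvar:tx.anomaly_score=+3"

# Phase 2: act on the correlated score. Each blocked request adds one strike to
# the persistent IP record; strikes decay by 1 every 300 seconds.
SecRule TX:ANOMALY_SCORE "@ge 5" \
    "id:1020,phase:2,deny,status:403,log,msg:'Anomaly score threshold reached',\
    setvar:ip.strikes=+1,deprecatevar:ip.strikes=1/300"

# Phase 5 (logging): after three strikes, flag the IP; the flag expires after 600 seconds.
SecRule IP:STRIKES "@ge 3" \
    "id:1030,phase:5,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=600"
```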