mod_security, mod_security2

[Karel]

Hello,

I just installed mod_security2 and I have several problems.

I enforce open_basedir on my server (Debian Testing) + have a list of disallowed php functions for every host (exec() and others), but I want to add extra layer of security. Unfortunately, the rules for mod_security2 seem to be quite an overkill (they may be powerful, but also time consuming and performance hog). So, my questions:

• What is the difference between mod_security and mod_security2? Most guides seem to mention mod_security (which has simple, reasonable rules, but is no longer developed). Are there any (big) security holes in mod_security? I wasn't able to find any comparison.
• Is there any other module with similar functionality? (No chroot/jail, it's unmaintainable).
• Are there any simple tests whether mod_security2 is working? I added rules from http://www.gotroot.com/mod_security+rules, which should prevent simple attacks like reading /etc/passwd, but even though it logged some false positives, mod_security2 didn't stop me from displaying this file (not did it log an attack). Maybe the rules didn't work, but they are several lines of regexp each, so it's impossible to check each of them - on contrary to simple rules of mod_security(1).

[Karel]

OK, I did my 'homework'. There don't seem to be any huge changes in mod_security2, only drawbacks. It got more complicated, the rules are so complicated they had to create a gui application (my server is text only). I guess I'm going with mod_security(1), because I need to protect my server, not my clients (those who need protection pay me for maintaining their software and I'm relatively successful in avoiding huge security holes).

What's new in ModSecurity 2.0 and why should I upgrade if I am already using ModSecurity 1.x?

There are many significant changes and enhancemnts in ModSecurity 2.0 over the 1.x branch, including:

* In order to use the free Core Rules, you must use the 2.x version of ModSecurity as it takes advantage of specific features not available in previous versions.
* Five processing phases (where there were only two in 1.9.x). These are: request headers, request body, response headers, response body, and logging. Those users who wanted to do things at the earliest possible moment can do them now.
* Per-rule transformation options (previously normalization was implicit and hard-coded). Many new transformation functions were added.
* Transaction variables. This can be used to store pieces of data, create a transaction anomaly score, and so on.
* Data persistence (can be configured any way you want although most people will want to use this feature to track IP addresses, application sessions, and application users).
* Support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
* Support for web applications and session IDs.
* Regular Expression back-references (allows one to create custom variables using transaction content).
* There are now many functions that can be applied to the variables (where previously one could only use regular expressions).
* XML support (parsing, validation, XPath).