Latest release


@zimmerle zimmerle released this Feb 3, 2016 · 28 commits to master since this release

New features

  • Added support to generate audit logs in JSON format.

    [Issue #914, #897, #656 - Robert Paprocki]
  • Extended Lua support to include version 5.3

    [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
  • mlogc: Allows user to choose between TLS versions (TLSProtocol option

    [Issue #881 - Ishwor Gurung]
  • Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.

    [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]

Bug fixes

  • Creating AuditLog serial file (or parallel index) respecting the
    permission configured with SecAuditLogFileMode. Previously, it was
    used only to save the transactions while in parallel mode.

    [Issue #852 - @littlecho and ModSecurity team]
  • Checking for hashing injection response, to report in case of failure.

    [Issue #1041 - ModSecurity team]
  • Stop buffering when the request is larger than SecRequestBodyLimit
    in ProcessPartial mode

    [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
  • Refactoring conditional #if/#defs directives.

    [Issue #996 - Wesley M and ModSecurity team]
  • fix searching SecAuditLogStorageDir
    files with Apache 2.4

    [Issue #775 - Elia Pinto]
  • Understands IIS 10 as compatible on Windows installer.

    [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
  • Fix apache logging limitation by using correct Apache call.

    [Issue #840 - Christian Folini]
  • Fix apr_crypto.h check on 32-bit Linux platform

    [Issue #882, #883 - Kurt Newman]
  • Fix variable resolution duration (Content of the DURATION variable).

    [Issue #662 - Andrew Elble]
  • Fix crash while adding empty keys to persistent collections.

    [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
  • Remove misguided call to srand()

    [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
  • Fix compilation problem while ssdeep is installed in non-standard

    [Issue #872 - Kurt Newman]
  • Fix invalid storage reference by apr_psprintf at msc_crypt.c

    [Issue #609 - Jeff Trawick]

Known issues

  • Instabilities of nginx add-on are still expected. Please use the "nginx
    refactoring" branch and stay tuned for the ModSecurity version 3.




@zimmerle zimmerle released this Dec 15, 2014 · 87 commits to master since this release

Bug fixes

  • OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using
    Curl with WinSSL.
    [Gregg Smith, Steffen and ModSecurity team]
  • ModSecurity now informs about external resources loaded/failed while reloading Apache.
    [ModSecurity team]
  • Adds missing 'ModSecurity:' prefix in some warnings messages.
    [Walter Hop and ModSecurity team]
  • External resources download is now more verbose. Holding the message
    to be displayed when Apache is ready to write on the error_log.
    [ModSecurity team]
  • Remote resources loading process is now failing in case of HTTP error.
    [Walter Hop and ModSecurity team]
  • Fixed start up crash on Apache with mod_ssl configured. Crash was happening
    during the download of remote resources.
    [Christian Folini, Walter Hop and ModSecurity team]
  • Curl is not a mandatory dependency to ModSecurity core anymore.
    [Rainer Jung and ModSecurity team]

Archives also available at:




@zimmerle zimmerle released this Nov 18, 2014

New features

  • 'pmFromFile' and 'ipMatchFromFile' operators are now accepting HTTPS served files as parameter.
  • 'SecRemoteRules' directive - allows you to specify a HTTPS served file that may contain rules in the SecRule format to be loaded into your ModSecurity instance.
  • 'SecRemoteRulesFailAction' directive - allows you to control whenever the user wants to Abort or just Warn when there is a problem while downloading rules specified with the directive: `SecRemoteRules'.
  • 'fuzzyHash' operator - allows to match contents using fuzzy hashes.
  • 'FILES_TMP_CONTENT' collection - make available the content of uploaded files.
  • InsecureNoCheckCert - option to validate or not a chain of SSL certificates on mlogc connections.

Bug fixes

  • ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1. [Issue #676 - Kris Kater and ModSecurity team]
  • Fixed signature on "status call": ModSecurity is now using the original server signature. [Issues #702 - Linas and ModSecurity team]
  • YAJL version is printed while ModSecurity initialization. [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
  • Fixed subnet representation using slash notation on the @ipMatch operator. [Issue #706 - Walter Hop and ModSecurity team]
  • Limited the length of a status call. [Issue #714 - 'cpanelkurt' and ModSecurity team]
  • Added the missing -P option to nginx regression tests. [Issue #720 - Paul Yang]
  • Fixed automake scripts to do not use features which will be deprecated in the upcoming releases of automake [Issue #760 - ModSecurity team]
  • apr-utils's LDFALGS is now considered while building ModSecurity. [Issue #782 - Daniel J. Luke]
  • IIS installer is not considering IIS 6 as compatible anymore. [Issue #790 - ModSecurity team]
  • Fixed yajl build script: now looking for the correct header file. [Issue #804 - 'rpfilomeno' and ModSecurity team]
  • mlgoc is now forced to use TLS 1.x. [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]

Archives also available at:



@zimmerle zimmerle released this Apr 1, 2014 · 158 commits to master since this release

New features

  • JSON Parser is no longer under tests. Now it is part of our mainline.
  • Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
  • New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
  • ModSecurity status is now part of our mainline.
  • New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
  • Append and prepend are now supported on nginx (Ref: #635);
  • SecServerSignature is now available on nginx (Ref: #637);


  • Regression tests are not able to expect different values according to the platform;
  • Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior ModSecurity installation (Ref: #627);
  • New script was added to the IIS versions to identify whenever there is a missing dependency (available through the Application Menu);
  • Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620, #619);
  • Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
  • IIS installer is now using the correct 32/64bits folders to install;
  • IIS Installer 32bits now refuses to install on 64bits environments;
  • IIS: Using new WiX options to build the package in the correct architecture;
  • While installing IIS version the installer will remove old ModSecurityIIS configuration or files before proceed with the installation, avoiding further errors;
  • CRS from IIS version was upgraded to 2.2.9;
  • IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
  • ModSecurity now warns the user who tries to use "proxy" in IIS or Nginx. Proxy is Apache only;
  • Remove warnings from the build process (Ref: #617);
  • Apache configuration in regression tests was changed making it more platform independent;
  • Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
  • Regression tests were refactored to be more Nginx friendly;
  • Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636);
    • Fixed config/00-load-modsec.t test case. Now it expects for Nginx loaded message as it does for Apache. (Ref: #643);
    • Fixed mixed/10-misc-directives.t. Now it does not expect for SecServerSignature on the logs, just in the headers as the Nginx does in silence;
    • Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
    • Increased the timeout while reading the auditlog;
    • SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
    • Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
    • Fixed regression tests scripts paths, to make it MacOS friendly;
    • Avoiding dead locks on Nginx regression tests by enforcing a timeout whenever a request appears to fail; 
  • Updates to fix errors found by Parfait static code analysis (Ref: #612);
  • Cleaning up on the repository, by removing unused files;
  • IIS installer now supports to perform the installation without register the DLL on the system. It means that the user can download our MSI installer as it was a tarball archive (Ref #629, #624);
  • IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).

Bug fix

  • Correctly handling inet_pton in IIS version;
  • Nginx was missing a terminator while the charset string was mounted (Ref: #148);
  • Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
  • Added missing environment variables to regression tests;
  • Build system is now more flexible by looking at liblua at: /usr/local/lib;
  • Fixed typo in README file.
  • Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
  • Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
  • Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
  • Fixed UF8 to unicode conversion. Regression tests were also added(Ref: #672);
  • Avoiding segmentation fault by checking if a structure is null before access its members;
  • Removed double charset-header that used happen due a hardcoded charset in Nginx implementation (Ref: #650);
  • Now alerting the users that there is no memory to proceed loading the configuration instead of just die;
  • If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whenever ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645); 
  • Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equals or over 3. (Ref #634);
  • IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityISS. (Ref #632).

Archives also available at:


Release 2.7.6

@zimmerle zimmerle released this Dec 16, 2013

Besides the bug fixes this release also includes modification on the build system that counts on QA mechanisms such as coding style checker and static analysis. All ports and all platforms had some changes that may reduce the possibility of errors while trying to compile the project. Regression tests and unit tests are now more independent of platform or utilities versions. There is a new installer for MS Windows. Libinjection was updated. For more information about the fixed bugs or to report a new one, have a look at our Issues.

  • Organizes all - 1cde4d2
    Now using one file per line (sorted). This is the better way to handle it, since it reduces the possibility of merge conflicts.
  • nginx: generates config file using configure input. - 351b9cc
    The nginx config file was looking for depedencies by its own, by doing that it was ignoring the options that were passed to configure script. This commit deletes this config file and adds a meta-config which is populated by configure whenever the standalone-module is enabled.
  • nginx: adds lua support - da16d9e
  • iis: Cosmetics fixies on sqli. - 5046c83
    This is needed to get it compiled with VS2011 on Windows8
  • Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2) - ae252ee
  • nginx: Trying apxs and apxs2 while compiling nginx module - 65d9272
  • nginx: Trying apxs and apxs2 while compiling nginx module - 35fd75d
  • macos: Using glibtoolize instead of libtoolize - 751a9f4
  • regression-tests: makes configuration compatible with 2.2 and 2.4 - 6fc4cac
  • Regression test: get it working with apache 2.4 - e9813cd
    Changes in to get it working with apache 2.4
  • Code cosmetics. - 7366f35
    Changed to reduce the number of possible fails during Build Bot compilation.
  • iis: Waiting for 5 seconds before move curl directory - 9bf2959
    Testing buildbot.
  • Redefines unixd_set_global_mutex_perms on tests - f70f6f4
    Avoding conflicts with the standalone implementation
  • test: Avoids conflict of fuctions definition - cef7285
  • test: Makes the unit tests to work again - cc982ae
    The unit tests was not working due to lack update. This patch adds the necessary stuff to have it work again.
  • iis: Avoids directory link while building - ad330a4
    Build scripts was creating links allowing the project to be loaded into Visual Studio without care about the dependencies versions. Sometimes windows refuse to delete those links leading the script to fail. This patch moves the sources directories instead of create links to it.
  • QA: Avoids the utilization of 3rd filedescriptor - 69c5cca
    No need to use a 3rd description on the quality check scripts. Stderr is now redirected to stdout and filtered as needed.
  • Supports WarningCountingShellCommand in cppcheck and vera - baaf502
    WarningCountingShellCommand allow us to have some measurements on the buildbot waterfall.
  • Adds verbose quality check - 3889434
    Vera++ and ccpcheck are not outputing to the stderr instead stdout allowing the buildbot to extract some numbers about it.
  • Adds support for coding style and quality check - b77e901
    Initial effort to get the code on shape. This will be executed by the buildbots as soon as they get ready for it.
  • iis: Using base_rules instead of activated_rules - 7b15370
  • iis: New improvements on the Wix installer - 2ea5a74
    • Now the installation is divided in modules: ModSecurity and CRS.
    • Added default configuration
    • Configuration was moved to "Program Files" folder
    • Build_msi script now using candle available in %PATH%
  • iis: Removes the installer helper dependency - 1a12648
    Now using appcmd directly with WiX instead of calling the installer helper.
  • iis: Remove readme.html - 550d5aa
    This HTML is about "Creating a Native Module for IIS7" not straight related to ModSecurity itself.
  • iis: Adds batch script to compile Wix - a2c5fc8
    This batch script can be used to generate our msi installer.
  • iis: Adds Wix installer resources - 3604763
    This is all about cosmetic changes.
  • iis: Fix inet_pton build problem - a420214
    There is a function named inet_pton on windows API, with different signature. This patch just override the windows function and point the inet_pton to our implementation.
  • iis: Adds Wix installer xml file.c - b32cb7d
    This commit adds the Wix template to our git repository.
  • iis: build_modsecurity.bat fixies - 7e03e3f
    This commit enable a cleanup on the mod_security build directory avoiding symbols with different architectures.
  • iis: Adds release script - 9477118
  • iis: fixies the Installer.cpp coding style - 79875b1
  • iis: Removes AppWizard remade file - 91738f9
    Apparently the AppWizard was used to generate part of this Installer, the ReadMe.txt created by the AppWizard was removed by this commit
  • iss: Removes pre-compiled headers - adfbeb8
    No need to use the pre-compiled headers in InstallerHelper, removing it, in order to keep the project lean.
  • iis: Moves installer to InstallerHelper - 6adf256
    To organize the folder the Installer application was renamed to installer helper. It is not the real installer, it is just an helper which is executed during the installation phase.
  • iss: Removes fart dependencies - 8c3b8d8
    This commit removes the dependency of the fart.exe utility. The utility was responsible to rename contents inside some dependencies build files. Those modifications are not longer needed.
  • iss: Better err handling in build scripts. - 192599b
    Now checking for errors in every step of the build phase
  • iis: Moves build_module.bat to build_modsecurity.bat - e25c6b2
    The build_modsecurity.bat is now on the iis sub-directory, not in the dependencies anymore. Its content was also changed fixing all the paths.
  • iis: Fix mlogc build on windows - 9b7663f
    The libcurl path was not pointing to the correct directory
  • iss: Removes Post-Build event. - 28bbde1
    There was a copy on Post-Build event using a hard coded path. This patch removes this Post-Build event.
  • iis: Relative paths on the VS project file - 368617d
    There are a ModSecurityIIS solution and project files, those were using hard coded paths to meet the dependencies. As consequence of the last update in our build scripts, now we are able to built the dependencies and load it to our Visual Studio project using relative paths.
  • iis: Identifies arch before unzip apache - cf5de78
    Currently we need the Apache binary which could be used in 32 or 64 bits. This patch makes usage of 'cl' to identify which architecture is set.
  • iis: Renamves winbuild to dependencies - 1447766
    Since the directory becomes all about dependencies there is no need to call it winbuild anymore.
  • iis: Removes unnecessary files from winbuild dir - 9f8cbf6
    Those .mak files seems to be part of an old build system. Since the script are now working fine, this commit removes all those .mac files and also a CMakeList.txt and the
  • iis: Improves the iis build system - b277e53
    Now checking for common errors while building. Refactoring on the build scripts, now there is this build_dependencies.bat script on the iis sub-folder. By calling this script all the dependencies should be build under the winbuild/. This commit also removes build scripts that were not needed anymore.
  • iis: Fixes the vcxproj file - a946a16
    Versions of the dependencies were changed, as long as the version of the Visual Studio, now 12.
  • iis: Removes unecessary files from the build system - 26738d2
    The following files were removed:
    • VCVarsQueryRegistry.bat
    • vcvars64.bat
    • vsvars32.bat
      The visual studio files can be called direcltly, not necessary to distribute those files, at least in VS12.
  • iss: Changes httpd version 2.4.6 - 0a772cb
    Apache version was changed to 2.4.6 to sync with the current apache lounge version.
  • iis: Changes the version of the dependencies - 3e6fb41
    • pcre from 8.30 to 8.33
    • zlib from 1.2.7 to 1.2.8
    • libxml2 from 2.7.7 to 2.9.1
    • curl from 7.24 to 7.33.0
  • Removes standalone/ - e3c19d5 is recommended to be in the repository whenever it is edit manually, in our case the automatically generated is ok.
  • Fix #154, Uses addn instead of apr_table_setn - 1734221
    The headers are represented in the format of an apr_table, which is able to handle elements with the same key, however the function apr_table_setn checks if the key exists before add the element, if so it replaces the old value with the new one. This was making our implementation to just keep the last added Cookie. The apr_table_addn function, which is now used, just add a new item without check for olders one.
  • Merge pull request #579 from zimmerle/revert_139 - 61e54f2
    Revert merge request #139
  • Revert "Merge pull request #139 from chaizhenhua/remotes/trunk" - 7f7d00f
    This reverts commit 10fd40f, reversing changes made to 414033a.
  • Merge pull request #578 from client9/remotes/trunk - b0c3977
    libinjection sync to v3.8.0
  • libinjection sync - a5f175d
  • Merge pull request #152 from client9/remotes/trunk - 88ebf8a
    Sync to libinjection v3.7.1
  • libinjection sync - fcb6dc1
  • libinjection sync - f52242a
  • Merge pull request #148 from zimmerle/bugfix_charset_missing_string_terminator - b76e26d
    Bugfix: missing string terminator while mounting the charset (nginx)
  • Bugfix: missing string terminator while mounting the charset (nginx) - ff19dcd
    The charset in headers is mounted using ngx_snprintf which does not place the string terminator. This patch adds the terminator at the end of the string. The size was correctly allocated, just missing the terminator.
  • Merge pull request #141 from client9/remotes/trunk - 9a630ee
    libinjection sync to v3.6.0
  • libinjection sync - 1121720
  • Fix Chunked string case sensitive issue - CVE-2013-5705 - f8d441c
  • Revert "Fix Chuncked string case sensitive issue" - 3901128
    This reverts commit 16a815a.
  • Fix Chuncked string case sensitive issue - 16a815a
  • Merge pull request #139 from chaizhenhua/remotes/trunk - 10fd40f
    Fixed fd leackage after reload
  • Merge pull request #138 from client9/remotes/trunk - 414033a
    libinjection sync
  • Fixed fd leackage after reload - e0993fc
  • libinjection sync - 2268626
  • Fix logical disjunction and conjunction issues - 7e0a9ec