From 650614c0d5103c01aabb446fd87ae4927bb0f2d3 Mon Sep 17 00:00:00 2001 From: Felipe Zimmerle Date: Tue, 2 Aug 2016 22:57:13 -0300 Subject: [PATCH] Created ModSecurity version 3 (earlier release candidate 1) (markdown) --- ...version-3-(earlier-release-candidate-1).md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 ModSecurity-version-3-(earlier-release-candidate-1).md diff --git a/ModSecurity-version-3-(earlier-release-candidate-1).md b/ModSecurity-version-3-(earlier-release-candidate-1).md new file mode 100644 index 0000000..e8eea21 --- /dev/null +++ b/ModSecurity-version-3-(earlier-release-candidate-1).md @@ -0,0 +1,48 @@ +# What is the version 3 earlier release candidate + +**ModSecurity version 3 (earlier-rc1) was not released yet.** This wikipage highlights the most important differences between ModSecurity version 2 and v3-erc1 (earlier release candidate 1) **[to be released]**. + +The earlier release candidate of ModSecurity version 3 does not target all the features from version 2. Instead, it is targeting to fully support the "OWASP Core Rules Set version 3". Some of the missing pieces have a very low audience, and they will be target in the upcoming releases candidates. The missing pieces are listed in this wikipage. + +## Collections update interval. + +ModSecurity's persistent collections are saved per thread (or process). From time to time the different values from each thread (or process) are merged into a global storage. A simple counter (for instance: IP:counter) will have different values for the different web server "workers", depending on the process that answers the request. That behavior happens in both versions of ModSecurity (2 and 3). But, the time that is expected to merge the collections is higher in ModSecurity version 2. In practical aspect it means that in ModSecurity version 3 the values for the threads should me more precise. + +Another important point to notice is the fact that ModSecurity version 3 does not expire the values for the collections. The collection was built to be very small, thus no need to expire. The expiration maybe taken in care by the backend, once it considers the database to be bigger than expected. + +## Missing pieces (Towards version 3 feature complete). + +All the missing features belong to a milestone: Feature complete. This milestone can be listed here: https://github.com/SpiderLabs/ModSecurity/milestone/9 +For easy reading, they are also listed below. + +### Actions + - exec - https://github.com/SpiderLabs/ModSecurity/issues/1050 + +### Variables + - WEBAPPID - https://github.com/SpiderLabs/ModSecurity/issues/1027 + - STREAM_INPUT_BODY - https://github.com/SpiderLabs/ModSecurity/issues/1021 + - STREAM_OUTPUT_BODY - https://github.com/SpiderLabs/ModSecurity/issues/1022 + - USERAGENT_IP - https://github.com/SpiderLabs/ModSecurity/issues/1025 + - STATUS_LINE - https://github.com/SpiderLabs/ModSecurity/issues/1020 + - SCRIPT_* - https://github.com/SpiderLabs/ModSecurity/issues/1017 + - PERF_* - https://github.com/SpiderLabs/ModSecurity/issues/1011 + - RESOURCE - https://github.com/SpiderLabs/ModSecurity/issues/1014 + +### Operators + - verifySSN - https://github.com/SpiderLabs/ModSecurity/issues/1007 + - verifyCPF - https://github.com/SpiderLabs/ModSecurity/issues/1006 + - fuzzyHash - https://github.com/SpiderLabs/ModSecurity/issues/997 + - gsbLookup - https://github.com/SpiderLabs/ModSecurity/issues/998 + - inspectFile - https://github.com/SpiderLabs/ModSecurity/issues/999 + - rsub - https://github.com/SpiderLabs/ModSecurity/issues/1001 + - validateHash - https://github.com/SpiderLabs/ModSecurity/issues/1004 + +### Others + - Support to Lua Scripts - https://github.com/SpiderLabs/ModSecurity/issues/994 + +## What we don't want to support anymore + +The list of unsupported features is very minimal at this point, although it may be bigger till the feature complete milestone. The single item is listed below. + +- WEBSERVER_ERROR_LOG - https://github.com/SpiderLabs/ModSecurity/issues/1028 + - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#WEBSERVER_ERROR_LOG \ No newline at end of file