Category Archives: modsecurity

WAF-FLE 0.6.0 final(ly)

Dear WAF-FLE users,

after a long time working in many things no waf-fle related (time still short), and with the help of many valuable users, I’m releasing the version 0.6.0 (final) of WAF-FLE (download: waf-fle_0.6.0.tar.gz)

This version keeps all features and improvements from of 0.6.0-rc, and making room for new features in next version. I’d like to say a thank you to all users that had submitted bug reports and helped to improve this version.

All users should considering upgrade to this version once it corrected many bugs (from version 0.5.x and 0.6.0-rcX).

The most important change was a better parsing of logs.

Read the ChangeLog file a complete list of bug fixed.

Good WAF-FLing,

Klaubert Herr
WAF-FLE Project

Version 0.6.0-rc1 available

Today the WAF-FLE Project is proud to release a new version of WAF-FLE: 0.6.0-RC1 (Release Candidate 1). This is a major release, with many new features, improvements and bug fixes (see ChangeLog for a complete list of changes).

The more relevant features in this version are:

  • Filter enabled Dashboard: Now you can use the filter in dashboard, all charts and tables are clickable, enabling the drill-down data on dashboard, updating the charts and tables to reflect the filter.
  • Delete events by filter: now you can use the filter to delete events at once, turning much more easier, for example exclude false positive events.
  • Compression of full events: You can choice if you want to compress full events (used to download raw events), make a huge difference in disk space used by database (saving around 60% of space).
  • You can define if WAF-FLE should use a header like X-Forwarded-For or X-Real-IP like source of source address in events. Very useful when you have a reverse proxy in front of ModSecurity. You can customize wich header should be used.
  • Support to ModSecurity 2.7 Engine-Mode variable, to let you know if an event has allowed (but logged) or if the sensor are in detection-only mode.
  • GeoIP support in dashboard, event and filter.
  • Setup script: to help in dependencies check, database creation/migration, making much more quick a setup in platforms where installation dependencies are not easily known.
  • mlog2waffle: a daemon to work as a replacement to mlogc. It is written in perl, and can work as service feeding events to WAF-FLE in real-time or scheduled in crontab. It must to be considered in beta stage, but seen to be reliable and fast.
  • Sensors and users management interface much improved, with more information and options.
  • Improved ModSecurity events parsing, supporting some new fields like stopwatch2.

You can download it in http://www.waf-fle.org/download/

You can access WAF-FLE demo in http://www.waf-fle.org/demo/

Any issue in this release can be filled http://www.waf-fle.org/support/ (issue tracker or mailinglist)

Best regards and good waf-fling,

Klaubert Herr
The WAF-FLE Project

WAF-FLE 0.5, initial release

WAF-FLE logoToday I’m happy to release, the first version of WAF-FLE (version 0.5), at OWASP AppSec’11 Latam, a new console for Modsecurity , that fills the gap for a OpenSource console for modsecurity.

The code is (as probably all initial releases) subject to bugs, and should be used with care, but my own use shows that it can handle lots of events even in an old  server. Supporting peaks of 180 events per second, keeping more than 10 million events  in the database (with tittle performance degradation).

I believe that the Filter (used to drill down events) is the most significant feature in this release, once it allows the user to quickly find an event or filter out what he doesn’t want.

Your feedback is very important to improve its quality.

Klaubert Herr
The WAF-FLE Project