Tag Archives: ModSecurity Console

WAF-FLE 0.6.0 final(ly)

Dear WAF-FLE users,

after a long time working in many things no waf-fle related (time still short), and with the help of many valuable users, I’m releasing the version 0.6.0 (final) of WAF-FLE (download: waf-fle_0.6.0.tar.gz)

This version keeps all features and improvements from of 0.6.0-rc, and making room for new features in next version. I’d like to say a thank you to all users that had submitted bug reports and helped to improve this version.

All users should considering upgrade to this version once it corrected many bugs (from version 0.5.x and 0.6.0-rcX).

The most important change was a better parsing of logs.

Read the ChangeLog file a complete list of bug fixed.

Good WAF-FLing,

Klaubert Herr
WAF-FLE Project

WAF-FLE: Deployment Guide, now available

Deployment Guide

I just publish the “WAF-FLE: Deployment Guide” (on the Documentation page). Is an extensive and step-by-step guide (but I know, is incomplete, at least in this first release). Is the first of an endless writing and editing.

It is directed to both new and current WAF-FLE users.

The topics covered range from Deployment scenarios, WAF-FLE installation and upgrade, Sensor Setup and Definition, using Event Feeder Configuration to help sensor side configuration (mlog2waffle and mlogc), and has Quick How-To for CentOS/RedHat, Debian/Ubuntu and FreeBSD . Finishing with some tips for Sizing and MySQL Tunning.

Comments, corrections and additions are very welcome and can be sent as a new issue ticket.

Version 0.6.3

Today I release WAF-FLE 0.6.3, it include many fixes reported by users. See ChangeLog for more details. Below the most relevant:

  • Better delete of events when using filters;
  • Better handling of events from bad formed requests;
  • fixed version of mlog2waffle, working better in batch mode;
  • mlog2wafle now support send events to waf-fle in SSL with self-signed certificate;
  • improved setup for permission of non localhost database;

You can download it in download page, or directly in waf-fle-0.6.3.tar.gz 

The WAF-FLE Project.

Version 0.6.0-rc1 available

Today the WAF-FLE Project is proud to release a new version of WAF-FLE: 0.6.0-RC1 (Release Candidate 1). This is a major release, with many new features, improvements and bug fixes (see ChangeLog for a complete list of changes).

The more relevant features in this version are:

  • Filter enabled Dashboard: Now you can use the filter in dashboard, all charts and tables are clickable, enabling the drill-down data on dashboard, updating the charts and tables to reflect the filter.
  • Delete events by filter: now you can use the filter to delete events at once, turning much more easier, for example exclude false positive events.
  • Compression of full events: You can choice if you want to compress full events (used to download raw events), make a huge difference in disk space used by database (saving around 60% of space).
  • You can define if WAF-FLE should use a header like X-Forwarded-For or X-Real-IP like source of source address in events. Very useful when you have a reverse proxy in front of ModSecurity. You can customize wich header should be used.
  • Support to ModSecurity 2.7 Engine-Mode variable, to let you know if an event has allowed (but logged) or if the sensor are in detection-only mode.
  • GeoIP support in dashboard, event and filter.
  • Setup script: to help in dependencies check, database creation/migration, making much more quick a setup in platforms where installation dependencies are not easily known.
  • mlog2waffle: a daemon to work as a replacement to mlogc. It is written in perl, and can work as service feeding events to WAF-FLE in real-time or scheduled in crontab. It must to be considered in beta stage, but seen to be reliable and fast.
  • Sensors and users management interface much improved, with more information and options.
  • Improved ModSecurity events parsing, supporting some new fields like stopwatch2.

You can download it in http://www.waf-fle.org/download/

You can access WAF-FLE demo in http://www.waf-fle.org/demo/

Any issue in this release can be filled http://www.waf-fle.org/support/ (issue tracker or mailinglist)

Best regards and good waf-fling,

Klaubert Herr
The WAF-FLE Project

WAF-FLE 0.5, initial release

WAF-FLE logoToday I’m happy to release, the first version of WAF-FLE (version 0.5), at OWASP AppSec’11 Latam, a new console for Modsecurity , that fills the gap for a OpenSource console for modsecurity.

The code is (as probably all initial releases) subject to bugs, and should be used with care, but my own use shows that it can handle lots of events even in an old  server. Supporting peaks of 180 events per second, keeping more than 10 million events  in the database (with tittle performance degradation).

I believe that the Filter (used to drill down events) is the most significant feature in this release, once it allows the user to quickly find an event or filter out what he doesn’t want.

Your feedback is very important to improve its quality.

Klaubert Herr
The WAF-FLE Project