forked from klaubert/waf-fle
WAF-FLE ChangeLog
Version 0.6.4: 2014
-------------
Bug: Lack of output encoding in some filter fields (filter dialog and
current filter) caused improper HTML rendering when a bogus hostname
was present in an event. Thanks to Marcus Semblano for reporting it and
supplying samples.
Improve: mlog2waffle requirements are better clarified in its README, and
it is now possible to use it with old versions of libwww-perl, but
not with a self-signed certificate in that case;
Improve: Better error message in case of database error;
Improve: mlog2waffle now has a crontab script;
Improve: You can disable/enable the mlog2waffle error log in
mlog2waffle.conf;
Improve: waf-fle.conf minor text adjustment
Improve: Corrected push-mlogc.sh template in Event Feeder Wizard;
Improve: Filter for preserved events added. Thanks to Juraj Sakala;
Bug: Custom Tags have their IDs starting at 1000, to avoid conflict with
native tags (thanks to Juraj Sakala);
Bug: Typo corrected in mlog2waffle.conf (thanks to Juraj Sakala)
Bug: Typo corrected in event feeder wizard;
Bug: Text revised in event feeder wizard;
Bug: Better URL handling in request (patch from Juraj Sakala);
Bug: Typo correction in functions.php (patch from Juraj Sakala);
Bug: This change addresses issue 43 at
http://code.google.com/p/waf-fle/issues/. It relates to a problem with
parsing a modsec index file line where the Host header is empty or
malformed. Patch from Juraj Sakala
Version 0.6.3: Jan, 30 2014
-------------
Bug: mlog2waffle in batch mode did not exit after finishing. Fixed.
Bug: Fixed the mlog2waffle.ubuntu init script to allow starting as a
daemon in batch mode.
Bug: Fixed issues #21 and #25, where an incomplete request was rejected
by waf-fle's database schema, producing an error 500;
Bug: Fixed the filter dialog being shown on the login page when accessed
with a valid session
Bug: Fixed issue #20, setup now handles database privileges when mysql
and waf-fle are on different hosts. Now you can specify the client
hostname/address or even a wildcard on setup.
Bug: Fixed issue #26, where the timing filters were not filtering
properly.
Bug: Fixed issue #28, where deleting events by filter hit an error 500
when any filter beyond date range was used.
Improve: Event delete limit ($deleteLimit) and delete wait ($deleteWait)
are now parameters in config.php, as suggested in issue #31. These
parameters also affect Mark as False Positive events of Current
Filter.
Improve: When used with SSL, mlog2waffle now allows you to define whether
the certificate needs to be validated or not. Needed when a
self-signed certificate is used. Edit mlog2waffle.conf to configure.
Improve: Apache authorization config adjusted to be compatible with
version 2.4+, see waf-fle.conf comments for details.
Improve: Give more emphasis to the success message on setup (instructing
to edit config.php when finished).
Improve: ChangeLog reformatted
Version 0.6.1: Apr, 23 2013
-------------
Bug: Solved an issue with non-standard timezones, like the one used in
Venezuela.
Version 0.6.0: Apr, 23 2013
-------------
Bug: Issue #18 fixed, mysql user permissions corrected in README file,
thanks to Reinhard Sojka for the report.
Bug: Fixed the template for mlogc usage, when using the Event Feeder
Wizard.
Improve: Better handling of missing config.php.
Bug: Issue #15 fixed, deleting an event in event detail didn't work,
thanks to Juraj Sakala for the report.
Bug: Issue #14 fixed, when an event was deleted the full event detail
was not deleted, thanks to Juraj Sakala for the report.
Bug: Issue #11 fixed, improper use of XFF header when undesired, thanks
to Juraj Sakala for the report.
Bug: Issue #10 fixed, bad header parsing when receiving events, thanks
to Juraj Sakala for the report.
Bug: Issue #9 fixed, corrected the filter dialog so it is not shown on
the login page when a successful login happens and the expected
redirection doesn't work (because of browser configuration, an
extension blocking redirects, etc.). An HTML link was created to let
the user get into WAF-FLE in this situation. Thanks to Stelio Plautz
for reporting the issue.
Version 0.6.0-RC2: Oct, 25 2012
-------------
Bug: Fixed an error that prevented adding a new sensor, by adding the
missing "Use Client IP from header" to "Add New Sensor".
Version 0.6.0-RC1: Oct, 24 2012
-------------
New Feature: mlog2waffle, daemon to push logs from modsecurity to
WAF-FLE
New Feature: Added mlog2waffle-aware controller with probe response
New Feature: (issue #6) this release includes a button to delete events
selected by filter.
New Feature: It is now possible to disable a sensor in the management
interface, blocking event reception until it is enabled
again.
New Feature: added support of modsecurity 2.7 Engine-Mode variable:
enabled or detection_only
New Feature: Added GeoIP support with Country Code and Autonomous System
Number; both can be used in filters
New Feature: A wizard was created to make sensor configuration faster
and simpler, generating sample config files for sensors
using either mlogc or mlog2waffle, in piped, service, and
scheduled modes.
New Feature: A setup script was created to help with new installations
and version upgrades.
New Feature: Events can be marked as false positive: event by event, as
a group of events, or all events defined by a filter. You
can filter (and exclude from filtering) events marked as
false positive.
New Feature: Dashboard now has new textual tables showing Top events
grouped by: URI Path, Country Code and Autonomous System
Number.
New Feature: Dashboard pie chart for severity.
New Feature: Dashboard is now able to use filters; charts and tables are
clickable, enabling drill-down into data on the dashboard.
New Feature: Management 'Info' section added.
New Feature: You can choose to compress the full section stored in the
database (requires PHP Zlib support), which saves around
60% of the storage for full events
New Feature: You can configure, per sensor, when ModSecurity is behind a
reverse proxy that sends a header containing the client's
real IP address, e.g. X-Forwarded-For, X-Real-IP.
New Feature: Added support for filtering by event TAG
New Feature: Added support for new TAGs being defined automatically by
events with new tags
Improve: starting with this version, only PHP 5.3 and higher is
supported
Improve: Management interface for Users and Sensors with more
information and better formatted.
Improve: Filter is able to search for absolute and wildcard paths.
Improve: Events list better formatted in a grid table.
Improve: Delete sensor now uses the same function as 'delete events on
current filter' above, and avoids blocking the database for a
long time.
Improve: New, optimized database schema to speed up filters. That change
requires a database upgrade when migrating from version 0.5 to
0.6:
- full section of events is now stored in an independent table
- Some columns were changed to better types and sizes
Improve: Changed all database access to PDO, which is clearer and a step
toward database abstraction, resulting in only one database
connection
Improve: Add GPL warning in all files
Improve: Now the default admin password needs to be changed on first
access
Improve: Some web interface cleanup and rearrange
Improve: Filter Dialog now supports the negation of a parameter
Improve: Many Tags have information as a tooltip and a link for more
information
Improve: Duplicated "Phase H" "Message" entries are now excluded from
database insert (but still preserved in raw event)
Improve: "Phase H", support added to "Anomaly Score Exceeded" score
value
Improve: HTTP Status code, now following RFC values
Improve: Events "Rules Alert" no longer shows duplicate entries sometimes
caught by rules
Improve: Added support for all stopwatch2 timers (available in
modsecurity 2.6.0+), and added them to the filter to help in
rules performance measurement (thanks to Breno for the idea)
Improve: The sensor ip address can now be a network in CIDR format
Bug: Limit "Phase C" to a max of 100 lines of 4096 bytes each
Bug: "Phase H" "Message" parsing changed to make it more robust
Bug: "Phase H" better "Action" handling, better filter for "Action"
Bug: "Phase H", adjusted "Apache-Error" regular expression
Bug: Strip unnecessary new lines from some fields when inserting into the
database
Bug: Fixed incorrect "events per sensor" query
Bug: Fixed incorrect Filter by "Rule ID" in filter dialog
Bug: Fixed user management form
Bug: (issue #8) Fixed usage of short php tag in some files
Bug: Force the php timezone to system timezone
Bug: Force php display_errors to off to avoid interfering with HTTP
headers
Bug: Changing user information is now possible without changing the
password
Bug: Fixed events not being accepted when no rule set is defined
(modsecurity SecComponentSignature directive), thanks to Hanafiah for
helping to find this.
Version 0.5.1: Oct, 16 2011
-------------
Bug: Eventview navigation corrected
Bug: Corrected parameters for filter in eventview.php
Bug: Input sanitized in logout page
Bug: Wrong check of timezones before UTC (ie. +0200)
Improve: source code cleaned up and well formatted
Version 0.5: Oct, 07 2011
-----------
Initial release