The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts, and covers many common attack categories, including:

SQL Injection (SQLi)
Cross Site Scripting (XSS)
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
Remote Code Execution (RCE)
PHP Code Injection
HTTPoxy
Shellshock
Session Fixation
Scanner Detection
Metadata/Error Leakages
GeoIP Country Blocking

New Features in CRS 3

CRS 3 includes many coverage improvements, plus the following new features:

  • Over 90% reduction of false alerts in a default install
  • A user-defined Paranoia Level that enables additional, stricter checks (at the cost of more false alerts the higher the level)
  • Application-specific exclusions for WordPress Core and Drupal
  • Sampling mode runs the CRS on a user-defined percentage of traffic
  • SQLi/XSS parsing using libinjection embedded in ModSecurity
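The Paranoia Level, sampling mode and application-specific exclusions listed above are all controlled from crs-setup.conf, through SecAction rules that set transaction variables the rule files read at the start of each request. The following is an added example of a minimal CRS 3 deployment; it is not a file shipped by the project. The include paths are assumed, and the rule IDs are the ones crs-setup.conf.example uses for these settings in CRS 3 (check your own copy, since every SecAction id must be unique across the loaded configuration). The SecActions are inlined in place of an Include of crs-setup.conf so the example is self-contained; in a real install they belong in crs-setup.conf.

```apache
# Added example, not part of the CRS distribution. Paths are assumed;
# adjust them to wherever ModSecurity and the CRS are installed.

# 1. ModSecurity engine settings (SecRuleEngine, request body limits,
#    audit log). Start with SecRuleEngine DetectionOnly in that file and
#    switch to On once the logs are clean.
Include /etc/modsecurity/modsecurity.conf

# 2. CRS site settings. These SecActions normally live in crs-setup.conf
#    and are inlined here instead of Include-ing that file, so they must
#    not be loaded twice (duplicate ids are a configuration error).

# Paranoia Level: 1 (the default) is the low-false-positive baseline.
# Each higher level (up to 4) enables stricter rules and raises the
# false-alert rate, so raise it one step at a time and review the logs.
SecAction \
  "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

# Anomaly-scoring thresholds: a request is blocked once its accumulated
# inbound score reaches 5 (a single critical-severity match), a response
# once its outbound score reaches 4.
SecAction \
  "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# Application-specific exclusions: enable only the profile for the
# application actually served behind this configuration. The Drupal
# profile is tx.crs_exclusions_drupal=1.
SecAction \
  "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_wordpress=1"

# Sampling mode: 100 inspects every request. Lower it (for example to 10)
# to run the CRS on a random subset of traffic while tuning; requests
# outside the sample pass through with the rule engine switched off.
SecAction \
  "id:900400,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.sampling_percentage=100"

# 3. The rule files themselves, which consume the tx.* variables above.
#    They must be included after the settings, never before.
Include /etc/modsecurity/crs/rules/*.conf
```

To confirm the ruleset is active and blocking, send a request with an obviously malicious parameter such as `?id=1' OR '1'='1` and look in the audit log for rule 949110, the CRS 3 rule that fires when the inbound anomaly score exceeds the threshold; with SecRuleEngine DetectionOnly the entry is logged but the request is not rejected. Keep the Paranoia Level at 1 until that baseline produces no false alerts on real traffic, then raise it one level at a time.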

For a full list of changes in this release, see the CHANGES document.