How You Can Help the CRS Project

When I looked into my inbox recently, I found a very kind message in which a new user asked how he could support the project. He had listened to a clip on the OWASP 24/7 podcast, got really excited and was now installing CRS3.

I responded with a fairly lengthy message covering all the areas where I think his support would be welcome, if not vital. On second thought, there might be more people wondering how to join us, so why not publish my response, given that it is of such a general nature.

Here you go:

CRS used to be a one-man show for many years. In early 2016, Chaim Sanders took over and invited Walter Hop and me to join the project. We released CRS3 in November 2016, and as I write this we have about 5-6 regular contributors, with 2-3 additional ones doing some really good work.

So the project is now really growing, we have momentum and we have big plans.

The idea is to make CRS the “1st Line of Defense” that is installed by default by ISPs. We’re nowhere close, but the goal is clear and we think our code and rule set have that potential.

Where do you fit? First, let me be clear that you do not need to be an expert. Contributions can take many forms. The simplest thing is joining the conversation on github and adding your opinion to existing discussions. There is currently a code cleanup project under way. Adding your opinion on the rule format standard question can be a valuable contribution. If you are familiar with git, or want to get your feet wet, there are simple tasks in this code cleanup that take work off the backs of those contributors who would rather concentrate on other issues.

Testing pull requests and proposed changes is very valuable too. It gives everybody reassurance that the code actually works. Installing proposed rules on your (prod) servers and reporting back with your observations: priceless.

If you want to dig deeper and write rules and regular expressions, there are many open feature requests and reported false negatives that could do with some love. The more people we have, the faster we can turn these feature requests into real rules.

We recently started with unit testing. Many, many rules come without unit tests that prove they work correctly. Filling this gap would be a huge benefit, as it would speed up development considerably.

If you are running off-the-shelf standard web applications, then helping the project by providing a set of default rule exclusions to go with that software would be most welcome.
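As an added illustration (not code from the original post or from the CRS project itself), this is the shape such a default rule exclusion takes in ModSecurity's rule language. The application path `/myapp/editor/save`, the argument name `body` and the choice of rule 941100 are assumptions made for the example; the file name follows the CRS3 convention for exclusions that run before the main rule set.

```apache
# Added example, not part of the original post or the CRS project.
# Scenario (assumed): a web application whose editor posts rich HTML in
# the argument "body" to /myapp/editor/save, which trips the CRS3 XSS
# rule 941100 on every save.
#
# Place this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so the
# exclusion is in effect before rule 941100 is evaluated.

# Narrow exclusion: only for requests to the save endpoint, remove the
# single argument "body" from the targets of rule 941100. All other
# arguments of that request, and all other rules, are still inspected.
# Rule ids below 100000 are reserved for local rules such as this one.
SecRule REQUEST_URI "@beginsWith /myapp/editor/save" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=941100;ARGS:body"

# The blunt alternative below disables rule 941100 for every request and
# every argument, which strips the XSS check from inputs that never
# needed the exception. Prefer the targeted ctl: action above.
# SecRuleRemoveById 941100
```

A useful exclusion set for an off-the-shelf application is a collection of entries like the first rule: one per endpoint and parameter that legitimately carries content the rules would otherwise flag, each as narrow as the application allows, so the rest of the rule set keeps covering everything else.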

But contributing to the project is not limited to writing rules and surfing github. We launched our new website in August and we welcome contributions. What we really need is success stories: we need normal system engineers and sysadmins telling their peers how they got CRS3 working on their site and how they solved the problems they faced along the way. Every company is different, and sharing your personal experiences will invariably help other people.

Our documentation is generally lacking, and helping newbies on the CRS mailing list find their way around is time consuming, so support in both areas is most appreciated. Using your contacts to help make CRS more popular is something that will help us all. If you are on twitter, please write about your experience, ideally with the hashtag #CRS3 and CC @coreruleset. Get other system engineers to use CRS, tell the world about it, and our project will grow.

An important thing for our community is the monthly project chat on IRC. This is where we talk to each other and where we decide on our plans for the next week. If you could manage to join that session, that would be great.

So that is an overview of where we could use some help. I am sure there will be something that fits your interests.

[EDIT]: There is a very useful comment below from Walter Hop. In fact, I thought the same thing when I read through several github comments over the weekend.

Christian Folini / @ChrFolini

1 thought on “How You Can Help the CRS Project”

  1. One thing I would add is that we would welcome experts in various security and exploit topics — our regular contributors have HTTP violations, Unix, SQLi and PHP pretty well covered, Java is growing, but we could definitely use more experts in for instance XSS, Windows…

    Even if you are not an expert on a topic, it would be very helpful to just grab some security scanners, Metasploit modules, sqlmap, or exploit databases that you have used at some time. Just fire them off against your webserver running CRS, maybe when running a vulnerable web application. Checking which malicious requests are passed through and creating issues for them on our Github would be lovely… This will definitely help us improve our detection logic.
