This is the CRS newsletter covering the period from early November until today.
We held our monthly community chat. We had quite a few people stop by. Special thanks to lifeforms for leading the chat.
Our agenda from before the chat is available here. The chat was short, and we discussed the following:
- @dune73 will be attending the German Open Source Business Awards. Chances look good that CRS will be a top performer. More information can be found here.
- Using t:lowercase versus (?i): performance and best practice.
  - There is currently no definitive answer.
  - A benchmark can be done using ModSecurity debug logs.
- There is an excessive number of open PRs and issues.
  - All but three PRs have been assigned reviewers; we have to make a dent this month.
- The Java rules, which are a key feature of 3.1, need some attention.
  - The older versions are available here: https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/95e7e6b3982eca93989c7948faca4a961737eace/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
  - A new ticket will be opened taking into account discussions from https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/881/files
- We may remove the Gitter badge because we don’t feel big enough for two chats and IRC is preferred (more discussion next chat).
- We should investigate other functional badges using https://github.com/OWASP/github-template as an example.
- General question about whether it is possible to determine if a user is accessing via a HOSTS file.
  - It is not.
- Travis and FTW PRs assigned to csanders
- #957 rule split: move part to PL3 to prevent JSON false positives.
  - Fizipi resolved the conflict on this one.
The next community chats will be held on the following dates:
- January 8, 2018 20:30 CET (note the change from our normal schedule)
- February 5, 2018 20:30 CET
- March 5, 2018 20:30 CET
Some nice new blog posts have come out on coreruleset.org