Core Rule Set v4.0.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page.

CRS 4 contains many important changes, such as:

CRS 4 contains many new detections:

CRS 4 also contains many improvements to lower the amount of false alarms. Also, we fixed a number of bypasses in existing rules. We also addressed various performance and ReDoS issues.

A lot of effort also went into improving our test suite, so that 100% of our rules are now covered by tests!

Finally, we have worked on creating extensive documentation about all aspects of the CRS. You can find it under the Documentation section of our website. If you would like to make improvements, please go to the repository and submit your pull request!

For those wanting to try CRS 4, it is important to quickly touch upon the new plugin architecture. Some parts of CRS 3, such as the application exclusion rules (WordPress, Drupal, etc.), were split off into “plugins”. As an admin, you can choose to install plugins or leave them out. In this way, we can more swiftly update plugins (for instance to deal with application updates), and we decrease the attack surface for admins who are not interested in their functionality. If you used the application exclusions in CRS 3, you will need to download the relevant plugin files and put them in your plugins subdirectory in CRS 4. See here for extended information about working with plugins.

Please see the file for a full list of the more than 200 changes, improvements and fixes. Each CHANGES entry links to the relevant pull requests, so you can dive into the specifics of a certain change.

If you try out our release candidate, we will be very eager to receive your feedback. You can report any issues on GitHub. Be sure to mention the CRS version, so we can handle RC issues as quickly as possible. Depending on the feedback, we will possibly release more Release Candidates, while we get a firmer picture and finalize our schedule for the final release.

If you have questions, the quickest way to get in touch with us directly is to join the #coreruleset channel on the OWASP Slack.

I want to thank all our developers and outside contributors for helping us make the best CRS version yet!

Kind regards,
Walter Hop
Core Rule Set Co-Lead

Walter Hop