Yesterday, we released CRS versions 3.3.3 and 3.2.2 with important security improvements.
Unfortunately, backporting the fixes from our development branch 4.0 introduced a regression which was only found after publication. As a result, some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. This did not harm security but may introduce false alarms for those running in Paranoia Level 1. We have fixed this in two new releases:
Version 3.3.4 — https://github.com/coreruleset/coreruleset/releases/tag/v3.3.4
Version 3.2.3 — https://github.com/coreruleset/coreruleset/releases/tag/v3.2.3
We recommend to install the newest rules to deploy this fix. We apologize for the inconvenience.