November 9, 2017
By
Franziska Buehler
Introduction I would like to explain my work disassembling highly optimized regular expressions. A project like this might discourage many people, but to me, it is very exciting work! I like this kind of investigative work and want to explain what, exactly, I did, why I did it and how!
What’s the problem? The SQLi rules in the core rule set consist of 43 rules. 25 of them have been optimized with the Perl module Regexp::Assemble. This module assembles multiple regular expressions into one regular expression.
The source patterns were lost over the years as they were taken from the old CRS project and partly from other projects, and source code management migrations led to the situation we are facing now.
Unfortunately, there is no tool for disassembling an optimized regex, so we did not have a chance to undo this optimization process and regain the original patterns.
November 7, 2017
By
Chaim Sanders
This is the CRS newsletter covering the period from Early October until today.
We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants:
dune73 fzipi csanders franbuehler emphazer spartantri luketheduke techair jose_ airween athmane bostrt During the chat we discussed the following
Promotion of 3 heavy contributors to developers (@fgsch, @fzipi and @spartantri) Docs will be updated to reflect their promotion, congrats and thank you!!! CRS Summit at AppSecEU in June in Tel Aviv (?) dune73 will setup a project and let us know the status as we move along. fzipi spoke at OWASP Dev Summit about WAF test data. A new license is available (https://cdla.io/) Testing (FTW is working when using with CRS-support/ftw#14) PR is awaiting merge but seems to be working well. dune73 plans to write a blog. Idea to update release poster (with logo in the center) We had some great press about the poster. Need to check balance but Dune73 will finance privately changes. Shooting for by AppSecEU Idea to start to sell the release poster via a printing service like Redbubble Info: CRS nominated for the German Open Source Business award (https://osbar.it) Everyone is excited thank you to Dune73 for nominating us Plans for new blog posts Franbuehler writing up about SQL disassembly dune73 writing about FTW csanders-git writing about Apache vulnerability breakdown. [PR #881] : Java Attacks Will be assigned to csanders-git [PR #884] : SQL injection probing rule split 942370 emphazer is working on a PR for this so it’s in line with franbuelers comments. [PR #896] : Command substitution backquoted version support Splitting into two and fixing conflict when available. [PR #899] : Dokuwiki and Nextcloud exclusion packages (work in progress) Will be done when submitter has time. [PR #905] : Duplicated header bypass fix and chunk support csanders-git and fzipi are going to take the helm on getting this one through. [PR #922] : New developers (see above) Merged, need to add other testers also. remove spratantri from 905 as contributor Many PRs / test updates by @azhao155 (which are awesome). Bring up a question about what to do with Apache versus Nginx behaviors when the underlying engine ‘fixes’ and issue. Going to add support for multiple return status. This should take care of all the test updates. [Issue #924] Tagging of CVE/CWE The conversation centered around the if adding these added increased complexity of writing rules it may also muddy logs Everyone agreed additional information would be nice, CVE CWE, WASC, CAPEC Pushed the conversation back to the issue with regard to CVE. Release 3.1 planning Possible after Java fixes are done. Stickers and maybe shirts (for appsec eu) using Redbubble New ModSecv3 t-shirt were made, current order is empty but more may be coming The next community chats will be held on the following dates:
October 3, 2017
By
Chaim Sanders
This is the CRS newsletter covering the period from Early September until today.
We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants:
dune73 fzipi csanders franbuehler lifeforms emphazer fgs squared spartantri ossie buddyleer During the chat we discussed the following
We will be moving our agenda document to GitHub. In this way all active participants will be easily able to add comments and tag PR’s in an efficient manner. We’ll open the “Agenda Issue” one week before out next meeting. There has been a bottleneck in terms of reviews. In order to address this we’ll be assigning responsible contributors to oversee the smooth flow of issues through the PR process. These contributors will be assigned at monthly meetings. Additionally, in order to give more timely feedback we are encouraging the system of using Github’s reaction system. A number of PR’s were given responsible overseers: #899: Dune73 #905: lifeforms: Should be a quick merge #896: lifeforms #894: Merged #890: Dune73 and lifeforms #887: Dune73 #883: csanders and franbuehler #907 franbuehler, emphazer and lifeforms #881: lifeforms #879: lifeforms: should be a quick merge #871: Closed: Changes only applied to 3.1 Some recognition was given to franbuehler for a whopping PR on the disassembly of SQLi rules (PR #907) We are 13% done with the technical milestone work for CRS 3.1. However given the amount of contributed PR’s we will likely release prior to all that work being completed. There is interest in starting a project to measure rule performance automatically as part of acceptance testing. This will be undertaken soon. Verizon Digital Media Services graciously offered to host coreruleset.org behind their CDN. While we don’t have a tremendous amount of users, we are going to test out the functionality The next community chats will be held on the following dates:
October 3, 2017
By
Christian Folini
(netnea)
The Core Rule Set project (CRS for short) has been nominated for the Swiss DINAcon Awards. I do not think any of you understand what awards I am talking about, so let me explain.
It is hard to promote Open Source Software in Switzerland. This is not necessarily different from any other place, but let’s say there are strong commercial players that effectively block market entry for many open source software projects around here (Christian Folini / @ChrFolini writing this).
September 20, 2017
By
Chaim Sanders
This week we saw the release of another named vulnerability (-_-). This time it was entitled: Optionsbleed. While the name provided is meant in reference to Heartbleed, this vulnerability isn’t nearly as far reaching. The vulnerability only affected Apache hosts with a very particular configuration and as a result only 0.0466% of the Alexa top one million sites were detected as vulnerable. Additionally, considering the requirements for exposing the vulnerability is dependent on a complex and unusual configuration it is less likely to be seen on less popular pages that tend to stick more closely to stock configuration.
September 15, 2017
By
Chaim Sanders
A little background Last month we announced the general availability of the Framework for Testing WAFs (FTW) version 1.0. You can read the whole post here, but this is only the beginning of the story. With the release of OWASP CRS v3.0 we started integrating a more agile, test driven development methodology that we believe has resulted in better quality output.
As of the OWASP CRS 3.0 release, all new rules and most modifications to the rules undertaken will require accompanying unit tests. But how does one use the FTW framework in order to write these tests?
September 13, 2017
By
Christian Folini
(netnea)
When I looked into my inbox lately, I found a very kind message where a new user asked how he could support the project. He had listened to a clip on the OWASP 24/7 podcast, got really excited and was now installing CRS3.
I responded with a fairly lengthy message covering all the areas where I think his support would be welcome if not vital. On a second thought, there might be more people who are wondering how to join us, so why not publishing my response if it is of such a general nature.
September 7, 2017
By
Christian Folini
(netnea)
This is the CRS newsletter covering the period from mid August until today.
What has happened during the last few weeks:
We held our community chat last Monday. Chaim was high in the air so we were only six of us, but Manuel was back so I get the feeling we are slowly growing the project. The big project administration and governance discussions seem to be over for the moment. So we spent a lot of time talking about development, possible roadblocks and code policies.
The next community chats will be held on the following dates:
August 21, 2017
By
Kirk Jackson
Hi, I’m a newcomer to the ModSecurity community and am currently learning about how ModSecurity works with the Core Rule Set and can be used to perform “Virtual Patches” against vulnerable web applications. I have learnt lots reading the rules in the CRS and reading the ModSecurity Handbook written by Christian Folini and Ivan Ristić.
The OWASP ModSecurity Core Rule Set has a lot of protections for common web attacks built in, and is tuned to cause a minimum of false alerts. Use the guidance in the documentation, a high anomaly score threshold, a low paranoia level setting and you’re unlikely to have legitimate traffic blocked when you first install and set up ModSecurity with the CRS.
August 15, 2017
By
Christian Folini
(netnea)
This is the CRS newsletter covering the period from July until today.
What has happened during the last few weeks:
We held our community chat last Monday. There were eight people including Manuel Spartan who participated on the development of the paranoia mode. The big topic was disassembly of the optimized regular expressions that are very hard to read. See below for details. The next community chats will be held on the following dates:
