Blogs

The CRS Developer Retreat 2022

Pizza, pasta, pesto … pineapple? This was one of the many important topics (and one of the most controversial) discussed at the CRS developer retreat 2022 in Italy. The annual CRS developer team retreat is always a highlight of the year, finally meeting face-to-face again and not just via chat. This time, the backdrop for the meeting from October 29 to November 5 was the southern foothills of the Alps near Lake Varese, close to the Swiss border. Here, in Villa Cagnola, there was not only good food and drink – there was also a lot of work. The focus was on two items: preparing the rule set for the CRS v4 release and defining a strategy for the future of the project.

Meet the CRS team: Ervin, the gardening radio amateur in the background

Astronaut? Garbage truck driver? Electrical engineer? Metalsmith? In the end, Hungarian Ervin Hegedüs became a software developer. Within the Core Rule Set project, he contributes primarily to tool development and packaging. “New team members should above all be team players,” says Ervin.

A man of many talents and names: Ervin Hegedüs aka AirWeen aka HA2OS

Ervin Hegedüs has had no shortage of interesting career ideas in his 51-year life. While the usual childhood dreams of becoming an astronaut or a garbage truck driver vanished as he grew older, Ervin still today sometimes wonders what would have become of him if he hadn’t found his way to IT. He thinks he might have become an electrical engineer since he is a HAM radio operator in his spare time (callsign: HA2OS). More about that later.

Meet the CRS team: Andrea, the musical man-in-the-middle

He likes to play board games and the guitar, and he loves to fix bypasses to CRS rules: Italian Andrea Menin joined the Core Rule Set team in 2018. The most important requirement for anybody joining the project, he says, is to enjoy it.

Andrea Menin with the famous DeLorean: “*Back to the Future* sparked a love of technology and music in me”

CRS Version 3.3.4 and 3.2.3 fix a regression

Yesterday, we released CRS versions 3.3.3 and 3.2.2 with important security improvements. Unfortunately, backporting the fixes from our development branch 4.0 introduced a regression which was only found after publication. As a result, some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. This did not harm security but may introduce false alarms for those running in Paranoia Level 1. We have fixed this in two new releases:

CRS Version 3.3.3 and 3.2.2 (covering several CVEs)

Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8. The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of two new CRS versions. Edit: Updated download links now to refer to the fixed versions.

Version 3.3.4 — https://github.com/coreruleset/coreruleset/releases/tag/v3.3.4
Version 3.2.3 — https://github.com/coreruleset/coreruleset/releases/tag/v3.2.3

This is a security release fixing several partial rule set bypasses with HIGH or even CRITICAL severity described in the following CVEs:

Update on CRS 4.0 release delay

Dear all, A few months ago we happily announced the first Release Candidate for Core Rule Set 4.0. Our original plan was to finish the 4.0 release as fast as possible. However, we found ourselves in a unique situation for our project. After the Release Candidate, a large CRS user organized a CRS Bug Bounty event, where advanced WAF hackers were tasked to bypass our ruleset to earn prizes. Since a similar earlier event did not uncover any findings, we were expecting to only get a small number of bug reports. But the hackers turned out to be amazing and created more than 100 malicious payloads that bypassed our detection!

Core Rule Set v4.0.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page. CRS 4 contains many important changes, such as:

- A plugin architecture for extending CRS and minimizing attack surface. Application exclusion sets and less-used functionality have been migrated from the CRS to plugins. (See our plugin registry for the extensive list of existing plugins.)
- Early blocking
- Granular control over reporting levels
- All formerly PCRE-only regular expressions have been updated to be compatible with Re2/Hyperscan WAF engines
- We now publish nightly packages of the development branch
- We refactored and renamed the anomaly scoring variables and paranoia level definitions
- HTTP/0.9 support has been dropped to resolve false positives.

CRS 4 contains many new detections:

CRS names Felipe Zipitría as third Co-Lead

The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role. Felipe Zipitría holds a master’s degree in computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for the faculty of engineering for several years and also lectures on security at the University.

The Case for Early Blocking

Early Blocking is a feature that CRS will deliver with the next major release, probably Spring 2022. You can use it immediately when deploying the latest dev / nightly build. This blog post will explain the feature, how to enable it and why it is very useful.

What is Early Blocking?

ModSecurity, the engine below CRS, processes requests in multiple phases. Phase 1 is the request header phase and phase 2 is the request body phase. Normal blocking of attacks happens at the end of phase 2. So if CRS identifies an attack in phase 1, it still waits until the end of phase 2 to block the request. That is obviously a waste of resources (even if that waste is relatively small). But it is also a missed chance to finish off an attacker in time. I’ll come to that later.

Introducing the Fake Bot Plugin

In one of my previous blog posts, I introduced the CRS plugin mechanism that we are rolling out for the next major release. Check out the blog post to learn how you can start using plugins immediately, without waiting for the next release (hint: really simple). Several plugins are already available. One of them is the Fake Bot Plugin that I put into production recently. It’s a neat little plugin written by CRS dev Azurit / Jozef Sudolsky and it can serve as a perfect illustration of the capabilities of CRS plugins.