Blog

CRS Version 3.3.4 and 3.2.3 fix a regression

Yesterday, we released CRS versions 3.3.3 and 3.2.2 with important security improvements. Unfortunately, backporting the fixes from our development branch 4.0 introduced a regression which was only found after publication. As a result, some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. This did not harm security but may introduce …

CRS Version 3.3.4 and 3.2.3 fix a regression Read More »

CRS Version 3.3.3 and 3.2.2 (covering several CVEs)

Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8. The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of two new CRS versions.Edit: Updated download links now to refer to the fixed versions. Version 3.3.4 …

CRS Version 3.3.3 and 3.2.2 (covering several CVEs) Read More »

Core Rule Set v4.0.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page. CRS 4 contains many important changes, such as: A plugin architecture for extending CRS and minimizing attack …

Core Rule Set v4.0.0 Release Candidate 1 available Read More »

The Case for Early Blocking

Early Blocking is a feature that CRS will deliver with the next major release, probably Spring 2022. You can use it immediately when deploying the latest dev / nightly build. This blog post will explain the feature, how to enable it and why it is very useful. What is Early Blocking? ModSecurity, the engine below …

The Case for Early Blocking Read More »

Comprehensive View of the WAF Market From an Open Source Perspective

The log4j mess allowed everybody to see security shortcomings of the IT industry on a big scale. It also shed light on the shortcomings of the WAF market, a highly contested field with a myriad of commercial players and - well - us, the OWASP ModSecurity Core Rule Set (CRS), the only general purpose open …

Comprehensive View of the WAF Market From an Open Source Perspective Read More »

The CRS Plugin Mechanism

Plugins are not part of the CRS 3.3.x release line. They will be released officially with the next major CRS release 4.x. In the meantime, you can use them with one of the stable releases by following the instructions below. What are Plugins? Plugins are sets of additional rules that you can plug in to …

The CRS Plugin Mechanism Read More »