Blog – Page 2 – OWASP ModSecurity Core Rule Set

CRS Version 3.3.3 and 3.2.2 (covering several CVEs)

By Andrew Howe / September 19, 2022 September 20, 2022

Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8. The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of two new CRS versions.Edit: Updated download links now to refer to the fixed versions. Version 3.3.4 …

CRS Version 3.3.3 and 3.2.2 (covering several CVEs) Read More »

Update on CRS 4.0 release delay

By Walter Hop / July 11, 2022 July 11, 2022

Dear all, A few months ago we happily announced the first Release Candidate for Core Rule Set 4.0. Our original plan was to finish the 4.0 release as fast as possible. However, we found ourselves in a unique situation for our project. After the Release Candidate, a large CRS user organized a CRS Bug Bounty …

Update on CRS 4.0 release delay Read More »

Core Rule Set v4.0.0 Release Candidate 1 available

By Walter Hop / April 28, 2022 July 4, 2022

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page. CRS 4 contains many important changes, such as: A plugin architecture for extending CRS and minimizing attack …

Core Rule Set v4.0.0 Release Candidate 1 available Read More »

CRS names Felipe Zipitría as third Co-Lead

By Christian Folini / March 8, 2022 March 10, 2022

The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role. Felipe Zipitría holds a master of computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for …

CRS names Felipe Zipitría as third Co-Lead Read More »

The Case for Early Blocking

By Christian Folini / March 2, 2022 March 3, 2022

Early Blocking is a feature that CRS will deliver with the next major release, probably Spring 2022. You can use it immediately when deploying the latest dev / nightly build. This blog post will explain the feature, how to enable it and why it is very useful. What is Early Blocking? ModSecurity, the engine below …

The Case for Early Blocking Read More »

Introducing the Fake Bot Plugin

By Christian Folini / February 9, 2022 February 10, 2022

In one of my previous blog posts, I introduced the CRS plugin mechanism that we are rolling out for the next major release. Check out the blog post to learn how you can start using plugins immediately, without waiting for the next release (hint: really simple). Several plugins are already available. One of them is …

Introducing the Fake Bot Plugin Read More »

Comprehensive View of the WAF Market From an Open Source Perspective

By Christian Folini / January 20, 2022 January 20, 2022

The log4j mess allowed everybody to see security shortcomings of the IT industry on a big scale. It also shed light on the shortcomings of the WAF market, a highly contested field with a myriad of commercial players and - well - us, the OWASP ModSecurity Core Rule Set (CRS), the only general purpose open …

Comprehensive View of the WAF Market From an Open Source Perspective Read More »

The CRS Plugin Mechanism

By Christian Folini / January 12, 2022 January 13, 2022

Plugins are not part of the CRS 3.3.x release line. They will be released officially with the next major CRS release 4.x. In the meantime, you can use them with one of the stable releases by following the instructions below. What are Plugins? Plugins are sets of additional rules that you can plug in to …

The CRS Plugin Mechanism Read More »

Talking about ModSecurity and the new Coraza WAF

By Christian Folini / December 22, 2021 January 7, 2022

It's time to talk about the ModSecurity engine and to introduce you to Coraza, a new contender on the WAF front. Any rule set is nothing without a WAF engine to run it, so even if our project is focused on the rules, we need to look at the underlying engine(s) from time to time. …

Talking about ModSecurity and the new Coraza WAF Read More »

Public Hunt for log4j / log4shell Evasions / WAF Bypasses

By Christian Folini / December 16, 2021 January 7, 2022

We have been updating our detection for the infamous CVE-2021-44228 vulnerability and its siblings for several days now. With the new experimental rule 1005, we think we really have decent detection capabilities now. Read up on this development in the separate blog post CRS and Log4j / Log4Shell / CVE-2021-44228. Right before the log4j CVE …

Public Hunt for log4j / log4shell Evasions / WAF Bypasses Read More »