Greetings everyone, I am sending this note to let you know that SpiderLabs is working on a number of rule updates for the upcoming release of CRS v2.2.0. Some of the big items are:
Rule Documentation

We have a template rule description page here - https://www.owasp.org/index.php/ModSecurity_CRS_Rule_Description_Template. We will continue work on new description pages for each rule; however, we need community help with this effort. Specifically, we have sections for documenting False Positives/False Negatives for each rule. If you are having any issues with CRS rules, please sign up for the FP Reporting mail-list - https://lists.sourceforge.net/lists/listinfo/mod-security-report-false-positives and send a note with the FP details.

If you want to create a rule documentation page on the OWASP wiki site, simply copy the wiki html from the Description Template link above and then type in your browser the path to the new page like this - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX where XXXXX is the Rule ID you are creating the page for. If that page doesn't exist yet, the OWASP wiki page will allow you to EDIT and create it. Then simply paste in the html from the Documentation Template page and fill in the data. Here is an example page - https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911

Rule Tag Updates

I have started to add in new rule tag actions which will help users to identify the current accuracy level of each rule. The purpose of this tag is to help the user to decide if this rule has a high FP rate or if it is a strong signature that they can be confident in applying blocking actions. The new tag has the following format -

tag:'RULE_ACCURACY_LEVEL/N'

Where N is a number between 1-5 with:

1 = Beta/Experimental rule or the rule has a high number of reported false positives (via the mail-list).
5 = Heavily tested rule with no false positives reported (via the mail-list).

Again, we need your help!!! SpiderLabs will provide the initial rule accuracy level tagging for the rules; however, we need the community to report FP issues so that these rule tags may be adjusted.

The advantage of this approach is that with the new ModSecurity v2.6.0, you will be able to systematically remove rules by using data within the TAG action. So, you could easily choose to only run Level 5 accuracy rules on your site.

Regression Testing Suite

As stated in a separate email thread – I am currently working on updating our rules regression testing suite and we will be releasing it to the community soon. The idea is that the testing suite will have example request payloads that can be actively sent to your ModSecurity install so that you can verify that the detection engine is working properly. I will complete the first few testing files and then release it to the public so that we can hopefully get some more help with developing tests. This will also allow end-users to develop their own tests for their own custom rules. This will help to verify that your ModSecurity/CRS installs are working correctly, which is vitally important, especially after any type of upgrade.

Please keep an eye out for email related to these topics. I will be sending emails – related to each rule where we can provide a status on the items discussed.

Thanks,
Ryan
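The tag-based filtering described in the message, as an added configuration example that is not part of the original email or of the CRS itself. The rule ids, match strings and messages are constructed placeholders, and SecRuleRemoveByTag, which the email does not name, is the ModSecurity 2.6 directive that removes rules whose tag matches a regular expression.

```apache
# Constructed placeholder rules (not real CRS rules); only the tag format
# tag:'RULE_ACCURACY_LEVEL/N' comes from the announcement.

# A low-confidence rule: accuracy level 2, detection only.
SecRule ARGS "@contains placeholder-low-confidence" \
    "phase:2,id:'999001',t:none,pass,log,\
    msg:'Placeholder experimental rule',\
    tag:'RULE_ACCURACY_LEVEL/2'"

# A heavily tested rule: accuracy level 5, safe to block on.
SecRule ARGS "@contains placeholder-high-confidence" \
    "phase:2,id:'999002',t:none,block,log,\
    msg:'Placeholder well-tested rule',\
    tag:'RULE_ACCURACY_LEVEL/5'"

# Must appear AFTER the rules it targets (for example, after the Include
# lines that load the rule files). The argument is a regular expression
# matched against each rule's tags: this drops levels 1 through 4 and
# leaves rule 999002 (level 5) active.
SecRuleRemoveByTag "RULE_ACCURACY_LEVEL/[1-4]$"
```

Rules that carry no RULE_ACCURACY_LEVEL tag are not matched by the expression and stay loaded, so check which rules are untagged before relying on this as a Level 5 only policy.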
