I installed this and am testing. I installed the early release candidate and fought all the battles there, so this was a super easy install - just copied the new rules folder and the config file over the old ones. So far so good.

On 10/21/2016 12:07 AM, Christian Folini wrote:
Dear all,

The 2nd release candidate of the upcoming
OWASP ModSecurity Core Rule Set v3.0.0
has been published.

https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.0-rc2

This RC2 addresses several reported issues and concerns from our users
in order to yield a more usable and complete project. The changes
include:

* Further reduced false positives
* Template prebuilt exclusions for common web applications
   (including Wordpress and Drupal)
* A critical fix for usability on Apache 2.2
* Additional documentation updates
* Performance improvements
* Fixes for potential rule bypass issues

Let me explain the template prebuilt exclusions a bit:
We reduced false positives for CRS3 by more than 90% in the default
install. But you still encounter them here and there. In order to
get rid of these false positives, you need to configure rule exclusions
for certain paths and/or parameters. That is, instructions to ModSec
to exclude a path or parameter from being inspected by an individual
rule. CRS3-RC2 comes with a set of these rule exclusions for the
default installs of Wordpress and Drupal. This means, you can now
install these CMS suites, publish and consume articles without a
single false positive. This is a brand new feature and maybe we
did not catch everything. So a few test runs would be welcome. But this
is a start. If you have ties in the Wordpress and Drupal communities,
then please spread the word. If this is a successful method to get
Wordpress and Drupal users on board, we may look into expanding these
exclusion templates to other application packages as well.

Ideally, this RC2 is identical with the full release. If there is no
showstopper, we will either release on October 31 or in early November.

Chaim has written a blog post about this release:
https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Version-3-0-RC2-Released

In parallel to this release, I am publishing a series of Apache /
ModSecurity tutorials at https://www.netnea.com/cms/apache-tutorials/
In the end, this will be 12 tutorials. At least. So far, the following
ones appeared:
  Tutorial 1: Compiling Apache
  Tutorial 2: Configuring a Minimal Apache Web Server
  Tutorial 3: Configuring an Apache/PHP Application Server
  Tutorial 4: Enabling Encryption with SSL/TLS
  Tutorial 5: Extending and Analyzing the Access Log
  Tutorial 6: Embedding ModSecurity

Until CRS3 is out, you will also see
  Tutorial 7: Including the CRS
  Tutorial 8: Tuning the CRS / Writing Exclusion Rules

Not that you would need to learn how to install Apache. But I do know
that the documentation on how to run the Core Rules in real life is
lacking. And I think I have a conceptual view on the issues around
CRS in production that is now ready to share. There will be methods
and scripts that greatly simplify life. Please have a look and please
share your experience.

Reports about your experience with CRS3-RC2 are something we also need.
Positive feedback is what keeps us going. Bug reports are what help
us improve the quality of the ruleset. Please send them in.

Best regards,

Christian Folini, in the name of the Core Rules team
(Chaim Sanders, Walter Hop and me)


_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
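The "rule exclusions for certain paths and/or parameters" that Christian describes above look like the following. This is an added example, not configuration from the CRS project or from either mail: rule 942100 (the libinjection SQL injection check), the parameter name `comment` and the path `/wp-comments-post.php` are picked only to illustrate the mechanism and do not describe any actual false positive or bug in WordPress or the CRS.

```apache
# Added example: two ways to stop ONE CRS3 rule from inspecting ONE parameter,
# without touching the rest of the ruleset. Rule ID, path and parameter name
# are illustrative assumptions.

# 1) Runtime exclusion, placed BEFORE the CRS include (CRS3 ships
#    REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for this). Scoped to one
#    path: rule 942100 still inspects every other parameter on this path and
#    every parameter on every other path. Rule IDs 1-99999 are reserved for
#    local rules such as this one.
SecRule REQUEST_URI "@beginsWith /wp-comments-post.php" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    t:none,\
    ctl:ruleRemoveTargetById=942100;ARGS:comment"

# 2) Configure-time exclusion, placed AFTER the CRS include (CRS3 ships
#    RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf for this). This applies on
#    every path, so prefer (1) unless the parameter is harmless everywhere.
SecRuleUpdateTargetById 942100 "!ARGS:comment"

# What NOT to do when tuning away a false positive: this removes the whole
# rule, i.e. the SQLi check is gone for every parameter on every request.
# SecRuleRemoveById 942100

# The prebuilt WordPress template from RC2 is not written this way by hand;
# it is switched on with a variable in crs-setup.conf (shown here from memory
# of the crs-setup.conf.example comments; check the exact id in your copy):
SecAction \
    "id:900130,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.crs_exclusions_wordpress=1"
```

The ordering matters: `ctl:` actions take effect at request time and must run before the CRS rules they modify, whereas `SecRuleUpdateTargetById` edits a rule that has to exist already, so it must come after the CRS include. After reloading Apache, replay the request that triggered the false positive and confirm in the audit/error log that 942100 no longer fires on `ARGS:comment` while a test payload in another parameter is still caught.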
