Hello,
The OWASP ModSecurity Core Rule Set project news for February 2019 is out
https://coreruleset.org/20190228/crs-project-news-february-2019/
Retweets are welcome:
https://twitter.com/CoreRuleSet/status/1101226355155496960
This month, we announce the CRS community summit at AppSecGlobal i
Hi there,
This is a friendly reminder of our CRS community / project chat tomorrow
at 20:30 CET.
Access and agenda are listed here:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1291
If you have topics you would like us to cover, then please add them to the
list.
Best,
Christian
Hi there,
The information you are looking for is not in the access log, but in the
error or the audit log.
If you look through my tutorials at https://netnea.com, you will find a few
techniques and scripts that help you with the task at hand.
Otherwise, the JWall Audit Console does a pretty good
Hello Ritesh,
This is likely a false positive. If you do not have control over the
configuration, then you need to complain to your vendor.
If you do have control over the configuration, you will need to educate
yourself about ModSecurity and likely the Core Rule Set a bit.
Our website https://c
Hello,
The OWASP ModSecurity Core Rule Set project news for January 2019 is out
https://coreruleset.org/20190124/crs-project-news-january-2019/
Retweets are welcome:
https://twitter.com/CoreRuleSet/status/1088786400433094656
This month, we announce detailed plans for the Cloudfest Hackathon i
Hello Jai,
That's a good question.
We are not overly happy with the way this is done. So there are discussions to
overhaul this completely.
However, when you have a non-XML request, then ARGS and ARGS_NAMES will be
populated. And there are a few cases where REQUEST_BODY is indeed covered
and th
Hello everybody,
I just published the news of the OWASP ModSecurity Core Rule Set project
for the month of November:
https://coreruleset.org/20181226/crs-project-news-december-2018/
It includes the CRS 3.1 release, updates to the docker container, an
interesting success story and the first CRS 3
Hi there,
This is a friendly reminder for the monthly CRS community chat on Monday
Dec 3 on Slack. Connection and Agenda:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1238
Please add more issues to the agenda if you want them discussed.
The chat meeting is open for everybody, btw.
tives as much as possible in the
default install. We welcome reports of false positives on github.
For more information about our project, please go to https://coreruleset.org.
Sincerely,
Chaim Sanders, Walter Hop and Christian Folini on behalf of the Core Rule Set
development team
-
Hello everybody,
I just published the news of the OWASP ModSecurity Core Rule Set project
for the month of November:
https://coreruleset.org/20181114/crs-project-news-november-2018/
It includes the CRS 3.1-RC2 release, the announcement of the full release for
November 24 and many online articles
Thank you for the hint, Eero.
Would you mind opening an issue (or pull request) at
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/ ?
Best,
Christian
On Fri, Nov 09, 2018 at 07:22:32AM +0200, Eero Volotinen wrote:
> # Detectify https://detectify.com
>
> "Mozilla/5.0 (compatible; *D
Hi there,
This is a friendly reminder for the monthly CRS community chat next Monday
on Slack. Connection and Agenda:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1206
Please add more issues to the agenda if you want them discussed.
The chat meeting is open for everybody, btw.
B
the false positive - the
> request no longer returns a 403. I have yet to see any more lonely anomaly
> score errors in the logs, and hopefully that trend will continue. Thanks
> again for the assistance.
> - Jonah
>
> On Thu, Oct 18, 2018 at 1:55 PM Christian Folini <
>
let you know
> what happens.
>
> Thanks again,
> Jonah
>
> On Wed, Oct 17, 2018 at 2:57 PM Christian Folini <
> christian.fol...@netnea.com> wrote:
>
> > Hey Jonah,
> >
> > I suppose you mean CRS 3.0.2 when you say OWASP v3.
> >
> > I
Hello everybody,
I just published the news of the OWASP ModSecurity Core Rule Set project
for the month of September:
https://coreruleset.org/20180927/crs-project-news-september-2018/
It includes the CRS 3.1-RC1 release obviously and hope for GeoIP on ModSec
2.9.
Best,
Christian
--
A man mu
Hey Silvan,
Thank you for reporting.
Could you send the full payload / request. Ideally as a curl command, so we
can reproduce. It could be that you are up to something here.
Best,
Christian
On Tue, Sep 11, 2018 at 02:07:11PM +0200, Silvan Nagl wrote:
> Hi,
>
> maybe I am wrong but it seems l
channel on the OWASP
slack.
Best,
Christian Folini
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
___
Owasp-modsecurity
Hi there,
I just finished a first blog post about the CRS community summit we ran last
week in London.
https://coreruleset.org/20180712/reporting-from-the-first-crs-community-summit-in-london/
More to come.
Christian
--
https://www.feistyduck.com/training/modsecurity-training-course
https://w
,
Christian Folini
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
Hey Taya,
Getting a 500 is a bit odd. But I take it you have made sure it is ModSec and
not something else. The full error log / audit log would help.
Ahoj,
Christian
On Thu, May 24, 2018 at 11:13:12PM +0100, Taisiya Latysh wrote:
> I can provide access to my AWS instance if required.
>
> Tha
Hello Hiranmayi,
Having them would be very interesting of course.
It is not so clear how far you can get. I usually declare that ModSec is no
good at fighting standard DoS attacks. As for websockets, you may face a problem
where ModSecurity does not give you proper access to the traffic in question.
is there generally any guidance available on the performance
> measurement metrics for each paranoia level.
>
> From: Hiranmayi Palanki
> Sent: Thursday, March 22, 2018 1:40 PM
> To: 'Manuel Spartan' ; 'Christian Folini'
>
> Cc: 'OWASP CRS'
> Subj
Hey Hiranmayi,
On Wed, Mar 21, 2018 at 02:25:32PM +, Hiranmayi Palanki wrote:
> What is the recommended Paranoia Level for an enterprise Internet facing
> application, that does not break the application functionality?
I'd say you should put it at least on level 2. This will bring some false
; Eero
>
> On Wed, Mar 21, 2018 at 11:53 AM, Christian Folini <
> christian.fol...@netnea.com> wrote:
>
> > Hey Eero,
> >
> > The TRACE method is somewhat special. At least in Apache. The request
> > skips phase 2 and thus the CRS rule covering tx.allowed_
Hi there,
Please save the date of our first Community Summit: July 4, 2018, at 4pm
in London.
https://coreruleset.org/20180320/save-the-date-crs-community-summit-on-july-4-2018/
This is meant to be a get-together of the community. We want to learn about
you and how you use CRS in your setups - a
Hey Eero,
Thank you for the suggestion. I just made this into a pull request.
https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/1039
Please try it out and confirm detection works as intended.
Ideally on github.
Ahoj,
Christian
On Tue, Mar 13, 2018 at 02:20:30PM +0200, Eero Volotinen
e via
> the link in your tutorial everything works like it should.
>
> Thanks for the help and sorry for making such a simple mistake :)
>
> Jeroen
>
> -Oorspronkelijk bericht-
> Van: Christian Folini [mailto:christian.fol...@netnea.com]
> Verzonden: donderda
Hey Jeroen,
This is an ancient bug actually:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/181
It is fixed since the release of CRS 3.
Given you base on my tutorial which follows that version, I do not know
how you could encounter it.
Regs,
Christian
On Wed, Feb 07, 2018 at 01:5
Hello Mark,
On Thu, Feb 01, 2018 at 09:27:13PM +, Mark Blackman wrote:
> Thanks, as an update, a second round of testing where logging was reduced
> and where we used a more proven httpd configuration resulted in more
> sensible results, typically 2 ms for a request without scanning and 4 ms f
Hi there,
My company, netnea.com, is a small consulting / contracting company based in
Berne, the capital of Switzerland. We specialize in network monitoring and
Apache / ModSecurity.
We have an open position for a webserver engineer with a strong interest in
security.
I am the author of the 2nd
Hi Ken,
We used to have ML problems, but it seems at least your message went through.
Hopefully OWASP HQ has fixed it for good.
I confirm the FP here and can only add that 942200 has been set to PL2
for causing FPs from time to time.
Franziska Bühler disassembled the regexes of the SQL rules, so
Mark,
Latency is an issue and the amount depends on the server. Factor 5 is a bit
steep, but still possible.
My mileage is usually a 5-10% hit on the throughput of a reverse proxy. If
your server serves only static files and no backend connection, then your
numbers could be real.
I would want to
Hello Brent,
Thank you for the link to the presentation and the article.
Khalil Bijjou also presented at DeepSec Vienna in November and I have been in
touch with him briefly afterwards.
I used the tool a bit, yet it is not quite easy as the documentation is
lacking in my eyes (--help does not gi
Cristian,
You are getting there. Yet the DebugLogLevel is still not high enough.
Put it to 9 and then you grep for the threshold variable in the logfile.
This will allow you to see which rule sets the threshold and in what order.
It is possible it's a phase issue. But when I looked over it in your
ds as if you would have to raise the debug log level and
work your way through the file to see which rule sets which value and in
what order.
Ahoj,
Christian
>
> Ty
>
>
> Il 04/12/2017 14:47, Christian Folini ha scritto:
> > Hey Cristian,
> >
> > No, this works
Hi there,
I just realized, there has not been a reminder with regards to today's project
chat.
Here you go: 20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
If you're interested in learning more about the project or you are
interested in a particular issue/feature, we'd love
Hey Cristian,
No, this works perfectly. Let me tell you why:
The crs-setup.conf does not actually set the threshold. Instead the
REQUEST-901 initialization file sets the threshold to the default value
if it is not set.
You are setting the anomaly score in your rule file in modsecurity, so no
nee
Hey Philippe,
On Thu, Nov 30, 2017 at 10:13:46AM +0100, Philippe Naudin wrote:
> This is because 3.0.0 rules had a tag starting with OWASP_CRS/, and I
> use this tag to exclude all C.R.S. rules in rare cases like :
> ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:sql_query
> But this tag is gone in some
Hi there,
The new edition of the OWASP Top Ten has been released.
https://owasp.blogspot.ch/2017/11/owasp-is-pleased-to-announce-release-of.html
It features ModSecurity and the OWASP ModSecurity Core Rule Set under
A10: Insufficient Logging & Monitoring under "How to Prevent":
"... There are c
Hey Brent,
There is the sanitize group of actions that applies to the Audit log and will
replace certain parameter values with asterisks.
However, the alert message written to the Apache Error-Log and the Debug-Log
(Level 3) are unaffected by this.
It's one of the major issues I have with ModSec
Hello,
I see how this tuning approach via negative scoring is meant to work. However
it is quite botched if you excuse my wording. It actually looks like a huge
backdoor. All you need to do is an alert on 981172 and then submit a
cookie Mycookie1/2/3/4 and then get a discount of -20 anomaly scorin
Hello,
The RC2 for the 2017 edition of OWASP Top 10 is out.
The new issue A10: Insufficient Logging & Monitoring mentions
ModSecurity and CRS.
https://github.com/OWASP/Top10/blob/master/2017/OWASP%20Top%2010%202017%20RC2%20Final.pdf
I think thanks are due to Osama Elnaggar who worked behind the
testing.
Ahoj,
Christian
On Sat, Oct 14, 2017 at 11:56:36AM +0200, Christian Folini wrote:
> Hi there,
>
> Fränzi Bühler and I will take part at the HackNight at the Swiss DINAcon
> next Friday in Berne, from 6pm local time.
>
> We have plenty of PRs to review, but we also plan to
Hey Jeff,
Could you raise your SecDebugLogLevel to 9 and then post your payload and
select that part of the debug log that handles the rule 942100?
Also: said libinjection rule does not work on the raw request body (your
post implies this somehow). But it only works on argument names and
argument
Hey Aurel,
We have a pull request waiting for my review that addresses Nextcloud.
https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/899
The idea is to get a rule exclusion package for Nextcloud. Ideally you could
give that contributed pull request a go and report back your experience
in t
Hi there,
Fränzi Bühler and I will take part at the HackNight at the Swiss DINAcon
next Friday in Berne, from 6pm local time.
We have plenty of PRs to review, but we also plan to work on new ideas.
Having more people join us on site would of course be fun, but participating
remotely could also b
Hi there,
Just caught a tweet about a position for a Security Researcher
with Trustwave:
https://jobs.jobvite.com/careers/trustwave/job/oHPI5fw3?__jvst=Employee&__jvsd=sTFykfwa&__jvsc=Twitter&bid=ntlpMBw5
Would be cool if some active member from the community would apply.
Cheers,
Christian
--
Obviously, one should not copy&paste too much.
I meant Monday, October 2. The first Monday of every month, actually.
On Mon, Oct 02, 2017 at 06:42:46AM +0200, Christian Folini wrote:
> Tonight is our monthly project chat. Monday, September 4, we'll do our
> regular
> Core Rul
Hi there,
Tonight is our monthly project chat. Monday, September 4, we'll do our regular
Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
The development is taking up speed with new contributors submitting
PRs (and a lot of review work to be done
Hi,
There is a new blog post at
https://coreruleset.org/20170913/how-you-can-help-the-crs-project/
Cheers,
Christian
--
ModSecurity courses Oct 2017 in London and Zurich
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mail
Dear all,
This is the CRS newsletter covering the period from mid August until
today.
It is also available on the website at
https://coreruleset.org/20170907/crs-project-news-september-2017/
What has happened during the last few weeks:
- We held our community chat last Monday. Chaim was high
Hi there,
I almost forgot the reminder for our monthly chat.
Monday, September 4, we'll do our regular Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
Hope to see / read many of you tomorrow!
Cheers,
Christian
--
ModSecurity courses Oct 2017
On Wed, Aug 23, 2017 at 10:31:17PM +0200, Osama Elnaggar wrote:
>Try changing the phase to phase 1 as phase 4 rules are for processing the
>response body and the request has already reached your backend by phase 4.
Yeah, but the rule in question is also phase 4:
modsecurity_crs_50_outboun
Hi there,
Is this the full "H" part of the Audit Log?
Are you sure it's not an extension filter defined on the application
itself?
Did you try this without CRS? Without ModSec?
Just questions that mean to guide you...
Ahoj,
Christian
On Wed, Aug 23, 2017 at 09:30:30AM +0200, Ervin Hegedüs wr
Hey Georgi,
The
"Message: Audit log: Failed to lock global mutex: Permission denied"
in combination with the SecRequestBodyAccess is a bad sign.
You should try and solve that permission problem. I would not be
surprised if it would be linked.
Ahoj,
Christian
On Tue, Aug 22, 2017 at 07:27:11
izes at
https://www.owasp.org/index.php/ModSecurity_CRS_Logo
We will put this on the new site too as soon as we receive the SVG
version of the logo.
Best regards,
Christian Folini, for the CRS team
--
ModSecurity courses Oct 2017 in Lond
Hey Georgi,
On Thu, Aug 17, 2017 at 07:27:49PM +0300, Georgi Georgiev wrote:
> 1. Is really paranoia level 1 less false positive for a shared hosting
> environment and in such time enough for protection?
That depends on your assessment of your data, its value and the threat
model.
I thi
Hey Kirk,
Thank you for your fully documented recipe. Glad it works.
This is almost ready for a complete blogpost on the subject:
- Step 1: Running rules only on certain parameters
- Step 2: Running rules only on certain parameters on certain paths
Interested to write that?
Ahoj,
Christian
On
m wrong?
>
> # Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
> SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
> "id:901100,\
> phase:1,\
> pass,\
> nolog,\
> setvar:tx.inbound_anomaly_score_threshold=5"
Hey Kirk,
Thank you for trying this out so quickly. This is very helpful.
On Tue, Aug 15, 2017 at 09:12:37PM +1200, Kirk Jackson wrote:
> I think by "steering commando rules" you mean the rules that check which
> paranoia level is set, and then jump to the marker at the end of the file?
Exactly.
ve ratelimits and I prefer to start with most common
> Wordpress / Joomla hacks rule that can stop some part of the hacks,
> because this is the biggest problem
>
> Best regards, Georgi Georgiev .
> > On Aug 15, 2017, at 9:52 AM, Christian Folini
> > wrote:
> >
> >
Kirk,
This is a tricky one. Actually your recipe should work. But then it does
not. I dug a bit deeper and found out an issue.
SecRuleUpdateTargetByID 942000-942999 "ARGS:SearchTerm"
adds the arg SearchTerm to all rules including steering commando rules
used for Paranoia Levels. And this seems t
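As an added example for this thread (not CRS project code, and not Kirk's recipe): a short Python check that parses a rules file written in CRS 3 syntax and reports which IDs in a range are the paranoia-level steering rules (SecRule TX:PARANOIA_LEVEL ... skipAfter:...), so that a SecRuleUpdateTargetById can be limited to the detection rules. The rules file it reads is a constructed miniature in the shape of a CRS rules file, not the real REQUEST-942 file; the single-ID form of SecRuleUpdateTargetById it emits is the plain documented form.

```python
"""List the paranoia-level steering rules inside a CRS rule-ID range.

Added example for the thread above; not CRS project code. SAMPLE_RULES is a
constructed miniature in the shape of a CRS 3 rules file (the real
REQUEST-942 file is far longer). The check: a SecRuleUpdateTargetById over
942000-942999 also reaches the skipAfter rules that test TX:PARANOIA_LEVEL,
so an appended ARGS:SearchTerm changes what those rules compare against.
"""
import re

RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"\s+"((?:[^"\\]|\\.)*)"')
ID_RE = re.compile(r"\bid:(\d+)")

SAMPLE_RULES = r'''
# constructed sample, not the real REQUEST-942-APPLICATION-ATTACK-SQLI.conf
SecRule TX:PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|ARGS_NAMES|ARGS|XML:/* "@detectSQLi" \
    "id:942100,\
    phase:2,\
    block,\
    msg:'SQL Injection Attack Detected via libinjection',\
    severity:'CRITICAL',\
    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

SecRule TX:PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule TX:PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

SecRule REQUEST_COOKIES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[^']*'){12}" \
    "id:942430,\
    phase:2,\
    block,\
    msg:'Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)',\
    severity:'WARNING',\
    setvar:'tx.anomaly_score=+%{tx.warning_anomaly_score}'"

SecMarker "END-REQUEST-942-APPLICATION-ATTACK-SQLI"
'''


def logical_lines(text):
    """Join backslash-continued lines; drop blank and comment lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []


def parse_rules(text):
    """Return id, variables, operator and a 'steering' flag for every SecRule."""
    rules = []
    for logical in logical_lines(text):
        m = RULE_RE.match(logical)
        if not m:
            continue                      # SecMarker, SecAction and friends
        variables, operator, actions = m.groups()
        idm = ID_RE.search(actions)
        if not idm:
            continue
        # CRS 3.0/3.1 steering rules test a TX: variable and skipAfter a marker.
        steering = "skipAfter:" in actions and variables.upper().startswith("TX:")
        rules.append({"id": int(idm.group(1)), "variables": variables,
                      "operator": operator, "steering": steering})
    return rules


def split_range(text, lo, hi):
    """IDs in [lo, hi] split into (steering rules, detection rules)."""
    in_range = [r for r in parse_rules(text) if lo <= r["id"] <= hi]
    return ([r["id"] for r in in_range if r["steering"]],
            [r["id"] for r in in_range if not r["steering"]])


def update_target_directives(text, lo, hi, target):
    """One single-ID SecRuleUpdateTargetById per detection rule; steering rules are left alone."""
    _, detection = split_range(text, lo, hi)
    return ['SecRuleUpdateTargetById %d "%s"' % (rid, target) for rid in detection]


if __name__ == "__main__":
    steering, detection = split_range(SAMPLE_RULES, 942000, 942999)
    print("steering rules in range (do not add targets to these):", steering)
    print("detection rules in range:", detection)
    print("\n".join(update_target_directives(SAMPLE_RULES, 942000, 942999, "ARGS:SearchTerm")))
```

Point it at the real rules files to get the steering IDs for any range; the same shape (a TX: variable compared against the paranoia level, then skipAfter to the file's END marker) is used by the steering rules of every REQUEST-9xx file in CRS 3.0 and 3.1, so the check is not specific to the 942 file.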
Hello Georgi,
CRS3 comes with default rule exclusions for WP and Drupal that solve
many of the base installations FPs. Collaborating with the project on
a set of Joomla rule exclusions would be most helpful.
Starting with a higher anomaly threshold while you weed out the false
positives is a meth
Arthur,
The IP Reputation rules of CRS are not the strongest part of the rule
set. However, the group consists of several different rules with the
IP Blacklisting based on Spiderlabs Honeypot recommendation being
disabled by default.
So there is some use in this group of rules, but it is limited.
Dear all,
This is the CRS newsletter covering the period from July until today.
What has happened during the last few weeks:
- We held our community chat last Monday. We have been eight people
including Manuel Spartan who participated in the development
of the paranoia mode.
The big topic
Hi there,
Next Monday, August 7, we'll do our regular Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
It's holiday season (I'm currently in Finland), but we'll see who
will have time. There are quite a few PRs we need to cover and then
the launch
Hi there,
OWASP London informed me that my CRS3 presentation will be live-streamed
on Facebook at https://www.facebook.com/OWASPLondon/
My talk will begin around 8pm UK time.
The presentation will be very similar to the one I held at AppSecEU
in Belfast, but this time, we have a backup plan fo
Hey Cristian,
On Mon, Jul 17, 2017 at 12:29:16PM +0200, Cristian Mammoli wrote:
> Hi, I'm using crs 3 in "anomaly score mode" and I would like to add a couple
> of custom rules to "lower" the anomaly score before the final evaluation
Makes sense. I thought about such scenarios as well, but I nev
Hey Ervin,
It certainly does not hurt to be on the same page.
Cheers,
Christian
On Mon, Jul 10, 2017 at 09:59:03AM +0200, Ervin Hegedüs wrote:
> Hi Christian,
>
> many thanks for your reply,
>
> On Mon, Jul 10, 2017 at 07:30:29AM +0200, Christian Folini wrote:
> > Hey E
7, 2017 at 8:24 AM, Ervin Hegedüs wrote:
> >
> > > Hi Christian and Chaim,
> > > other CRS users,
> > >
> > >
> > > here is my previous e-mail with an issue (with more issues
> > > exactly, but this one whis is interesting now)
> >
Dear all,
This is the CRS newsletter covering the period from June until today.
I was not sure I had the time to compile this message in time as I
am currently attending a medieval reenactment event with the
Company of St. George. But the camp is now set up for the weekend,
all is quiet and I sne
Hi there,
Next Monday, July 3, we'll do our regular Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
We plan to talk about possible new rules / feature requests for 3.1,
the new website, new logo and whatever pops up.
If there is an open feature
in touch via PM.
I have experience with some of this and I would love to receive funding
to work on the rest.
Best,
Christian Folini
On Fri, Jun 16, 2017 at 09:19:09AM +, noel.kpa...@orange.com wrote:
> Hello team,
>
> Could you revert to us about below request?
>
> Thank yo
Dear all,
This is the CRS newsletter covering the period from May until today.
What has happened during the last few weeks:
- We held our 4th community chat last Monday. We have been eight people
again including surprise guest ModSecurity / CRS debian packager
Alberto Gonzalez Iniesta.
We
Ramesh,
Please take a look at the set of ModSecurity / Core Rule Set tutorials
hosted at netnea.com. They cover exactly this case: Disabling a rule
for a certain path.
Cheers,
Christian
On Fri, Jun 09, 2017 at 09:24:41AM -0400, Ramesh wrote:
> Hello all,
>
> I have the following error in my mo
Hello Ed,
This looks a lot like Issue 794.
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/794
We think it is an issue in ModSecurity (and not with libinjection
as the rule ID suggests).
Could you create a full debug log of the false positive and attach
it with 794 like I did for the
Hi there,
Next Monday, June 5, we'll do our regular Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
The topics will be the launch of the 3.1 development, the idea to create
our own CRS website, a severe SQLi that passes CRS3 (-> issue 782)
and wh
Ervin,
Thank you for that quick status. Looking forward to hear of your tests.
On Thu, Jun 01, 2017 at 09:36:18PM +0200, Ervin Hegedüs wrote:
> > Validating the byte range in combination with UTF8 and friends is
> > something we might have to drop for PL1. We let ASCII 0 stay in the
> > default i
Bird wrote:
> Thanks! I've just tried it again as per your example and it seems to work (so
> I can only assume I had the rules in the wrong order when I first tried it).
>
> -Original Message-
> From: Christian Folini [mailto:christian.fol...@netnea.com]
> Sent:
Brian,
I think you are doing it wrong. It works out of the box for me.
Here is part of my config:
Include crs-rules/*.conf
SecRuleUpdateActionById 920440:1 "setvar:tx.anomaly_score=+100"
Then I made the following call, which triggers the rule 920440.
$> curl localhost/inde
Ervin,
You are touching multiple issues in your latest message. I would like
to dig on the bottom of this one:
On Wed, May 31, 2017 at 08:32:03AM +0200, Ervin Hegedüs wrote:
> And there is an another issue with 3.0.2 (but may be that affects
> another versions too).
>
> The request is similar th
the sessions. Lots of good presentations (all application security
> specific), including one on the OWASP CRS by Christian Folini -
> https://www.youtube.com/watch?v=eO9gBAmKS58&index=27&list=PLpr-xdpM8wG8RHOguwOZhUHkKiDeWpvFp
>
>
> The full video list is available over here -
Ed,
On Tue, May 23, 2017 at 03:30:27PM -0400, Ed Greenberg wrote:
> When a web server throws an error (>399) does that automagically trigger an
> entry in modsec_audit.log?
It depends on your setting of SecAuditLogRelevantStatus (and
also the setting of SecAuditEngine).
Ahoj,
Christian
--
T
+1
On Tue, May 23, 2017 at 10:06:00AM -0400, Ed Greenberg wrote:
> We've deployed 3.0.2 today. I had it in testing, and forgot that I needed to
> push it out. I'll keep an eye on things.
>
> Thanks,
> Ed
>
> On 05/23/2017 10:03 AM, Christian Folini wrote:
> &
hould handle the false positives. The tutorials at netnea.com
can teach you how.
Ahoj,
Christian
On Tue, May 23, 2017 at 09:40:07AM -0400, Ed Greenberg wrote:
> On 05/23/2017 09:37 AM, Christian Folini wrote:
> > Hey Ed,
> >
> > It is hard to help you without seeing the rule aler
Hey Ed,
It is hard to help you without seeing the rule alert. The alerts you
showed us are only the evaluation at the end.
Ahoj,
Christian
On Tue, May 23, 2017 at 09:06:21AM -0400, Ed Greenberg wrote:
> Something I don't understand. Here is a sample:
>
>
>
> --6e7a4c70-E--
>
> --6e7a4c70-H-
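As an added example for this thread and for the earlier "the information is in the error or the audit log" answer (not code from the CRS project or from any of the posts): a small Python script that pulls the per-rule alerts out of the Apache error log and out of the "H" part of the audit log, and separates them from the final 949110 evaluation line, which is the part people tend to paste and which on its own does not say what matched. The sample log lines are constructed to imitate both formats; the severity-to-score mapping is the CRS 3 default from crs-setup.conf; the set of evaluation rule IDs is an assumption covering the CRS 3.0/3.1 blocking and correlation rules.

```python
"""Pull the per-rule CRS alerts out of ModSecurity 2.9 logs.

Added example, not CRS project code. ERROR_LOG and AUDIT_H below are
constructed to imitate the Apache error-log format and the audit-log "H"
part. Assumptions: SEVERITY_SCORE is the CRS 3 default from crs-setup.conf
and EVALUATION_RULES lists the CRS 3.0/3.1 blocking/correlation rules.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
EVALUATION_RULES = {"949110", "959100", "980130", "980140"}

PREFIX_RE = re.compile(r"(?:ModSecurity|Message): ")      # error log / audit "H" part
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"], \" escaped
TOTAL_RE = re.compile(r"Total (?:Inbound |Outbound )?Score: (\d+)")


@dataclass
class Alert:
    rule_id: str
    msg: str
    severity: str
    detail: str      # what matched and where, e.g. 'Warning. Pattern match "..." at ARGS:q.'
    uri: str
    tags: list = field(default_factory=list)

    @property
    def is_evaluation(self):
        return self.rule_id in EVALUATION_RULES

    @property
    def score(self):
        return 0 if self.is_evaluation else SEVERITY_SCORE.get(self.severity, 0)


def parse_alerts(text):
    """One Alert per alert line; lines without a ModSecurity:/Message: prefix are skipped."""
    alerts = []
    for line in text.splitlines():
        start = PREFIX_RE.search(line)
        first = TAG_RE.search(line, start.end()) if start else None
        if not first:
            continue
        fields = {}
        for key, value in TAG_RE.findall(line[first.start():]):
            fields.setdefault(key, []).append(value.replace('\\"', '"'))
        if "id" not in fields:
            continue
        alerts.append(Alert(rule_id=fields["id"][0], msg=fields.get("msg", [""])[0],
                            severity=fields.get("severity", [""])[0],
                            detail=line[start.end():first.start()].strip(),
                            uri=fields.get("uri", [""])[0], tags=fields.get("tag", [])))
    return alerts


def summarize(alerts):
    """Split per-rule hits from the evaluation and cross-check the total it reports."""
    hits = [a for a in alerts if not a.is_evaluation]
    evaluations = [a for a in alerts if a.is_evaluation]
    computed = sum(a.score for a in hits)
    reported = None
    for e in evaluations:
        m = TOTAL_RE.search(e.msg)
        if m:
            reported = int(m.group(1))
    return {"hits": [(a.rule_id, a.severity, a.score, a.detail) for a in hits],
            "computed_score": computed, "reported_score": reported,
            "blocked": any(e.detail.startswith("Access denied") for e in evaluations),
            "consistent": reported is None or reported == computed}


def count_by_rule(alerts):
    """Hits per rule ID over a whole log: the first step when hunting false positives."""
    return Counter(a.rule_id for a in alerts if not a.is_evaluation)


# Constructed sample: one blocked transaction as written to the Apache error log.
ERROR_LOG = '''\
[Tue May 23 09:06:21.104210 2017] [:error] [pid 3811:tid 139] [client 203.0.113.7:51234] ModSecurity: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:q: ' or 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [tag "application-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "WSPpAX8AAQEAAA7uMpwAAAAA"]
[Tue May 23 09:06:21.104455 2017] [:error] [pid 3811:tid 139] [client 203.0.113.7:51234] ModSecurity: Warning. Pattern match "(?:[^']*'){12}" at ARGS:q. [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1151"] [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: ' or 1=1 found within ARGS:q"] [severity "WARNING"] [ver "OWASP_CRS/3.0.2"] [tag "application-multi"] [tag "attack-sqli"] [tag "paranoia-level/2"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "WSPpAX8AAQEAAA7uMpwAAAAA"]
[Tue May 23 09:06:21.104702 2017] [:error] [pid 3811:tid 139] [client 203.0.113.7:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "CRITICAL"] [tag "application-multi"] [tag "attack-generic"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "WSPpAX8AAQEAAA7uMpwAAAAA"]
'''

# Constructed sample: the "H" part of an audit-log entry for a request that scored below threshold.
AUDIT_H = '''\
--6e7a4c70-H--
Message: Warning. Pattern match "(?:[^']*'){12}" at ARGS:q. [file "/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1151"] [id "942430"] [msg "Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)"] [data "Matched Data: it's found within ARGS:q"] [severity "WARNING"] [ver "OWASP_CRS/3.0.2"] [tag "application-multi"] [tag "attack-sqli"] [tag "paranoia-level/2"]
Stopwatch: 1495530381104210 2210 (- - -)
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Engine-Mode: "ENABLED"

--6e7a4c70-Z--
'''

if __name__ == "__main__":
    for name, text in (("error log", ERROR_LOG), ("audit log H part", AUDIT_H)):
        s = summarize(parse_alerts(text))
        print(name, "-> score", s["computed_score"], "blocked" if s["blocked"] else "passed")
        for rule_id, severity, score, detail in s["hits"]:
            print("  ", rule_id, severity, score, detail)
```

Feed it the slice of the error log for one transaction (the unique_id ties the lines together) or the H part of the audit-log entry; the per-rule lines it lists are what a false-positive report needs, the 949110 line alone is not. A request that shows a single WARNING-level hit and no "Access denied" line, like the audit sample here, is a "lonely" alert that stayed below the default inbound threshold of 5.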
Hi there,
Spot on. Thanks for reporting.
We noticed this issue last night and are currently preparing 3.0.2.
In the default install, a request passes that debug message.
A custom crs-setup.conf can lead to a block, though.
The messup came via mis-merging of a commit to solve the github issue
71
Dear all,
This is the CRS newsletter covering the period from April until today.
What has happened during the last few weeks:
- We held our 3rd community chat last Monday. We have been eight people
and we had an extremely efficient meeting. We sorted out a strategy
for the remaining 3.0dev i
Hi there,
Next Monday, May 1, we'll do our regular Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
The topics will be the last preparations for the upcoming CRS 3.0.1
which is almost done now, then better support for Travis testing,
the possibil
Arthur,
On Sat, Apr 22, 2017 at 09:42:42AM -0700, Arthur E. Johnston wrote:
> Does a CRS ver.3.0 exist for Joomla!
>
> The only version currently available for Joomla! is 2.9 and that is very
> outdated/not usable with current versions.
Honestly, I do not really understand what you are trying
Hi Ed,
This is totally the right place. Just speak up!
Cheers,
Christian
On Fri, Apr 21, 2017 at 08:11:27AM -0400, Ed Greenberg wrote:
> If this is not the right place for me to ask about rule violations, and
> false positives and such, can somebody point me to a better forum?
>
>
> Thanks,
Osama,
Thank you for the link. I was not aware of that development.
I love the new risk matrix and the added content. Very good read.
Ahoj,
Christian
On Mon, Apr 10, 2017 at 09:31:56PM -0400, Osama Elnaggar wrote:
> Hi,
>
> Not sure if you guys saw this, but the new OWASP Top 10 (2017 RC1) was
This might be of interest for this mailinglist too.
Cheers,
Christian
- Forwarded message from Osama Elnaggar -
Date: Mon, 10 Apr 2017 21:31:56 -0400
From: Osama Elnaggar
To: mod-security-us...@lists.sourceforge.net
Subject: [mod-security-users] OWASP Top 10 2017 RC1
Reply-To: mod-sec
Dear all,
This is the CRS newsletter covering the period from March until today.
What has happened during the last few weeks:
- We held our 2nd community chat last Monday. We have been six people
this time around and what feels even more important: five out of those
accepted tasks to solve
Hello,
Just a reminder, the chat is up in 6.5 hours.
I have been notified that it will be 20:30 CEST (not 20:30 CET as I
previously stated).
Ahoj,
Christian
out that the correct name of the time zone is CEST not CET
On Fri, Mar 31, 2017 at 06:50:11AM +0200, Christian Folini wrote:
> Hi th
Hi there,
Next Monday, April 3, we'll do our regular Core Rule Set project chat.
20:30 CET (14:30 EDT, 18:30 GMT)
on Freenode IRC, channel #modsecurity
The topics will be preparations for the upcoming CRS 3.0.1 release
and anything else that springs to mind. If you have other things to
discuss t
want to do?) I assume I would do that in the RESPONSE-999-EXCLUSION
> conf file.
>
> Thanks,
> -Sheldon
>
> -Original Message-
> From: fol...@netnea.com [mailto:fol...@netnea.com]
> Sent: Wednesday, March 01, 2017 5:28 PM
> To: Briand, Sheldon (NRC/CNRC)
> C
me know and share
this message).
Best regards,
Christian Folini, for the OWASP ModSecurity Core Rule Set team
--
CRS website: https://www.modsecurity.org/crs
CRS at OWASP:
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
CRS tutori
t is a real positive and the
response should be blocked.
Did I convince you? If not, please explain where I make a mistake
in my thinking. An example response with an error ignored by CRS
(-> false negative) or a false positive would really help.
Ahoj,
Christian
>
> On Tuesday, Marc
Hi there,
Ooops. What is the problem? Here is the rule in question:
SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
"phase:response,\
id:951100,\
rev:'5',\
ver:'OWASP_CRS/3.0.0',\
pass,\
nolog,\
tag:'application-multi',\
tag:'l