[Owasp-modsecurity-core-rule-set] Don't the new rules deserve a bigger version number increase?
rcbarnett at gmail.com
Wed Aug 19 22:07:54 EDT 2009
The new CRS are a big deal, which is why we designated it at the 2.0 level.
While traditionally we had bundled the CRS with the Mod source code, we may
want to rethink that for a few reasons -
1) CRS is now an OWASP project and it will more than likely be developed on
its own path separate from ModSecurity. Yes, we need to have some
interactions so that new rules can utilize new features, but they should be
developed on their own outside of the Mod source code.
2) The release cycles of the CRS are going to be much more frequent and tying
it back into adding to the Mod source archive seems like a lot of extra work.
3) We will soon be utilizing the rules-updater.pl script to allow users to
automatically download the latest rules from our site. I would guess that
this will become the most often used method for obtaining rules.
I think that we should take a cue from Snort and keep the source code and the
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
On Wednesday 19 August 2009 04:33:35 pm Ivan Ristic wrote:
> It seems to me that the new rules are a big deal, yet they are
> released as part of 2.5.10, which is primarily a bug-fix release. If
> the new rules are production ready, why not release them with
> ModSecurity 2.6?
> If they are not ready, perhaps 2.5.10 could be released with two rule
> sets, with 2.6 released once the rules are ready?