[Owasp-modsecurity-core-rule-set] Don't the new rules deserve an bigger version number increase?

Ryan Barnett rcbarnett at gmail.com
Wed Aug 19 22:07:54 EDT 2009


The new CRS are a big deal which is why we designated it a the 2.0 level.  
While traditionally we had bundled the CRS with the Mod source code, we may 
want to rethink that for a few reasons -

1) CRS is now an OWASP project and it will more than likely be developed on 
its own path separate from ModSecurity.  Yes, we need to have some 
interactions so that new rules can utilize new features, but they should be 
developed on their own outside of the Mod source code.

2) The release cycles of the CRS are going to be much more frequent and tying 
it back into adding to the Mod source archive seems like a lot of extra work.

3) We will soon be utilizing the rules-updater.pl script to allow users to 
automatically download the latest rules from our site.  I would guess that 
this will become the most often used method for obtaining rules.

I think that we should take a cue from Snort and keep the source code and the 
rules separate.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

On Wednesday 19 August 2009 04:33:35 pm Ivan Ristic wrote:
> It seems to me that the new rules are a big deal, yet they are
> released as part of 2.5.10, which is primarily a bug-fix release. If
> the new rules are production ready, why not release them with
> ModSecurity 2.6?
>
> If they are not ready, perhaps 2.5.10 could be released with two rule
> sets, with 2.6 released once the rules are ready?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20090819/142284ca/attachment.html 


More information about the Owasp-modsecurity-core-rule-set mailing list