[Owasp-modsecurity-core-rule-set] Don't the new rules deserve an bigger version number increase?

Brian Rectanus Brian.Rectanus at breach.com
Thu Aug 20 02:12:28 EDT 2009


I had intended to still package up the latest CRS with modsec whenever I 
make a release.  The CRS is now in its own tree under SVN, so I just 
pull the latest CRS and include it in the modsec release.

-B

Ryan Barnett wrote:
> The new CRS are a big deal which is why we designated it a the 2.0
> level. While traditionally we had bundled the CRS with the Mod source
> code, we may want to rethink that for a few reasons -
>
>
> 1) CRS is now an OWASP project and it will more than likely be developed
> on its own path separate from ModSecurity. Yes, we need to have some
> interactions so that new rules can utilize new features, but they should
> be developed on their own outside of the Mod source code.
>
>
> 2) The release cycles of the CRS are going to be much more frequent and
> tying it back into adding to the Mod source archive seems like a lot of
> extra work.
>
>
> 3) We will soon be utilizing the rules-updater.pl script to allow users
> to automatically download the latest rules from our site. I would guess
> that this will become the most often used method for obtaining rules.
>
>
> I think that we should take a cue from Snort and keep the source code
> and the rules separate.
>
>
> --
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
>
> On Wednesday 19 August 2009 04:33:35 pm Ivan Ristic wrote:
>  > It seems to me that the new rules are a big deal, yet they are
>  > released as part of 2.5.10, which is primarily a bug-fix release. If
>  > the new rules are production ready, why not release them with
>  > ModSecurity 2.6?
>  >
>  > If they are not ready, perhaps 2.5.10 could be released with two rule
>  > sets, with 2.6 released once the rules are ready?
>
>

-- 
Brian Rectanus
Breach Security


More information about the Owasp-modsecurity-core-rule-set mailing list