[Owasp-modsecurity-core-rule-set] Don't the new rules deserve a bigger version number increase?
Brian.Rectanus at breach.com
Thu Aug 20 02:12:28 EDT 2009
I had intended to still package up the latest CRS with modsec whenever I
make a release. The CRS is now in its own tree under SVN, so I just
pull the latest CRS and include it in the modsec release.
Ryan Barnett wrote:
> The new CRS are a big deal which is why we designated it at the 2.0
> level. While traditionally we had bundled the CRS with the Mod source
> code, we may want to rethink that for a few reasons -
> 1) CRS is now an OWASP project and it will more than likely be developed
> on its own path separate from ModSecurity. Yes, we need to have some
> interactions so that new rules can utilize new features, but they should
> be developed on their own outside of the Mod source code.
> 2) The release cycles of the CRS are going to be much more frequent and
> tying it back into adding to the Mod source archive seems like a lot of
> extra work.
> 3) We will soon be utilizing the rules-updater.pl script to allow users
> to automatically download the latest rules from our site. I would guess
> that this will become the most often used method for obtaining rules.
> I think that we should take a cue from Snort and keep the source code
> and the rules separate.
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> On Wednesday 19 August 2009 04:33:35 pm Ivan Ristic wrote:
> > It seems to me that the new rules are a big deal, yet they are
> > released as part of 2.5.10, which is primarily a bug-fix release. If
> > the new rules are production ready, why not release them with
> > ModSecurity 2.6?
> > If they are not ready, perhaps 2.5.10 could be released with two rule
> > sets, with 2.6 released once the rules are ready?