[Owasp-modsecurity-core-rule-set] OWASP CRS Version 3.0 RC1 Released

Christian Folini christian.folini at netnea.com
Wed Aug 17 08:02:24 UTC 2016

Hi there,

CRS3 has been in the making for several years. Ryan Barnett laid the
base and instructed Chaim on how to work on the project. Last Winter,
Chaim took Walter and me into the project and the development
accelerated a big deal. Chaim and Walter invested their Summer holidays
into this release and I was close to throwing the towel as I could not
keep up anymore. This was also thanks to various other community members
like @ygrek, Vladimir Ivanov, Franziska Bühler, Noël Zindel, Christian
Peron (to name but a few) providing excellent pull requests and putting
their fingers on nasty issues we could no longer ignore.

But now the release candidate is out and ready for your testing.

Download a tarball from
and start with a look into the INSTALL file.

Chaim's blog post demonstrates the impressive reduction of false
positives with an out of the box Wordpress installation. A few small
ones remain, namely with requests that contain PHP code. 
However, if you look at it from a production perspective, where the
admin traffic is small in comparison with user traffic, then the
percentage of requests causing false positives will be even lower
than in Chaim's demo.

We have introduced multiple Paranoia Levels. In default install, you
run with Paranoia Level 1. This is the level which brings the desired
security baseline with very little false positives. You can raise the
Paranoia Level to 2, 3 or 4 to enable more aggressive rules. This will
bring a higher security level but comes with the price of more false

You could argue, that the shifting of dozens of aggressive rules into
higher Paranoia Levels leads to a reduction in detection capabilities.
But that is not the case, actually. The support for libinjection
rules and the great work by Walter Hop around Remote Command Execution
and PHP Injections counter the effect. So a default CRS3 is a worthy
successor of CRS2 and the Paranoia Mode allows to lock down high
security sites with very, very aggressive rules what make it
extremely tough to smuggle a request past the ruleset.

The release notes speak of enabling the CRS for only a limited
percentage of request to try out the rules on an existing service. The
case is clear: You suspect ModSecurity to be a performance hog and
rumour has it, the Core Rules will stall your service immediately. The
new Sampling Mode permits to limit ModSecurity and the CRS requests at
say 1% of the traffic. That way you can be sure, your server will
continue to work and you have time to look at potential issues without
much harm.  Afterwards, when you are confident that it works, you raise
the percentage to 5%, 10%, 20%, 50%, and finally 100%, which naturally
is the default sampling value. Please be aware, that any value below
100% opens your site to malign attackers by disabling ModSecurity

With that being said, please give this release candidate a shot: Every
issue we can resolve now, will no longer hamper the full release.
This is especially true with false positives: Every false positive
in the default install, which we are able to weed out, will simplify the
life of countless sysadmins when the install the full release.

Please submit your issues here on the Mailinglist or via the github
issue tracker.



mailto:christian.folini at netnea.com
twitter: @ChrFolini

More information about the Owasp-modsecurity-core-rule-set mailing list