[Owasp-modsecurity-core-rule-set] CRS3-RC1 not working on Apache 2.2

Barry Pollard barry_pollard at hotmail.com
Fri Aug 19 21:01:56 UTC 2016

Christian I think you missed possibly the two main reasons for lack of comments:

1. People haven't had a chance to try it yet. It's been out 3 days! While you guys have spent a lot of time on this, and I honestly appreciate that, ModSecurity is not my full time job and while I personally do intend to have a look I've simply not had the time yet. I subscribe to this mailing list to keep abreast of changes, be aware of issues and help out when I can but that doesn't mean I'm going to jump immediately at any changes - particularly big ones like this.

2. Is there a benefit in upgrading? Now before you take offence at that let me explain what I mean by that: I've invested a lot of time tuning the older CRS on the websites I look after to the point it doesn't false alert much. It works for me, I'm happy with it and it's not missing any features that CRS3 will give me AFAIK. Would installing ModSecurity have been easier if CRS3 was about then? Absolutely! And if adding ModSecurity to a new site going forward then I'll almost certainly go straight with version 3, but for me, one of the main benefits of this upgrade is the ease of installing it - as it shouldn't be full of false positives when installed with default settings like 2.9 and previous were. As I say, I've already got 2.9 working now, so that doesn't benefit me as much. I've also a certain amount of fear of time it would take to configure, and make me have to reimplement my tuning, for little extra benefit at this point. Do let me know if I'm missing something and you feel there's some big benefits to me that should make me jump this up my priority list.

I think the work done here seems great. I think it seems to lay a good foundation for future development of the CRS. And I appreciate the time gone into it and the frustration the radio silence since release must feel like. I followed with interest the discussions on this but never actually installed the version 3 rules while they were being developed for above reasons so, for me, it's not as simple as upgrading to RC1 and giving further feedback.

Will feedback when I get a chance to look and hopefully others, that have taken time to have a go with this, will give you some of the feedback you're looking for.


> On 19 Aug 2016, at 20:39, Christian Folini <christian.folini at netnea.com> wrote:
> Dear all,
> We had the first major bug report for CRS3-RC1 today.
> https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/542
> The maximum line length of Apache 2.2 is too short for two of the
> new Remote Command Execution rules which come in at over 10K bytes.
> Expect a fix on github in the next few days; certainly for RC2.
> Meanwhile Apache 2.4 is doing great and github user @emphazer who
> discovered this bug reports of over 100 production machines running
> CRS3-RC1.
> But the list here has remained silent over the release. I see several
> possible reasons:
> - Nobody gives a shit
> - It fails so miserably on your server you removed it immediately and
>  you do not want to talk about CRS anymore
> - It worked like a charm without any false positives, so you forgot
>  about its existence instantly.
> Either way, some feedback would be nice. This is an opensource project.
> Chaim and Walter worked day and night for this, and if not even the
> project mailinglist has some positive or negative feedback, then I
> wonder why anybody is doing this at all.
> Best,
> Christian Folini
> -- 
> https://www.feistyduck.com/training/modsecurity-training-course
> mailto:christian.folini at netnea.com
> twitter: @ChrFolini
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

More information about the Owasp-modsecurity-core-rule-set mailing list