[Owasp-modsecurity-core-rule-set] CRS3-RC1 not working on Apache 2.2

Christian Folini christian.folini at netnea.com
Sat Aug 20 03:10:04 UTC 2016


Hi there,

Thanks Barry. I certainly did not expect many people to jump into this
immediately. It's a release candidate after all and there are many
constraints for existing servers.

I agree that a new service is better off starting with the CRS3
immediately than deploying CRS2 and migrating sooner or later.

What felt bad was the radio silence here on the list. A thumbs up
would be nice. A "thanks for the RC. Looking forward to install it
when I find the time" style message. I guess you get the idea.

Ahoj,

Christian




On Fri, Aug 19, 2016 at 09:01:56PM +0000, Barry Pollard wrote:
> Christian I think you missed possibly the two main reasons for lack of comments:
> 
> 1. People haven't had a chance to try it yet. It's been out 3 days! While you guys have spent a lot of time on this, and I honestly appreciate that, ModSecurity is not my full time job and while I personally do intend to have a look I've simply not had the time yet. I subscribe to this mailing list to keep abreast of changes, be aware of issues and help out when I can but that doesn't mean I'm going to jump immediately at any changes - particularly big ones like this.
> 
> 2. Is there a benefit in upgrading? Now before you take offence at that let me explain what I mean by that: I've invested a lot of time tuning the older CRS on the websites I look after to the point it doesn't false alert much. It works for me, I'm happy with it and it's not missing any features that CRS3 will give me AFAIK. Would installing ModSecurity have been easier if CRS3 was about then? Absolutely! And if adding ModSecurity to a new site going forward then I'll almost certainly go straight with version 3, but for me, one of the main benefits of this upgrade is the ease of installing it - as it shouldn't be full of false positives when installed with default settings like 2.9 and previous were. As I say, I've already got 2.9 working now, so that doesn't benefit me as much. I've also a certain amount of fear of time it would take to configure, and make me have to reimplement my tuning, for little extra benefit at this point. Do let me know if I'm missing something and you feel there's some big benefits to me that should make me jump this up my priority list.
> 
> I think the work done here seems great. I think it seems to lay a good foundation for future development of the CRS. And I appreciate the time gone into it and the frustration the radio silence since release must feel like. I followed with interest the discussions on this but never actually installed the version 3 rules while they were being developed for above reasons so, for me, it's not as simple as upgrading to RC1 and giving further feedback.
> 
> Will feedback when I get a chance to look and hopefully others, that have taken time to have a go with this, will give you some of the feedback you're looking for.
> 
> Thanks,
> Barry
> 
> > On 19 Aug 2016, at 20:39, Christian Folini <christian.folini at netnea.com> wrote:
> > 
> > Dear all,
> > 
> > We had the first major bug report for CRS3-RC1 today.
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/542
> > 
> > The maximum line length of Apache 2.2 is too short for two of the
> > new Remote Command Execution rules which come in at over 10K bytes.
> > 
> > Expect a fix on github in the next few days; certainly for RC2.
> > 
> > Meanwhile Apache 2.4 is doing great and github user @emphazer who
> > discovered this bug reports of over 100 production machines running
> > CRS3-RC1.
> > 
> > But the list here has remained silent over the release. I see several
> > possible reasons:
> > - Nobody gives a shit
> > - It fails so miserably on your server you removed it immediately and
> >  you do not want to talk about CRS anymore
> > - It worked like a charm without any false positives, so you forgot
> >  about its existence instantly.
> > 
> > Either way, some feedback would be nice. This is an opensource project.
> > Chaim and Walter worked day and night for this, and if not even the
> > project mailinglist has some positive or negative feedback, then I
> > wonder why anybody is doing this at all.
> > 
> > Best,
> > 
> > Christian Folini
> > 
> > 
> > -- 
> > https://www.feistyduck.com/training/modsecurity-training-course
> > mailto:christian.folini at netnea.com
> > twitter: @ChrFolini
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

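A pre-deployment check for the line-length problem in the quoted bug report, added here as an example that is not from the thread or from the CRS project: it scans rule files for lines longer than Apache 2.2's configuration line buffer (assumed to allow 8190 usable bytes; the sample rule file it builds is constructed, not real CRS content) so an oversized rule is caught before httpd refuses to load the set.

```shell
#!/bin/sh
# Added example: flag rule lines that Apache 2.2 cannot read as one
# configuration line. Assumption: the usable limit is 8190 bytes
# (MAX_STRING_LEN 8192 minus terminator); override LIMIT for your build.
LIMIT=${LIMIT:-8190}

# Print "file:line:bytes" for every line longer than the given limit.
# Usage: find_long_lines LIMIT file...
find_long_lines() {
    limit=$1; shift
    # LC_ALL=C makes awk's length() count bytes rather than characters,
    # which is what the httpd config reader cares about.
    LC_ALL=C awk -v lim="$limit" \
        'length($0) > lim { printf "%s:%d:%d\n", FILENAME, FNR, length($0) }' "$@"
}

# Return the number of offending lines across the files (0 = safe to load).
# Usage: count_long_lines LIMIT file...
count_long_lines() {
    find_long_lines "$@" | wc -l | tr -d ' '
}

# Construct a sample rule file (not real CRS content) with one rule whose
# pattern is about 9000 bytes long, so the check can be exercised offline.
make_sample_rules() {
    out=$1
    printf 'SecRule ARGS "@rx example" "id:900001,phase:2,deny"\n' > "$out"
    printf 'SecRule ARGS "@rx ' >> "$out"
    head -c 9000 /dev/zero | tr '\0' 'a' >> "$out"
    printf '" "id:900002,phase:2,deny"\n' >> "$out"
}

# Example invocation against a real rule directory (commented out so the
# script defines functions only when sourced):
# count_long_lines "$LIMIT" /etc/modsecurity/crs/rules/*.conf
```

Run it against the rules directory of an RC1 checkout before pointing an Apache 2.2 `Include` at it; a non-zero count means at least one rule will fail to load on that server.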
