[Owasp-modsecurity-core-rule-set] News from the Core Rule Set (2017-07-07)

Christian Folini christian.folini at netnea.com
Fri Jul 7 08:25:35 UTC 2017


Dear all,

This is the CRS newsletter covering the period from June until today.

I was not sure I had the time to compile this message in time as I
am currently attending a medieval reenactment event with the
Company of St. George. But the camp is now set up for the weekend,
all is quite and I sneaked off to write the newsletter. Hope
nobody sees me any my notebook...

What has happened during the last few weeks:

- We held our community chat last Monday. Outside of administrative
  topics, we looked into some of the open issues and talked about
  plans for the 3.1 release.
  The next community chats will be held on the following dates:
  - Aug 7, 2017, 20:30 CEST (14:30 EST, 19:30 GMT)
  - Sep 4, 2017, 20:30 CEST
  - Oct 2, 2017, 20:30 CEST
  - Nov 6, 2017, 20:30 CET
  - Dec 4, 2017, 20:30 CET

- So what are the plans for 3.1?
  - Chaim thinks that the whole SQL rules are hard to overview and even
  chaotic despite a consolidation effort by Ryan Barnett around the
  2.2.4 release. So Chaim wants to review and possibly re-organise
  sqli detection.
  - Walter is sick of not detecting Java exploits and he plans to
  write new rules to stop that attack vector.
  - Franziska volunteered to try and disassemble the roughly three dozens
  of highly optimized regular expressions in CRS. She worked on issue
  811 and thinks that this archaeological work is just her thing. Given 
  my background in history, I appreciate all efforts in rule archaeologicy.
  - And finally, we all agreed that the situation with false positives
  with non-western languages is unbearable. Victor has made some
  very useful observations, we think that some ModSecurity transformations
  might be at fault here too and we want to come up a clean and
  workable solution here. But this is going to be tough.

  Generally, there has to be a balance between closing existing holes with the
  detection and extending the detection capabilities towards new areas. It
  looks as if the scanning of uploaded files with Fuzzy Hashing was not 
  immediately on the table (unless somebody thinks this would be great and 
  takes up the task to implement it).

- When I talked about a couple of weeks until we have the new logo
  I did not define "couple". What I can say now is that a couple of
  weeks is more than 4 and that it's only a matter of a couple of days
  now until the new logo. But the latest drafts are really promising.

- Our twitter account @CoreRuleSet is online, but we did not start tweeting
  yet. We want to wait for the logo, because who want's to tweet from a
  naked account.

- The new project website is being prepared as I write this. Walter 
  settled on a design theme and he is actively looking into creating 
  content together with Chaim. The idea is to use the website actively
  as a site for blogging about the project.
  Walter is aiming for a launch of the site in early August.

- In May, we announced Franziska Buehler (franbuehler) and Christoph
  Hansen (emphazer) had joined the project as developers. In the
  meantime, we also added Victor Hora to the rooster. However, we
  encountered difficulties when granting them commit permission. The
  case with Victor was easy. Given he is a Trustwave employee, he
  is part of Trustwave Spiderlabs and got immediate commit rights
  on our project as our repository is hosted on github under the
  Spiderlabs organisation. Bringing new people into our projects
  means they need to be granted commit rights by the Spiderlabs
  admins. This was never an issue as long as project lead Chaim
  worked for Spiderlabs, but he quit and now we depend on the
  goodwill of Trustwave with this. We could move the repository
  of course, but that is a huge hassle for little gain.
  After lobbying for several weeks, Franziska and Christoph
  finally got the requested permissions on Wednesday and we have
  been promised that granting the permissions to non-Spiderlabs
  developers was now generally resolved and the next
  ones will be easier. Keeping our fingers crossed.
  We thank Franziska and Christoph for their patience. And we
  also thank Trustwave / Spiderlabs for the goodwill they continue
  to show towards our project. Trustwave has been stewarding 
  ModSecurity and CRS for many years and when Chaim quit his job 
  in February, we knew there might be hassles. But we are still in 
  close contact and resolving issues as this helps building the 
  mutual trust.

- The groups of new bypasses reported here last month is still open.
  There is a new ModSecurity release pending that will include an
  updated libinjection with better detection capabilities. But there
  is also going to be a new rule or several rules in CRS. It's just
  not ready yet.

Upcoming stuff

- Having attended my CRS talk at AppSecEU, the OWASP chapter London
  has invited me to present at their regular chapter meeting on
  July 27.
  https://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-thursday-27th-july-2017-630pm-tickets-33237474180
  There is a limited number of seats, so reserve it in time.
  However, they are also planning to a livestream of the event.
  Please check out OWASP London on twitter on infos about this.

- OWASP Switzerland has also invited me to their meeting in Zurich
  in August. This is likey to happen on August 19, but the date
  is not fixed. And there is also a CRS presentation at OWASP Geneva
  planned in September or so.

- Feisty Duck and I announced two two-day courses about ModSecurity
  and CRS. These are the dates:
  - London: 4-5 October 2017
  - Zurich: 11-12 October 2017
  https://www.feistyduck.com/training/modsecurity-training-course
  We have early bird subscriptions open until the end of the month.
  Afterwards, the price will raise by 25%. Obviously, I would be
  very happy if we would have large and diverse classes that
  allow for interesting discussions from people with different
  perspectives (that's the best part of the courses for me :) 

- Next CRS chat: August 7, 2017, 20:30 CEST on Freenode IRC, channel
  #modsecurity (14:30 EST, 19:30 GMT)

So, I hope I did not forget too many things. It's time to walk back
into our medieval camp and I wish you all a lovely July!

Christian

-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.folini at netnea.com
twitter: @ChrFolini


More information about the Owasp-modsecurity-core-rule-set mailing list