[Owasp-leaders] [Owasp-modsecurity-core-rule-set] Announcing release of OWASP Modsecurity CRS v2.0.9

Ryan Barnett ryan.barnett at owasp.org
Thu Nov 18 10:23:42 EST 2010


Greetings everyone,
> I am pleased to announce the release of the OWASP ModSecurity Core Rule Set
> (CRS) v2.0.9.
> 
> The most significant change is that users can now easily toggle between
> Traditional or Anomaly Scoring Detection modes.
> http://blog.modsecurity.org/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
> 
> CHANGE LOG -
> --------------------------
> Version 2.0.9 - 11/17/2010
> --------------------------
> 
> Improvements:
> - Changed the name of the main config file to modsecurity_crs_10_config.conf.example
>   so that it will not overwrite existing config settings.  Users should rename this
>   file to activate it.
> - Traditional detection mode is now the current default
> - Users can now more easily toggle between traditional/standard mode vs. anomaly
>   scoring mode by editing the modsecurity_crs_10_config.conf file
> - Updated the disruptive actions in most rules to use "block" action instead of
>   "pass".  This is to allow for the toggling between traditional vs. anomaly
>   scoring modes.
> - Removed logging actions from most rules so that it can be controlled from the
>   SecDefaultAction setting in the modsecurity_crs_10_config.conf file
> - Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more
>   closely match what is used in the PHPIDS rules.  These still have the same factor
>   of severity even though the numbers themselves are smaller.
> - Updated the 49 and 59 blocking rules to include the matched logdata
> - Updated the TAG data to further classify attack/vuln categories.
> - Updated the SQL Injection filters to detect more boolean logic attacks
> - Moved some files to optional_rules directory (phpids, Emerging Threats rules)
> 
> Bug Fixes:
> - Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is
>   missing 1 single quote
>   https://www.modsecurity.org/tracker/browse/CORERULES-63
> - Moved all skipAfter actions in chained rules to the rule starter line (must have
>   ModSec v2.5.13 or higher)
>   https://www.modsecurity.org/tracker/browse/MODSEC-159
> - Fixed restricted file extension bug with macro expansion
>   https://www.modsecurity.org/tracker/browse/CORERULES-60
> - Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
>   it matches what is being set in the sql injection conf file
> - Fixed typo in SQL Injection regexes - missing backslash for word boundary (\b)
>   https://www.modsecurity.org/tracker/browse/CORERULES-62
> 
> --------------------------
> DOWNLOADING
> --------------------------
> Manual Downloading:
> You can always download the latest CRS version here -
> https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
> 
> Automated Downloading:
> Use the rules-updater.pl script in the CRS /util directory
> 
> # Get a list of what the repository contains:
> $ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -l
> 
> Repository: http://www.modsecurity.org/autoupdate/repository
> 
> modsecurity-crs {
>           2.0.0: modsecurity-crs_2.0.0.zip
>           2.0.1: modsecurity-crs_2.0.1.zip
>           2.0.2: modsecurity-crs_2.0.2.zip
>           2.0.3: modsecurity-crs_2.0.3.zip
>           2.0.4: modsecurity-crs_2.0.4.zip
>           2.0.5: modsecurity-crs_2.0.5.zip
>           2.0.6: modsecurity-crs_2.0.6.zip
>           2.0.7: modsecurity-crs_2.0.7.zip
>           2.0.8: modsecurity-crs_2.0.8.zip
>           2.0.9: modsecurity-crs_2.0.9.zip
> }
> 
> # Get the latest stable version of "modsecurity-crs":
> $ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs
> Fetching: modsecurity-crs/modsecurity-crs_2.0.9.zip ...
> $ ls -R rules
> modsecurity-crs
> 
> rules/modsecurity-crs:
> modsecurity-crs_2.0.9.zip    modsecurity-crs_2.0.9.zip.sig
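
As an added illustration of the changelog entry on the "block" action (not part of the original message and not taken from the CRS files), the ModSecurity fragment below shows how one rule written with block follows whichever SecDefaultAction is active. The rule IDs, the /admin-test pattern, and the score and threshold values are constructed for the example.

```apache
# Added example, not CRS code. IDs 9990001-9990002, the /admin-test pattern
# and the score/threshold of 5 are constructed values.

# Traditional mode: "block" in the rules below resolves to this deny,
# so the first matching rule stops the transaction.
SecDefaultAction "phase:2,deny,status:403,log"

# Anomaly scoring mode: use this line instead of the one above. "block"
# then resolves to pass, and a match only raises the transaction score.
# SecDefaultAction "phase:2,pass,log"

# Detection rule, written once with "block". Its disruptive behaviour is
# inherited from SecDefaultAction rather than hard-coded in the rule.
SecRule REQUEST_URI "@contains /admin-test" \
    "phase:2,t:none,block,id:'9990001',msg:'Constructed sample detection',setvar:tx.anomaly_score=+5"

# Enforcement rule for anomaly scoring mode: runs after the detection rules
# and denies once the accumulated score reaches the threshold. In traditional
# mode the request has already been denied before this rule is evaluated.
SecRule TX:ANOMALY_SCORE "@ge 5" \
    "phase:2,t:none,deny,status:403,log,id:'9990002',msg:'Anomaly score exceeded: %{tx.anomaly_score}'"
```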
