[Owasp-modsecurity-core-rule-set] OWASP ModSecurity CRS Version 3.0 RC3 Released

Christian Folini christian.folini at netnea.com
Thu Nov 3 08:01:52 UTC 2016

Dear all,

The 3rd release candidate of the upcoming
OWASP ModSecurity Core Rule Set v3.0.0
has been published.


This is essentially RC2 with 
* more false positives weeded out (Walter Hop + github user
* Added rules to detect Shellshock attack (Walter Hop / RedHat)

We somehow missed out on the shellshock probes / exploits until very
late in our release cycle. RedHat kindly allowed us to re-use their
ModSec rules in CRS, so we added them to the RCE rules.

However, being a "new" group of rules we decided it is better to
issue another RCA. This allows us to do the final release very similar
to the last RC and no surprise with the full release.

So we are still aiming for November 8, 2016, with gold.

FYI: Chaim might start to re-arrange the github repository somewhat
a day or two in advance. You have been warned.

As indicated yesterday, I have updated my CRS tutorial to work with
CRS 3.0.0-rc3:
I will make sure it is ready for CRS 3.0.0 when it comes out.

I'm also writing an extensive tutorial with practical advice on how
to weed out false positives with a Core Rule Set installation. Hope
I get this over until the release.


Christian Folini

mailto:christian.folini at netnea.com
twitter: @ChrFolini

More information about the Owasp-modsecurity-core-rule-set mailing list