[Owasp-modsecurity-core-rule-set] News from the Core Rules (2016-11-24)

Christian Folini christian.folini at netnea.com
Thu Nov 24 06:44:03 UTC 2016

Hi there,

CRS3 has been released two weeks ago. Time for a status update.

We had a successful release with people enjoying the poster, a few
blog posts about the release, a successful reddit thread and eventually
we even hit Slashdot:


We are also seeing 50-100 visitors on the tutorials per day and I
have followed up with a guide on how to secure Drupal with ModSecurity


Still in the queue is an article on Linux Weekly News which will 
give an introduction into the project and an overview of the new
features in CRS3.

We have fixed a bug in the comments / recommendations in the rule files
and we are working on a handful of false positives:


Namely the occurrence of semicolons in filenames (html encoding!)
is quite nasty as the semicolon is a very powerful character in attacks
and it usually serves as an indicator something bad is happening.

The other false positives we heard of are a bit less problematic. 

We are certainly relieved that, there has not been an avalanche
of new false positives being reported. So far, we are able to manage.

We are looking into fixing the open issues with false positives and do a
3.0.1 release eventually. The idea is to do maintenance and security
releases on the 3.0 release tree (mainly fixing false positives), while
new features will go into 3.1-dev.

We have also started to clean up the issues on github. About 30 of them
We still have 13 older issues that we would like to tackle:
And then of course 58 ideas of what might go into 3.1.

So even if we have 83 open issues, only 20 or so of them are really
relevant as of now. The rest is feature requests / ideas.

If you are interested you can go to github and chime in on the
discussion of the new features. What is interesting to you, what
does not have any merit and what other features are you missing?
Please add your comments on github.

Helping to fix the other issues is highly welcome too. Especially
LDAP knowledge is needed with two of the older issues. I am afraid
fixing those might lead to false positives unless we really know
what we are doing (and I don't).

Finally, in order to see the CRS spread wide and wider, we need
success stories. That is reports and blog posts of people successfully
using CRS3 on their servers. I am willing to send printed copies
of the release poster to anyone posting a good report as a gimmick
or thank you.



mailto:christian.folini at netnea.com
twitter: @ChrFolini

More information about the Owasp-modsecurity-core-rule-set mailing list