[Owasp-modsecurity-core-rule-set] News from the Core Rule Set (2017-07-07)
christian.folini at netnea.com
Fri Jul 7 08:25:35 UTC 2017
This is the CRS newsletter covering the period from June until today.
I was not sure I had the time to compile this message in time as I
am currently attending a medieval reenactment event with the
Company of St. George. But the camp is now set up for the weekend,
all is quiet and I sneaked off to write the newsletter. Hope
nobody sees me and my notebook...
What has happened during the last few weeks:
- We held our community chat last Monday. Outside of administrative
topics, we looked into some of the open issues and talked about
plans for the 3.1 release.
The next community chats will be held on the following dates:
- Aug 7, 2017, 20:30 CEST (14:30 EST, 19:30 GMT)
- Sep 4, 2017, 20:30 CEST
- Oct 2, 2017, 20:30 CEST
- Nov 6, 2017, 20:30 CET
- Dec 4, 2017, 20:30 CET
- So what are the plans for 3.1?
- Chaim thinks that the whole SQL rules are hard to overview and even
chaotic despite a consolidation effort by Ryan Barnett around the
2.2.4 release. So Chaim wants to review and possibly re-organise
- Walter is sick of not detecting Java exploits and he plans to
write new rules to stop that attack vector.
- Franziska volunteered to try and disassemble the roughly three dozens
of highly optimized regular expressions in CRS. She worked on issue
811 and thinks that this archaeological work is just her thing. Given
my background in history, I appreciate all efforts in rule archaeology.
- And finally, we all agreed that the situation with false positives
with non-western languages is unbearable. Victor has made some
very useful observations, we think that some ModSecurity transformations
might be at fault here too and we want to come up with a clean and
workable solution here. But this is going to be tough.
Generally, there has to be a balance between closing existing holes with the
detection and extending the detection capabilities towards new areas. It
looks as if the scanning of uploaded files with Fuzzy Hashing was not
immediately on the table (unless somebody thinks this would be great and
takes up the task to implement it).
- When I talked about a couple of weeks until we have the new logo
I did not define "couple". What I can say now is that a couple of
weeks is more than 4 and that it's only a matter of a couple of days
now until the new logo. But the latest drafts are really promising.
- Our twitter account @CoreRuleSet is online, but we did not start tweeting
yet. We want to wait for the logo, because who wants to tweet from a
- The new project website is being prepared as I write this. Walter
settled on a design theme and he is actively looking into creating
content together with Chaim. The idea is to use the website actively
as a site for blogging about the project.
Walter is aiming for a launch of the site in early August.
- In May, we announced Franziska Buehler (franbuehler) and Christoph
Hansen (emphazer) had joined the project as developers. In the
meantime, we also added Victor Hora to the roster. However, we
encountered difficulties when granting them commit permission. The
case with Victor was easy. Given he is a Trustwave employee, he
is part of Trustwave Spiderlabs and got immediate commit rights
on our project as our repository is hosted on github under the
Spiderlabs organisation. Bringing new people into our projects
means they need to be granted commit rights by the Spiderlabs
admins. This was never an issue as long as project lead Chaim
worked for Spiderlabs, but he quit and now we depend on the
goodwill of Trustwave with this. We could move the repository
of course, but that is a huge hassle for little gain.
After lobbying for several weeks, Franziska and Christoph
finally got the requested permissions on Wednesday and we have
been promised that granting the permissions to non-Spiderlabs
developers was now generally resolved and the next
ones will be easier. Keeping our fingers crossed.
We thank Franziska and Christoph for their patience. And we
also thank Trustwave / Spiderlabs for the goodwill they continue
to show towards our project. Trustwave has been stewarding
ModSecurity and CRS for many years and when Chaim quit his job
in February, we knew there might be hassles. But we are still in
close contact and resolving issues as this helps build the
- The group of new bypasses reported here last month is still open.
There is a new ModSecurity release pending that will include an
updated libinjection with better detection capabilities. But there
is also going to be a new rule or several rules in CRS. It's just
not ready yet.
- Having attended my CRS talk at AppSecEU, the OWASP chapter London
has invited me to present at their regular chapter meeting on
There is a limited number of seats, so reserve it in time.
However, they are also planning a livestream of the event.
Please check out OWASP London on Twitter for info about this.
- OWASP Switzerland has also invited me to their meeting in Zurich
in August. This is likely to happen on August 19, but the date
is not fixed. And there is also a CRS presentation at OWASP Geneva
planned in September or so.
- Feisty Duck and I announced two two-day courses about ModSecurity
and CRS. These are the dates:
- London: 4-5 October 2017
- Zurich: 11-12 October 2017
We have early bird subscriptions open until the end of the month.
Afterwards, the price will rise by 25%. Obviously, I would be
very happy if we had large and diverse classes that
allow for interesting discussions between people with different
perspectives (that's the best part of the courses for me :)
- Next CRS chat: August 7, 2017, 20:30 CEST on Freenode IRC, channel
#modsecurity (14:30 EST, 19:30 GMT)
So, I hope I did not forget too many things. It's time to walk back
into our medieval camp and I wish you all a lovely July!