I am beginning to update the modsecurity_crs_10_setup.conf file contents. I will be sending out each section as I update it for feedback.
The first section I am adding to the beginning of this file is a reference to the recommended base configuration file that comes with the ModSecurity source archive. We have found that many users are not using this file and there are some impacts to the rules. For example, if you have not defined SecRequestBodyAccess On, then the CRS rules will not be able to inspect request body ARGS.

I added the following comment text at the beginning of the file to ensure that CRS users are aware of the recommended base config file.

#
# -- [[ Recommended Base Configuration ]] -------------------------------------------------
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings such as:
#
# - SecRuleEngine
# - SecRequestBodyAccess
# - SecAuditEngine
# - SecDebugLog
#
# You should use the modsecurity.conf-recommended file that comes with the
# ModSecurity source code archive.
#
# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
#

Comments welcome.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
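As an added illustration of the point made in the message above (this is not part of the original post, nor a file shipped with ModSecurity or the CRS): a minimal Apache configuration showing the base ModSecurity directives that the CRS setup file deliberately leaves alone, loaded ahead of the CRS files. The directive names are real ModSecurity 2.x directives; the file paths and the limit values are assumptions chosen for the example.

```apache
# Added example (not from the original message): a minimal base ModSecurity
# configuration of the kind modsecurity.conf-recommended provides. The CRS
# setup file (modsecurity_crs_10_setup.conf) does NOT set these directives,
# so they must come from the base config and be loaded before the CRS rules.
# Paths and limit values below are assumptions for illustration only.

<IfModule security2_module>
    # Engine state: DetectionOnly logs matches without blocking; switch to On
    # once the rule set has been tuned for the site.
    SecRuleEngine DetectionOnly

    # Without this the request body is never buffered, so ARGS carried in a
    # POST body are invisible to the CRS rules (the problem noted above).
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyLimitAction Reject

    # Response body inspection (needed by the outbound / data-leakage rules).
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial

    # Temporary and persistent storage used by collections and body buffering.
    SecTmpDir /tmp/
    SecDataDir /tmp/

    # Audit log: only transactions that matched a rule or returned a 5xx/4xx
    # status (other than 404) are written.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/modsec_audit.log

    # Debug log: level 0 is off; raise it only while troubleshooting.
    SecDebugLog /var/log/modsec_debug.log
    SecDebugLogLevel 0

    # Load order matters: base config above, then the CRS setup file, then
    # the rule files it controls (CRS paths assumed).
    Include /etc/modsecurity/crs/modsecurity_crs_10_setup.conf
    Include /etc/modsecurity/crs/base_rules/*.conf
</IfModule>
```

A quick way to confirm the base config is actually in effect: send the same test payload once in the query string and once in a POST body. If the CRS rules match it in the query string but not in the body, the body is not being buffered and SecRequestBodyAccess On has not taken effect (wrong file, wrong load order, or a stray later directive turning it off).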