Question for the lists – if you are not running the latest version of 
ModSecurity (v.2.6.7), what are the reasons why you have not upgraded?

I ask this question because we are constantly adding new features to 
ModSecurity that can then be leveraged with the OWASP ModSecurity CRS.  For 
example, we have added some new actions:

 *   ver – which will hold the rule package data.  Example - 
"id:'959901',ver:'OWASP_CRS/2.2.5',…"
 *   maturity – which will give the user a better idea of how well tested the 
rule is.  Example - "id:'959901',ver:'OWASP_CRS/2.2.5',maturity:'9'…"
 *   accuracy – which will give the user a better idea of the potential false 
positive/false negative rates.  Example - 
"id:'959901',ver:'OWASP_CRS/2.2.5',maturity:'9',accuracy:'9'…"

These new features are valuable and I am looking to add them to the OWASP CRS; 
however, there is no good way to make this backward compatible.  If you are 
using an older version of ModSecurity then it will fail on an Apache restart as 
it won't recognize these new actions.

So, I am looking to better understand why users are not always upgrading to the 
latest versions.  One issue might be that many users simply use the OS repos to 
install ModSecurity rather than compiling from source.  If this is the case, 
then perhaps we can work better with these repo owners to get the 
latest/greatest versions out in the repos sooner.

Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
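A pre-restart check for the compatibility problem described in the message above, as an added example that is not part of the original post or of the ModSecurity/CRS projects: it scans rule text for the `ver`, `maturity` and `accuracy` actions so an administrator on an older build can see which rules would be rejected. The function names and the sample rules are constructed for illustration, and the parser assumes the action list is the last double-quoted argument of each directive.

```python
import re

# Action names taken from the message above; older builds reject them at startup.
NEW_ACTIONS = {"ver", "maturity", "accuracy"}

def split_actions(action_string):
    """Split an action list on commas that sit outside single quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in action_string:
        if ch == "'" and prev != "\\":   # an escaped quote does not toggle
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    parts.append(cur.strip())
    return [p for p in parts if p]

def find_new_actions(conf_text):
    """Return [(rule id, [new actions used])] for SecRule/SecAction directives."""
    # Join backslash-continued lines the way Apache does before parsing.
    text = re.sub(r"\\\r?\n[ \t]*", "", conf_text)
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not re.match(r"(?i)Sec(Rule|Action)\b", line):
            continue
        args = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if not args:
            continue
        names = {}
        for action in split_actions(args[-1]):
            name, _, value = action.partition(":")
            names[name.strip().lower()] = value.strip().strip("'")
        used = sorted(NEW_ACTIONS.intersection(names))
        if used:
            findings.append((names.get("id", "<no id>"), used))
    return findings

# Constructed sample rules (not copied from the CRS), one new-style, one old-style.
SAMPLE = r'''
SecRule ARGS "@rx select" \
    "phase:2,id:'959901',ver:'OWASP_CRS/2.2.5',maturity:'9',accuracy:'9',msg:'test, with comma',block"
SecRule ARGS "@rx union" "phase:2,id:'959902',msg:'old style rule',block"
'''

if __name__ == "__main__":
    for rule_id, used in find_new_actions(SAMPLE):
        print(f"rule {rule_id}: uses {', '.join(used)}")
```

The check only reports where the actions appear; which ModSecurity release first accepts them has to be confirmed against the installed version's documentation.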
