Hey kause, I'll take a look at the install and update it today :) thanks for bringing that up. In general we are trying to deal with how PCRE deals with unicode characters... most of the problem is that many arabic chars (and others as you mentioned) are considered non-worst characters (/W) by PCRE... this is backwards (from our perspective) and a serious problem that requires us manually specifying large swaths of char sets in our rules... currently a good solution hasn't been suggested yet. If you have any input I'd love to hear it.
From: kause lotski <kause...@yahoo.com<mailto:kause...@yahoo.com>> Reply-To: kause lotski <kause...@yahoo.com<mailto:kause...@yahoo.com>> Date: Wednesday, September 16, 2015 at 4:24 AM To: Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>>, "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: Re: [Owasp-modsecurity-core-rule-set] Using 3.0 ruleset Hi, I was referring to this file https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-dev/INSTALL<http://scanmail.trustwave.com/?c=4062&d=rqf51bXRy3x_GvmCPADdd0iyNXviY6YH2Vzd-6RKyQ&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fowasp-modsecurity-crs%2fblob%2fv3%2e0%2e0-dev%2fINSTALL> which mentions directories that don't exist in 3.0 branch (base_rules, experimental_rules etc ) - is it safe to presume rules directory is the same as base_rules in 2.x ? Problem I hope to be at least somehow better ( I got this impression by reading tickets on github ) in 3.0 is that with 2.2.9 I basically need to disable most sql injection rules for any form field with user generated content (text fields, textareas etc) as this rules get triggered by UTF-8 encoded characters from Latin Extended-A - Wikipedia, the free encyclopedia<http://scanmail.trustwave.com/?c=4062&d=rqf51bXRy3x_GvmCPADdd0iyNXviY6YH2QCI8P4czA&s=5&u=https%3a%2f%2fen%2ewikipedia%2eorg%2fwiki%2fLatin%5fExtended-A> subset. Latin Extended-A - Wikipedia, the free encyclopedia<http://scanmail.trustwave.com/?c=4062&d=rqf51bXRy3x_GvmCPADdd0iyNXviY6YH2QCI8P4czA&s=5&u=https%3a%2f%2fen%2ewikipedia%2eorg%2fwiki%2fLatin%5fExtended-A> Latin Extended-A is a block of the Unicode Standard. View on en.wikipedia.org<http://scanmail.trustwave.com/?c=4062&d=rqf51bXRy3x_GvmCPADdd0iyNXviY6YH2QCI8P4czA&s=5&u=https%3a%2f%2fen%2ewikipedia%2eorg%2fwiki%2fLatin%5fExtended-A> Preview by Yahoo ________________________________ From: Chaim Sanders <csand...@trustwave.com<mailto:csand...@trustwave.com>> To: kause lotski <kause...@yahoo.com<mailto:kause...@yahoo.com>>; "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Sent: Tuesday, September 15, 2015 7:44 PM Subject: Re: [Owasp-modsecurity-core-rule-set] Using 3.0 ruleset The installation instructions are exactly identical, simply drop the folder structure in an area readable by your web server, include the .conf files from httpd.conf or equivalent, and go through the recommended configuration file and configure your options. At this point in fact 3.0 is by a large margin the preferred ruleset as far as OWASP CRS is concerned. We have hesitated to push 3.0 to main branch for two reasons right now... 1) is that it requires 2.8 or greater in order to run (thanks to things like @detectxss)(only recently has 2.8 become available in things like yum/apt-get repos) and two it has known high(but less high then 2.x) false positives rate for SQL injection. We want to address these false positives before we push it to the master branch. Does that answer your questions? From: <owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org>> on behalf of kause lotski <kause...@yahoo.com<mailto:kause...@yahoo.com>> Reply-To: kause lotski <kause...@yahoo.com<mailto:kause...@yahoo.com>> Date: Monday, September 14, 2015 at 2:19 PM To: "owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>" <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: [Owasp-modsecurity-core-rule-set] Using 3.0 ruleset Hi, as it seems 3.0 greatly improves extended character sets in unicode handling (false positives due to this characters), I would like to give it a try. But as structure has totally changed INSTALL instructions aren't correct anymore in 3.0 branch, can someone give me a quick guide? is there any ETA for 3.0 ? Regards, Kause ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
