Dear all,

We had the first major bug report for CRS3-RC1 today.
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/542

The maximum line length of Apache 2.2 is too short for two of the
new Remote Command Execution rules which come in at over 10K bytes.

Expect a fix on GitHub in the next few days; certainly for RC2.

Meanwhile Apache 2.4 is doing great, and GitHub user @emphazer, who
discovered this bug, reports over 100 production machines running
CRS3-RC1.

But the list here has remained silent over the release. I see several
possible reasons:
- Nobody gives a shit
- It failed so miserably on your server you removed it immediately and
  you do not want to talk about CRS anymore
- It worked like a charm without any false positives, so you forgot
  about its existence instantly.

Either way, some feedback would be nice. This is an open source project.
Chaim and Walter worked day and night for this, and if not even the
project mailing list has some positive or negative feedback, then I
wonder why anybody is doing this at all.

Best,

Christian Folini


-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
