Thanks for that positive report Bill!
On Fri, Oct 21, 2016 at 04:11:44PM -0500, Bill Miller wrote:
> I installed this and am testing. I installed the early release
> candidate and fought all the battles there, so this was a super easy
> install - just copied the new rules folder and the config file over
> the old ones. So far so good.
>
> On 10/21/2016 12:07 AM, Christian Folini wrote:
> >Dear all,
> >
> >The 2nd release candidate of the upcoming
> >OWASP ModSecurity Core Rule Set v3.0.0
> >has been published.
> >
> >https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.0-rc2
> >
> >This RC2 addresses several reported issues and concerns from our users
> >in order to yield a more usable and complete project. The changes
> >include:
> >
> >* Further reduced false positives
> >* Template prebuilt exclusions for common web applications
> >  (including Wordpress and Drupal)
> >* A critical fix for usability on Apache 2.2
> >* Additional documentation updates
> >* Performance improvements
> >* Fixes for potential rule bypass issues
> >
> >Let me explain the template prebuilt exclusions a bit:
> >We reduced false positives for CRS3 by more than 90% in the default
> >install. But you still encounter them here and there. In order to
> >get rid of these false positives, you need to configure rule exclusions
> >for certain paths and/or parameters. That is instructions to ModSec
> >to exclude a path or parameter from being inspected by an individual
> >rule. CRS3-RC2 comes with a set of these rule exclusions for the
> >default installs of Wordpress and Drupal. This means, you can now
> >install these CMS suites, publish and consume articles without a
> >single false positive. This is a brand new feature and maybe we
> >did not catch everything. So a few test runs would be welcome. But this
> >is a start. If you have ties in the Wordpress and Drupal communities,
> >then please spread the word. If this is a successful method to get
> >Wordpress and Drupal users on board, we may look into expanding these
> >exclusion templates to other application packages as well.
> >
> >Ideally, this RC2 is identical with the full release. If there is no
> >showstopper, we will either release on October 31 or in early November.
> >
> >Chaim has written a blog post about this release:
> >https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Version-3-0-RC2-Released
> >
> >In parallel to this release, I am publishing a series of Apache /
> >ModSecurity tutorials at https://www.netnea.com/cms/apache-tutorials/
> >In the end, this will be 12 tutorials. At least. So far, the following
> >ones appeared:
> >  Tutorial 1: Compiling Apache
> >  Tutorial 2: Configuring a Minimal Apache Web Server
> >  Tutorial 3: Configuring an Apache/PHP Application Server
> >  Tutorial 4: Enabling Encryption with SSL/TLS
> >  Tutorial 5: Extending and Analyzing the Access Log
> >  Tutorial 6: Embedding ModSecurity
> >
> >Until CRS3 is out, you will also see
> >  Tutorial 7: Including the CRS
> >  Tutorial 8: Tuning the CRS / Writing Exclusion Rules
> >
> >Not that you would need to learn how to install Apache. But I do know
> >that the documentation on how to run the Core Rules in real life is
> >lacking. And I think I have a conceptual view on the issues around
> >CRS in production that is now ready to share. There will be methods
> >and scripts that greatly simplify life. Please have a look and please
> >share your experience.
> >
> >Reports about your experience with CRS3-RC2 is something we also need.
> >Positive feedback is what keeps us going. Bug reports is what helps
> >us improve the quality of the ruleset. Please send them in.
> >
> >Best regards,
> >
> >Christian Folini, in the name of the Core Rules team
> >(Chaim Sanders, Walter Hop and me)
> >
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
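
The rule exclusions described in the announcement (excluding one path or parameter from inspection by one individual rule) can be written by hand in two ways. This is an added example, not configuration from this thread or from the CRS project; the path, the parameter names and the rule ID 10000 are assumptions, and 942100 and 941100 are used here as the CRS3 libinjection SQLi and XSS rules.

```apache
# Constructed example: the path /blog/wp-login.php, the parameters "pwd" and
# "comment_body" and the local rule ID 10000 are assumptions for illustration.

# 1) Runtime exclusion, scoped to a single path.
#    Must be loaded BEFORE the CRS rule files, because it changes how a later
#    rule is evaluated for the current transaction only.
#    Effect: on /blog/wp-login.php, rule 942100 no longer inspects ARGS:pwd.
#    All other rules still inspect "pwd", and 942100 still inspects every
#    other parameter on that path and every parameter on all other paths.
SecRule REQUEST_FILENAME "@streq /blog/wp-login.php" \
    "id:10000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:pwd"

# (The CRS rule files are included at this point in the configuration.)

# 2) Startup-time exclusion, applied to all paths.
#    Must be loaded AFTER the CRS rule files, because it edits the target
#    list of a rule that has to be defined already.
#    Effect: rule 941100 never inspects ARGS:comment_body, on any URI.
SecRuleUpdateTargetById 941100 "!ARGS:comment_body"
```

The first form is the narrower of the two: it removes inspection for one rule, one parameter and one path, so it leaves the least uninspected surface behind when tuning away a false positive.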