Dear all,

The 3rd release candidate of the upcoming OWASP ModSecurity Core Rule Set v3.0.0 has been published.

https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.0-rc3

This is essentially RC2 with

* more false positives weeded out (Walter Hop + github user @shimshon70)
* Added rules to detect Shellshock attack (Walter Hop / RedHat)

We somehow missed out on the shellshock probes / exploits until very late in our release cycle. RedHat kindly allowed us to re-use their ModSec rules in CRS, so we added them to the RCE rules.

However, being a "new" group of rules we decided it is better to issue another RC. This allows us to do the final release very similar to the last RC and no surprise with the full release.

So we are still aiming for November 8, 2016, with gold.

FYI: Chaim might start to re-arrange the github repository somewhat a day or two in advance. You have been warned.

As indicated yesterday, I have updated my CRS tutorial to work with CRS 3.0.0-rc3:

https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/

I will make sure it is ready for CRS 3.0.0 when it comes out.

I'm also writing an extensive tutorial with practical advice on how to weed out false positives with a Core Rule Set installation. Hope I get this over until the release.

Cheers,

Christian Folini

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini