Hi there,

It's been a few weeks, and I thought I'd do another status update.

The CRS3 release was six weeks ago. We were a bit afraid that adoption would lead to many reports of new false positives. That is clearly not the case. Feeling better now. You can check the open issues with CRS 3.0.0 on GitHub:
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues?q=is%3Aissue+is%3Aopen+label%3A%22v3.0-dev+Development%22

There is a mini-tutorial at How-To-Forge on how to run CRS3 with ISPConfig. We may look into integrating the documented rule exclusions in a future CRS version.
https://www.howtoforge.com/community/threads/mini-howto-modsecurity-crs-3-0-on-debian-jessie.74898

Longtime Debian packager Alberto Gonzalez Iniesta has packaged CRS3 for Debian and published the new package. I worked with him on package optimization (better paths, simpler includes, better description, etc.). That work will be uploaded right before Debian Stretch (the next Debian release) is frozen. The Debian package is of course very important, as it will be picked up by many other distributions depending on Debian.
https://packages.debian.org/jessie-backports/modsecurity-crs

The tutorials about Apache/ModSecurity that I updated for CRS3 have been translated to German. You can get them here:
https://www.netnea.com/cms/apache-tutorials-de/

While staying at a hotel in Germany during a ModSec course I ran, I hacked together a Core Rule Set inventory. It gives you an overview of all CRS3 rules and serves as a link to the definition of the rule on GitHub. There are also options for easy access, like typing "crs 942100" in the address bar of the browser and being taken to the right rule entry in the rule inventory immediately. So if you face an alert, you can type the rule id in the browser and it gives you all you need to know about the rule that triggered the alarm:
https://www.netnea.com/cms/core-rule-set-inventory

The next course will be in Zurich, Switzerland, near the end of February. There is now a single early bird ticket left. And afterwards a handful of regular price tickets:
https://www.feistyduck.com/training/modsecurity-training-course

Chaim, Walter and I are planning to make an appearance at the OWASP AppSecEurope conference in Belfast in May. We are planning various talks and activities around the Core Rule Set. If you want to join (or support and contribute!), you can follow our plans on the OWASP wiki:
https://www.owasp.org/index.php/CRSAppSecEU2017

And finally, Linux Weekly News published an article on ModSecurity last week:
https://lwn.net/Articles/708673/

A second one about CRS3 came out yesterday. It is paywalled for seven days; afterwards it will become freely available. If you are not a subscriber, but you want instant access nevertheless, then let me know and I can send you a subscriber's link.

That's all that springs to mind right now.

All the best!

Christian

--
CRS website: https://www.modsecurity.org/crs
CRS at OWASP: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
CRS tutorials: https://netnea.com/apache-tutorials