Dear all, In late 2016 I sent two messages with news from the Core Rule Set Project. Lately we had a developer meeting on IRC and we decided to make this a regular newsletter, aiming for a once a month publication.
What has happened during the last few weeks:

- Project lead Chaim Sanders, Walter Hop and I met on IRC and we decided to run regular IRC meetings about CRS. The gatherings are for those interested in the development of the project and the rules. These meetings will happen once a month on the first Monday at 20:30 MET (14:30 EST, 19:30 GMT) on Freenode IRC, channel #modsecurity. The dates for 2017 are thus:
  April 3, 2017, 20:30 MET
  May 1, 2017, 20:30 MET
  June 5, 2017, 20:30 MET
  Jul 3, 2017, 20:30 MET
  Aug 7, 2017, 20:30 MET
  Sep 4, 2017, 20:30 MET
  Oct 2, 2017, 20:30 MET
  Nov 6, 2017, 20:30 MET
  Dec 4, 2017, 20:30 MET

- The weeding out of false positives in v3.0.0 has started. We aim to cover the lower paranoia levels as far as possible and issue a 3.0.1 in the next two months; possibly without closing _all_ known false positives.
  https://github.com/SpiderLabs/owasp-modsecurity-crs

- Angelo Conforti published a pair of modsec-replay scripts. The client script takes an audit log entry and fires the request against a server. The server script advertises a listener. It looks up the requests it receives in the audit log and responds with the appropriate response. This allows for the testing of rule set changes with a mock backend with correct responses. The identification of the corresponding answer to a request works via a hash submitted as an HTTP request header. Please give it a spin and let us know if it works for you.
  https://github.com/angeloxx/modsec-replay

- There is going to be a CRS3 introduction talk at the OWASP AppSecEU conference in Belfast. The conference takes place May 11/12, 2017.
  https://2017.appsec.eu

- Chaim also submitted two talks to AppSecEU. But it is not yet sure if he is accepted as a speaker or not with one of these submissions.

- Chaim and I (Christian speaking here) will attend the AppSecEU conference and we hope to meet other members of the community and Core Rule Set users. In fact Chaim and I have never met before, so we have something to celebrate after our arrival; likely May 9 or 10.

- We also want to use the opportunity and organise a CRS summit at AppSecEU. That is going to be a meeting where we will talk CRS with users and ideally also the vendors using ModSecurity Core Rule Set as part of their products. The date is not yet fixed, but May 10 sounds like a good choice. We will try and get in touch with vendors individually, but if you read this, then please take note. We want to meet you and have a chat over the Core Rule Set and its future. We are interested in your experience, your issues and how you use the Core Rule Set. This is not a "We need corporate sponsors" event. It's an event meant to get to know each other, talk CRS and drink a few beers afterwards.

- Typo3 security team member Adrian von Arx joined with me to look into default Rule Exclusions for Typo3. The idea is to develop a similar set of optional Rule Exclusions that we have for Wordpress and Drupal.
  https://www.netnea.com/cms/2017/01/13/starting-to-build-a-set-of-rule-exclusions-or-typo3/

- Damiano Esposito from the University of Applied Sciences in Zurich is conducting an extensive number of tests with various Security Scanners targeting a vulnerable Application protected by CRS3 at various paranoia levels. The first test runs look promising. I have written a blog post detailing the ModSecurity CRS3 setup.
  https://www.netnea.com/cms/2017/02/24/optimized-lab-setup-to-attack-modsecurity-with-security-sanners/

- In December, I talked about a paywalled Core Rule Set article at LinuxWeeklyNews. Said article is now freely available and brings an overview of CRS3 aimed at new users.
  https://lwn.net/Articles/709693/

- We have a lot of open issues on github thanks to dozens of feature requests for CRS 3.1 and beyond. This makes it somewhat hard to navigate the issues. In order to help you find your way around, there is now a set of shortcuts to individual queries.
  https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Getting_Involved
  The shortcuts involve:
  - Open Issues 3.0.x
  - False Positives
  - False Negatives
  - Feature Requests for 3.1
  - Published research affecting project
  - Open Issues without a label / tag
  - Open Issues with a label, but without assignee
  - Open Issues before 2015
  - Open Issues before 2016
  - Open Issues before 2017

- And finally, let me remind you of a neat service at netnea.com which brings you information about individual rules and links to the definition of the rule. Here is an example:
  https://www.netnea.com/crs/949110
  If your browser supports smart bookmarks (Firefox does), then you can define one as follows:
  https://www.netnea.com/crs/%s
  with keyword crs and then call it with a lookup like "crs 949110" in the address bar of the browser. Very helpful and I use this several times a day. I also plan to expand the information displayed in this list. What are the bits of info that you think should be included? Please respond on the list or in private.

What's coming in the next few weeks:

- Damiano and I hope to give you a sneak preview of some research results.
- We're closing false positives based on the issues reported on github.
- More details of the CRS summit at AppSecEU will be defined and published.
- Next CRS3 chat: April 3, 2017, 20:30 MET on Freenode IRC, channel #modsecurity (14:30 EST, 19:30 GMT)

So this is it for the first CRS newsletter. If I missed something, please let me know. Feedback - good and bad - is much appreciated (which means: If you like this, then please let me know and share this message).
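To make the replay mechanism described above concrete (an audit log entry replayed by a client, a mock backend that finds the recorded response through a hash sent in a request header), here is a small added example in Python. It is not the modsec-replay code and makes its own assumptions: the hash is computed over the request line, normalised headers and body; the lookup header is called X-Replay-Hash; and the two-entry serial audit log is constructed for the example. The client rebuilds each recorded request and tags it with the hash; the mock backend answers from a table keyed by that hash and returns 404 for anything it does not recognise, which is what makes a rule change that alters or blocks a replayed request visible in the results.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample in ModSecurity's serial audit log format: B = request headers,
# C = request body, F = response headers, E = response body, Z = end of entry.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 200 OK
Content-Type: text/html

--a1b2c3d4-E--
<html>home page</html>
--a1b2c3d4-Z--

--e5f6a7b8-B--
POST /login HTTP/1.1
Host: www.example.com

--e5f6a7b8-C--
user=alice&password=xyz
--e5f6a7b8-F--
HTTP/1.1 302 Found
Location: /account

--e5f6a7b8-Z--
"""

HASH_HEADER = "X-Replay-Hash"  # header name is an assumption, not modsec-replay's choice
Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Split a serial-format audit log into entries keyed by section letter."""
    parts = re.split(r"^--([0-9a-f]+)-([A-Z])--$", text, flags=re.M)
    entries: Dict[str, Dict[str, str]] = {}
    for i in range(1, len(parts), 3):  # parts[0] is whatever precedes the first boundary
        entry_id, section, body = parts[i], parts[i + 1], parts[i + 2]
        if section != "Z":  # Z closes the entry and carries no payload
            entries.setdefault(entry_id, {"id": entry_id})[section] = body.strip("\n")
    return list(entries.values())

def _split_headers(block: str) -> Tuple[str, Dict[str, str]]:
    # (first line, {name: value}) for a B (request) or F (response) section
    lines = block.splitlines()
    pairs = (h.split(":", 1) for h in lines[1:] if ":" in h)
    return (lines[0] if lines else ""), {k.strip(): v.strip() for k, v in pairs}

def request_hash(entry: Dict[str, str]) -> str:
    """Fingerprint of the recorded request: request line, normalised headers, body.
    The hashing scheme itself is an assumption made for this example."""
    request_line, headers = _split_headers(entry.get("B", ""))
    normalised = sorted(f"{k.lower()}:{v}" for k, v in headers.items())
    material = "\n".join([request_line, *normalised, entry.get("C", "")])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def build_response_table(entries: List[Dict[str, str]]) -> Dict[str, Response]:
    """Server side: map each recorded request hash to the recorded response."""
    table: Dict[str, Response] = {}
    for e in entries:
        if "B" in e and "F" in e:
            status_line, headers = _split_headers(e["F"])
            table[request_hash(e)] = (int(status_line.split()[1]), headers, e.get("E", ""))
    return table

def client_request(entry: Dict[str, str]) -> Tuple[str, str, Dict[str, str], str]:
    """Client side: rebuild the request and tag it with the lookup hash."""
    request_line, headers = _split_headers(entry["B"])
    method, path, _version = request_line.split()
    headers[HASH_HEADER] = request_hash(entry)
    return method, path, headers, entry.get("C", "")

def mock_backend(headers: Dict[str, str], table: Dict[str, Response]) -> Response:
    """Mock backend: answer purely from the hash header. An unknown or missing hash
    yields 404, so a request the WAF altered or blocked stands out in the results."""
    key = next((v for k, v in headers.items() if k.lower() == HASH_HEADER.lower()), None)
    if key is None or key not in table:
        return 404, {"Content-Type": "text/plain"}, "no recorded response for this request"
    return table[key]

def replay(log_text: str) -> List[Tuple[str, int]]:
    """Replay every entry against the mock backend; returns (path, status) pairs."""
    entries = parse_audit_log(log_text)
    table = build_response_table(entries)
    results = []
    for e in entries:
        _method, path, headers, _body = client_request(e)
        status, _headers, _body = mock_backend(headers, table)
        results.append((path, status))
    return results
```

`replay(SAMPLE_AUDIT_LOG)` returns `[("/index.php?id=1", 200), ("/login", 302)]`. The HTTP transport between client and mock backend is left out; in a real setup the tagged request would travel through the ModSecurity instance under test, and any entry that comes back as 404 (hash header stripped, request rewritten) or is blocked outright is the one to look at after a rule change.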
Best regards,

Christian Folini, for the OWASP ModSecurity Core Rule Set team

--
CRS website: https://www.modsecurity.org/crs
CRS at OWASP: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
CRS tutorials: https://netnea.com/apache-tutorials

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set