Dear all,

This is the CRS newsletter covering the period from March until today.

What has happened during the last few weeks:

- We held our 2nd community chat last Monday. We were six people this
  time around and, what feels even more important, five of those
  accepted tasks to solve open issues.
  The next community chats will be held on the following dates:
  - May 1, 2017, 20:30 CEST (14:30 EST, 19:30 GMT)
  - June 5, 2017, 20:30 CEST
  - Jul 3, 2017, 20:30 CEST
  - Aug 7, 2017, 20:30 CEST
  - Sep 4, 2017, 20:30 CEST
  - Oct 2, 2017, 20:30 CEST
  - Nov 6, 2017, 20:30 CET
  - Dec 4, 2017, 20:30 CET

- We settled on a general release policy. Point releases (3.0.1, 3.0.2,
  etc.) will be maintenance releases concentrating on reducing false
  positives. No new rules will be introduced in a point release, unless
  we split a rule to solve a false positive. We will of course also look
  into bugs and documentation issues, but the idea with point releases is
  to reduce the strain on users updating CRS and give them confidence that
  no new blocks of legitimate traffic will occur. It is thus safe to
  update. The next release with new rules / features will be 3.1.0.

- We plan to take up development for an eventual 3.1.0 after the 3.0.1
  release.

- 3.0.1 will come out in the next few weeks. We have assigned the
  remaining issues
  https://github.com/SpiderLabs/owasp-modsecurity-crs/issues?q=is%3Aissue+is%3Aopen+label%3A%22v3.0-dev+Development%22
  and are confident we can solve them quickly now.
  We will also freeze for new false positives on Monday, April 10.
  This means: false positives reported until April 10 will likely
  be fixed in time for 3.0.1. FPs reported after that date will have
  to wait for 3.0.2.

- We discovered a new bug in rule 941150. GitHub user @UncleIS had
  pointed to a bug in this rule before, but now we realised that
  this PL1 rule raises the incoming anomaly score without writing an alert.
  FPs are relatively rare here, but you might not notice them unless
  you pay very close attention to the anomaly scores.
  You can follow the discussion via GitHub issue 704:
  https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/704

- GitHub user @emphazer points to RFC 3902 and the fact that SOAP
  requests are meant to be sent with content-type application/soap+xml.
  We will adopt the allowed content-types accordingly, but you also
  have to define the value in the official base rules of the ModSecurity
  project itself, where you define the XML request body processor
  based on the Content-Type request header.
  https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/721
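As an added illustration (not text from the newsletter and not a copy of the project's files), this is what the two places look like side by side: the request body processor is chosen in the ModSecurity base configuration (modsecurity.conf), the CRS allow list lives in crs-setup.conf. The rule ids 200000 and 900220 follow the stock files; the base content-type list is illustrative, and application/soap+xml is the addition discussed above.

```apache
# --- modsecurity.conf (ModSecurity base configuration, not CRS) ---
# Requires SecRequestBodyAccess On. Without the "application/soap\+" alternative
# a SOAP 1.2 body is never handed to the XML processor, so the CRS rules that
# inspect XML:/* do not see it. The header is lowercased before matching.
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
    "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# --- crs-setup.conf (CRS) ---
# CRS rule 920420 checks the request Content-Type against this pipe-separated
# allow list and blocks types that are not on it. Parsing a SOAP body (above)
# is pointless if the same request is rejected here for its content type.
SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|text/plain'"
```

If a SOAP request is still blocked after the change, check the audit log for rule 920420 first, then verify that the XML processor was actually selected (the `ctl:requestBodyProcessor=XML` rule must run in phase 1, before the body is read).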

- CRS project lead Chaim Sanders has quit his job at Trustwave and
  continues his commitment to our project. We remain in close touch with
  Trustwave via ModSecurity lead developer Felipe and new TW team member
  Victor.

- The TYPO3 side project kind of stalled, but lately GitHub user
  @emphazer contributed new TYPO3 pull requests against my
  CRS/TYPO3 branch.

- The testing of CRS3 with several security scanners is making good
  progress, though. We have done Burp, Skipfish and the bleeding
  edge ZAP 2.6.0. Arachni is being tested as I write this.

- We have been pondering the idea of having a CRS project logo.
  We want to lean on the OWASP logo, and getting OWASP's permission
  to do so took a surprisingly long time. But now Hugo Costa, the
  designer of the CRS3 release poster, is working on the project.

What is thus planned for the next few weeks:

- The release of CRS 3.0.1, maybe with a preliminary RC first.

- First results of the security scanner tests.

- More news from the logo project.

- The CRS meetup at AppSecEU is going to be on Wednesday May 10
  in Belfast. Time and place not yet defined.

- My Core Rule Set 3.0 Intro talk at AppSecEU in Belfast has been
  scheduled for Thursday May 11, 4:15 pm. Would be cool to see
  you.

- Next CRS chat: May 1, 2017, 20:30 CEST on Freenode IRC, channel
  #modsecurity (14:30 EST, 19:30 GMT)

Ahoj,

Christian


-- 
https://www.feistyduck.com/training/modsecurity-training-course
mailto:christian.fol...@netnea.com
twitter: @ChrFolini
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set