
List:       mod-security-users
Subject:    [mod-security-users] Core Rule Set v4.0.0 Release Candidate 1 available
From:       Walter Hop <modsec () spam ! lifeforms ! nl>
Date:       2022-04-28 19:54:21
Message-ID: D400707C-E629-410D-AB08-7B57B1688BDB () spam ! lifeforms ! nl

The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release.

The release candidate is available from our installation page: https://coreruleset.org/installation/

CRS 4 contains many important changes, such as:

- A plugin architecture for extending CRS and minimizing attack surface. Application exclusion sets and less-used functionality have been migrated from the CRS to plugins: https://coreruleset.org/docs/configuring/plugins/ (See our plugin registry at https://github.com/coreruleset/plugin-registry for the extensive list of existing plugins.)
- Early blocking: https://coreruleset.org/20220302/the-case-for-early-blocking/
- Granular control over reporting levels
- All formerly PCRE-only regular expressions have been updated to be compatible with Re2/Hyperscan WAF engines
- We now publish nightly packages of the development branch: https://github.com/coreruleset/coreruleset/releases
- We refactored and renamed the anomaly scoring variables and paranoia level definitions
- HTTP/0.9 support has been dropped to resolve false positives.

CRS 4 contains many new detections:

- Detect Log4j / Log4Shell
- Detect Spring4Shell
- Detect JavaScript prototype pollution
- Detect common webshells by inspecting response
- Detect path traversal in file upload
- Detect common IP-based SSRF targets
- Detect email protocol attacks
- Improved RCE detection
- Improved SQLi detection
- Expanded blocklists to prevent access to AWS cli files, /proc and /sys files, and many other sensitive files
- Detect many new scanners and bots

CRS 4 also contains many improvements to lower the amount of false alarms. Also, we fixed a number of bypasses in existing rules. We also addressed various performance and ReDoS issues.

A lot of effort also went into improving our test suite, so that 100% of our rules are now covered by tests!

Finally, we have worked on creating extensive documentation about all aspects of the CRS. You can find it under the Documentation section of our website: https://coreruleset.org/docs/. If you would like to make improvements, please go to the repository https://github.com/coreruleset/documentation/ and submit your pull request!

For those wanting to try CRS 4, it is important to quickly touch upon the new plugin architecture. Some parts of CRS 3, such as the application exclusion rules (WordPress, Drupal, etc.), were split off into "plugins". As an admin, you can choose to install plugins or leave them out. In this way, we can more swiftly update plugins (for instance to deal with application updates), and we decrease the attack surface for admins who are not interested in their functionality. If you used the application exclusions in CRS 3, you will need to download the relevant plugin files and put them in your plugins subdirectory in CRS 4. See here for extended information about working with plugins: https://coreruleset.org/docs/configuring/plugins/
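The plugin migration described above, as an added example that is not code from the CRS project or this announcement: a small POSIX shell check that a CRS 4 plugins subdirectory only holds correctly named plugin files and that the WAF config loads them in the right order. The `<plugin>-config.conf` / `-before.conf` / `-after.conf` naming and the include order (crs-setup.conf, plugins/*-config.conf, plugins/*-before.conf, rules/*.conf, plugins/*-after.conf) are assumed from the CRS 4 plugin documentation, and all demo files are constructed.

```shell
#!/bin/sh
# Added example, not CRS project code. Assumed CRS 4 conventions: plugin files
# are named <plugin>-config.conf, -before.conf or -after.conf, and the WAF
# config includes crs-setup.conf, plugins/*-config.conf, plugins/*-before.conf,
# rules/*.conf and plugins/*-after.conf in exactly that order.

# Return 0 if every .conf in directory $1 follows the plugin naming scheme, else
# print each offender (e.g. a CRS 3 exclusion file copied in by hand) and return 1.
check_plugin_names() {
    bad=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            *-config.conf|*-before.conf|*-after.conf) ;;
            *) echo "not a plugin file: $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Return 0 if the CRS-related Include lines in config $1 appear in the
# required order (directory prefixes and quotes are ignored), else 1.
check_include_order() {
    got=$(awk 'tolower($1) == "include" { print $2 }' "$1" | tr -d '"' \
        | sed -e 's#.*/plugins/#plugins/#' -e 's#.*/rules/#rules/#' \
              -e 's#.*/crs-setup\.conf#crs-setup.conf#' \
        | grep -e '^crs-setup\.conf' -e '^plugins/' -e '^rules/' | tr '\n' ' ')
    want='crs-setup.conf plugins/*-config.conf plugins/*-before.conf rules/*.conf plugins/*-after.conf '
    [ "$got" = "$want" ]
}

# Constructed demo layout (empty files, illustrative names): a clean plugins
# dir, one holding a stray CRS 3 style file, a correct and a wrong config.
make_demo() {
    d=$(mktemp -d)
    mkdir "$d/plugins" "$d/plugins-stray"
    for f in empty-config.conf empty-before.conf empty-after.conf \
             wordpress-rule-exclusions-config.conf wordpress-rule-exclusions-before.conf; do
        : > "$d/plugins/$f"
    done
    : > "$d/plugins-stray/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf"
    printf 'Include /etc/crs4/%s\n' crs-setup.conf 'plugins/*-config.conf' \
        'plugins/*-before.conf' 'rules/*.conf' 'plugins/*-after.conf' > "$d/good.conf"
    # wrong: *-after.conf plugins loaded before the rules they must follow
    printf 'Include /etc/crs4/%s\n' crs-setup.conf 'plugins/*-config.conf' \
        'plugins/*-before.conf' 'plugins/*-after.conf' 'rules/*.conf' > "$d/bad.conf"
    echo "$d"
}

d=$(make_demo)
check_plugin_names "$d/plugins"       && echo "plugins/: naming ok"
check_plugin_names "$d/plugins-stray" || echo "plugins-stray/: fix the names above"
check_include_order "$d/good.conf"    && echo "good.conf: include order ok"
check_include_order "$d/bad.conf"     || echo "bad.conf: wrong include order"
rm -rf "$d"
```

Point the two functions at your real plugins directory and the Apache or nginx config that includes CRS; a CRS 3 exclusion file that was copied into plugins/ without the plugin naming is silently ignored by the include globs, which is exactly what the first check catches.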

Please see the CHANGES file for a full list of the more than 200 changes, improvements and fixes: https://github.com/coreruleset/coreruleset/blob/v4.0/main/CHANGES. Each CHANGES entry links to the relevant pull requests, so you can dive into the specifics of a certain change.

If you try out our release candidate, we will be very eager to receive your feedback. You can report any issues on GitHub: https://github.com/coreruleset/coreruleset/issues/new/choose. Be sure to mention the CRS version, so we can handle RC issues as quickly as possible. Depending on the feedback, we will possibly release more Release Candidates, while we get a firmer picture and finalize our schedule for the final release.

If you have questions, the quickest way to get in touch with us directly is to join the #coreruleset channel on the OWASP Slack: https://coreruleset.org/20181003/owasp-crs-slack/

I want to thank all our developers and outside contributors for helping us make the best CRS version yet!

Kind regards,
Walter Hop
Core Rule Set Co-Lead
