OWASP ModSecurity Core Rule Set version 3.3.4

[BillyS]

This is the OWASP ModSecurity Core Rule Set version 3.3.4.

Release v3.3.4 · coreruleset/coreruleset

This is the OWASP ModSecurity Core Rule Set version 3.3.4. Important Notice: From CRS 3.2.2, 3.3.3 and up, ModSecurity 2.9.6 or 3.0.8 (or versions with backported patches) are required due to the a...

github.com

Important Notice: From CRS 3.2.2, 3.3.3 and up, ModSecurity 2.9.6 or 3.0.8 (or versions with backported patches) are required due to the addition of new protections. We recommend upgrading your ModSecurity as soon as possible. If your ModSecurity is too old, your webserver will refuse to start with an Unknown variable: &MULTIPART_PART_HEADERS error. If you are in trouble, you can temporarily delete file rules/REQUEST-922-MULTIPART-ATTACK.conf as a workaround and get your server up, however, you will be missing some protections. Therefore we recommend to upgrade ModSecurity before deploying this release.

 

[BillyS]

I am confused when I look at the Custom Build options, I see

Build LibModSecurity

Install/update LibModSecurity (ModSecurity 3.0).

Version 3.0.8.

But when I try to run it, I get

• LibModSecurity connector is only available for nginx and apache right now.

I am running openlitespeed and it looks like the connector is 3.0.5

"modsecurity": "ModSecurity v3.0.5 (Linux)",

 

[Dettol]

Also the old ModSecurity find a 0day to bypass:

WAF bypasses via 0days

based on findings from a live hacking event

terjanq.medium.com

 

[BillyS]

LibModSecurity connector is only available for nginx and apache right now.

I see a similar post on this issue in the past here:

LibModSecurity connector is only available for nginx right now.

Hi; I have an update pending in the CustomBuild of LibModSecurity - but every time I try to update the package to version 3.0.4 the error occurs: Executing /usr/local/directadmin/plugins/custombuild/admin/build libmodsecurity... LibModSecurity connector is only available for nginx right now...

forum.directadmin.com

@smtalk Should I be asking this question on the openlitespeed forum? Do we need them to issue an update?

 

[IXPLANET]

I see a similar post on this issue in the past here:

LibModSecurity connector is only available for nginx right now.

Hi; I have an update pending in the CustomBuild of LibModSecurity - but every time I try to update the package to version 3.0.4 the error occurs: Executing /usr/local/directadmin/plugins/custombuild/admin/build libmodsecurity... LibModSecurity connector is only available for nginx right now...

forum.directadmin.com

@smtalk Should I be asking this question on the openlitespeed forum? Do we need them to issue an update?

Openlitespeed already support for libmodsecurity , and for V.3.0.5 has been added since OLS 1.7.14 but not available if install via custombuild

 

[BillyS]

Openlitespeed already support for libmodsecurity , and for V.3.0.5 has been added since OLS 1.7.14

Gotcha - so that means we cannot install the new OWASP rules until OLS includs libmodsecurity V3.05

 

[kam821]

@BillyS @Dettol @IXPLANET
I submitted a mod_security update request on openlitespeed's github page:

Update Modsecurity module to 3.0.8 · Issue #337 · litespeedtech/openlitespeed

mod_security has recently received a security update/functionality extension, which e.g. coreruleset currently uses to protect against certain types of attacks: https://github.com/SpiderLabs/ModSec...

github.com

It has just been resolved and the version of mod_security in the third-party.git repository has been updated.
Currently it is necessary to manually compile openlitespeed from sources or wait for a newer version of openlitespeed, which should have an updated, pre-build plugin included.

 

[BillyS]

Thanks @kam821 for following up on this one. I tried to create an account on OpenLiteSpeed's forum, but that's broken. I did ask a question on LiteSpeed's forum on Saturday, but no response.