OWASP v4.0.0 RC1

BillyS

Just really a heads up on this one if DA is going to continue to support OWASP core ruleset. Some pretty big changes in the upcoming version and I don't know how they affect DA, in particular the plugin approach mentioned below.



CRS 4 contains many important changes, such as:

  • A plugin architecture for extending CRS and minimizing attack surface. Application exclusion sets and less-used functionality have been migrated from the CRS to plugins. (See our plugin registry for the extensive list of existing plugins.)
  • Early blocking
  • Granular control over reporting levels
  • All formerly PCRE-only regular expressions have been updated to be compatible with Re2/Hyperscan WAF engines
  • We now publish nightly packages of the development branch
  • We refactored and renamed the anomaly scoring variables and paranoia level definitions
  • HTTP/0.9 support has been dropped to resolve false positives
 