Just really a heads up on this one if DA is going to continue to support the OWASP core ruleset. Some pretty big changes in the upcoming version and I don't know how they affect DA, in particular the plugin approach mentioned below.
coreruleset.org
Core Rule Set v4.0.0 Release Candidate 1 available
The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page.
CRS 4 contains many important changes, such as:
- A plugin architecture for extending CRS and minimizing attack surface. Application exclusion sets and less-used functionality have been migrated from the CRS to plugins. (See our plugin registry for the extensive list of existing plugins.)
- Early blocking
- Granular control over reporting levels
- All formerly PCRE-only regular expressions have been updated to be compatible with Re2/Hyperscan WAF engines
- We now publish nightly packages of the development branch
- We refactored and renamed the anomaly scoring variables and paranoia level definitions
- HTTP/0.9 support has been dropped to resolve false positives