ModSecurity Core Rule Set or CRS is a pluggable ruleset which enables a base level of protection from web attacks in your web application. The module is created and maintained by Open Web Application Security Project or OWASP.
What is OWASP ModSecurity Core Rule Set (CRS)?
OWASP CRS is a ruleset designed to enhance your web application’s protection against web attacks. It works by providing a customized ruleset that enhances detection of common web attacks on a web application. It is compatible with ModSecurity and other web application firewalls. OWASP CRS provides enhanced security against:
- SQL Injection (SQLi)
- Cross Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Remote Code Execution (RCE)
- PHP Code Injection
- HTTP Protocol Violations
- Session Fixation
- Scanner Detection
- Metadata/Error Leakages
- Project Honey Pot Blacklist
- GeoIP Country Blocking
Currently, OWASP CRS is on version 3. In this version, CRS includes many improvements such as:
- Over 90% reduction of false alerts in a default install
- A user-defined Paranoia Level to enable additional strict checks
- Application-specific exclusions for WordPress Core and Drupal
- Sampling mode runs the CRS on a user-defined percentage of traffic
- SQLi/XSS parsing using libinjection embedded in ModSecurity
**quoted directly from OWASP CRS website
For a full changelog in the current release (v3), kindly see the changes document.
Alternatively, you can find OWASP CRS official web page over here.
Who developed OWASP CRS?
OWASP CRS is a community driven project with contributions from different people in the industry. To ensure quality, the following people oversee the project:
- Chaim Sanders (csanders-git) – Project Lead
- Walter Hop (lifeforms) – Core Developer
- Christian Folini (Twitter: @ChrFolini, GitHub: dune73) – Core Developer
Who is OWASP?
The Open Web Application Security Project or OWASP is a worldwide, not-for-profit organization with the goal of improving application security. In addition, they want to make software security visible by providing guidance towards individuals and organizations in making informed decisions with their applications. OWASP is a community of like-minded professionals providing their talents and skills for free in order to develop security tools, manuals, and guidance on how to improve overall application security.
You can learn more about OWASP here.
Can I trust OWASP?
Yes. OWASP is the organization behind OWASP top 10 and other projects that push application security to business and individuals. OWASP top 10 is the main source of best practices when it comes to application security. They are regarded as the baseline when it comes to application security and a lot of companies implement their recommendations.
In addition, their projects are open source and is freely available for everyone to check. If ever you need to check the legitimacy of their code, you can always go to their GitHub page.
What is the price of OWASP CRS?
OWASP CRS is free. Free to use, download, and fork.
So how do I install it?
It is recommended to use these rulesets with ModSecurity (an open source web application firewall). However, there is nothing prohibiting you from using the OWASP CRS in other compatible web application firewall.
- For installation instructions, head to https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
- For including OWASP CRS in Apache Web server, head to: https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/
- For handling false positives, head to https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
Is there a community or support personnel we can contact if we need help?
Yes.You can always head to the following channels if you need help or you have bugs to report:
- GitHub: for report false positive or false negative issues.
- Mailing list: for asking general usage questions and participating in CRS discussions.
- IRC: #modsecurity channel on Freenode IRC for chatting about CRS.
So what are your thoughts on OWASP CRS? Let us know below.