Groups

OWASP CRS project

1–30 of 97

Welcome to the OWASP CRS project mailing list. Feel free to ask support and general questions about the projects or associated issues and we will do our best to support you.

- CRS Project Leads

0 selected

Michael Bullut, … Jozef Sudolsky3

12/2/25

ModSecurity CRS Deployment with WordPress Security Plugins (Wordfence / WP Cerber)...

Hi Michael, some of my customers are running WordPress with Wordfence on my infrastructure, which is

unread,

ModSecurity CRS Deployment with WordPress Security Plugins (Wordfence / WP Cerber)...

Hi Michael, some of my customers are running WordPress with Wordfence on my infrastructure, which is

12/2/25

kkondo, Jozef Sudolsky4

10/28/25

False Positive with Rule 942100 when matching text "大阪大"

I cannot tell for sure so, it MAY create holes in the firewall. I recommend to create an exclusion

unread,

False Positive with Rule 942100 when matching text "大阪大"

I cannot tell for sure so, it MAY create holes in the firewall. I recommend to create an exclusion

10/28/25

TM, … Jozef Sudolsky5

10/27/25

Performance impact of CRS rules (with ModSecurity v3 Nginx Connector).

Hi Jozef, I did test with the last v4 release (4.19.0) : > I also tested with the latest CRS v4 (

unread,

Performance impact of CRS rules (with ModSecurity v3 Nginx Connector).

Hi Jozef, I did test with the last v4 release (4.19.0) : > I also tested with the latest CRS v4 (

10/27/25

Michael Bullut, … Christian Folini3

9/22/25

Request For Guides on Testing ModSecurity C.R.S. Deployment Effectiveness...

Hi Michael, This is an excellent question or rather request. I am hosting CRS Community Call later

unread,

Request For Guides on Testing ModSecurity C.R.S. Deployment Effectiveness...

Hi Michael, This is an excellent question or rather request. I am hosting CRS Community Call later

9/22/25

Emilio Campos, Ervin Hegedüs2

6/17/25

crs 3.3/master vs crs4.0/main

Hi Emilio, > I do mention the following rulesets, not included in 4.0: > > REQUEST-922-

unread,

crs 3.3/master vs crs4.0/main

Hi Emilio, > I do mention the following rulesets, not included in 4.0: > > REQUEST-922-

6/17/25

Michael Bullut, Ervin Hegedüs2

6/16/25

Inquiry About Upgrading ModSecurity Version Bundled with Ubuntu...

Hi Michael, On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core

unread,

Inquiry About Upgrading ModSecurity Version Bundled with Ubuntu...

Hi Michael, On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core

6/16/25

Michael Bullut, … Emilio Campos6

5/21/25

Inquiry Regarding Use of ModSecurity in Production Environments Post End-of-Life...

Regarding the CRS ruleset and modsecurity presentation "2021-04-14_OWASP_ModSec-CRS-Intro.pdf

unread,

Inquiry Regarding Use of ModSecurity in Production Environments Post End-of-Life...

Regarding the CRS ruleset and modsecurity presentation "2021-04-14_OWASP_ModSec-CRS-Intro.pdf

5/21/25

Blason R, Andrew Howe2

3/17/25

Can we enabled ICAP with modsecurity?

Hi Blason, > ...possible to activate the ICAP client... Is that to say you *have* a specific ICAP

unread,

Can we enabled ICAP with modsecurity?

Hi Blason, > ...possible to activate the ICAP client... Is that to say you *have* a specific ICAP

3/17/25

Michael Bullut, … Andrew Howe4

3/17/25

Inquiry About Project Honeypot Integration with ModSecurity...

Hello Michael, My apologies for the delay in getting this reply and information to you. The Project

unread,

Inquiry About Project Honeypot Integration with ModSecurity...

Hello Michael, My apologies for the delay in getting this reply and information to you. The Project

3/17/25

3/9/25

Enhance Your ModSecurity with Session-Based Security Monitoring

Dear ModSecurity Community, I'd like to share a project that complements ModSecurity by

unread,

Enhance Your ModSecurity with Session-Based Security Monitoring

Dear ModSecurity Community, I'd like to share a project that complements ModSecurity by

3/9/25

11/6/24

SecAction "id:10102,phase:1,drop,nolog,noauditlog" does logging

Dear All, I hope it's OK to post some questions in this group. If not be so kind and advise me

unread,

SecAction "id:10102,phase:1,drop,nolog,noauditlog" does logging

Dear All, I hope it's OK to post some questions in this group. If not be so kind and advise me

11/6/24

10/30/24

CRS versions 4.8.0 and 3.3.7 released

The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7. For

unread,

CRS versions 4.8.0 and 3.3.7 released

The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7. For

10/30/24

Rahul Thakkar, Christian Folini2

4/19/24

How to implement rate limit using Mod Security Rule

Hey Rahul, Getting this up and running is very hard with ModSecurity and it takes a lot of experience

unread,

How to implement rate limit using Mod Security Rule

Hey Rahul, Getting this up and running is very hard with ModSecurity and it takes a lot of experience

4/19/24

F, Ervin Hegedüs2

4/10/24

CRS and SSTI with Velocity

Hi Max, On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote: > Hi > > We found a Server Side

unread,

CRS and SSTI with Velocity

Hi Max, On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote: > Hi > > We found a Server Side

4/10/24

Blason R, … Jozef Sudolsky4

4/7/24

Can we remove these parts from logs?

Thanks folks let me try that out. On Sun, Apr 7, 2024, 12:26 Jozef Sudolsky <jo...@sudolsky.sk>

unread,

Can we remove these parts from logs?

Thanks folks let me try that out. On Sun, Apr 7, 2024, 12:26 Jozef Sudolsky <jo...@sudolsky.sk>

4/7/24

mahh m, … Christian Folini3

4/3/24

removed rules in CRS4

Hi there, We have stripped down CRS and moved non-essential functionality into plugins. The Anti-DoS

unread,

removed rules in CRS4

Hi there, We have stripped down CRS and moved non-essential functionality into plugins. The Anti-DoS

4/3/24

Sudharshan K S, … Andrew Howe8

3/16/24

Including CRS inside Location/If directive doesn't work

Hi Sudharshan, > Observation: The inclusion of crs-setup.conf and the other rules doesn't work

unread,

Including CRS inside Location/If directive doesn't work

Hi Sudharshan, > Observation: The inclusion of crs-setup.conf and the other rules doesn't work

3/16/24

Jozef Sudolsky, … Jean-Charles OLLAT6

3/8/24

Re: [jcollat@gmail.com: [modsecurity-core-rule-set-project] Welcome & GeoIP]

Setting tx.geoip-plugin_country_code is used only when tx.geoip-plugin_custom_lookup is set to 1 and

unread,

Re: [jcollat@gmail.com: [modsecurity-core-rule-set-project] Welcome & GeoIP]

Setting tx.geoip-plugin_country_code is used only when tx.geoip-plugin_custom_lookup is set to 1 and

3/8/24

Jean-Charles OLLAT

3/4/24

Welcome & GeoIP

Hello everyone, I wanted to extend a warm thank you for welcoming me to this discussion group.

unread,

Welcome & GeoIP

Hello everyone, I wanted to extend a warm thank you for welcoming me to this discussion group.

3/4/24

Christian Folini

2/15/24

CRS version 4.0.0 is out

Let CRS 4 be your valentine! The OWASP CRS team is proud to announce the release of CRS 4.0. * https:

unread,

CRS version 4.0.0 is out

Let CRS 4 be your valentine! The OWASP CRS team is proud to announce the release of CRS 4.0. * https:

2/15/24

mahh m, Franziska Buehler2

1/21/24

Custom charsets in the rules 920600 and 922110

Hi! Thanks for asking and sorry for your inconvenience. Unfortunately, I can't see from your

unread,

Custom charsets in the rules 920600 and 922110

Hi! Thanks for asking and sorry for your inconvenience. Unfortunately, I can't see from your

1/21/24

Théo B., Ervin Hegedüs2

1/20/24

Hi Théo, perhaps this can help you: https://github.com/coreruleset/modsecurity-crs-docker/blob/

unread,

Hi Théo, perhaps this can help you: https://github.com/coreruleset/modsecurity-crs-docker/blob/

1/20/24

1/12/24

Future of ModSecurity

Hi all, (sorry if someone received crosspost) Perhaps most users read the news: Trustwave transfers

unread,

Future of ModSecurity

Hi all, (sorry if someone received crosspost) Perhaps most users read the news: Trustwave transfers

1/12/24

Andrew Howe, … Christian Folini4

1/2/24

CRS version 4.0.0 release candidate 2 available

Hello Emiliom Nobody has been picking this up, so let's give it a shot. On Fri, Dec 29, 2023 at

unread,

CRS version 4.0.0 release candidate 2 available

Hello Emiliom Nobody has been picking this up, so let's give it a shot. On Fri, Dec 29, 2023 at

1/2/24

Jakub Kuchar, … Christian Folini8

9/8/23

Hello Andrew thanks for sharing information, and yes this is staging machine, if there is usage 75%

unread,

Hello Andrew thanks for sharing information, and yes this is staging machine, if there is usage 75%

9/8/23

saratoga, Christian Folini4

8/7/23

Setting tx.paranoia_level too late?

Hello, On Mon, Aug 07, 2023 at 12:55:42PM +0200, s wrote: > > Could it be your integrator does

unread,

Setting tx.paranoia_level too late?

Hello, On Mon, Aug 07, 2023 at 12:55:42PM +0200, s wrote: > > Could it be your integrator does

8/7/23

7/24/23

CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For

unread,

CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For

7/24/23

jarofi, Christian Folini2

6/21/23

Using a regular expression in a ruleRemoveTargetById command

Hey Jarda, It's most unfortunate, but the ruleRemoveTargetById does not allow for regular

unread,

Using a regular expression in a ruleRemoveTargetById command

Hey Jarda, It's most unfortunate, but the ruleRemoveTargetById does not allow for regular

6/21/23

冰封飞飞, Andrew Howe2

6/7/23

Has ModSecurity 3 achieved full compatibility with CRS now?

Hello, ModSecurity Core Rule Set Developer on Duty here. ModSecurity v2 remains the reference

unread,

Has ModSecurity 3 achieved full compatibility with CRS now?

Hello, ModSecurity Core Rule Set Developer on Duty here. ModSecurity v2 remains the reference

6/7/23

Systems Admin, Franziska Buehler4

4/27/23

Configuration variables overwriting

Glad to hear that it works! No need to say sorry. I'm happy to help! Everyone was a newbie at

unread,

Configuration variables overwriting

Glad to hear that it works! No need to say sorry. I'm happy to help! Everyone was a newbie at

4/27/23

Search

Clear search

Close search

Google apps

Main menu