ModSecurity Core Rule Set project
Welcome to the OWASP Core Rule Set (CRS) project mailing list. Feel free to ask support and general questions about the projects or associated issues and we will do our best to support you.
- CRS Project Leads
DI Hans Mayer
2:46 PM
SecAction "id:10102,phase:1,drop,nolog,noauditlog" does logging
Dear All, I hope it's OK to post some questions in this group. If not be so kind and advise me
Andrew Howe
Oct 30
CRS versions 4.8.0 and 3.3.7 released
The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7. For
Rahul Thakkar, Christian Folini (2)
Apr 19
How to implement rate limit using Mod Security Rule
Hey Rahul, Getting this up and running is very hard with ModSecurity and it takes a lot of experience
F, Ervin Hegedüs (2)
Apr 10
CRS and SSTI with Velocity
Hi Max, On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote: > Hi > > We found a Server Side
Blason R, … Jozef Sudolsky (4)
Apr 7
Can we remove these parts from logs?
Thanks folks let me try that out. On Sun, Apr 7, 2024, 12:26 Jozef Sudolsky <jo...@sudolsky.sk>
mahh m, … Christian Folini (3)
Apr 3
removed rules in CRS4
Hi there, We have stripped down CRS and moved non-essential functionality into plugins. The Anti-DoS
Sudharshan K S, … Andrew Howe (8)
Mar 16
Including CRS inside Location/If directive doesn't work
Hi Sudharshan, > Observation: The inclusion of crs-setup.conf and the other rules doesn't work
Jozef Sudolsky, … Jean-Charles OLLAT (6)
Mar 8
Re: [jcollat@gmail.com: [modsecurity-core-rule-set-project] Welcome & GeoIP]
Setting tx.geoip-plugin_country_code is used only when tx.geoip-plugin_custom_lookup is set to 1 and
Jean-Charles OLLAT
Mar 4
Welcome & GeoIP
Hello everyone, I wanted to extend a warm thank you for welcoming me to this discussion group.
Christian Folini
Feb 15
CRS version 4.0.0 is out
Let CRS 4 be your valentine! The OWASP CRS team is proud to announce the release of CRS 4.0. * https:
mahh m, Franziska Buehler (2)
Jan 21
Custom charsets in the rules 920600 and 922110
Hi! Thanks for asking and sorry for your inconvenience. Unfortunately, I can't see from your
Théo B., Ervin Hegedüs (2)
Jan 20
Docker
Hi Théo, perhaps this can help you: https://github.com/coreruleset/modsecurity-crs-docker/blob/
Ervin Hegedüs
Jan 12
Future of ModSecurity
Hi all, (sorry if someone received crosspost) Perhaps most users read the news: Trustwave transfers
Andrew Howe, … Christian Folini (4)
Jan 2
CRS version 4.0.0 release candidate 2 available
Hello Emiliom Nobody has been picking this up, so let's give it a shot. On Fri, Dec 29, 2023 at
Jakub Kuchar, … Christian Folini (8)
9/8/23
performance
Hello Andrew thanks for sharing information, and yes this is staging machine, if there is usage 75%
saratoga, Christian Folini (4)
8/7/23
Setting tx.paranoia_level too late?
Hello, On Mon, Aug 07, 2023 at 12:55:42PM +0200, s wrote: > > Could it be your integrator does
Andrew Howe
7/24/23
CRS version 3.3.5 released
The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For
jarofi, Christian Folini (2)
6/21/23
Using a regular expression in a ruleRemoveTargetById command
Hey Jarda, It's most unfortunate, but the ruleRemoveTargetById does not allow for regular
冰封飞飞, Andrew Howe (2)
6/7/23
Has ModSecurity 3 achieved full compatibility with CRS now?
Hello, ModSecurity Core Rule Set Developer on Duty here. ModSecurity v2 remains the reference
Systems Admin, Franziska Buehler (4)
4/27/23
Configuration variables overwriting
Glad to hear that it works! No need to say sorry. I'm happy to help! Everyone was a newbie at
Blason R, Ervin Hegedüs (2)
4/24/23
Custom Modsec rule is not working
Hi Blason R, On Fri, Apr 21, 2023 at 11:16:35PM +0530, Blason R wrote: [...] > Am I doing anything
Blason R, Ervin Hegedüs (7)
4/17/23
Protection Against Slowloris and HTTP POST DoS Attack
Hi, On Mon, Apr 17, 2023 at 06:09:56AM +0530, Blason R wrote: > Fail2ban - Hmm that's
Emilio Campos, Christian Folini (5)
2/22/23
OWASP CRS v4.0 dev
Thanks. We're still working on those. Christian On Wed, Feb 22, 2023 at 01:29:08PM +0100, Emilio
Jakub Kuchar, Christian Folini (6)
2/9/23
Newbie question how to deal with WYSIWYG editors
Hey Jakub, Thanks for the update. Yes, any WYSIWYG editor transmitting HTML will run into a ton of
Blason R, Andrew Howe (3)
1/4/23
Can I implement CRS like this? Please suggest on my topology
Thank for your valuable suggestion. And yes the HA matters the most but I was thinking from cloud
stevek, Christian Folini (2)
1/4/23
Blocking POST requests with payload
Hey Steve, On Tue, Jan 03, 2023 at 12:41:00PM -0500, stevek wrote: > Is it possible to block this
Blason R, Andrew Howe (9)
1/3/23
Am I missing anything here?
Well - Thanks again. This will not work with my setup since I am serving around 15 portals on my
Blason R, Christian Folini (2)
12/13/22
Has any one test this bypass against CRS
Hey, hey, Yes, we did check and continuing to discuss it in the #coreruleset channel on the OWASP
s
12/12/22
team82 WAF bypass abusing JSON...
Hi Just came across https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-
Blason R, … Achim (3)
11/15/22
WAF with CDN
On 15.11.22 at 07:20, Blason R wrote: > Hi Team, > > > This may sound of the forum but I