ModSecurity Core Rule Set project

1–30 of 39

Welcome to the OWASP Core Rule Set (CRS) project mailing list. Feel free to ask support and general questions about the projects or associated issues and we will do our best to support you.

- CRS Project Leads

0 selected

Kirk Jackson, Manuel Spartan2

Nov 3

SecAuditLog in a containerised kubernetes environment

Hi Kirk, there are several options the Kubernetes documentation has a section about logging

unread,

SecAuditLog in a containerised kubernetes environment

Hi Kirk, there are several options the Kubernetes documentation has a section about logging

Nov 3

Florian Ockhuysen, … Christian Folini11

Aug 30

How to make Anomaly scores to be shown in Nginx error log?

Thank you very much. Christian On Sat, Aug 28, 2021 at 03:06:44PM -0700, Florian Ockhuysen wrote:

unread,

How to make Anomaly scores to be shown in Nginx error log?

Thank you very much. Christian On Sat, Aug 28, 2021 at 03:06:44PM -0700, Florian Ockhuysen wrote:

Aug 30

Shakil Ahamed, Christian Folini5

Aug 9

I cannot find modsecurity in my /usr/local/ directory

I have solved the issue by reinstalling ModSecurity 3 Regards On Monday, August 9, 2021 at 2:48:30 PM

unread,

I cannot find modsecurity in my /usr/local/ directory

I have solved the issue by reinstalling ModSecurity 3 Regards On Monday, August 9, 2021 at 2:48:30 PM

Aug 9

Kamrul Hasan, Christian Folini2

Jul 28

Which rules to enable from the available 15138 ModSecurity Commercial rules for a Banking App

Hey Kamrul, On Mon, Jul 26, 2021 at 09:31:58PM -0700, Kamrul Hasan wrote: > We have purchased a

unread,

Which rules to enable from the available 15138 ModSecurity Commercial rules for a Banking App

Hey Kamrul, On Mon, Jul 26, 2021 at 09:31:58PM -0700, Kamrul Hasan wrote: > We have purchased a

Jul 28

Christian Folini

Jun 28

Upcoming OWASP ModSecurity Core Rule Set Security Releases

Dear all, A security problem with the OWASP ModSecurity Core Rule Set has been brought to our

unread,

Upcoming OWASP ModSecurity Core Rule Set Security Releases

Dear all, A security problem with the OWASP ModSecurity Core Rule Set has been brought to our

Jun 28

Andrew Howe, Christian Folini4

Apr 13

Why is SecDefaultAction defined twice by default?

On Tue, Apr 13, 2021 at 11:38:45AM +0100, Andrew Howe wrote: > Hi Christian, > > A-hah, that

unread,

Why is SecDefaultAction defined twice by default?

On Tue, Apr 13, 2021 at 11:38:45AM +0100, Andrew Howe wrote: > Hi Christian, > > A-hah, that

Apr 13

Blason R, Christian Folini5

Mar 22

Does CRS support protection from HTTP Request Smuggling attacks?

Awesome and thank you Sire :) On Mon, Mar 22, 2021 at 2:51 PM Christian Folini <christian.folini@

unread,

Does CRS support protection from HTTP Request Smuggling attacks?

Awesome and thank you Sire :) On Mon, Mar 22, 2021 at 2:51 PM Christian Folini <christian.folini@

Mar 22

Larry David, Ervin Hegedüs3

Mar 9

913100 Detecting but not Blocking

Yes of course - SecDefaultAction. I had all SecDefaultAction lines # out such as #SecDefaultAction

unread,

913100 Detecting but not Blocking

Yes of course - SecDefaultAction. I had all SecDefaultAction lines # out such as #SecDefaultAction

Mar 9

Andrew Howe, Christian Folini2

11/16/20

Memory issue with specific CRS rules (variable expansion in compiled operators)

Hey Andrew, I think you never got a response for this. Personally, I was not aware of this problem.

unread,

Memory issue with specific CRS rules (variable expansion in compiled operators)

Hey Andrew, I think you never got a response for this. Personally, I was not aware of this problem.

11/16/20

oma...@gmail.com

10/27/20

exclusion for attack-lfi

Hello, there are many occurrences of single double dot '/../' in sites I try to protect by

unread,

exclusion for attack-lfi

Hello, there are many occurrences of single double dot '/../' in sites I try to protect by

10/27/20

rsomme...@cloudflare.com, … Christian Folini3

10/15/20

Allow HTTP/3 by default in 901163/920430

On Tue, Oct 13, 2020 at 04:52:46AM -0700, 'Barry Pollard' via ModSecurity Core Rule Set

unread,

Allow HTTP/3 by default in 901163/920430

On Tue, Oct 13, 2020 at 04:52:46AM -0700, 'Barry Pollard' via ModSecurity Core Rule Set

10/15/20

Christian Folini

9/14/20

CVE-2020-15598 – ModSecurity v3 Affected By DoS (Severity HIGH)

Dear all, ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the global

unread,

CVE-2020-15598 – ModSecurity v3 Affected By DoS (Severity HIGH)

Dear all, ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the global

9/14/20

Mike Melo, Ervin Hegedüs7

8/13/20

tried ftwrunner, most tests failing

ok thanks for that, will check out the skipped test details... On Thursday, August 13, 2020 at 5:14:

unread,

tried ftwrunner, most tests failing

ok thanks for that, will check out the skipped test details... On Thursday, August 13, 2020 at 5:14:

8/13/20

Mike Melo, … Christian Folini4

8/11/20

CRS regression tests

On Tue, Aug 11, 2020 at 02:22:06PM -0700, Mike Melo wrote: > Thank you!!!! > > this

unread,

CRS regression tests

On Tue, Aug 11, 2020 at 02:22:06PM -0700, Mike Melo wrote: > Thank you!!!! > > this

8/11/20

johan fillon, Ruben van Vreeland3

7/29/20

How to log in Anomaly Scoring mode + change the default http status 403 ??

Hello Ruben, thanks for your answer. Having a nolog in my configuration on the lines SecAction "

unread,

How to log in Anomaly Scoring mode + change the default http status 403 ??

Hello Ruben, thanks for your answer. Having a nolog in my configuration on the lines SecAction "

7/29/20

7/1/20

Core Rule Set v3.3.0 available

The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0. For

unread,

Core Rule Set v3.3.0 available

The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0. For

7/1/20

Alex Hautequest, Christian Folini2

6/30/20

CRS for limiting path names length/count

Hey Alex, There is no prepared rule for this. So you may want to write one yourself. SecRule

unread,

CRS for limiting path names length/count

Hey Alex, There is no prepared rule for this. So you may want to write one yourself. SecRule

6/30/20

6/18/20

OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 2 available

The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 2 for the

unread,

OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 2 available

The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 2 for the

6/18/20

6/10/20

Re: [mod-security-users] CentOS 8 Build moving modules to new server

hi Joe, On Wed, Jun 10, 2020 at 03:15:46PM +0000, Madden, Joe via mod-security-users wrote: > Hi

unread,

Re: [mod-security-users] CentOS 8 Build moving modules to new server

hi Joe, On Wed, Jun 10, 2020 at 03:15:46PM +0000, Madden, Joe via mod-security-users wrote: > Hi

6/10/20

5/27/20

SecGeoLookupDB & file format

Greetings, I would like to use the GeoIP feature of CRS to block by country-IP, however the crs-setup

unread,

SecGeoLookupDB & file format

Greetings, I would like to use the GeoIP feature of CRS to block by country-IP, however the crs-setup

5/27/20

5/27/20

OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the

unread,

OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 1 available

The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the

5/27/20

john smith, … Christian Folini7

5/23/20

Looking for a way to measure response time

Hi, Sorry to pop this back up but i couldn't find a way nor did i get a response on my last

unread,

Looking for a way to measure response time

Hi, Sorry to pop this back up but i couldn't find a way nor did i get a response on my last

5/23/20

Christian Folini

5/13/20

Core Rule Set github repository moved to new location

Dear all, The OWASP ModSecurity Core Rule Set project has moved house. The project repository is no

unread,

Core Rule Set github repository moved to new location

Dear all, The OWASP ModSecurity Core Rule Set project has moved house. The project repository is no

5/13/20

Mike Melo, Christian Folini3

4/17/20

add a response header in MS3 to transfer timing information

thanks Christian, will keep you posted. On Friday, April 17, 2020 at 6:49:07 AM UTC-4, Christian

unread,

add a response header in MS3 to transfer timing information

thanks Christian, will keep you posted. On Friday, April 17, 2020 at 6:49:07 AM UTC-4, Christian

4/17/20

Stephan Fourie, Christian Folini2

4/13/20

Exclusion Rules for dynamic ARGS

Hello Stephan, You are in a bad situation, but you are not the first one stuck with this lack of

unread,

Exclusion Rules for dynamic ARGS

Hello Stephan, You are in a bad situation, but you are not the first one stuck with this lack of

4/13/20

john smith, Christian Folini3

3/11/20

CRS Rules and Apache responses

On Tue, Mar 10, 2020 at 04:55:15PM -0700, john smith wrote: > Well since i got not replies i

unread,

CRS Rules and Apache responses

On Tue, Mar 10, 2020 at 04:55:15PM -0700, john smith wrote: > Well since i got not replies i

3/11/20

Paul Beckett, Christian Folini2

11/28/19

Best CRS branch for production

Hello Paul, CRS 3.2.0 is the latest stable release. https://modsecurity.org/crs is not under the

unread,

Best CRS branch for production

Hello Paul, CRS 3.2.0 is the latest stable release. https://modsecurity.org/crs is not under the

11/28/19

Christian Folini, Paul Beckett2

11/28/19

Infos for the participants of the CRS Community Summit, September 25, Amsterdam

Were slides or recording from the CRS Community Sumit posted anywhere? Thanks, Paul

unread,

Infos for the participants of the CRS Community Summit, September 25, Amsterdam

Were slides or recording from the CRS Community Sumit posted anywhere? Thanks, Paul

11/28/19

Stephan Fourie, Christian Folini3

10/28/19

Prestashop Exclusion Rules

Hi Christian, Thanks for the reply! Yes, paranoia level 1. I'll report the false positive hits

unread,

Prestashop Exclusion Rules

Hi Christian, Thanks for the reply! Yes, paranoia level 1. I'll report the false positive hits

10/28/19

9/26/19

Announcement: msc_pyparser

Hi all, (sorry for the cross posting) let me announce the msc_pyparser tool, a ModSecurity ruleset

unread,

Announcement: msc_pyparser

Hi all, (sorry for the cross posting) let me announce the msc_pyparser tool, a ModSecurity ruleset

9/26/19

Search

Clear search

Close search

Google apps

Main menu