Groups

OWASP CRS project

1–30 of 96

Welcome to the OWASP CRS project mailing list. Feel free to ask support and general questions about the projects or associated issues and we will do our best to support you.

- CRS Project Leads

0 selected

TM, thalinda Sriprajak3

11:36 AM

Performance impact of CRS rules (with ModSecurity v3 Nginx Connector).

Hey, I did another test, this time to measure the response time impact of CRS rules on each request.

unread,

Performance impact of CRS rules (with ModSecurity v3 Nginx Connector).

Hey, I did another test, this time to measure the response time impact of CRS rules on each request.

11:36 AM

Oct 20

False Positive with Rule 942100 when matching text "大阪大"

Hello, I encountered a false positive with CRS rule 942100. The rule flagged the text "大阪大"

unread,

False Positive with Rule 942100 when matching text "大阪大"

Hello, I encountered a false positive with CRS rule 942100. The rule flagged the text "大阪大"

Oct 20

Michael Bullut, … Christian Folini3

Sep 22

Request For Guides on Testing ModSecurity C.R.S. Deployment Effectiveness...

Hi Michael, This is an excellent question or rather request. I am hosting CRS Community Call later

unread,

Request For Guides on Testing ModSecurity C.R.S. Deployment Effectiveness...

Hi Michael, This is an excellent question or rather request. I am hosting CRS Community Call later

Sep 22

Emilio Campos, Ervin Hegedüs2

Jun 17

crs 3.3/master vs crs4.0/main

Hi Emilio, > I do mention the following rulesets, not included in 4.0: > > REQUEST-922-

unread,

crs 3.3/master vs crs4.0/main

Hi Emilio, > I do mention the following rulesets, not included in 4.0: > > REQUEST-922-

Jun 17

Michael Bullut, Ervin Hegedüs2

Jun 16

Inquiry About Upgrading ModSecurity Version Bundled with Ubuntu...

Hi Michael, On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core

unread,

Inquiry About Upgrading ModSecurity Version Bundled with Ubuntu...

Hi Michael, On Mon, Jun 16, 2025 at 03:28:15PM +0300, 'Michael Bullut' via ModSecurity Core

Jun 16

Michael Bullut, … Emilio Campos6

May 21

Inquiry Regarding Use of ModSecurity in Production Environments Post End-of-Life...

Regarding the CRS ruleset and modsecurity presentation "2021-04-14_OWASP_ModSec-CRS-Intro.pdf

unread,

Inquiry Regarding Use of ModSecurity in Production Environments Post End-of-Life...

Regarding the CRS ruleset and modsecurity presentation "2021-04-14_OWASP_ModSec-CRS-Intro.pdf

May 21

Blason R, Andrew Howe2

Mar 17

Can we enabled ICAP with modsecurity?

Hi Blason, > ...possible to activate the ICAP client... Is that to say you *have* a specific ICAP

unread,

Can we enabled ICAP with modsecurity?

Hi Blason, > ...possible to activate the ICAP client... Is that to say you *have* a specific ICAP

Mar 17

Michael Bullut, … Andrew Howe4

Mar 17

Inquiry About Project Honeypot Integration with ModSecurity...

Hello Michael, My apologies for the delay in getting this reply and information to you. The Project

unread,

Inquiry About Project Honeypot Integration with ModSecurity...

Hello Michael, My apologies for the delay in getting this reply and information to you. The Project

Mar 17

Mar 9

Enhance Your ModSecurity with Session-Based Security Monitoring

Dear ModSecurity Community, I'd like to share a project that complements ModSecurity by

unread,

Enhance Your ModSecurity with Session-Based Security Monitoring

Dear ModSecurity Community, I'd like to share a project that complements ModSecurity by

Mar 9

11/6/24

SecAction "id:10102,phase:1,drop,nolog,noauditlog" does logging

Dear All, I hope it's OK to post some questions in this group. If not be so kind and advise me

unread,

SecAction "id:10102,phase:1,drop,nolog,noauditlog" does logging

Dear All, I hope it's OK to post some questions in this group. If not be so kind and advise me

11/6/24

10/30/24

CRS versions 4.8.0 and 3.3.7 released

The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7. For

unread,

CRS versions 4.8.0 and 3.3.7 released

The OWASP CRS team is pleased to announce the release of two new CRS versions: v4.8.0 and v3.3.7. For

10/30/24

Rahul Thakkar, Christian Folini2

4/19/24

How to implement rate limit using Mod Security Rule

Hey Rahul, Getting this up and running is very hard with ModSecurity and it takes a lot of experience

unread,

How to implement rate limit using Mod Security Rule

Hey Rahul, Getting this up and running is very hard with ModSecurity and it takes a lot of experience

4/19/24

F, Ervin Hegedüs2

4/10/24

CRS and SSTI with Velocity

Hi Max, On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote: > Hi > > We found a Server Side

unread,

CRS and SSTI with Velocity

Hi Max, On Wed, Apr 10, 2024 at 08:33:23AM -0700, F wrote: > Hi > > We found a Server Side

4/10/24

Blason R, … Jozef Sudolsky4

4/7/24

Can we remove these parts from logs?

Thanks folks let me try that out. On Sun, Apr 7, 2024, 12:26 Jozef Sudolsky <jo...@sudolsky.sk>

unread,

Can we remove these parts from logs?

Thanks folks let me try that out. On Sun, Apr 7, 2024, 12:26 Jozef Sudolsky <jo...@sudolsky.sk>

4/7/24

mahh m, … Christian Folini3

4/3/24

removed rules in CRS4

Hi there, We have stripped down CRS and moved non-essential functionality into plugins. The Anti-DoS

unread,

removed rules in CRS4

Hi there, We have stripped down CRS and moved non-essential functionality into plugins. The Anti-DoS

4/3/24

Sudharshan K S, … Andrew Howe8

3/16/24

Including CRS inside Location/If directive doesn't work

Hi Sudharshan, > Observation: The inclusion of crs-setup.conf and the other rules doesn't work

unread,

Including CRS inside Location/If directive doesn't work

Hi Sudharshan, > Observation: The inclusion of crs-setup.conf and the other rules doesn't work

3/16/24

Jozef Sudolsky, … Jean-Charles OLLAT6

3/8/24

Re: [jcollat@gmail.com: [modsecurity-core-rule-set-project] Welcome & GeoIP]

Setting tx.geoip-plugin_country_code is used only when tx.geoip-plugin_custom_lookup is set to 1 and

unread,

Re: [jcollat@gmail.com: [modsecurity-core-rule-set-project] Welcome & GeoIP]

Setting tx.geoip-plugin_country_code is used only when tx.geoip-plugin_custom_lookup is set to 1 and

3/8/24

Jean-Charles OLLAT

3/4/24

Welcome & GeoIP

Hello everyone, I wanted to extend a warm thank you for welcoming me to this discussion group.

unread,

Welcome & GeoIP

Hello everyone, I wanted to extend a warm thank you for welcoming me to this discussion group.

3/4/24

Christian Folini

2/15/24

CRS version 4.0.0 is out

Let CRS 4 be your valentine! The OWASP CRS team is proud to announce the release of CRS 4.0. * https:

unread,

CRS version 4.0.0 is out

Let CRS 4 be your valentine! The OWASP CRS team is proud to announce the release of CRS 4.0. * https:

2/15/24

mahh m, Franziska Buehler2

1/21/24

Custom charsets in the rules 920600 and 922110

Hi! Thanks for asking and sorry for your inconvenience. Unfortunately, I can't see from your

unread,

Custom charsets in the rules 920600 and 922110

Hi! Thanks for asking and sorry for your inconvenience. Unfortunately, I can't see from your

1/21/24

Théo B., Ervin Hegedüs2

1/20/24

Hi Théo, perhaps this can help you: https://github.com/coreruleset/modsecurity-crs-docker/blob/

unread,

Hi Théo, perhaps this can help you: https://github.com/coreruleset/modsecurity-crs-docker/blob/

1/20/24

1/12/24

Future of ModSecurity

Hi all, (sorry if someone received crosspost) Perhaps most users read the news: Trustwave transfers

unread,

Future of ModSecurity

Hi all, (sorry if someone received crosspost) Perhaps most users read the news: Trustwave transfers

1/12/24

Andrew Howe, … Christian Folini4

1/2/24

CRS version 4.0.0 release candidate 2 available

Hello Emiliom Nobody has been picking this up, so let's give it a shot. On Fri, Dec 29, 2023 at

unread,

CRS version 4.0.0 release candidate 2 available

Hello Emiliom Nobody has been picking this up, so let's give it a shot. On Fri, Dec 29, 2023 at

1/2/24

Jakub Kuchar, … Christian Folini8

9/8/23

Hello Andrew thanks for sharing information, and yes this is staging machine, if there is usage 75%

unread,

Hello Andrew thanks for sharing information, and yes this is staging machine, if there is usage 75%

9/8/23

saratoga, Christian Folini4

8/7/23

Setting tx.paranoia_level too late?

Hello, On Mon, Aug 07, 2023 at 12:55:42PM +0200, s wrote: > > Could it be your integrator does

unread,

Setting tx.paranoia_level too late?

Hello, On Mon, Aug 07, 2023 at 12:55:42PM +0200, s wrote: > > Could it be your integrator does

8/7/23

7/24/23

CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For

unread,

CRS version 3.3.5 released

The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of CRS v3.3.5. For

7/24/23

jarofi, Christian Folini2

6/21/23

Using a regular expression in a ruleRemoveTargetById command

Hey Jarda, It's most unfortunate, but the ruleRemoveTargetById does not allow for regular

unread,

Using a regular expression in a ruleRemoveTargetById command

Hey Jarda, It's most unfortunate, but the ruleRemoveTargetById does not allow for regular

6/21/23

冰封飞飞, Andrew Howe2

6/7/23

Has ModSecurity 3 achieved full compatibility with CRS now?

Hello, ModSecurity Core Rule Set Developer on Duty here. ModSecurity v2 remains the reference

unread,

Has ModSecurity 3 achieved full compatibility with CRS now?

Hello, ModSecurity Core Rule Set Developer on Duty here. ModSecurity v2 remains the reference

6/7/23

Systems Admin, Franziska Buehler4

4/27/23

Configuration variables overwriting

Glad to hear that it works! No need to say sorry. I'm happy to help! Everyone was a newbie at

unread,

Configuration variables overwriting

Glad to hear that it works! No need to say sorry. I'm happy to help! Everyone was a newbie at

4/27/23

Blason R, Ervin Hegedüs2

4/24/23

Custom Modsec rule is not working

Hi Blason R, On Fri, Apr 21, 2023 at 11:16:35PM +0530, Blason R wrote: [...] > Am I doing anything

unread,

Custom Modsec rule is not working

Hi Blason R, On Fri, Apr 21, 2023 at 11:16:35PM +0530, Blason R wrote: [...] > Am I doing anything

4/24/23

Search

Clear search

Close search

Google apps

Main menu