Has ModSecurity 3 achieved full compatibility with CRS now?


冰封飞飞

Jun 6, 2023, 10:20:01 PM
to ModSecurity Core Rule Set project
Hi team,
In a blog post dated December 22, 2021, available at https://coreruleset.org/20211222/talking-about-modsecurity-and-the-new-coraza-waf/, it was revealed that CRS still uses ModSecurity 2 as its reference implementation. The main reason for this is that ModSecurity 3 failed to pass all tests in the CRS test suite. Has this situation changed as of June 2023? Is CRS still using ModSecurity 2 as the reference implementation, and can ModSecurity 3 pass the test suite now?

Regards.

Andrew Howe

Jun 7, 2023, 9:02:35 AM
to 冰封飞飞, ModSecurity Core Rule Set project
Hello,

ModSecurity Core Rule Set Developer on Duty here.

ModSecurity v2 remains the reference implementation for CRS.
ModSecurity v3 (on Nginx) fails many of the test cases from the CRS
test suite, owing to bugs, inconsistencies, and implementation gaps.

As of today, using the latest stable release of the go-ftw testing
tool, the latest CRS container images, and the CRS v4.0/dev branch,
the situation is as follows:

* Apache + ModSecurity v2:
run 3517 total tests in 59.605616827s
skipped 4 tests
All tests successful!

* Nginx + ModSecurity v3:
run 3517 total tests in 51.392467496s
skipped 4 tests
61 test(s) failed to run

Note that some of the Nginx + libModSecurity failures are due to
differences in the behaviour of Nginx compared to Apache, so not all
of the test failures are due to engine differences.

You may find the information and explanations on the CRS documentation
page about WAF engine options to be of interest:
https://coreruleset.org/docs/deployment/engine_integration_options/

Thanks,
Andrew Howe

--

Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064