Category:OWASP ModSecurity Core Rule Set Project

Download
Current Stable Release is always available here:

https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

Bug Tracker
JIRA Ticket System:

https://www.modsecurity.org/tracker/browse/CORERULES

Installation
Quick Start

Core Rule Set Structure & Usage


To activate the rules for your web server installation:

1) The modsecurity_crs_10_global_config.conf file includes directives that can only be initiated once by Apache, and thus it should be included within the main httpd.conf file context.

The modsecurity_crs_10_config.conf, on the other hand, includes directives that can be included within virtual host containers. Pay attention to the SecRuleEngine setting (On by default) and make sure that the SecDefaultAction directive is set to "pass". All of the rules use the "block" action, which inherits this setting. This effectively means that you can toggle the SecDefaultAction setting to decide whether you would like to deny on a rule match or run in anomaly scoring/correlation mode (which is the new default).

You should also update the appropriate anomaly scoring levels in the modsecurity_crs_49_enforcement.conf and modsecurity_crs_60_correlation.conf files. These determine when events are logged and blocked.

Additionally, you may want to edit modsecurity_crs_30_http_policy.conf.

2) Add the following line to your httpd.conf (assuming you've placed the rule files into conf/modsecurity/):

Include conf/modsecurity/*.conf
Include conf/modsecurity/base_rules/*conf

3) Restart web server.

4) Make sure your web sites are still running fine.

5) Simulate an attack against the web server. Then check that the attack was correctly logged in the Apache error log, the ModSecurity debug log (if you enabled it) and the ModSecurity audit log (if you enabled it).

6) If you configured your audit log entries to be transported to ModSecurity Console in real time, check that the alert was correctly recorded there too.

Documentation
- Use of Block Action: Updated the rules to use the "block" action. This allows the Admin to globally set the desired block action once with SecDefaultAction in the *10* config file rather than having to edit the disruptive actions in all of the rules or needing multiple versions of the rules (blocking vs. non-blocking).
- Fine Grained Policy: The rules have been split to one signature per rule instead of having all signatures combined into one optimized regular expression. This should allow you to modify/disable events based on specific patterns instead of having to deal with the whole rule.
- Anomaly Scoring Mode Option: The rules have been updated to include anomaly scoring variables which allow you to evaluate the score at the end of phase:2 and phase:5 and decide what logging and disruptive actions to take based on the score.
- Correlated Events: There are rules in phase:5 that provide some correlation between inbound events and outbound events and report the result as a successful attack or an attempted attack.
- Updated Severity Ratings: The severity ratings in the rules have been updated to the following:
  - 0: Emergency - generated from correlation where there is an inbound attack and an outbound leakage.
  - 1: Alert - generated from correlation where there is an inbound attack and an outbound application level error.
  - 2: Critical - the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files).
  - 3: Error - generated mostly from outbound leakage rules (50 level files).
  - 4: Warning - generated by malicious client rules (35 level files).
  - 5: Notice - generated by the Protocol policy and anomaly files.
  - 6: Info - generated by the search engine clients (55 marketing file).
- Converted Snort Rules: Emerging Threats web attack rules have been converted. http://www.emergingthreats.net/
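Step 5 of the installation asks you to confirm that a simulated attack shows up in the Apache error log, and the severity ratings above are what each alert carries. The following added example (not part of the CRS project or this page) parses ModSecurity 2.x error-log lines into their [key "value"] fields, sums a per-request anomaly score by severity and reports which requests would cross an enforcement threshold. The log lines, rule ids, hostnames and unique_ids are constructed, and the severity weights and threshold are assumed values standing in for whatever you set in the 10 config file.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x error-log format. Rule ids,
# messages, hosts and unique_ids are made up for this example.
SAMPLE_LOG = """\
[Mon Feb 01 10:12:45 2010] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/etc/httpd/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "1"] [id "900001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "REQ-A"]
[Mon Feb 01 10:12:45 2010] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf"] [line "1"] [id "900002"] [msg "Request Indicates a Security Scanner"] [severity "WARNING"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "REQ-A"]
[Mon Feb 01 10:13:02 2010] [error] [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "1"] [id "900003"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/"] [unique_id "REQ-B"]
"""

# Per-severity weights (assumed; in CRS these are TX variables set in the 10 config file).
SEVERITY_WEIGHT = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# Score at which the 49 enforcement file would block (assumed threshold for this example).
INBOUND_ANOMALY_SCORE_LEVEL = 5

# Matches every [key "value"] pair; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_line(line):
    """Return the [key "value"] fields of one ModSecurity error-log line as a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def score_requests(log_text):
    """Group alerts by unique_id and sum the inbound anomaly score per request."""
    requests = defaultdict(lambda: {"score": 0, "rules": []})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # not a ModSecurity alert line
        fields = parse_line(line)
        if "unique_id" not in fields:
            continue  # cannot attribute the alert to a request
        entry = requests[fields["unique_id"]]
        entry["score"] += SEVERITY_WEIGHT.get(fields.get("severity", ""), 0)
        entry["rules"].append((fields.get("id"), fields.get("severity"), fields.get("msg")))
    return dict(requests)


def would_block(log_text):
    """unique_ids whose summed inbound score reaches the enforcement threshold."""
    return sorted(uid for uid, entry in score_requests(log_text).items()
                  if entry["score"] >= INBOUND_ANOMALY_SCORE_LEVEL)
```

Run it over your real error log to see, per request, which rules fired and whether the combined score would have triggered blocking in anomaly scoring mode, before you turn SecDefaultAction to deny.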
 * New Rules & Features:

modsecurity_crs_10_config.conf
modsecurity_crs_10_global_config.conf
 * CRS Rules Files

./base_rules:
modsecurity_40_generic_attacks.data
modsecurity_41_sql_injection_attacks.data
modsecurity_46_et_sql_injection.data
modsecurity_46_et_web_rules.data
modsecurity_50_outbound.data
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_46_et_sql_injection.conf
modsecurity_crs_46_et_web_rules.conf
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_48_local_exceptions.conf
modsecurity_crs_49_enforcement.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_60_correlation.conf

./optional_rules:
modsecurity_crs_42_comment_spam.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_55_marketing.conf

./util:
httpd-guardian.pl
modsec-clamscan.pl
runav.pl

Presentations and Whitepapers
Current CRS v2 presented at AppSec DC 2009.

Ofer Shezaf's presentation and whitepaper on the Core Rule Set v1 presented at 6th OWASP AppSec conference in Milan, Italy, in May 2007

Related Projects
ModSecurity - Open Source Web Application Firewall
OWASP Securing WebGoat using ModSecurity

Latest News and Mail List
Current Stable Version CRS 2.0.5

-- Version 2.0.5 - 02/01/2100 --

Improvements:

- Removed previous 10 config files as they may conflict with local customized Mod configs.
- Added a new 10 config file that allows the user to globally set TX variables to turn on/off PARANOID_MODE inspection, set anomaly score levels and http policies. Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
- Added Rule Logic and Reference links to rules descriptions.
- Added Rule IDs to all rules.
- Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification.
- Removed Apache limit directives from the 23 file.
- Added macro expansion to 23 file checks.
- Added @pmFromFile check to 35 bad robots file.
- Added malicious UA strings to 35 bad robots check.
- Created an experimental rules file.
- Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection.
- Removed TX inspections for generic attacks and reverted to standard ARGS inspection https://www.modsecurity.org/tracker/browse/MODSEC-120
- Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA).
- Moved converted ET Snort rules to the /optional_rules directory.
- Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the request headers.
- Updated Inbound blocking conf file to use macro expansion from the 10 config file settings.
- Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
- Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
- Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
- Added new outbound malware link detection rules.

Bug Fixes:

- Removed Non-numeric Rule IDs https://www.modsecurity.org/tracker/browse/CORERULES-28
- Updated the variable list on SQLi rules.
- Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring and blocking.

-- Version 2.0.4 - 11/30/2009 --

Improvements:

- Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
- Updated PHPIDS rules logic to first search for payloads in ARGS and then, if no match is found, search more generically in request_body|request_uri_raw.
- Updated PHPIDS rules logic to only set TX variables and to not log. This allows for cleaner exceptions in the 48 file, which can then expire/delete false positive TX matches and adjust the anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate alerts for any variable matches that exist.

Bug Fixes:

- Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of phase:4 which would allow for blocking based on information leakage issues.

Project Mail List: subscribe at owasp-modsecurity-core-rule-set@lists.owasp.org

Contributors, Users and Adopters
Project Leader

Ryan Barnett

Project Contributors

Brian Rectanus

The Core Rule Set (CRS) project is sponsored by Breach Security Labs (logo: http://www.owasp.org/images/5/56/BreachSecurityLabs.jpg).

Project Details
The CRS is an open source rule set licensed under GPLv2. The ModSecurity Core Rule Set works with ModSecurity 2.5 and above.