Re: [mod-security-users] compatibility between apache module and OWASP_CRS
From: Christian F. <chr...@ne...> - 2024-03-28 09:41:10
Hey Hans,

This is all a bit complicated.

ModSecurity has a 2.9.x release line as well as a ModSecurity 3.0.x release line. 2.9.x is aimed for Apache, 3.0.x for Nginx. But expanding the 3.0 support to other webservers is a priority for the OWASP ModSecurity project.

CRS favors the use of ModSec 2.9 on Apache since ModSecurity 3 has a few implementation gaps and a performance problem. This is also being addressed this year.

Best regards,

Christian

On Tue, Mar 26, 2024 at 10:18:09PM +0100, Hans Mayer via mod-security-users wrote:
>
> Hi Christian,
>
> many thanks for your swift reply. I will give it a try.
>
> So, 2.9 is the latest production ready modsec.
>
> For version 3 at
> https://github.com/owasp-modsecurity/ModSecurity-apache/tree/master I see
> the recommendation to use v 2.9.x
>
> I am wondering because V 3 is also several years old.
>
> Best,
>
> Hans
>
> --
>
> On 26.03.24 08:44, Christian Folini wrote:
> > Good morning Hans,
> >
> > On Mon, Mar 25, 2024 at 10:12:50PM +0100, Hans Mayer via mod-security-users wrote:
> > > I am using Apache/2.4.57 on Debian bookworm with the modsecurity-crs
> > > package.
> > >
> > > In the logs I see: Producer: ModSecurity for Apache/2.9.7 ; OWASP_CRS/3.3.5
> > >
> > > At github there is already version 4 available from the coreruleset.
> > >
> > > Would this work with the existing /usr/lib/apache2/modules/mod_security2.so
> > Yes it would.
> >
> > More documentation at
> > https://coreruleset.org/20240214/let-crs-4-be-your-valentine/
> >
> > Please be aware that this is a major new release and the transition takes
> > a bit of planning and testing. There will be new false positives usually.
> >
> > Best,
> >
> > Christian
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/