Re: [mod-security-users] compatibility between apache module and OWASP_CRS
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] compatibility between apache module and OWASP_CRS
|
From: Hans M. <mo...@ma...> - 2024-03-31 14:20:29
|
Hey Christian, Many thanks for your valuable information. Best regards, Hans -- On 28.03.24 10:40, Christian Folini wrote: > Hey Hans, > > This is all a bit complicated. > > ModSecurity has a 2.9.x release line as well as a ModSecurity 3.0.x release > line. > > 2.9.x is aimed for Apache, 3.0.x for Nginx. But expanding the 3.0 support to > other webservers is a priority for the OWASP ModSecurity project. > > CRS favors the use of ModSec 2.9 on Apache since ModSecurity 3 has a few > implementation gaps and a performance problem. This is also being addressed > this year. > > Best regards, > > Christian > > > > On Tue, Mar 26, 2024 at 10:18:09PM +0100, Hans Mayer via mod-security-users wrote: >> Hi Christian, >> >> many thanks for your swift reply. I will give it a try. >> >> So, 2.9 is the latest production ready modsec. >> >> For version 3 at >> https://github.com/owasp-modsecurity/ModSecurity-apache/tree/master I see >> the recommendation to use v 2.9.x >> >> I am wondering because V 3 is also several years old. >> >> >> Best, >> >> Hans >> >> -- >> >> >> >> On 26.03.24 08:44, Christian Folini wrote: >>> Good morning Hans, >>> >>> On Mon, Mar 25, 2024 at 10:12:50PM +0100, Hans Mayer via mod-security-users wrote: >>>> I am using Apache/2.4.57 on Debian bookworm with the modsecurity-crs >>>> package. >>>> >>>> In the logs I see: Producer: ModSecurity for Apache/2.9.7 ; OWASP_CRS/3.3.5 >>>> >>>> At github there is already version 4 available from the coreruleset. >>>> >>>> Would this work with the existing /usr/lib/apache2/modules/mod_security2.so >>> Yes it would. >>> >>> More documentation at >>> https://coreruleset.org/20240214/let-crs-4-be-your-valentine/ >>> >>> Please be aware that this is a major new release and the transition takes >>> a bit of planning and testing. There will be new false positives usually. >>> >>> Best, >>> >>> Christian >>> >>> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
