[Owasp-modsecurity-core-rule-set] OWASP ModSecurity Core Rule Set Version 3.0.0 Released

The OWASP ModSecurity Core Rule Set team is excited to announce the CRS release v3.0.0, short CRS3. Over 4 years in the making, this release represents a huge step forward in terms of capabilities, usability and protection. Key features include: * Over 90% reduction of false alarms in a default install when compared to CRS2 * A user-defined Paranoia Level to enable additional strict checks * Application-specific exclusions for WordPress Core and Drupal * Sampling mode: runs the CRS on a user-defined percentage of traffic * SQLi/XSS parsing using libinjection embedded in ModSecurity For a complete list of new features and the changes in this release, see the new site of the project https://modsecurity.org/crs or the CHANGES document on github https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/CHANGES CRS3 is the best stable release of the OWASP ModSecurity Core Rule Set. We advise all users and providers of boxed CRS versions to update their setups. CRS2 will reach its end of life soon. CRS3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or higher. Our GitHub repository is the preferred way to download and update CRS: $> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git For detailed installation instructions, see the INSTALL document. https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL The release is accompanied by a series of tutorials that guide you through the * Setup of ModSecurity https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/ * Inclusion of the CRS https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/ * Handling of false positives https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/ Our desire is to see the Core Rules project as a simple baseline security feature, effectively fighting OWASP TOP 10 weaknesses with few side effects. As such we attempted to cut down on false positives as much as possible in the default install. Of course this must not affect the detection capabilities of the WAF. We honestly believe that the default install of CRS3 brings at least the same level of security and higher paranoia levels let you protect your site even more tightly. We are very excited about this release. So excited, we want to make it into a movie. As a first step, we designed the following poster: https://modsecurity.org/crs/poster Please share this link and feel free to print it for your personal use! Sincerely, Christian Folini on behalf of Chaim Sanders and Walter Hop (The Core CRS team, so to say) -- https://modsecurity.org/crs