[SOLVED] Update OWASP CRS?
Hey there! We don't test versions besides what is available in the interface already. You're welcome to install alternative versions or providers, but we can't guarantee they'll work well on the system. The only way to know for sure would be to try it, preferably on a test system or a low-traffic machine before deciding to move that into a regular production system.
Do you have an estimate when cPanel will have the newest OWASP CRS version?
That's correct!
So after running the script, it will show as "OWASP ModSecurity Core Rule Set V3.3" under WHM >> Security Center >> ModSecurity Vendors, correct? Does it automatically disable the previous V3.0 rule set?
The only change inside WHM >> ModSecurity Vendors will be the wording of the rules. You'll see this: "OWASP ModSecurity Core Rule Set V3.0" change to this: "OWASP CRS v3.x for ModSec 2.9 (via pkg)", which indicates you've installed the rules from that package.
OK. Will the conf file still be in the same directory as before? /etc/apache2/conf.d/modsec_vendor_configs/OWASP3
Yes - when you install that package you'll see a few timestamps in that directory update. Here's a test I did just now:
[root@host OWASP3]# ll
total 228K
drwxr-xr-x 6 root root 4.0K May 5 14:14 .
drwx------. 3 root root 4.0K May 5 14:14 ..
-rw-r--r-- 1 root root 74K Apr 7 15:48 CHANGES
-rw-r--r-- 1 root root 7.7K Apr 7 15:48 CONTRIBUTING.md
-rw-r--r-- 1 root root 3.3K Apr 7 15:48 CONTRIBUTORS.md
-rw-r--r-- 1 root root 33K Apr 7 15:48 crs-setup.conf
-rw-r--r-- 1 root root 33K Apr 7 15:48 crs-setup.conf.example
drwxr-xr-x 3 root root 4.0K May 5 14:14 docs
-rw-r--r-- 1 root root 17K Apr 7 15:48 INSTALL
-rw-r--r-- 1 root root 2.8K Apr 7 15:48 KNOWN_BUGS
-rw-r--r-- 1 root root 12K Apr 7 15:48 LICENSE
-rw-r--r-- 1 root root 2.5K Apr 7 15:48 README.md
drwxr-xr-x 2 root root 4.0K May 5 14:14 rules
-rw-r--r-- 1 root root 2.2K Apr 7 15:48 SECURITY.md
drwxr-xr-x 4 root root 4.0K May 5 14:14 tests
drwxr-xr-x 10 root root 4.0K May 5 14:14 util
OK, perfect. Thank you for testing this!
Sure thing!
I successfully upgraded to OWASP CRS 3.3 today, thanks again for the help. However, I noticed OWASP only had 22/32 rules enabled. Was that on purpose? The disabled rules are listed below:
rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
rules/REQUEST-911-METHOD-ENFORCEMENT.conf
rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Should these be enabled?
That is intentional - you can always customize the configuration further after the update.
Any of those disabled rules that you would recommend enabling?
These rules are actually exclusion rules, designed to mitigate problems from false-positives in the ModSecurity system. In the past, you had to manually remove rules one at a time as they came up. In this case though, you could enable the rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf set because you're using these rules on a cPanel server. However, if you're not seeing problems, you aren't required to enable any of these.
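Added example (not part of the thread or of cPanel's tooling): in CRS 3.x each REQUEST-903.900x exclusion file only acts when its tx.crs_exclusions_<app> variable is set to 1 in crs-setup.conf, so this shell check lists which packages are actually switched on. The sample file and the function names are constructed for illustration; point the function at the crs-setup.conf in the vendor directory to check a real install.

```shell
#!/bin/sh
# Added example: report which CRS 3.x application exclusion packages are
# switched on in a crs-setup.conf. Commented-out lines are ignored.

# Print the names of active exclusion packages, one per line.
# $1: path to crs-setup.conf
active_crs_exclusions() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -o 'setvar:tx\.crs_exclusions_[a-z]*=1' |
        sed 's/^setvar:tx\.crs_exclusions_//; s/=1$//' |
        sort -u
}

# Return 0 if the named package (e.g. cpanel) is active in the given file.
# $1: path to crs-setup.conf, $2: package name
crs_exclusion_is_active() {
    active_crs_exclusions "$1" | grep -qx "$2"
}

# Constructed sample modelled on the SecAction 900130 block of
# crs-setup.conf.example: cPanel on, WordPress still commented out.
write_sample_setup() {
    cat > "$1" <<'EOF'
# Application-specific rule exclusions (constructed sample)
SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_cpanel=1"
#  setvar:tx.crs_exclusions_wordpress=1,\
EOF
}

sample=$(mktemp)
write_sample_setup "$sample"
echo "Active exclusion packages:"
active_crs_exclusions "$sample"
rm -f "$sample"
```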
Perfect. Thank you!
Old thread, I know, but I really wish I could see the "Exclusion" rules available on my new servers. All I see are the main 22 "Core" rules in WHM, and I don't see a way to include the Exclusions rules. Any help would be greatly appreciated!
I discovered that a few modsecurity modules were not installed in WHM EasyApache 4, so I've recompiled to enable these:
mod_security2 / 2.9.7-1.el8.cloudlinux.2 / Security module for the Apache HTTP Server
mod_security2-debugsource / 2.9.7-1.1.17.cpanel / Debug sources for package ea-apache24-mod_security2
mod_security2-mlogc / 2.9.7-1.el8.cloudlinux.2 / ModSecurity Audit Log Collector
modsec2-rules-owasp-crs / 3.3.5-1.el8.cloudlinux / OWASP ModSecurity Core Rule Set (CRS)
And now I can see the exclusion rules, for a total of 33 instead of 22.
Hoping to make some headway now.