[SOLVED] Update OWASP CRS?

  • cPRex Jurassic Moderator
    Hey there! We don't test versions besides what is available in the interface already. You're welcome to install alternative versions or providers, but we can't guarantee they'll work well on the system. The only way to know for sure would be to try it, preferably on a test system or a low-traffic machine before deciding to move that into a regular production system.
  • msklut
    Do you have an estimate when cPanel will have the newest OWASP CRS version?
  • cPRex Jurassic Moderator
    I did some additional testing on my end and found that the current version in EasyApache is 3.3. There are more details on installing this specific version here:
  • msklut
    I did some additional testing on my end and found that the current version in EasyApache is 3.3. There are more details on installing this specific version here:
  • cPRex Jurassic Moderator
    That's correct!
  • msklut
    So after running the script, it will show as "OWASP ModSecurity Core Rule Set V3.3" under WHM >> Security Center >> ModSecurity >> Vendors, correct? Does it automatically disable the previous V3.0 rule set?
  • cPRex Jurassic Moderator
    The only change inside WHM >> ModSecurity Vendors will be the wording of the rules. You'll see this:
      OWASP ModSecurity Core Rule Set V3.0
    change to this:
      OWASP CRS v3.x for ModSec 2.9 (via pkg)
    which indicates you've installed the rules from that package.
  • msklut
    OK. Will the conf file still be in the same directory as before? /etc/apache2/conf.d/modsec_vendor_configs/OWASP3
  • cPRex Jurassic Moderator
    Yes - when you install that package you'll see a few timestamps in that directory update. Here's a test I did just now:
      [root@host OWASP3]# ll
      total 228K
      drwxr-xr-x   6 root root 4.0K May  5 14:14 .
      drwx------.  3 root root 4.0K May  5 14:14 ..
      -rw-r--r--   1 root root  74K Apr  7 15:48 CHANGES
      -rw-r--r--   1 root root 7.7K Apr  7 15:48 CONTRIBUTING.md
      -rw-r--r--   1 root root 3.3K Apr  7 15:48 CONTRIBUTORS.md
      -rw-r--r--   1 root root  33K Apr  7 15:48 crs-setup.conf
      -rw-r--r--   1 root root  33K Apr  7 15:48 crs-setup.conf.example
      drwxr-xr-x   3 root root 4.0K May  5 14:14 docs
      -rw-r--r--   1 root root  17K Apr  7 15:48 INSTALL
      -rw-r--r--   1 root root 2.8K Apr  7 15:48 KNOWN_BUGS
      -rw-r--r--   1 root root  12K Apr  7 15:48 LICENSE
      -rw-r--r--   1 root root 2.5K Apr  7 15:48 README.md
      drwxr-xr-x   2 root root 4.0K May  5 14:14 rules
      -rw-r--r--   1 root root 2.2K Apr  7 15:48 SECURITY.md
      drwxr-xr-x   4 root root 4.0K May  5 14:14 tests
      drwxr-xr-x  10 root root 4.0K May  5 14:14 util
  • msklut
    OK, perfect. Thank you for testing this!
  • cPRex Jurassic Moderator
    Sure thing!
  • msklut
    I successfully upgraded to OWASP CRS 3.3 today, thanks again for the help. However, I noticed OWASP only had 22/32 rules enabled. Was that on purpose? The disabled rules are listed below:
      rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
      rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
      rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
      rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
      rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
      rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
      rules/REQUEST-911-METHOD-ENFORCEMENT.conf
      rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
      rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
      rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
    Should these be enabled?
  • cPRex Jurassic Moderator
    That is intentional - you can always customize the configuration further after the update.
  • msklut
    Any of those disabled rules that you would recommend enabling?
  • cPRex Jurassic Moderator
    These rules are actually exclusion rules, designed to mitigate problems from false-positives in the ModSecurity system. In the past, you had to manually remove rules one at a time as they came up. In this case though, you could enable the rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf set because you're using these rules on a cPanel server. However, if you're not seeing problems, you aren't required to enable any of these.
  • msklut
    Perfect. Thank you!
  • Metro2

    Old thread, I know, but I really wish I could see the "Exclusion" rules available on my new servers. All I see are the main 22 "Core" rules in WHM, and I don't see a way to include the Exclusions rules. Any help would be greatly appreciated!

  • Metro2

    I discovered that a few modsecurity modules were not installed in WHM EasyApache 4, so I've recompiled to enable these:

    mod_security2 / 2.9.7-1.el8.cloudlinux.2 / Security module for the Apache HTTP Server 

    mod_security2-debugsource / 2.9.7-1.1.17.cpanel / Debug sources for package ea-apache24-mod_security2 

    mod_security2-mlogc / 2.9.7-1.el8.cloudlinux.2 / ModSecurity Audit Log Collector 

    modsec2-rules-owasp-crs / 3.3.5-1.el8.cloudlinux / OWASP ModSecurity Core Rule Set (CRS)

    And now I can see the exclusion rules for a total of 33 instead of 22

    Hoping to make some headway now.
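
The enabled/disabled counts discussed in this thread (22/32, later 33 files) can be cross-checked from the shell by comparing the vendor `rules` directory against the active `Include` lines. This is an added example, not part of the thread or of cPanel's tooling; the function names are hypothetical, the config file you pass in is whichever one on your server holds the Include lines (assumed to use absolute paths), and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list which CRS rule files are active.
# Assumption: INCLUDE_CONF is whichever Apache config on your server holds the
# vendor Include lines, and those lines use absolute paths.

# Print the path argument of every uncommented Include/IncludeOptional line.
active_includes() {
    sed -n -E 's/^[[:space:]]*[Ii]nclude(Optional)?[[:space:]]+"?([^"[:space:]]+)"?[[:space:]]*$/\2/p' "$1"
}

# is_included FILE INCLUDE_CONF: true if an active include names or globs FILE.
is_included() {
    active_includes "$2" | while IFS= read -r pat; do
        case $1 in $pat) echo yes; break ;; esac
    done | grep -q yes
}

# crs_rule_status RULES_DIR INCLUDE_CONF: one "enabled|disabled NAME" per file.
crs_rule_status() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        if is_included "$f" "$2"; then state=enabled; else state=disabled; fi
        echo "$state ${f##*/}"
    done
}

# crs_rule_summary RULES_DIR INCLUDE_CONF: "enabled/total", as in "22/32".
crs_rule_summary() {
    crs_rule_status "$1" "$2" | awk '$1 == "enabled" { e++ } END { printf "%d/%d\n", e, NR }'
}

# make_demo DIR: constructed sample tree (empty rule files, one active include).
make_demo() {
    mkdir -p "$1/rules"
    for n in REQUEST-901-INITIALIZATION REQUEST-903.9005-CPANEL-EXCLUSION-RULES \
             REQUEST-932-APPLICATION-ATTACK-RCE; do
        : > "$1/rules/$n.conf"
    done
    cat > "$1/includes.conf" <<EOF
Include "$1/rules/REQUEST-901-INITIALIZATION.conf"
# Include "$1/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf"
EOF
}

demo=$(mktemp -d)
make_demo "$demo"
crs_rule_status "$demo/rules" "$demo/includes.conf"
crs_rule_summary "$demo/rules" "$demo/includes.conf"
rm -rf "$demo"
```

Run before and after a rule-set upgrade, the `disabled` lines show which files dropped out of the active configuration, including the exclusion-rule files that do not appear in the interface.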
