Are you sure it's not production yet? I just checked my e-mail and I see a message from the mailing list...this is what it says:
The OWASP ModSecurity Core Rule Set team is excited to announce the
CRS release v3.0.0, short CRS3.
Over 4 years in the making, this release represents a huge step forward
in terms of capabilities, usability and protection. Key features
include:
* Over 90% reduction of false alarms in a default install
when compared to CRS2
* A user-defined Paranoia Level to enable additional strict checks
* Application-specific exclusions for WordPress Core and Drupal
* Sampling mode: runs the CRS on a user-defined percentage of traffic
* SQLi/XSS parsing using libinjection embedded in ModSecurity
For a complete list of new features and the changes in this release, see
the new site of the project
https://modsecurity.org/crs
or the CHANGES document on github
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/CHANGES
CRS3 is the best stable release of the OWASP ModSecurity Core Rule Set.
We advise all users and providers of boxed CRS versions to update their
setups. CRS2 will reach its end of life soon.
CRS3 requires an Apache/IIS/Nginx web server with ModSecurity 2.8.0 or
higher.
Our GitHub repository is the preferred way to download and update CRS:
$> git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
For detailed installation instructions, see the INSTALL document.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/INSTALL
The release is accompanied by a series of tutorials that guide you
through the
* Setup of ModSecurity
https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
* Inclusion of the CRS
https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/
* Handling of false positives
https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/
Our desire is to see the Core Rules project as a simple baseline
security feature, effectively fighting OWASP TOP 10 weaknesses with few
side effects. As such we attempted to cut down on false positives as
much as possible in the default install. Of course this must not affect
the detection capabilities of the WAF. We honestly believe that the
default install of CRS3 brings at least the same level of security and
higher paranoia levels let you protect your site even more tightly.
We are very excited about this release. So excited, we want to make it
into a movie. As a first step, we designed the following poster:
https://modsecurity.org/crs/poster
Please share this link and feel free to print it for your personal use!
Sincerely,
Christian Folini on behalf of Chaim Sanders and Walter Hop
(The Core CRS team, so to say)
[IMG]https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif[/IMG][Wed Nov 09 15:11:19.105770 2016] [core:warn] [pid 23822] AH00111: Config variable ${REQUEST_URI} is not defined
[Wed Nov 09 15:11:19.106369 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
[Wed Nov 09 15:11:19.106405 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
[Wed Nov 09 15:11:19.187538 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: Access denied with redirection to http://example.com/ using status 302 (phase 2). Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP/rules/REQUEST-13-SCANNER-DETECTION.conf"] [line "17"] [id "990002"] [rev "2"] [msg "Request Indicates a Security Scanner Scanned the Site"] [data "Matched Data: nikto found within REQUEST_HEADERS:User-Agent: mozilla/5.00 (nikto/2.1.6) (evasions:none) (test:domino detection)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: example.com"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation"] [tag "reputation-scanner"] [tag "OWASP_CRS/AUTOMATION/SECURITY_SCANNER"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]
[Wed Nov 09 15:11:19.187968 2016] [:error] [pid 23822] [client <my server's IP address>] ModSecurity: collection_store: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "example.com"] [uri "/domcfg.nsf"] [unique_id "WCOC51yjguAUmeGkQeAWwgAAAAE"]drwxr-xr-x 23 root root 4096 Nov 10 04:04 /var/
drwx--x--x 98 root root 12288 Nov 10 16:04 /var/cpanel/
drwxrwx-wT 2 root nobody 4096 Jan 21 2016 /var/cpanel/secdatadir/
-rw-rw-r-- 1 nobody nobody 0 Jan 21 2016 /var/cpanel/secdatadir/global.dir
-rw-rw-r-- 1 nobody nobody 0 Jan 21 2016 /var/cpanel/secdatadir/global.pag
-rw-rw-rw- 1 nobody nobody 4096 Nov 9 14:55 /var/cpanel/secdatadir/ip.dir
-rw-rw-rw- 1 nobody nobody 2009088 Nov 10 15:58 /var/cpanel/secdatadir/ip.pagI would think so, yes. The cPanel team probably got the same email you did, just today.
4 years in the waiting with some of the most problematic rules I've ever used, and we get jokes.
Haha.Feature Requests are moderated. You can read more about that here if needed:
https://forums.cpanel.net/pages/cpfeatures/
I would think so, yes. The cPanel team probably got the same email you did, just today.
Here's the actual link to the OWASP list for reference:
[Owasp-modsecurity-core-rule-set] OWASP ModSecurity Core Rule Set Version 3.0.0 Released
Funny parts:
4 years in the waiting with some of the most problematic rules I've ever used, and we get jokes.
Those error messages are discussed on the following thread:
