OWASP ModSecurity Core Rule Set v3

Nov 28, 2016
6
0
1
United Kingdom
cPanel Access Level
Root Administrator
Shouldn't the OWASP vendor config file have the version added to the name or even another field to display the version. So if you have v2 and v3 installed you can differentiate between the two?

If you look at the following files you will see they both have the exact same name

v2
http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP.yaml

v3
http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml

Also i notice v3 displays v2.9.0 in that file, is that an error or just local versioning?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,229
463
Hello,

This is addressed with internal case CPANEL-10477 in cPanel version 64:

Fixed case CPANEL-10477: Update WHM to use the new ModSecurity ruleset.

You'll see "OWASP ModSecurity Core Rule Set V3.0" as the vendor name in cPanel version 64. Additionally, the case includes the following conditions:

  • If the server did not have the older OWASP set installed, the new set should be the only one on the page.
  • If the server did have the older OWASP set installed, then it should still be installed and enabled, and the newer set should be shown as available to be installed.
Thank you.