[SOLVED] Update OWASP CRS?

cPanel & WHM Version
CentOS 7

msklut

Well-Known Member
May 24, 2020
62
5
8
NC
cPanel Access Level
Root Administrator
Is it possible to get the most updated OWASP Core Rule Set on CentOS? We would like to implement ModSecurity rules that are available on the latest versions. We’re on version 3.0 and the current stable version is 3.3. Are there compatibility issues with cPanel for the latest version?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,498
1,971
363
cPanel Access Level
Root Administrator
Hey there! We don't test versions besides what is available in the interface already. You're welcome to install alternative versions or providers, but we can't guarantee they'll work well on the system. The only way to know for sure would be to try it, preferably on a test system or a low-traffic machine before deciding to move that into a regular production system.
 
Reactions: msklut

msklut

Do you have an estimate when cPanel will have the newest OWASP CRS version?
 

cPRex

I did some additional testing on my end and found that the current version in EasyApache is 3.3. There are more details on installing this specific version here:

 
Reactions: msklut

msklut

OK, so to update to the current version 3.3 I need to run yum install ea-modsec2-rules-owasp-crs?
 

cPRex

The only change inside WHM >> ModSecurity Vendors will be the wording of the rules. You'll see this:

OWASP ModSecurity Core Rule Set V3.0

change to this:

OWASP CRS v3.x for ModSec 2.9 (via pkg)

which indicates you've installed the rules from that package.
 
Reactions: msklut

msklut

OK. Will the conf file still be in the same directory as before?

Code:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP3
 

cPRex

Yes - when you install that package you'll see a few timestamps in that directory update. Here's a test I did just now:

Code:
[[email protected] OWASP3]# ll
total 228K
drwxr-xr-x   6 root root 4.0K May  5 14:14 .
drwx------.  3 root root 4.0K May  5 14:14 ..
-rw-r--r--   1 root root  74K Apr  7 15:48 CHANGES
-rw-r--r--   1 root root 7.7K Apr  7 15:48 CONTRIBUTING.md
-rw-r--r--   1 root root 3.3K Apr  7 15:48 CONTRIBUTORS.md
-rw-r--r--   1 root root  33K Apr  7 15:48 crs-setup.conf
-rw-r--r--   1 root root  33K Apr  7 15:48 crs-setup.conf.example
drwxr-xr-x   3 root root 4.0K May  5 14:14 docs
-rw-r--r--   1 root root  17K Apr  7 15:48 INSTALL
-rw-r--r--   1 root root 2.8K Apr  7 15:48 KNOWN_BUGS
-rw-r--r--   1 root root  12K Apr  7 15:48 LICENSE
-rw-r--r--   1 root root 2.5K Apr  7 15:48 README.md
drwxr-xr-x   2 root root 4.0K May  5 14:14 rules
-rw-r--r--   1 root root 2.2K Apr  7 15:48 SECURITY.md
drwxr-xr-x   4 root root 4.0K May  5 14:14 tests
drwxr-xr-x  10 root root 4.0K May  5 14:14 util
 

msklut

Sure thing!
I successfully upgraded to OWASP CRS 3.3 today, thanks again for the help. However, I noticed OWASP only had 22/32 rules enabled. Was that on purpose?

The disabled rules are listed below:
Code:
rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf   
rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf   
rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf   
rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf   
rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf   
rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
rules/REQUEST-911-METHOD-ENFORCEMENT.conf  
rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf  
rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf  
rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
Should these be enabled?
 

cPRex

These rules are actually exclusion rules, designed to mitigate problems from false-positives in the ModSecurity system. In the past, you had to manually remove rules one at a time as they came up. In this case though, you could enable the rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf set because you're using these rules on a cPanel server.

However, if you're not seeing problems, you aren't required to enable any of these.
 
Reactions: msklut
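
An added example (not from the thread or from cPanel): a shell helper that sorts a list of disabled CRS files like the one posted above into application exclusion packages and detection rule files, and checks whether crs-setup.conf sets the matching tx.crs_exclusions_<app> variable that upstream CRS 3.x uses to switch an exclusion package on. The function names are hypothetical, and the crs-setup.conf path and the file list are supplied by the caller.

```shell
#!/bin/sh
# Added example: triage a list of disabled CRS rule files.
# Function names are illustrative; pass your own crs-setup.conf path.

# classify_rule FILE -> "exclusion:<app>" for REQUEST-903.9xxx packages,
# "detection" for every other rule file.
classify_rule() {
    base=$(basename "$1" .conf)
    case "$base" in
        REQUEST-903.9[0-9][0-9][0-9]-*-EXCLUSION-RULES)
            app=${base#REQUEST-903.9???-}
            app=${app%-EXCLUSION-RULES}
            printf 'exclusion:%s\n' "$(printf '%s' "$app" | tr 'A-Z' 'a-z')" ;;
        *)  echo detection ;;
    esac
}

# flag_set SETUP_CONF APP -> succeeds only if an uncommented line sets
# tx.crs_exclusions_<app>=1 (upstream ships this setvar commented out).
flag_set() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "setvar:tx\.crs_exclusions_$2=1"
}

# report SETUP_CONF < list of disabled files, one per line
report() {
    while IFS= read -r f; do
        f=$(printf '%s' "$f" | tr -d '[:space:]')   # list lines may carry trailing spaces
        [ -n "$f" ] || continue
        kind=$(classify_rule "$f")
        case "$kind" in
            exclusion:*)
                app=${kind#exclusion:}
                if flag_set "$1" "$app"; then state="flag set"; else state="flag not set"; fi
                printf '%s: exclusion package (%s), %s\n' "$f" "$app" "$state" ;;
            *)  printf '%s: detection rules, not an exclusion package\n' "$f" ;;
        esac
    done
}

# Usage: sh triage.sh /path/to/crs-setup.conf < disabled-files.txt
if [ $# -ge 1 ]; then report "$1"; fi
```

An exclusion package reported as "flag not set" stays inert even when its file is enabled, because upstream CRS 3.x skips those rules until the variable is set in crs-setup.conf.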

msklut

Perfect. Thank you!
 
Reactions: cPRex