owasp-modsecurity-crs
OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
Top Related Projects
OWASP CRS (Official Repository)
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
Daemon to ban hosts that cause multiple authentication errors
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Quick Overview
The OWASP ModSecurity Core Rule Set (CRS) is an open-source set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. It provides protection against a wide range of web application security risks, including those listed in the OWASP Top Ten.
Pros
- Comprehensive protection against common web application attacks
- Regularly updated to address new threats and vulnerabilities
- Highly customizable and configurable to suit specific needs
- Large and active community for support and contributions
Cons
- Can be complex to set up and fine-tune for optimal performance
- May generate false positives, requiring careful configuration
- Performance impact on web servers, especially with default settings
- Requires ongoing maintenance and updates to stay effective
Getting Started
To get started with the OWASP ModSecurity Core Rule Set:
- Install ModSecurity on your web server
- Clone the CRS repository:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
- Copy the
crs-setup.conf.example
tocrs-setup.conf
and customize as needed - Include the CRS in your ModSecurity configuration:
Include /path/to/owasp-modsecurity-crs/crs-setup.conf Include /path/to/owasp-modsecurity-crs/rules/*.conf
- Restart your web server
- Monitor logs and adjust rules as necessary to reduce false positives
Note: Detailed installation and configuration instructions can be found in the project's documentation.
Competitor Comparisons
OWASP CRS (Official Repository)
Pros of coreruleset
- More active development and frequent updates
- Better documentation and user guides
- Improved integration with modern web application firewalls
Cons of coreruleset
- Potentially more complex configuration for beginners
- May require more fine-tuning for specific use cases
Code Comparison
owasp-modsecurity-crs:
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:acunetix|nikto|sqlmap)" \
"id:999000,\
phase:1,\
block,\
t:none,\
msg:'Malicious User Agent Detected',\
logdata:'%{MATCHED_VAR}'"
coreruleset:
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:acunetix|nikto|sqlmap|nessus|nmap|openvas|qualys|burpsuite)" \
"id:913100,\
phase:1,\
block,\
t:none,\
msg:'Found User-Agent associated with security scanner',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-reputation-scanner',\
tag:'paranoia-level/1',\
ver:'OWASP_CRS/3.3.0',\
severity:'CRITICAL',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
The coreruleset example shows more comprehensive detection patterns, additional metadata, and integration with the anomaly scoring system, reflecting its more advanced and actively maintained nature.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
Pros of ModSecurity
- Core engine: Provides the fundamental web application firewall functionality
- Flexibility: Can be integrated with various web servers and platforms
- Active development: Regular updates and improvements
Cons of ModSecurity
- Limited out-of-the-box protection: Requires additional rule sets for comprehensive security
- Complexity: Can be challenging to configure and fine-tune for specific environments
Code Comparison
ModSecurity (basic rule):
SecRule REQUEST_HEADERS:User-Agent "nikto" \
"id:1,phase:1,t:lowercase,deny,log,msg:'Nikto scanner detected'"
owasp-modsecurity-crs (CRS rule):
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,phase:1,block,t:none,t:lowercase,log,msg:'Found User-Agent associated with security scanner'"
The ModSecurity example shows a basic rule to detect a specific scanner, while the CRS rule uses a more comprehensive approach with a predefined list of scanner user agents.
ModSecurity provides the core engine, while owasp-modsecurity-crs offers a comprehensive set of rules built on top of ModSecurity. CRS provides ready-to-use protection against various web application attacks, making it easier to implement robust security measures. However, ModSecurity allows for more customization and integration with different web servers, offering greater flexibility for advanced users.
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
Pros of naxsi
- Lightweight and designed specifically for NGINX, offering better performance
- Simpler configuration and easier to maintain
- Focuses on positive security model, potentially reducing false positives
Cons of naxsi
- Less comprehensive rule set compared to ModSecurity CRS
- Smaller community and fewer updates
- Limited compatibility with web servers other than NGINX
Code comparison
naxsi configuration example:
location / {
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
}
owasp-modsecurity-crs configuration example:
SecRule REQUEST_HEADERS:User-Agent "nikto" \
"id:900001,\
phase:1,\
deny,\
log,\
msg:'Nikto Scan Detected'"
Both projects aim to provide web application firewall functionality, but naxsi is more NGINX-specific and lightweight, while owasp-modsecurity-crs offers a more comprehensive and widely compatible solution. naxsi's configuration is generally simpler, but owasp-modsecurity-crs provides a more extensive rule set and broader community support.
Daemon to ban hosts that cause multiple authentication errors
Pros of fail2ban
- Lightweight and easy to set up, requiring minimal system resources
- Versatile, capable of protecting various services beyond just web applications
- Actively maintained with regular updates and a large community
Cons of fail2ban
- Reactive approach, blocking threats after they've been detected
- Limited in its ability to prevent sophisticated application-layer attacks
- Potential for false positives if not configured properly
Code Comparison
fail2ban configuration example:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
owasp-modsecurity-crs rule example:
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:acunetix|nikto|sqlmap)" \
"id:999999,\
phase:1,\
deny,\
status:403,\
msg:'Malicious User Agent Detected'"
fail2ban focuses on log parsing and IP blocking, while owasp-modsecurity-crs provides detailed rules for web application firewall protection. fail2ban is more general-purpose and easier to configure, but owasp-modsecurity-crs offers more comprehensive web application security.
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Pros of Suricata
- Designed for high-performance network security monitoring
- Supports multi-threading for improved processing speed
- Offers extensive protocol analysis and file extraction capabilities
Cons of Suricata
- Requires more system resources compared to ModSecurity
- Has a steeper learning curve for rule creation and management
- May generate more false positives due to its broader scope
Code Comparison
Suricata rule example:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SQL Injection Attempt";
flow:established,to_server; content:"SELECT"; nocase;
content:"FROM"; distance:0; nocase; sid:1000001; rev:1;)
ModSecurity rule example:
SecRule ARGS "@rx (?i:select.*from)" \
"id:1000001,\
phase:2,\
t:none,\
block,\
msg:'SQL Injection Attempt',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}'"
Both examples show rules for detecting SQL injection attempts, but Suricata focuses on network traffic analysis, while ModSecurity is designed for web application firewalls.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
CRS migrated to a new :house: !
The OWASP ModSecurity Core Rule Set (CRS) has moved to https://github.com/coreruleset/coreruleset.
A note on this change:
This project started at Trustwave SpiderLabs over ten years ago, it was created with the idea of making a free ruleset that anyone can use to get started with ModSecurity. Over time it has grown into a community maintained project that no longer needs our direct support- which is the best you can hope for with such a project: Apart from growing a community dedicated fully to maintaining the CRS project, it also freed us up to focus fully on maintaining ModSecurity the engine.
Given that Trustwave SpiderLabs hasn't been the maintainer of the project for a few years now it made sense for it to have its own home on GitHub. As such, in coordination with the CRS team it has moved to the following location: https://github.com/coreruleset/coreruleset
This project is now archived to retain its history and make sure that no links are broken but it will NOT be maintained at this location so if you're working directly with GitHub make sure to update your scripts and environments accordingly.
- Trustwave SpiderLabs
OWASP ModSecurity Core Rule Set (CRS)
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
CRS Resources
Please see the OWASP ModSecurity Core Rule Set page to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
Contributing to the CRS
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false positive alert reports, evasions, usability issues, and suggestions for new detections.
Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log.
Sign up for our Google Group to ask general usage questions and participate in discussions on the CRS. Also here you can find the archives for the previous mailing list.
Join the #coreruleset channel on OWASP Slack to chat about the CRS.
License
Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
Top Related Projects
OWASP CRS (Official Repository)
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
Daemon to ban hosts that cause multiple authentication errors
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot