Top Related Projects
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
High-performance WAF built on the OpenResty stack
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Daemon to ban hosts that cause multiple authentication errors
Quick Overview
The OWASP ModSecurity Core Rule Set (CRS) is an open-source web application firewall (WAF) rule set. It provides protection against a wide range of web application vulnerabilities, including the OWASP Top Ten, with a focus on minimizing false positives and ease of use.
Pros
- Comprehensive protection against common web application attacks
- Regularly updated to address new threats and vulnerabilities
- Highly customizable and configurable to suit different environments
- Large and active community for support and contributions
Cons
- Can be complex to set up and fine-tune for optimal performance
- May require significant resources, potentially impacting application performance
- False positives can occur, especially in complex applications
- Requires ongoing maintenance and updates to stay effective
Getting Started
To get started with the OWASP ModSecurity Core Rule Set:
- Install ModSecurity on your web server (e.g., Apache, Nginx)
- Download the latest CRS release from the GitHub repository
- Extract the files and place them in your ModSecurity configuration directory
- Include the CRS configuration in your ModSecurity setup:
# Include the CRS configuration
Include /path/to/coreruleset/crs-setup.conf
# Include the CRS rules
Include /path/to/coreruleset/rules/*.conf
- Configure the CRS by editing the
crs-setup.conffile - Restart your web server to apply the changes
- Monitor logs and adjust rules as needed to reduce false positives
Note: Detailed installation and configuration instructions can be found in the project's documentation on GitHub.
Competitor Comparisons
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
Pros of ModSecurity
- More comprehensive web application firewall (WAF) solution
- Offers broader protection against various web attacks
- Highly configurable and customizable
Cons of ModSecurity
- Steeper learning curve and more complex setup
- Can be resource-intensive, potentially impacting server performance
- Requires more maintenance and fine-tuning
Code Comparison
ModSecurity rule example:
SecRule REQUEST_HEADERS:User-Agent "nikto" \
"id:1000,phase:1,deny,log,msg:'Nikto Scan Detected'"
CoreRuleSet rule example:
SecRule REQUEST_HEADERS:User-Agent "@contains nikto" \
"id:900001,phase:1,block,t:lowercase,log,msg:'Nikto Scan Detected'"
Both examples show rules to detect and block Nikto scans. ModSecurity's rule is more basic, while CoreRuleSet's rule includes additional options like case-insensitive matching.
CoreRuleSet is a set of rules designed to work with ModSecurity, providing pre-configured protection against common web application attacks. It's easier to implement but less flexible than a full ModSecurity setup. CoreRuleSet is ideal for users who want quick, out-of-the-box protection, while ModSecurity is better for those needing granular control and customization of their WAF.
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
Pros of Naxsi
- Lightweight and designed specifically for Nginx, offering better performance
- Simple configuration and easy to deploy
- Focuses on positive security model, potentially reducing false positives
Cons of Naxsi
- Smaller rule set compared to CoreRuleSet, potentially offering less comprehensive protection
- Less frequent updates and smaller community support
- Limited documentation and learning resources
Code Comparison
Naxsi rule example:
MainRule "str:select" "msg:SQL Injection" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
CoreRuleSet rule example:
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx select.+(?:from|union.+select)" \
"id:942100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,t:sqlHexDecode,\
msg:'SQL Injection Attack Detected via libinjection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
High-performance WAF built on the OpenResty stack
Pros of lua-resty-waf
- Written in Lua, offering better performance and lower resource usage
- Designed specifically for OpenResty, allowing seamless integration
- More flexible and customizable due to its modular architecture
Cons of lua-resty-waf
- Smaller community and less frequent updates compared to coreruleset
- Fewer out-of-the-box rules, requiring more manual configuration
- Limited documentation and examples for advanced use cases
Code Comparison
lua-resty-waf:
local waf = require "resty.waf"
local waf_instance = waf:new()
waf_instance:exec()
coreruleset:
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:acunetix|arachni|nikto|w3af)" \
"id:900000,\
phase:1,\
block,\
t:none,\
msg:'Scanner Detection',\
logdata:'%{MATCHED_VAR}',\
tag:'application-attack-reconnaissance',\
severity:'CRITICAL'"
The lua-resty-waf code snippet demonstrates its simplicity in implementation, while the coreruleset example showcases its more detailed and comprehensive rule definition approach.
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Pros of Suricata
- Full-featured network security monitoring engine with intrusion detection and prevention capabilities
- Supports hardware acceleration for improved performance on high-speed networks
- Extensive protocol support and ability to analyze encrypted traffic
Cons of Suricata
- More complex setup and configuration compared to CoreRuleSet
- Higher system resource requirements for full functionality
- Steeper learning curve for effective rule creation and management
Code Comparison
Suricata rule example:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible SQL Injection"; flow:established,to_server; content:"SELECT"; http_uri; pcre:"/SELECT.+FROM/i"; sid:1000001; rev:1;)
CoreRuleSet rule example:
SecRule REQUEST_URI "@rx SELECT.+FROM" \
"id:942100,\
phase:2,\
block,\
capture,\
t:none,t:urlDecodeUni,\
msg:'SQL Injection Attack Detected via libinjection',\
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-sqli',\
tag:'OWASP_CRS',\
tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
tag:'WASCTC/WASC-19',\
tag:'OWASP_TOP_10/A1',\
tag:'OWASP_AppSensor/CIE1',\
tag:'PCI/6.5.2',\
ver:'OWASP_CRS/3.2.0',\
severity:'CRITICAL',\
setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
Daemon to ban hosts that cause multiple authentication errors
Pros of fail2ban
- Lightweight and easy to set up, focusing on intrusion prevention
- Highly customizable with flexible configuration options
- Can protect various services beyond just web applications
Cons of fail2ban
- Primarily focused on IP-based blocking, which may not be as effective against sophisticated attacks
- Requires more manual configuration and maintenance compared to CoreRuleSet
- May cause false positives if not properly configured
Code Comparison
fail2ban configuration example:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
CoreRuleSet rule example:
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(?:acunetix|nikto|sqlmap)" \
"id:900001,\
phase:1,\
block,\
t:none,\
msg:'Malicious User Agent',\
severity:'CRITICAL'"
While fail2ban focuses on log parsing and IP blocking, CoreRuleSet provides more granular HTTP request inspection and rule-based protection. fail2ban is better suited for general intrusion prevention across multiple services, while CoreRuleSet excels at web application security with its extensive rule set and integration with web application firewalls.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
| Branch | Status |
|---|---|
| main |  |
| v3.3/master |  |
OWASP CRS
The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
CRS Resources
Please see the OWASP CRS page to get introduced to the CRS and view resources on installation, configuration, and working with the CRS.
Contributing to the CRS
We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beginner and experienced users. We are interested in hearing any bug reports, false-positive alert reports, evasions, usability issues, and suggestions for new detections.
Create an issue on GitHub to report a false positive or false negative (evasion). Please include your installed version and the relevant portions of your ModSecurity audit log. We will try and address your issue and potentially ask for additional information to reproduce your problem. Please also note that stale issues will be flagged and closed after 120 days. You can search for stale issues with the following search query.
Sign up for our Google Group to ask general usage questions and participate in discussions on the CRS. Also here you can find the archives for the previous mailing list.
Join the #coreruleset channel on OWASP Slack to chat about the CRS. (Click here to get an invitation if you are not yet registered on the OWASP slack. It's open to non-members too.)
License
Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
Copyright (c) 2021-2024 CRS project. All rights reserved.
The OWASP CRS is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
Top Related Projects
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
High-performance WAF built on the OpenResty stack
Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.
Daemon to ban hosts that cause multiple authentication errors
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot