Starting to build a set of rule exclusions or TYPO3

@avarx_ is part of the Swiss team for the European Cyber Security Challenges and also a member of the TYPO3 security team. I joined with him to start a set of TYPO3 rule exclusions for the OWASP ModSecurity Core Rule Set 3.0 (short CRS3). This is a set of rules to be deployed on a WAF in order to protect web applications. See an article on Linux Weekly News to get an intro to what this is all about.

CRS3 Release Poster

The poster of the CRS3 release.

The problem with CRS3 and complex software are false positives. That is benign traffic that looks like a potential attack to ModSecurity. The WAF will thus block the request. CRS3 solved most of the false positive problem, but there are a few ones remaining. What you need is thus something like a policy file that tells ModSecurity that it faces a TYPO3 install and this rule should be disabled in this situation.

@avarx_ and I have thus joined to bring such a set of rule exclusions. You can follow and support the development by checking out the branch on github:

The rule exclusions build on the architecture we implemented for WordPress and Drupal for CRS3. The new policy is defined in REQUEST-903.9003-TYPO3-EXCLUSION-RULES.conf. It is activated by setting the variable tx.crs_exclusions_typo3 in crs-setup.conf.

If this is new to you, then check out the various Apache / ModSecurity tutorials here at


Christian Folini