Migrating from CRS v3 to CRS v4 can be intimidating. It’s a complicated task that risks to leave you vulnerable during the transition. But with the help of the new netnea-CRS-Upgrading-Plugin you can keep your guards up during the transition. Introduction Upgrading the OWASP CRS ruleset from version 3 to version 4 is not as […]
Introduction In my tutorial’s webserver logfile configuration, there is a position reserved for the country code of an IP address. I have never explained how I get the information into the environment variable that is then used to fill said position. There are several other guides around, but I think it’s time to provide my […]
Running ModSecurity CRS for the first time on an existing service is like a jump into murky water.
With the sampling mode you can run CRS on a limited percentage of the traffic, which reduces the risk a big deal.
Let’s consider Dave Wichers and the OWASP Top 10 project resists all the pressure and the 2017 edition of OWASP Top 10 will include the new A7 “Insufficient Attack Protection”. Lately the discussion has turned more constructive so maybe that prospect is not all that unrealistic. But honestly, I can not tell if A7 will […]
Damiano Esposito of ZHAW and I run a little test project where we want to measure the effectiveness of the OWASP ModSecurity Core Rule Set 3.0 (CRS3) under attack by several security scanners. The testing is only about to start, but I would like to document the setup of the ModSecurity server a bit to […]