{"id":1173,"date":"2017-01-13T23:24:58","date_gmt":"2017-01-13T22:24:58","guid":{"rendered":"http:\/\/www.netnea.com\/cms\/?p=1173"},"modified":"2017-01-14T08:12:33","modified_gmt":"2017-01-14T07:12:33","slug":"starting-to-build-a-set-of-rule-exclusions-or-typo3","status":"publish","type":"post","link":"https:\/\/www.netnea.com\/cms\/2017\/01\/13\/starting-to-build-a-set-of-rule-exclusions-or-typo3\/","title":{"rendered":"Starting to build a set of rule exclusions for TYPO3"},"content":{"rendered":"<p><a href=\"https:\/\/twitter.com\/avarx_\" target=\"_blank\">@avarx_<\/a> is part of the Swiss team for the <a href=\"http:\/\/www.europeancybersecuritychallenge.eu\/\" target=\"_blank\">European Cyber Security Challenges<\/a> and also a member of the <a href=\"https:\/\/typo3.org\/teams\/security\/members\/\" target=\"_blank\">TYPO3 security<\/a> team. I joined with him to start a set of TYPO3 rule exclusions for the <a href=\"https:\/\/modsecurity.org\/crs\" target=\"_blank\">OWASP ModSecurity Core Rule Set 3.0<\/a> (CRS3 for short). This is a set of rules to be deployed on a WAF in order to protect web applications. 
See an <a href=\"https:\/\/lwn.net\/Articles\/709348\/\" target=\"_blank\">article on Linux Weekly News<\/a> for an introduction to what this is all about.<\/p>\n<div id=\"attachment_1088\" style=\"width: 310px\" class=\"wp-caption alignright\"><a href=\"https:\/\/modsecurity.org\/crs\/poster\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-1088\" class=\"wp-image-1088 size-full\" src=\"http:\/\/www.netnea.com\/cms\/wp-content\/uploads\/2016\/11\/CRS3-movie-poster-thumb.jpeg\" alt=\"CRS3 Release Poster\" width=\"300\" height=\"420\" srcset=\"https:\/\/www.netnea.com\/cms\/wp-content\/uploads\/2016\/11\/CRS3-movie-poster-thumb.jpeg 300w, https:\/\/www.netnea.com\/cms\/wp-content\/uploads\/2016\/11\/CRS3-movie-poster-thumb-214x300.jpeg 214w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-1088\" class=\"wp-caption-text\"><em>The poster of the CRS3 release.<\/em><\/p><\/div>\n<p>The problem with CRS3 and complex software is false positives: benign traffic that looks like a potential attack to ModSecurity, so the WAF blocks the request. CRS3 solved most of the false positive problem, but a few remain. What you need is thus something like a policy file that tells ModSecurity it is protecting a TYPO3 install and that a given rule should be disabled in that situation.<\/p>\n<p>@avarx_ and I have thus joined to bring such a set of rule exclusions. You can follow and support the development by checking out the branch on GitHub:<\/p>\n<p><a href=\"https:\/\/github.com\/dune73\/owasp-modsecurity-crs\/tree\/crs3-typo3-support\" target=\"_blank\">https:\/\/github.com\/dune73\/owasp-modsecurity-crs\/tree\/crs3-typo3-support<\/a><\/p>\n<p>The rule exclusions build on the architecture we implemented for WordPress and Drupal for CRS3. The new policy is defined in <tt>REQUEST-903.9003-TYPO3-EXCLUSION-RULES.conf<\/tt>. 
It is activated by setting the variable <tt>tx.crs_exclusions_typo3<\/tt> in <tt>crs-setup.conf<\/tt>.<\/p>\n<p>If this is new to you, then check out the various <a href=\"https:\/\/netnea.com\/cms\/apache-tutorials\" target=\"_blank\">Apache \/ ModSecurity tutorials<\/a> here at netnea.com.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/cms\/wp-content\/uploads\/2016\/07\/portrait-round-300x300.png\" width=\"100\" height=\"100\" \/> Christian Folini<\/p>\n","protected":false},"excerpt":{"rendered":"<p>@avarx_ is part of the Swiss team for the European Cyber Security Challenges and also a member of the TYPO3 security team. I joined with him to start a set of TYPO3 rule exclusions for the OWASP ModSecurity Core Rule Set 3.0 (CRS3 for short). 
This\u00a0is a set of rules to be deployed on a WAF in order to [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[33,10,37],"class_list":{"0":"post-1173","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-security","7":"tag-core-rules","8":"tag-modsecurity","9":"tag-typo3","10":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts\/1173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/comments?post=1173"}],"version-history":[{"count":5,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts\/1173\/revisions"}],"predecessor-version":[{"id":1178,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/posts\/1173\/revisions\/1178"}],"wp:attachment":[{"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/media?parent=1173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/categories?post=1173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.netnea.com\/cms\/wp-json\/wp\/v2\/tags?post=1173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}