Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 17 Aug 2016 15:28:05 -0400
From: Chaim Sanders <chaim@...imsanders.com>
To: oss-security@...ts.openwall.com
Subject: ModSecurity's OWASP CRS v3.0.0-rc1 Released.

The OWASP Core Rule Set team is proud to announce the first of two
planned release candidates for the upcoming OWASP ModSecurity Core
Rule Set v3.0.0.

This new release represents a huge step forward in terms of both
capabilities and protections including:

- A 95% reduction in false positives for a typical CRS deployment
using the default configuration.
- Extended effectiveness and detection capabilities in numerous areas;
namely Remote Command Execution and PHP injections (Walter Hop).
- A simple to use, adjustable paranoia level that allows users to
tailor their ruleset experience.
- The capability to allow existing sites to try out the Core Rules by
enabling the rules for only limited percentage of requests (Christian
Folini).

Please see the CHANGES document for a detailed list of new features
and improvements.
(https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0.0-rc1/CHANGES)

Our desire is to see the Core Rules project used as part of a defense
in depth strategy to help effectively fight web application weaknesses
with few side effects. As such we attempt to cut down on false
positives as much as possible in the default install. This RC1
therefore offers an opportunity for individuals to provide feedback
and to report any other issues they may face. This is no longer aimed
at ModSecurity experts. This is the Core Rules for the rest of us.

Please use the CRS GitHub
(https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/v3.0.0-rc1)
or the Core Rules mailing list to tell us about your experiences,
including false positives or other issues with this release candidate.
Our current timeline is to seek public feedback on RC1 for the next
month, followed by an RC2 and subsequently a release.

 For more information, please see the following blog post accompanying
this release:

https://www.trustwave.com/Resources/SpiderLabs-Blog/OWASP-ModSecurity-CRS-Version-3-0-RC1-Released/


Sincerely Chaim Sanders, on behalf of the Core Rules Set development team.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.