Damiano Esposito of ZHAW and I run a little test project where we want to measure the effectiveness of the OWASP ModSecurity Core Rule Set 3.0 (CRS3) under attack by several security scanners. The testing is only about to start, but I would like to document the setup of the ModSecurity server a bit to […]
@avarx_ is part of the Swiss team for the European Cyber Security Challenges and also a member of the TYPO3 security team. I joined with him to start a set of TYPO3 rule exclusions for the OWASP ModSecurity Core Rule Set 3.0 (short CRS3). This is a set of rules to be deployed on a WAF in order to […]
The new Core Rule Set 3.0 (CRS3) release simplifies ModSecurity/Drupal integration tremendously. Here is a guide aimed at the Drupal community to learn how to work with ModSecurity. This guide and the rule file it is based on currently covers Drupal Core. Modules / Plugins are not yet supported. But count on the Drupal community […]
Today, we are releasing the next tutorial in our Apache / ModSecurity series: Extending and Analyzing the Access Log “What’s the big deal?” I hear you say. I admit, it may sound a bit boring, but log files are primordial. Configuring the right logfile makes the difference between ignorance and insight into you server. There […]
The release of the OWASP ModSecurity Core Rule Set 3.0 is drawing closer and closer. This made me think about a way to introduce new users to ModSecurity and the Core Rules. Despite online documentation and blog posts and google and stack overflow and what not: There is no one stop place to learn it […]
