Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

dune73 · 2021-02-10T14:27:15Z

This is the Agenda for the Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, March 1st, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, March 15th. That's the 3rd Monday of the month.

Items on the Agenda: (see previous meetings decisions: here)

What happend in the meantime since the chat last month

Outside development

Blogpost: How to test the WAF with CRS as example
Blogpost: Payload detection challenge testing CRS against other offerings
There is a new agenda template to kickstart a new meeting agenda for the monthly meetings Link
@dune73 will appear in the Infosec & OSInt show podcast on Friday, March 5, 2021 to talk about CRS and WAFs in general.

PRs that have been merged since the last meeting

Removing %{MATCHED_VAR} from logging #1985: Removing %{MATCHED_VAR} from logging
Documentation: Enhancement of installation process for Nginx / IIS #1988: Documentation: Enhancement of installation process for Nginx / IIS
del terminating whitespace in crs-setup.conf #1989: del terminating whitespace in crs-setup.conf
feat(git): ignore docker-compose environment files in git #1994: feat(git): ignore docker-compose environment files in git
feat(env): add timezone variable to compose #1995: feat(env): add timezone variable to compose
Avoid FP at rule 933210 when Cookie contains / (slash) #1996: Avoid FP at rule 933210 when Cookie contains / (slash)
WordPress exclusion profile improvements #1997: WordPress exclusion profile improvements
XenForo exclusion profile improvements #1998: XenForo exclusion profile improvements
wrong version in requirements file #2004: wrong version in requirements file
942220: fix magic number #2010: 942220: fix magic number
Drop trailing period as done in other rules #2011: Drop trailing period as done in other rules
Fix False Positive in rule 932115 #2012: Fix False Positive in rule 932115 - ready to be merged it seems
Move rule 920300 from PL2 to PL3 #2013: Move rule 920300 from PL2 to PL3
930110: make bare '..' without (back)slashes not trigger #2016: 930110: make bare '..' without (back)slashes not trigger
Request header Sec-Fetch-User: Allow only booleans #2020: Request header Sec-Fetch-User (920275): Allow only booleans
Added regression tests for 920275 #2021: Added regression tests for 920275

Open PRs

Anti-virus support without need to run external programs #1986: Anti-virus support without need to run external programs - waiting for an extensive review
Try to fix 933210 bypass at PL1, lowering FPs #2000: Try to fix 933210 bypass at PL1, lowering FPs - waiting for a review
Move 941310 from PL1 to PL2 #2014: Move 941310 from PL1 to PL2 - approach is open for a discussion
Whitelist for YAM package manager #2022: Whitelist for YAM package manager - waiting for a review

Open PRs marked "work in progress" / needs action

Migrate PR: RE2 compatibility for 920120 #1868: Migrate PR: RE2 compatibility for 920120 - waiting for work by @franbuehler
feat(ci): upgrades ci to run tests using python 3 #1934: feat(ci): upgrades ftw to python 3 supported version - waiting for FTW python upgrade
V3.4/dev ftw main #1938: V3.4/dev ftw main - work in progress
Fix for issue #1922 #1958: Fix for issue Rules blocking Google OAuth2 redirect (callback) URLs #1922 - finished by @azurit, but a ModSec oddity leads to a stupid rule with information missing in the alert - or chain the rule differently and runtime parameter rule exclusions no longer work
Nextcloud 20 false-positives #1975: Nextcloud 20 false-positives - waiting for review by @azurit
Draft: Plugins support + response body decompress plugin #1993: Draft: Plugins support + response body decompress plugin - waiting to be morphed into a plugin

Other items

What's up with the next release?
Are we generally open to enter an agreement with a sponsor to provide specific rule exclusions and to maintain them over time?
Proposed course forward for ftw:
We are stuck on python 2 with ftw and it's no longer supported. Yet upgrading is tricky.
- step 1: adopt ftw for py3 with minimal adjustments to tests. According to @fzipi there is no way around adopting 2 existing tests since the formatting of binary data as raw_request no longer works the same way. We need to use encoded_request. @fzipi thinks he can do a PR within 10 days.
- step 2: run ftw and new go-ftw (written in Go by @fzipi) version in parallel. Tests would be transformed by a script to work with go-ftw
- step-3: replace ftw with go-ftw and adopt all changes to new, a wee bit cleaner yaml test format with stricter variable typing. go-ftw is way faster than our ftw. There is still quite some work with tests and better interfaces to make this viable.
CRS plugin architecture - this is a fleshed out proposal with a plugin architecture and the new include statements that load it by default.

Open Issues - Separate Issues Meeting (Monday, March 15th)

Of the 8 issues discussed in February, 4 have been closed in the meantime. The other 4 are taken up here again (in the slots 1-4).

We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.

Issue slot 1: FP: 941120 (PL1) base64 encoded string in param #1867 FP: 941120 (PL1) base64 encoded string in param - assigned to @csanders-git
Issue slot 2: REQUEST-912-DOS-PROTECTION paranoia level 2 sets ip.dos_block=1 outside of dos_burst_time_slice window dos-protection-plugin-modsecurity#11 REQUEST-912-DOS-PROTECTION paranoia level 2 sets - assigned to @dune73
Issue slot 3: Proposal to include monitoring agents exceptions in a new data file #1589 Proposal to include monitoring agents exceptions in a new data file - assigned to @fzipi and @theMiddleBlue
Issue slot 4: 942300 matching "for ? (" when it's expected to find OR? #2007 942300 matching "for ? (" when it's expected to find OR? - assigned to @csanders-git
Issue slot 5: Use the upcoming version in 'ver' actions on our dev branch #1917 Use the upcoming version in 'ver' actions on our dev branch - ...
Issue slot 6: Sec-CH-UA / Sec-CH-UA-Mobile request headers are excluded from validation #2027 Sec-CH-UA / Sec-CH-UA-Mobile request headers are excluded from validation - ...
Issue slot 7: Go Test WAF bypasses #1991 Go Test WAF bypasses - ...
Issue slot 8: False Positive valid JSON input being caught by 942260 V3.1.0 #1907 False Positive valid JSON input being caught by 942260 V3.1.0
Issue slot 9:
Issue slot 10:

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp-slack.herokuapp.com/ .

Everybody is welcome to join our community chat.

The text was updated successfully, but these errors were encountered:

franbuehler · 2021-03-01T20:13:39Z

Decisions

PRs

Anti-virus support without need to run external programs #1986: Anti-virus support without need to run external programs - @airween will review it
Try to fix 933210 bypass at PL1, lowering FPs #2000: Try to fix 933210 bypass at PL1, lowering FPs - @lifeforms will review it
Move 941310 from PL1 to PL2 #2014: Move 941310 from PL1 to PL2 - approach is open for a discussion - @franbuehler will provide a curl example so that @airween can review and possibly merge the PR.
Whitelist for YAM package manager #2022: Whitelist for YAM package manager - tests would be nice, @lifeforms will sheperd the PR to the merge :-)

Other items

Next release:

Open Issues - Separate Issues Meeting (Monday, March 15th)

Issue slot 1: FP: 941120 (PL1) base64 encoded string in param #1867 FP: 941120 (PL1) base64 encoded string in param - assigned to @csanders-git
Issue slot 2: REQUEST-912-DOS-PROTECTION paranoia level 2 sets ip.dos_block=1 outside of dos_burst_time_slice window dos-protection-plugin-modsecurity#11 REQUEST-912-DOS-PROTECTION paranoia level 2 sets - assigned to @dune73
Issue slot 3: Proposal to include monitoring agents exceptions in a new data file #1589 Proposal to include monitoring agents exceptions in a new data file - assigned to @fzipi and @theMiddleBlue
Issue slot 4: 942300 matching "for ? (" when it's expected to find OR? #2007 942300 matching "for ? (" when it's expected to find OR? - assigned to @csanders-git
Issue slot 5: Use the upcoming version in 'ver' actions on our dev branch #1917 Use the upcoming version in 'ver' actions on our dev branch - @airween takes this one
Issue slot 6: Sec-CH-UA / Sec-CH-UA-Mobile request headers are excluded from validation #2027 Sec-CH-UA / Sec-CH-UA-Mobile request headers are excluded from validation - @dune73 volunteers to take this one
Issue slot 7: Go Test WAF bypasses #1991 Go Test WAF bypasses - flo405 will test this and report back
Issue slot 8: False Positive valid JSON input being caught by 942260 V3.1.0 #1907 False Positive valid JSON input being caught by 942260 V3.1.0 - @franbuehler self assigned this one
Issue slot 9:
Issue slot 10:

dune73 added the 🔖 Meeting Agenda label Feb 10, 2021

This was referenced Mar 1, 2021

Anti-virus support without need to run external programs #1986

Closed

Move 941310 from PL1 to PL2 #2014

Closed

dune73 mentioned this issue Apr 2, 2021

Monthly Chat Agendas April (2021-04-05 and 2021-04-19) Meeting Agenda #2051

Closed

dune73 closed this as completed Apr 2, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

Uh oh!

Uh oh!

Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

Monthly Chat Agendas March (2021-03-01 and 2021-02-15) Meeting Agenda #2008

Comments

Uh oh!

What happend in the meantime since the chat last month

Outside development

PRs that have been merged since the last meeting

Open PRs

Open PRs marked "work in progress" / needs action

Other items

Open Issues - Separate Issues Meeting (Monday, March 15th)

How to get to our slack and join the meeting?

Uh oh!

Decisions

PRs

Other items

Open Issues - Separate Issues Meeting (Monday, March 15th)

Uh oh!