Description
This is the Agenda for the Monthly CRS Chat.
The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-01-03, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-01-17. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).
Items on the Agenda: (see the previous meetings' decisions: here)
What happened in the meantime since last month's chat
Outside development
- Introduction of the CRS Sandbox
- Coverage of CRS Sandbox in the "Daily Swig"
- Blog post about script wafparan01d3 that is an alternative to the CRS send-payload-pls.py script
- CRS Log4j / Log4Shell / CVE-2021-44228 coverage
- CRS Hunt for Log4j rule bypasses
- Swiss Newspaper NZZ covering CRS and project co-lead Christian Folini (link to English version of article)
- Gloo by Solo is an API Gateway with CRS support
PRs that have been merged since the last meeting
- Fix 933210 Regex #2214
- fix(dir): rename nodejs to generic #2340
- Adding sslvpn_websession into restricted files #2338
- Backslashes 932200 #2335
- fix(path): update path in util to subdirectory #2327
- Amend regular expression pattern for rule 942440 #2201
- Add a Chrome and Firefox version 100 UA #2325
- Removed unnecessary .BAK file #2328
- Added new util script to find rules without test #2279
- Refactored and tested version of rule-ctl script #2193
- Fixing attack type of few rules #2324
- WordPress: add exclusion for aioseo plugin #2311
- Move 941120 from PL1 to PL2 #2306
- fix(sql): update rule to remove false positive #2248
We merged 14 PRs since the last monthly project chat.
Open PRs
- Backslashes 941170 #2345
- Fix for phpBB FP on PL4 #2343
- Fixed assembly of 920120-no-backtracking.data #2333
- Removing old regexes from 942400 #2323
- Email ruleset #2322
- phpBB: Fixing FP and package deactivation #2299
- Update send-payload-pls.sh #2288
- feat(ssrf): adds rules to check for IP based SSRF #2259
Open PRs marked DRAFT or work in progress or needs action
- fix 933180 regex #2303
- fix: 933161 regex #2302
- fix: 933160 regex #2301
- fix 942350 #2300
- Sqli regex update to support comment blocks #2290
- Added crs-rules-check tool #2236
- Fixing Google OAuth2 detection #2222
- Exclusion list fot RoundCube webmail #2217
- Detect JavaScript prototype pollution injection attempts #2070
- Proposal for a new plugin: Machine Learning on ModSecurity #2067
- Draft: Plugins support + response body decompress plugin #1993
- Nextcloud 20 false-positives #1975
Dev retreat topics
- Demo / Sandbox site: @theMiddleBlue will schedule a call to talk about the setup and @lifeforms will contribute the documentation. They will let us know so that we can join in too; tentatively scheduled during the meeting for Jan 19 at 17:00 (CET).
- Documentation: Updates: Plugins page to go live once the final blog is published. Sampling mode blog post to be converted into a page for /docs. Docker documentation discussion/meeting to happen at some point, to discuss what we want to document and where we want it to live. -> @RedXanadu will prepare some bullet points to get people thinking about the open questions and schedule a meeting. People can sign up during our Feb chat meeting.
- Technical Blog Posts: Plugin post is almost done. @dune73 will then attack the next topic. Plus 2-3 other blog posts he has in mind.
- Status page: We're really stalled due to missing responses and Felipe is apparently away. We hope we can pick this up later in January.
- Coraza: Coraza passes the CRS test suite 100%, Coraza 2.0 has been released.
Other items
- Cleanup of anomaly scoring variables: Refactor the CRS scoring variables #2319
- Release schedule
Open Issues - Separate Issues Meeting (Monday, 2022-01-17)
Status of issues covered last month
We covered 8 issues in the last meeting. This is their state:
- Issue slot 1: Refactor the CRS scoring variables #2319 (this probably also covers Bug in how the variables tx.inbound_anomaly_score is used? #1896)
- Issue slot 2: Add documentation for the sandbox #2312 - we are getting closer to the release date, this should be ready to go.
- Issue slot 3: Replace NodeJS Rule Set #2163
- Issue slot 4: False negative in 942230 #2230
- Issue slot 5: Fake Googlebot plugin #2227 + Fake bot plugin #2228
- Issue slot 6: The Big Backslash Hunt #2332
- Issue slot 7: Rule against CVE-2021-44228 #2331 - what to do with the log4j rule and the existing 932130?
- Issue slot 8: SQLi using scientific notation not detected at PL1 #2318 - volunteer to write a new sqli rule needed
- Issue slot 9: #FIXME
- Issue slot 10: #FIXME
Stats
- Covered in chat: 9
- Closed: 5
- Pending: 4
This month's issues
There are FIXME open issues at the beginning of the issue chat.
We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.
- Issue slot 1: Refactor the CRS scoring variables #2319
- Issue slot 2: The Big Backslash Hunt #2332
- Issue slot 3: SQLi using scientific notation not detected at PL1 #2318
- Issue slot 4: Add common HTTP headers to tests so logs get cleaner #2344
- Issue slot 5: False positive: rule 941340 on Azure Front Door #2341
- Issue slot 6: Dissassemble regexp for 920120 and extend matching #2334
- Issue slot 7: Magento ver. 2.4.3 #2329
- Issue slot 8: WordPress: Nicepage plugin import failed #2317
- Issue slot 9: #FIXME
- Issue slot 10: #FIXME
How to get to our slack and join the meeting?
If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .
Everybody is welcome to join our community chat.