Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

dune73 · 2022-03-26T15:57:00Z

This is the Agenda for the Monthly CRS Chat.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2022-04-04, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2022-04-18. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Items on the Agenda: (see previous meetings decisions: here)

What happend in the meantime since the chat last month

Outside development

Blogpost about ImpressCMS weaknesses that also describes a CRS false negative at PL1 via a prepared statement and omitting whitespace.
@airween published a first version of a service to read rule documentation at https://crsdoc.digitalwave.hu/parse.html
Good Summer of Code application has found a lot of interest with contact with 8 students

PRs that have been merged since the last meeting

We merged 22 PRs since the last monthly project chat.

Open PRs

Spring RCE missing payloads #2464 good to go?
Remove FP on 942440 (JWT) #2460 good to go?
920470: allow * in Content-Type to fix 'application/*+json' FP #2455
Sqli remove unnecessary lazy quantifiers #2437 BIG, needs thorough review
Fixing few SQLi related false negatives #2429 good to go?
Re2 support 942130 #2425 good to go?
Updated comments in rule files on how to use regexp-assemble.py #2423 conflict, otherwise good to go?
Refactor scoring variables #2417 Preliminary reviews look good. Reporting question open.

Open PRs marked DRAFT or work in progress or needs action

log4j / log4shell defense: new rules 932131, 944140, 944141 #2349 final open point about stricter sibling, otherwise good to go
Unified regex utils #2422 waiting for review
fix 933180 regex #2303 draft
fix: 933161 regex #2302 draft
fix: 933160 regex #2301 draft
Sqli regex update to support comment blocks #2290 needs action
Exclusion list fot RoundCube webmail #2217 needs action
Proposal for a new plugin: Machine Learning on ModSecurity #2067 draft
Nextcloud 20 false-positives #1975 new traffic on this PR

Open Non-Core PRs

Contributed pgAdmin rule exclusion plugin: Add pgAdmin rule exclusions plugin plugin-registry#9

Dev retreat topics

Demo / Sandbox site:
- /juiceshop backend is active and running in production.
- all requests that match a rule under /juiceshop receive a 403 Forbidden with the usual JSON/CSV/TXT output.
- I’m writing an HTML matched rules output that should be the default output format for /juiceshop.
- There’re some FPs on juiceshop and we should develop an exclusion rule set for it (for example allow PUT method).
- Since there’re RCE and SQLi vulnerabilities, we need to find a clean solution to “factory reset” the backend (maybe a crontab job that kills the container and recreates it via docker-compose).
Documentation:
- 📊 Anomaly scoring content: still stuck at 99% complete. Now has feedback from @dune73. Needs re-visiting.
- 🔧 Development section: now in a PR! @theseion has left some comments, which need to be looked into.
  - Help required with the following headings:
    - When and Why to Anchor Regular Expressions
    - Lazy Matching
    - Writing RE2-compatible Regular Expressions
  - Testing section: ported from the wiki.
- 🚒 Engine options and integrations: still todo.
- 🧹 Final tidy up: todo, needs everything else to be finished first.
Technical Blog Posts: FIXME
Status page: There has not been additional progress in the Status page project.
Coraza: FIXME

Other items

🔌 Plugins: Should they be allowed to set global (server context) ModSec/engine settings (e.g. SecCollectionTimeout)?
Plugin activation / disabling per VH?
Feature Freeze

Open Issues - Separate Issues Meeting (Monday, FIXME)

Status of issues covered last month

Issue slot 1: #FIXME
Issue slot 2: #FIXME
Issue slot 3: #FIXME
Issue slot 4: #FIXME
Issue slot 5: #FIXME
Issue slot 6: #FIXME
Issue slot 7: #FIXME
Issue slot 8: #FIXME
Issue slot 9: #FIXME
Issue slot 10: #FIXME

Stats

Covered in chat: FIXME
Closed: FIXME
Pending: FIXME

This month's issues

There are FIXME open issues at the beginning of the issue chat.

We generally cover 10 issues per month in a separate issue meeting. Add them as you see fit.

Issue slot 1: False Positive in PL2 with double encoded JSON data #2449
Issue slot 2: Sandbox is wrong about in which PL a payload would be detected. #2450
Issue slot 3: add a rule with APPLICATION-ATTACK-JAVA.conf to block Actuator url #2447
Issue slot 4: Rule Id: 932150 false positive on time keyword #2044 - is this fixed by 932150: remove 'time' and 'ping' which are FP prone #2457
Issue slot 5: #FIXME
Issue slot 6: #FIXME
Issue slot 7: #FIXME
Issue slot 8: #FIXME
Issue slot 9: #FIXME
Issue slot 10: #FIXME

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

The text was updated successfully, but these errors were encountered:

franbuehler · 2022-04-04T18:38:30Z

Decisions

PRs

Spring RCE missing payloads #2464 - merged during meeting
Remove FP on 942440 (JWT) #2460 - merged during meeting
920470: allow * in Content-Type to fix 'application/*+json' FP #2455 - merged during meeting
Sqli remove unnecessary lazy quantifiers #2437 - We postpone the thorough review for after 4.0. It's unclear what the performance impacts are and changing lazy to greedy isn't without risks
Fixing few SQLi related false negatives #2429 - merged during meeting
Re2 support 942130 #2425 - merged during meeting
Updated comments in rule files on how to use regexp-assemble.py #2423 - depends on Unified regex utils #2422 that still needs a review by @franbuehler and @airween.
Refactor scoring variables #2417 - Walter schedules 20:30 CEST on Mon 11 April to give final arguments on PR and if it’s good, we merge and he makes the RC.
log4j / log4shell defense: new rules 932131, 944140, 944141 #2349 - Max thinks about the stricter sibling some more and then we should be able to merge it this week.
Andrew will open a PR that removes the DoS rules.

RC1 Discussion and notes

Issues

azurit · 2022-05-07T06:12:36Z

@dune73 Can this be closed? Thanks.

dune73 · 2022-05-07T10:21:55Z

Absolutely. Thanks.

dune73 added the 🔖 Meeting Agenda label Mar 26, 2022

franbuehler mentioned this issue Apr 4, 2022

Sqli remove unnecessary lazy quantifiers #2437

Closed

dune73 added this to the CRS v4.0.0 milestone Apr 8, 2022

dune73 added ⚠️ do not merge Additional work or discussion is needed despite passing tests and removed ⚠️ do not merge Additional work or discussion is needed despite passing tests labels Apr 8, 2022

dune73 closed this as completed May 7, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Comments

Uh oh!

What happend in the meantime since the chat last month

Outside development

PRs that have been merged since the last meeting

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Open Non-Core PRs

Dev retreat topics

Other items

Open Issues - Separate Issues Meeting (Monday, FIXME)

Status of issues covered last month

This month's issues

How to get to our slack and join the meeting?

Uh oh!

Decisions

PRs

RC1 Discussion and notes

Issues

Uh oh!

Uh oh!

Uh oh!