Package Details: owasp-core-ruleset 4.9.0-1
| Git Clone URL: | https://aur.archlinux.org/owasp-core-ruleset.git (read-only) |
|---|---|
| Package Base: | owasp-core-ruleset |
| Description: | OWASP ModSecurity Core Rule Set |
| Upstream URL: | https://github.com/coreruleset/coreruleset/ |
| Licenses: | Apache-2.0 |
| Submitter: | marcool04 |
| Maintainer: | marcool04 |
| Last Packager: | marcool04 |
| Votes: | 2 |
| Popularity: | 0.000271 |
| First Submitted: | 2023-02-24 21:55 (UTC) |
| Last Updated: | 2024-12-07 15:41 (UTC) |
Dependencies (2)
- apache (apache-git AUR)
- modsecurity (libmodsecurity2 AUR)
Latest Comments
marcool04 commented on 2023-12-06 07:53 (UTC)
Hi @MarsSeed.
You are right, we have something of a duplicate here.
There is a small difference however (albeit unrelated to the naming): this PKGBUILD depends on apache, and installs the CRS into its config directory in /etc/httpd/conf/ whereas the modsecurity-crs PKGBUILD depends on nginx and provides a .install file with instructions for setting up that webserver.
The reason why I named this PKGBUILD like this is that: "The OWASP® ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls" (on https://coreruleset.org/). I agree, that is a bit disingenuous as I don't think there are any "compatible WAF" that are not ModSecurity itself. Since at the moment there is a bit of tossing and turning around Trustwave's end of support for ModSecurity, it is not inconceivable that in the future another WAF will be developed, or that a fork and name change may occur, and having the CRS technically and nominally be independent seems to make sense in that regard. Also, another detail I notice about the modsecurity-crs PKGBUILD is that it actually pulls config files from the ModSecurity's GitHub page (https://github.com/SpiderLabs/ModSecurity) which further ties it into that WAF rather than another (but that's nothing that couldn't be changed should the need arise).
Maybe in a way this should be owasp-coreruleset-apache and the other owasp-coreruleset-nginx, or we should work with AlphaJack, the maintainer of modsecurity-crs, to sort out a common owasp-coreruleset for both apache and nginx...
MarsSeed commented on 2023-12-05 14:37 (UTC)
Hi,
It seems that the owasp-core-ruleset package has been resubmitted to AUR as modsecurity-crs.
The latter already depends on Arch repo's libmodsecurity.
It might be good to consider merging AUR/owasp-core-ruleset into AUR/modsecurity-crs.
By having the 'modsecurity-' name prefix, the latter might be a bit more helpful to users by making it clear that this is an addon for (lib)modsecurity.
(Albeit upstream's repo and release tar name is 'coreruleset', upstream's website frequently refers to this package by its acronym, CRS.)
marcool04 commented on 2023-10-31 08:07 (UTC)
Hi @MarsSeed. Well, modsecurity has been announced as EOL (see [1] and [2]) by its current caretaker Trustwave, and although they say they will "hand the project over to the open source community", it's not looking like there is a very shiny future for the engine according to OWASP, who are moving towards newer, better maintained alternatives [3]. That being said, for the time being, there is not yet a stable alternative, and I think there will be sufficient support for the engine, so we should keep this packet alive for sure. Adopted!
[1] https://www.modsecurity.org/
[2] https://www.trustwave.com/en-us/resources/security-resources/software-updates/end-of-sale-and-trustwave-support-for-modsecurity-web-application-firewall/
[3] https://coreruleset.org/20211222/talking-about-modsecurity-and-the-new-coraza-waf/
MarsSeed commented on 2023-10-31 03:40 (UTC)
Hi,
Dependency modsecurity is an orphan now and needs update. Would you consider adopting it and taking care of it?