Jump to content
View in the app

A better way to browse. Learn more.
AlphaGNU

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CWP update ModSecurity to 3.0.12 with OWASP Ruleset 4.0.7?

Starburst
in CWP - Control WEB Panel

Featured Replies

Posted

Would like to update ModSecurity from 2.9.7 to 3.0.12, along with using the Latest OWASP Ruleset 4.0.7

Is there a guide how to accomplish this?

21 hours ago, Starburst said:

Would like to update ModSecurity from 2.9.7 to 3.0.12, along with using the Latest OWASP Ruleset 4.0.7

Is there a guide how to accomplish this?

Unfortunately, apache does not work with 3.0.x version.

Do you use just nginx?

In the same way, I have installed in cwpsrv server.

I can share the (long) command sequence with you, if would be useful.

On 10/23/2024 at 2:43 AM, Sandeep B. said:

any error you're getting with the latest version build with Apache?

To use ModSecurity V3 (libmodsecurity), is needed to use the ModSecurity-apache connector. This project is under development and not production-ready. The functionality is not complete, so we cannot use use with Apache HTTP Server.

There are a note in that page:

"NOTE: This project is not production ready

This project should be considered under development and not production ready. The functionality is not complete and so should not be used. With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x.

"

  • 2 weeks later...
  • Author

No, The OWASP 4.x ruleset works with Mod Security 2.9.7 and Apache 2.4.62

The only problem, is notifications are not being sent by LFD from the Mod Security log (something isn't being triggered).

Otherwise when I look at the log, attacks are being blocked as they should be.

Quote

No, The OWASP 4.x ruleset works with Mod Security 2.9.7 and Apache 2.4.62

The only problem, is notifications are not being sent by LFD from the Mod Security log (something isn't being triggered).

Otherwise when I look at the log, attacks are being blocked as they should be.

The lastest version of ModSecurity V3 is 3.0.12.

It's important doesn't confuse ModSecurity 3.0.x with OWASP ruleset core 3.0.x.

Like I said, apache doesn't work fully with ModSecurity 3.0.x. This is documented in Modsecurity site (assumed by OWASP team in july, this year)

But I have myself running normally apache with OWASP Ruleset core 4.7.x, since 3.x up to 4.x.

Maybe LFD problem can be solved with a few adjusts in ErrorLogFormat directive, to do it work.

Edited by Netino

  • 2 months later...

Create an account or sign in to comment

Go to topic listing

Topics

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.