OWASP Rules
Learning Focus
By the end of this lesson you will understand what the OWASP CRS covers and how to apply it with ModSecurity.
What OWASP CRS Covers
The OWASP Core Rule Set (CRS) is a community-maintained set of rules that detects and blocks common web attacks:
| Category | What It Catches |
|---|---|
| SQL Injection | `' OR 1=1`, `UNION`-based attacks |
| Cross-Site Scripting (XSS) | `<script>` tags, event handlers |
| Path Traversal | `../../etc/passwd` |
| Remote Code Execution | Command injection attempts |
| File Inclusion | LFI/RFI attempts |
Applying OWASP CRS
After installing the CRS (see ModSecurity Support):
- Edit the CRS setup file: /usr/local/lsws/conf/modsecurity-crs/crs-setup.conf
- Configure the paranoia level (1-4):
  - Level 1: Minimal false positives, catches common attacks
  - Level 2: Broader detection, some false positives
  - Level 3-4: Strict; many false positives, requires tuning
Recommended Approach
- Start at paranoia level 1
- Enable in detection-only mode first
- Monitor logs for false positives
- Create exclusions for legitimate requests
- Switch to blocking mode once verified
Warning: Higher paranoia levels catch more attacks but produce more false positives. Always test thoroughly before enabling in blocking mode.
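The "detection-only first, review the logs, then exclude" workflow above, in code. This is an added example written for this lesson, not code from the OpenLiteSpeed, ModSecurity or CRS projects: a small Python script that parses the bracketed [key "value"] fields ModSecurity writes to its error log, tallies which CRS rule fires on which URI, skips the anomaly-evaluation rules (ids 949xxx and 980xxx) that only report the accumulated score, and drafts runtime exclusion rules for a human to review. The log lines, the hit threshold, the local rule id range starting at 10000 and the function names are all constructed assumptions.

```python
"""Tally OWASP CRS rule hits from a ModSecurity error log and draft exclusions.

Hypothetical helper code added to this lesson; not part of OpenLiteSpeed,
ModSecurity or the CRS. The log lines below are constructed samples.
"""
import re
from collections import Counter

# Constructed ModSecurity error-log lines as produced in DetectionOnly mode.
# Real lines carry more fields (data, hostname, tags, ...); only the
# bracketed [key "value"] pairs are relied upon here.
SAMPLE_LOG = """\
ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/blog/comment"] [unique_id "c1"]
ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/blog/comment"] [unique_id "c2"]
ModSecurity: Warning. detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/blog/comment"] [unique_id "c3"]
ModSecurity: Warning. Matched phrase "../" at ARGS:page. [file "REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "52"] [id "930100"] [msg "Path Traversal Attack (/../)"] [severity "CRITICAL"] [uri "/index.php"] [unique_id "c4"]
ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/blog/comment"] [unique_id "c1"]
ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [severity "CRITICAL"] [uri "/blog/comment"] [unique_id "c1"]
"""

# Matches the [key "value"] pairs ModSecurity appends to each log line.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# CRS rule id prefixes of the anomaly evaluation/correlation rules. They only
# report the accumulated score, so "excluding" them would silently disable
# blocking instead of fixing a false positive.
EVALUATION_PREFIXES = ("949", "980")


def parse_events(log_text):
    """Return one dict per ModSecurity log line that carries a rule id."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if "id" not in fields:
            continue
        events.append({
            "id": fields["id"],
            "msg": fields.get("msg", ""),
            "uri": fields.get("uri", ""),
            "unique_id": fields.get("unique_id", ""),
        })
    return events


def tally_hits(events):
    """Count (rule id, uri) pairs, ignoring the evaluation rules."""
    counts = Counter()
    for ev in events:
        if ev["id"].startswith(EVALUATION_PREFIXES):
            continue
        counts[(ev["id"], ev["uri"])] += 1
    return counts


def draft_exclusions(counts, min_hits=2, start_id=10000):
    """Draft a runtime exclusion for every (rule, uri) pair seen at least
    min_hits times. Output is ModSecurity config text using the ctl:ruleRemoveById
    action; a reviewer still has to confirm the traffic is legitimate before
    deploying any of it. Ids count up from start_id (assumption: the local
    rule id range the CRS leaves free, 1-99999)."""
    rules = []
    next_id = start_id
    for (rule_id, uri), hits in sorted(counts.items(), key=lambda kv: -kv[1]):
        if hits < min_hits:
            continue
        rules.append(
            f"# {hits} hits of rule {rule_id} on {uri} in DetectionOnly mode\n"
            f'SecRule REQUEST_URI "@beginsWith {uri}" '
            f'"id:{next_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"'
        )
        next_id += 1
    return rules


if __name__ == "__main__":
    hits = tally_hits(parse_events(SAMPLE_LOG))
    for (rule_id, uri), n in hits.most_common():
        print(f"{n:4d}  rule {rule_id}  {uri}")
    print()
    print("\n".join(draft_exclusions(hits)))
```

Drafted ctl:ruleRemoveById rules belong in the exclusion file that ModSecurity loads before the CRS rules (in the CRS layout, REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), and each candidate should be checked against the actual requests before it is added: a rule that fires repeatedly on one endpoint may be a genuine false positive on a comment form, or it may be a real attack against that endpoint. The evaluation rules are filtered out on purpose, since an exclusion for 949110 would turn off blocking for the whole site.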
Key Takeaways
- OWASP CRS provides broad protection against the most common web attacks.
- Start at paranoia level 1 and increase gradually.
- Run in detection mode first to identify and exclude false positives.
What's Next
- Continue to Custom Rules for writing your own WAF rules.