Monthly Chat Agenda May 2024 (2024-05-06 and 2024-05-20)

[dune73]

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-05-06, at 20:30 CEST. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2024-05-20. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decision are here.

What happened in the meantime since the chat last month

Outside development

• The OWASP ModSecurity project will hold a first onsite meeting on Wed, June 5 in Leuven, Belgium. This will be constitutional for the new community and also elect permanent project leaders. More info in the #project-modsecurity OWASP Slack channel
• OWASP HQ wants to a June WAF media month, CRS is invited to provide at least a blog post

Inside development

Rules

• FIXME: Please fill in

CRS Sandbox

• A lot of work have been done to restore the Sandbox using the latest container versions
  • now it should be blocking using 403 back again
  • started the effort to bring back Coraza to the sandbox

Security

• FIXME: Please fill in

Plugins

• Fake Bot Plugin
  • marked as 'tested'
  • version 1.0.0 released
• Google OAuth2 Plugin
  • version 1.0.0 released

Documentation and Public Relations

• New website is live!
  • still need to fix some cross postings
• Alessandro has been comissioned to provide a CRS media kit for OWASP HQ

Project Administration and Sponsor relationships

• FIXME: Please fill in

Tools

• FIXME: Please fill in

Testing incl. Seaweed and many future plans

• Seaweed was failing on older python versions
  • trying to catch up and use regular nuclei + simpler scripting (jq? yq?)
  • ported reporting to golang for now

Containers

• New versions out with:
  • removed modsecurity setup override and now we use the default modsecurity.conf-recommended as base.
  • new variables have been introduced to support this change, now making everything in that file configurable with env vars.
  • we moved away from two branch development, and now we just use main and tag when we want a new release. this way we have release notes that are easier to track.

CRS Status Page

• FIXME: Please fill in

Project discussions and decisions

• #3683 - introduction of new labels to automate changelog generation for release notes
• What will happen if we merge lfi-os-files.data and restricted-files.data into one file?
• Add exclusion set for OData standard #2127
• Bug on Regression Test 942210-31 #3297
• Unified format for tests matching log rule IDs #3239 Looks like we never got into the next steps needed here.

Rules development, key project numbers

PRs that have been merged since the last meeting

• fix: typos in 920330 and 942280 tests #3688
• docs: add missing changelog entry for 4.1.0 #3689
• chore: remove docs as submodule #3691
• test: change pl-1 to pl1 to be inline with others #3690
• fix: add visudo and cscli to unix-shell.data (932160 PL-1, 932161 PL-2) #3663
• fix: Oracle SQL database data leakage FP (951120 PL1) #3685
• feat: catch Java PostgreSQL errors (951240 PL1) #3686
• fix: also check open changelog PRs for processed PRs #3681
• chore: post release add 4.3.0-dev #3682
• chore: release v4.2.0 #3680
• chore: changelog updates since 2024-04-14, merged by @dune73 #3674
• fix: don't cumulate changes in changelog PRs #3678
• chore: changelog updates for 2024-04-15, merged by @franbuehler #3671
• chore: changelog updates for 2024-04-14, merged by @franbuehler #3664
• chore: changelog updates since 2024-04-14, merged by @azurit #3677
• chore: create changelog PRs weekly, based on main #3669
• fix: add detection for php evasion attempt (933100 PL1) #3667
• fix: fix permissions of log files for tests #3668
• chore: changelog updates for 2024-04-14, merged by @azurit #3665
• chore: remove references to nonexistant 942110 rule #3648
• feat: block crowdsec cscli and visudo commands (932235 PL-1, 932236 PL-2, 932237 PL-3, 932239 PL-2, 932260 PL-1) #3649
• feat: disassemble php rule (933100 PL1) #3662
• fix: run nightly workflows at separate times #3660
• fix: increase length of Accept-Encoding header from 50 to 100 (920520 PL1) #3661
• chore(deps): update secrules_parsing to 0.2.9 #3657
• chore: changelog updates for 2024-04-09, merged by @azurit #3653
• fix: pin tool versions in gha #3651

We merged 27 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

• feat: Split Node-Validator keywords functionally #2637

• feat: auto-sync to coreruleset/documentation #3292

• fix: adjust the order of t:urlDecodeUni and t:utf8toUnicode in 941160 PL1 #3450

• feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) #3687

• feat: block The Mysterious Mozlila User Agent bot (913100 PL1) #3646

• fix: collections not being initialized without User-Agent header #3645

• chore: add release changelog file #3683

• fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) #3638

• feat: accidental firewall disability prevention #3650

• As of Monday, we have 90 open issues.

• As of Monday, we have 14 open pull requests.

Separate 2nd Meeting (Monday, 2024-05-20)

• Create GeoIP plugin #2500
• FPs with rule 953120 for gzip data #2751
• Rule 933120 FP: Common Words #3637 (sophisticated proposal to fight some FPs - do we want this)
• Since 4.2.0 many Fediverse ActivityPub pushes to /inbox fail with rule 941100, 932130, 932260 and others #3698
• feat: use albedo as backend server #3706
  • intro to Albedo
  • what to do with the failing tests?

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

[franbuehler]

Decisions 2nd Meeting (Monday, 2024-05-20)

🔵 GeoIP plugin

Information by @fzipi and @azurit

• There is a new plugin for doing GeoIP (blocking)
• That still needs to be moved to the coreruleset org
• It will be a good addition to our plugins
• Open question is:
  • @azurit would like to have a simple geoip plugin that does nothing by itself, it's meant to use geoip across CRS
  • @dune73 would like to have at least a blocking rule inside this plugin. But @azurit thinks this blocking rule should be a second plugin
  • Decision: no decision yet, but we would like to see what @dune73's arguments are (ping him and discuss it in issue)

🔵 953120

• Because checking the response header is cheaper than checking the response body, because we think that trusting the Content-Encoding header is acceptable and because we think that solving this fp is important (azurit sees so much diverse traffic) we decide to go with solution 2.

🔵 933120 False Positive

• already resolved :-)

🔵 Fediverse / ActivityPub

• We agree that this should be solved with a plugin.
• As for the RCE rules, they have a couple of open issues. We need to tackle those as a group and conceptually decide what we want to do with them.

🔵 Albedo

• Intro by @theseion:
  • Albedo is a simple web server that is designed to replace httpbin in our test setup. It does 3 things:
    • requests to unknown endpoints -> return 200 without a body
    • POST requests to /reflect expect a JSON document that describes the response to return; albedo will return the response as specified.
    • endpoint access and payloads are logged
  • The main motivation is response rule testing, which currently doesn't work
    . There are currently 3 issues with response testing:
    • no way to set the status code
    • the request body is embedded in the response, so anchored regexes won't match
    • the request body is embedded as JSON, meaning non-printable characters and double quotes are escaped, with additional white space and newline characters thrown in
  • @theseion updated most response tests to use albedo. They still work with the current setup.

[franbuehler]

Blog posts found by dev-on-duty, to be added for the next meeting (external references) when preparing the June meeting (@dune73):

• https://twitter.com/20iUnlimited/status/1795804063444910383 (Link to https://www.20i.com/blog/modsec/): Rough overview, does not go into depth. Explains how to write a SecRule using an example.
• https://twitter.com/prod42net/status/1795272715131138419 - Link to https://dev.to/henri_sekeladi/whitelisting-specific-paths-on-modsecurity-3-with-owasp-rules-39d5 (rule exclusion example with a path)
• https://twitter.com/prod42net/status/1795272708898333151 -> Link to https://dev.to/henri_sekeladi/install-modsecurity-owasp-crs-for-nginx-webserver-on-centos-7-4fgo
• https://twitter.com/prod42net/status/1795272706331406484 -> Link to https://dev.to/henri_sekeladi/install-nginx-with-modsecurity-3-owasp-crs-on-ubuntu-2204-5d6l (I think they use the bad NGINX by Ondrej PPA here -> should we say something? Also see https://owasp.slack.com/archives/CBKGH8A5P/p1706108836492279. Not entirely sure if I got this right)