OWASP Developer Guide

ModSecurity Core Rule Set

9.4 ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) project is a set of generic attack detection rules for use with ModSecurity compatible web application firewalls such as OWASP Coraza. CRS is an OWASP Flagship tool project and can be downloaded for either Apache or IIS/Nginx web servers.

What is the Core Rule Set?

The Core Rule Set (CRS) are attack detection rules for use with ModSecurity, [Corazacoraza and other ModSecurity compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks with a minimum of false alerts. The CRS provides protection against many common attack categories, including those in the OWASP Top Ten.

Why use it?

If an organization is using a Coraza, ModSecurity or compatible Web Application Firewall (WAF) then it is very likely that the Core Rule Set is already in use by this WAF. The CRS provides the policy for the Coraza / Modsecurity engine so that traffic to a web application is inspected for various attacks and malicious traffic is blocked.

How to use it

The use of the Core Rule Set assumes that a ModSecurity, Coraza or compatible WAF has been installed. Refer to the Coraza tutorial or the ModSecurity on how to do this.

To get started with CRS refer to the Core Rule Set installation instructions.

The OWASP Spotlight series provides an overview of how to use this Core Rule Set: ‘Project 3 - Core Rule Set (CRS) - 1st Line of Defense’.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.