CRS – OWASP ModSecurity Core Rule Set


The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

The Core Rule Set provides protection against many common attack categories, including:

  • SQL Injection (SQLi)
  • Cross Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Remote Code Execution (RCE)
  • PHP Code Injection
  • HTTP Protocol Violations
  • HTTPoxy
  • Shellshock
  • Session Fixation
  • Scanner Detection
  • Metadata/Error Leakages
  • Project Honey Pot Blacklist
  • GeoIP Country Blocking

New Features in CRS 3

CRS 3 includes many protection enhancements, plus the following new features:

  • Over 90% reduction of false alerts in a default install
  • A user-defined Paranoia Level to enable additional strict checks
  • Application-specific exclusions for WordPress Core and Drupal
  • Sampling mode runs the CRS on a user-defined percentage of traffic
  • SQLi/XSS parsing using libinjection embedded in ModSecurity

For a full list of changes in this release, see the CHANGES document.


CRS 3 requires an Apache/IIS/Nginx web server with ModSecurity or higher.

Download CRS.

git clone

After download, copy crs-setup.conf.example to crs-setup.conf. Optionally edit this file to configure your CRS settings. Then include the files in your webserver configuration:

Include /.../crs-setup.conf
Include /.../rules/*.conf

For detailed installation instructions, see the INSTALL document. Also review the CHANGES and KNOWN_BUGS documents.
You can update the rule set using the included script util/

Handling False Positives and Advanced Features

Advanced features are explained in crs-setup.conf and in the rule files themselves. The crs-setup.conf file is generally a very good entry point to explore the features of the CRS.
We try hard to reduce the number of false positives (false alerts) in the default installation. But in the end, you may encounter false positives nonetheless.

Christian Folini’s tutorials on installing ModSecurity, configuring the CRS and handling false positives provide in-depth information on these topics.
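
The Paranoia Level, application exclusions and sampling mode listed under New Features are set in crs-setup.conf, and a false positive is typically handled with a targeted exclusion loaded after the rules. The following is an added example, not taken from the CRS documentation: the rule ids and variable names are assumed to match the CRS 3 crs-setup.conf.example (confirm against your installed copy), the values are illustrative, and `comment_body` is a hypothetical parameter name.

```apache
# --- crs-setup.conf (added example; values are illustrative) ---

# Paranoia Level: 1 is the default. Higher levels enable stricter
# rules and will raise more false positives that need tuning.
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=2"

# Application-specific exclusions: enable only the one matching the
# application actually served (WordPress here).
SecAction \
 "id:900130,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.crs_exclusions_wordpress=1"

# Sampling mode: run the CRS on 10% of requests during rollout.
# The other 90% bypass the rule set entirely, so return this to 100
# once tuning is finished.
SecAction \
 "id:900400,\
  phase:1,\
  nolog,\
  pass,\
  setvar:tx.sampling_percentage=10"

# --- web server configuration ---
Include /.../crs-setup.conf
Include /.../rules/*.conf

# False-positive handling, placed after the rules are loaded:
# stop the libinjection SQLi rule (942100) from inspecting a single
# parameter instead of disabling the rule for all traffic.
# "comment_body" is a hypothetical parameter name.
SecRuleUpdateTargetById 942100 "!ARGS:comment_body"
```

Scoping the exclusion to one rule id and one parameter keeps the rest of the SQLi coverage in place for every other input.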

Core Team

