

























Hi,
It seems that the owasp-core-ruleset package has been resubmitted to AUR as modsecurity-crs.
The latter already depends on Arch repo's libmodsecurity.
It might be good to consider merging AUR/owasp-core-ruleset into AUR/modsecurity-crs.
By having the 'modsecurity-' name prefix, the latter might be a bit more helpful to users by making it clear that this is an addon for (lib)modsecurity.
(Albeit upstream's repo and release tar name is 'coreruleset', upstream's website frequently refers to this package by its acronym, CRS.)
Hi,
Dependency modsecurity is an orphan now and needs update. Would you consider adopting it and taking care of it?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。
Hi @MarsSeed.
You are right, we have something of a duplicate here.
There is a small difference however (albeit unrelated to the naming): this PKGBUILD depends on
apache, and installs the CRS into its config directory in/etc/httpd/conf/whereas themodsecurity-crsPKGBUILD depends onnginxand provides a.installfile with instructions for setting up that webserver.The reason why I named this PKGBUILD like this is that: "The OWASP® ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls" (on https://coreruleset.org/). I agree, that is a bit disingenuous as I don't think there are any "compatible WAF" that are not ModSecurity itself. Since at the moment there is a bit of tossing and turning around TrustWave's end of support for Modsecurity, it is not inconceivable that in the future another WAF will be developed, or that a fork and name change may occur, and having the CRS technically and nominally be independent seems to make sense in that regard. Also, another detail I notice about the
modsecurity-crsPKGBUILD is that it actually pulls config files from the ModSecurity's Github page (https://github.com/SpiderLabs/ModSecurity) which further ties it into that WAF rather than another (but that's nothing that couldn't be changed should the need arise).Maybe in a way this should be
owasp-coreruleset-apacheand the otherowasp-coreruleset-nginx, or we should work with AlphaJack, the maintainer ofmodsecurity-crs, to sort out a commonowasp-corerulesetfor bothapacheandnginx...