Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Announcing Release of OWASP ModSecurity Core Rule Set v2.2.1

I am pleased to announce the release of the OWASP CRS v2.2.1.

This is a significant update with regards to SQL Injection protections. Trustwave's SpiderLabs Team conducted an analysis/review of the SQL Injection Challenge Level II evasions - http://www.modsecurity.org/demo/challenge.html and made many updates to now detect the evasion techniques used during the challenge. SpiderLabs will soon be releasing a blog post providing details about the successful SQLi evasions used against the OWASP CRS >v.2.2.1 during the SQLi Challenge. Keeping responsible disclosure in mind, we have delayed public release of this blog post until we had an updated CRS for the community to install that detected these evasions.

*** It is highly recommended that you update your CRS installs ASAP to gain the improved SQL Injection protections. ***



Version 2.2.1 - 07/20/2011



- Extensive SQL Injection signature updates as a result of the SQLi Challenge


- Updated the SQL Error message detection in reponse bodies

- Updated SQL Injection signatures to include more DB functions

- Updated the WEAK SQL Injection signatures

- Added tag AppSensor/RE8 to rule ID 960018

Bug Fixes:

- Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches


- Fixed Session Hijacking rules to properly capture IP address network hashes.

- Added the multiMatch action to the SQLi rules

- Fixed a false negative logic flaw within the advanced_filter_converter.lua script

- Fixed missing : in id action in DoS ruleset.

- Updated rule ID 971150 signature to remove ;




Manual Downloading:

You can always download the latest CRS version here -


Automated Downloading:

Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -lRepository:  http://www.modsecurity.org/autoupdate/repositorymodsecurity-crs {          2.0.0: modsecurity-crs_2.0.0.zip          2.0.1: modsecurity-crs_2.0.1.zip          2.0.2: modsecurity-crs_2.0.2.zip          2.0.3: modsecurity-crs_2.0.3.zip          2.0.4: modsecurity-crs_2.0.4.zip          2.0.5: modsecurity-crs_2.0.5.zip          2.0.6: modsecurity-crs_2.0.6.zip          2.0.7: modsecurity-crs_2.0.7.zip          2.0.8: modsecurity-crs_2.0.8.zip          2.0.9: modsecurity-crs_2.0.9.zip          2.0.9: modsecurity-crs_2.0.10.zip          2.1.0: modsecurity-crs_2.1.0.zip          2.1.1: modsecurity-crs_2.1.1.zip          2.1.2: modsecurity-crs_2.1.2.zip          2.2.0: modsecurity-crs_2.2.0.zip          2.2.1: modsecurity-crs_2.2.1.zip}# Get the latest stable version of "modsecurity-crs":$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crsFetching: modsecurity-crs/modsecurity-crs_2.2.1.zip ...$ ls -R rulesmodsecurity-crsrules/modsecurity-crs:modsecurity-crs_2.2.1.zip    modsecurity-crs_2.2.1.zip.sig