Monthly Chat Agenda February (extraordinary changed to: 2020-02-10)

[dune73]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, February 10, at 20:30 CET.

Items on the Agenda:

• Previous Meetings decisions: Monthly Chat Agenda January (2020-01-06)  #1654 (comment)

PRs

• Problems with Travis
• PR new vuln scanner for scanners-user-agents.data #1679 new vuln scanner
• PR Remove req msg dot #1678 cleanup: Remove req msg dot
• PR Fix FP with create with 942360 #1675 solves issue Rule 942360: False positive #1605.
• PR Extend sql having in rule 942230 #1674 solves issues Rule 942230: False positive #1607 and Rule 942230: False positive #1598 and adds regression tests for 942230.
• PR XenForo: add exclusions, remove unnecessary chains #1673 Xenforo
• PR Avoid embedded anchors in CRS rule 942330 #1668 Avoid embedded anchors in CRS rule 942330
• PR Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667: Work in progres
• PR RE2 compatibility for 920120 #1663 RE2 compatibility for 920120
• PR Fix 930100 and 930110 (REQUEST_BODY) #1659 Fix 930100 and 930110 (REQUEST_BODY)
• PR Revert #578 #1616 Revert Add urlDecodeUni() operation to ARG/ARGS_NAMES #578: we are still waiting for the commit message update explaining why. :)
• More PRs need more work

Other items

• We are going to migrate our github away from SpiderLabs to an organization of our own. This is probably happening in March and Trustwave has agreed to support this migration. Support is vital because we meed TW to export the discussion history (issues and PRs).
• @fzipi has provided a draft for the new CAPEC tagging - but @dune73 failed to look into it.

Open Issues

In January, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

• General problem with newly discovered DoS issues in our rules
• Issue slot 1: Ensure that all rules with ARGS also consider XML:* #1227 Ensure that all rules with ARGS also consider XML:*
• Issue slot 2: Review severity levels of CRS to make sure all rules have severity levels #610 Review severity levels of CRS to make sure all rules have severity levels
• Issue slot 3: Consistent support for the "ver" action #650 Consistent support for the "ver" action
• Issue slot 4: ...
• Issue slot 5: ...
• Issue slot 6: ...
• Issue slot 7: ...
• Issue slot 8: ...
• Issue slot 9: ...
• Issue slot 10: ...

Feel free to add items as you see fit either above, or below as comments.

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM .
Everybody is welcome to join our community chat.

[dune73]

Decisions

PRs

• Problems with Travis: We are unsure as to why this happens. @franbuehler will investigate this for an hour or two on Tuesday, if she fails, @dune73 will try and pick it up. Longterm, we want to replace Travis with github actions. @fzipitria is working on this.
• new vuln scanner for scanners-user-agents.data #1679 will be merged as soon as Travis works again
• Remove req msg dot #1678 will be merged as soon as Travis works again
• Fix FP with create with 942360 #1675 has been merged during the meeting by accident, it worked when tested locally.
• Extend sql having in rule 942230 #1674 dune73 will review this; will be merged afterwards if Travis works again
• XenForo: add exclusions, remove unnecessary chains #1673 will be merged as soon as Travis works again
• Avoid embedded anchors in CRS rule 942330 #1668 @franbuehler will review this
• Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) #1667 is a work in progress, thus skipped
• RE2 compatibility for 920120 #1663 @dune73 will investigate the performance situation with this proposed update
• Fix 930100 and 930110 (REQUEST_BODY) #1659 will be merged since @themiddle has tested this extensively
• Revert #578 #1616 is still waiting for an update
• Rule to check if both C-L and T-E are present #1310 will be merged after a rebase by @themiddle so the table is clean for more request splitting rules afterwards

Other issues

• We will be moving our repository to https://github.com/coreruleset in March
  The following people will work on this: @dune73, @lifeforms and @fzipitria
• Sponsoring is moving along, but there are issues with HQ
• CAPEC tagging is making progres thanks to @fzipitria and his student.
  @lifeforms and @dune73 will review 2nd draft.
  @dune73 shares a story how a CISO of a big bank bumped into one of his
  classes, saw one of the few rules with CAPEC tagging on the screen and
  got very excited that this is great and really what is needed for
  management and reports...
• The long absence of co-lead @csanders-git is affecting the project. We need to talk to him.

Issues

• Rule 941120 Processing time is too long #1665: Discussed this quite long. It's a serious problem, @dune73 came up with a simpler rule that @airween will now check
• Ensure that all rules with ARGS also consider XML:* #1227: @lifeforms volunteered
• Consistent support for the "ver" action #650: postponed (maybe @lifeforms if Ensure that all rules with ARGS also consider XML:* #1227 works nicely)
• Review severity levels of CRS to make sure all rules have severity levels #610: postponed (maybe @lifeforms if Ensure that all rules with ARGS also consider XML:* #1227 works nicely)
• Add XSS checks for Referer header #606: kill issue, we have not been able to do a PR for this, so we better give up for now
• LFI path traversal rules using REQUEST_BODY cannot be excluded #597: @emphazer, but he will probably take until end of March to provide PR
• Block proxy requests (GET http://example.org/ HTTP/1.1) #501: assigned to @themiddle, who is already running the rule in prod
• Rule 920150 (Unmatched multipart boundry) is redundent to modsecurity.conf-recc #437: axe it
• Add base64 decoding for some rules #369: can be removed in light of greater transformation PR
• LDAP Injection Rule #276: @dune73