Mastering OWASP ModSecurity Core Rule Set (4): Sampling Mode | Christian Folini

Protecting Your Applications with Confidence

Imagine running a high-speed train. Every minute, thousands of passengers board, and you need to ensure they get to their destination safely. But what if 1% of those passengers posed a potential risk? Wouldn’t it make sense to inspect that small percentage carefully while letting the others move freely?

This is exactly what happens when you enable Sampling Mode in the OWASP ModSecurity Core Rule Set (CRS). It is a simple feature that lets you introduce the rule set gradually, without overwhelming your servers and without exposing all of your users to untuned rules at once.


Understanding Sampling Mode

When deploying a web application firewall (WAF) like ModSecurity, performance is a critical concern. The CRS therefore has a sampling mode: a configurable percentage of incoming requests (tx.sampling_percentage in crs-setup.conf, 100 by default) is evaluated against the rule set, and every other request is passed through with the rule engine switched off for that transaction. Set to 1, this means 99% of the traffic flows through untouched while 1% is evaluated against CRS rules.

Here’s how it works:

  • Low Impact on Performance: Only the sampled share of traffic (1% in this example) runs through the CRS rules, so the CPU cost of the rule set shrinks accordingly.

  • Safe Testing Ground: Sampling lets you test CRS without exposing the entire application to it. Any false positives are confined to that small subset of requests.

  • Minimized Disruption: If a legitimate user is blocked by a false positive, refreshing the page usually resolves the issue, because each request is sampled independently and the next one is very likely not evaluated at all. Keep in mind that an attacker's retry benefits in exactly the same way: sampling mode is a rollout and measurement tool, not a protection level.

Think of it as dipping your toes in the water before diving in. You get a feel for what’s coming without taking unnecessary risks.
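The switch itself lives in crs-setup.conf. The snippet below is an added illustration for this article, not the file's full text: rule 900400 ships commented out with the percentage at 100, and uncommenting it with the value set to 1 gives the 1% described above. The rule id, the variable name and the directive syntax are those of the CRS; the comments are mine.

```apache
# crs-setup.conf, sampling mode (added illustration, not the complete file)
#
# As shipped: rule 900400 is commented out and the percentage is 100,
# i.e. every request is evaluated.
#
#SecAction \
#    "id:900400,\
#    phase:1,\
#    pass,\
#    t:none,\
#    nolog,\
#    setvar:tx.sampling_percentage=100"

# Sampling at 1 %: the same rule, uncommented, with the value changed.
# For each request the CRS initialisation rules derive a number 0-99
# from the request's UNIQUE_ID and keep the rule engine on only if that
# number is below this value; every other request gets ctl:ruleEngine=Off
# for the transaction and is neither evaluated nor blocked.
SecAction \
    "id:900400,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:tx.sampling_percentage=1"
```

Two things to check when you turn this on. First, sampling only decides which requests reach the engine; whether a sampled request is blocked or merely logged is still governed by SecRuleEngine (On versus DetectionOnly) in modsecurity.conf. Second, the initialisation rule that switches the engine off (id 901450) writes a log line for each request it skips, so you can confirm from the error log that the configured share is what actually runs, and raise the value step by step (1, 10, 50, 100) once the false positives at each level are tuned away.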


Commercial Players Using CRS

CRS isn’t just a theoretical concept. It’s actively used by major commercial providers who have adapted it to their ecosystems.

1. Fastly – Pioneering CRS in Varnish

Fastly, a content delivery network (CDN), doesn't use ModSecurity at all. Its platform is built on Varnish, a high-performance caching server, so Fastly transposes the CRS rules into Varnish Configuration Language (VCL) and runs them inside Varnish itself.

  • No ModSecurity required.

  • Pure Varnish-based CRS for ultra-fast performance.

  • Proven to work effectively for Fastly’s high-traffic environment.

2. AWS – Managed CRS for the Masses

Amazon Web Services (AWS) offers CRS in its WAF Managed Rules available in the AWS Marketplace. Users can purchase and deploy CRS to protect their applications hosted on AWS infrastructure.

  • Easy integration with AWS WAF.

  • Paid service, but highly optimized for AWS environments.

3. Microsoft Azure – Custom CRS Implementation

Azure has taken CRS a step further by forking and re-implementing ModSecurity to better fit its cloud infrastructure. ModSecurity can be resource-intensive, and Azure optimized it for improved memory and CPU usage.

  • Forked ModSecurity for enhanced performance.

  • Seamless CRS integration into Azure WAF.

4. Oracle Cloud – Security with CRS

Oracle Cloud uses CRS, but the underlying architecture is less transparent. While it is known that Oracle Cloud leverages CRS rules, it’s unclear whether they use ModSecurity or a custom implementation.

  • CRS support available for Oracle Cloud users.

  • High security with minimal impact on performance.

5. Cloudflare – Pushing CRS Beyond Limits

Cloudflare initially started with CRS but has since built a more advanced system. Although you can still get CRS from Cloudflare, they now rely on their proprietary engine for enhanced protection.

  • CRS used as a foundation for Cloudflare’s custom rules.

  • Optimized for massive-scale internet security.

6. Verizon Media – Introducing Raffles

Verizon Media runs CRS but replaces ModSecurity with their own engine, waflz. Although waflz is open source, it remains tightly linked to Verizon's ecosystem, and few outside Verizon Media use it.

  • CRS deployed through waflz for superior performance.

  • Open-source but specialized for Verizon’s setup.

Why Sampling Mode Makes Sense

When testing CRS on a high-traffic application, sampling mode can save your day. Imagine running CRS at full capacity on an application that receives millions of requests per day. Without sampling, the extra CPU cost of evaluating every request against the full rule set can slow the server down or push it past capacity.

But by using sampling mode:

  • No Performance Bottlenecks: Only a fraction of requests are processed by CRS, keeping things running smoothly.

  • Real-Time Error Identification: False positives surface only in the sampled fraction, so they are easy to isolate and troubleshoot without affecting the entire system.

  • Smooth Transition to Full CRS Deployment: Once you're confident in the results, raising the percentage to 100% of traffic is a seamless process.


CRS in Action: Real-World Scenarios

Let's say a company deploys CRS with sampling mode set at 1%. Most traffic passes without evaluation, but that 1% still yields enough rule hits to spot false positives and tune the rule set before more traffic is exposed to it.

If a legitimate user encounters an error, a quick F5 refresh (reload) is very likely to get through, because the next request is sampled independently and at 1% has a 99% chance of not being evaluated. The same arithmetic applies to an attacker who retries, and the unsampled 99% of malicious requests are never inspected at all. Sampling mode is therefore a way of introducing CRS safely into production, not a level of protection in its own right.
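To make the numbers in this scenario concrete, here is an added simulation (not code from the article or from the CRS project). It mirrors the CRS decision, a per-request number 0-99 compared with tx.sampling_percentage, with a seeded PRNG standing in for the digits CRS takes from the request's UNIQUE_ID, and runs a constructed traffic mix (2% attacks, 0.5% benign requests that trip a rule) through it at several percentages. The attack and false-positive rates are assumptions chosen for illustration.

```python
"""What CRS sampling mode does to a request stream (added simulation,
not CRS code). A PRNG stands in for the UNIQUE_ID digits CRS uses; the
traffic mix and per-request labels below are constructed."""
import random
from dataclasses import dataclass


@dataclass
class Request:
    is_attack: bool            # payload the rule set would flag
    triggers_fp: bool = False  # benign request that a rule misfires on


@dataclass
class Tally:
    total: int = 0
    inspected: int = 0
    attacks: int = 0
    attacks_blocked: int = 0
    false_positives_seen: int = 0


def engine_enabled(rnd100: int, sampling_percentage: int) -> bool:
    """CRS keeps the rule engine on for a request only if the per-request
    number (0-99) is strictly below tx.sampling_percentage; otherwise it
    issues ctl:ruleEngine=Off and nothing is evaluated."""
    return rnd100 < sampling_percentage


def simulate(requests, sampling_percentage, blocking=True, seed=7) -> Tally:
    """Run the stream through the sampling decision. blocking=True models
    SecRuleEngine On, blocking=False models DetectionOnly."""
    rng = random.Random(seed)
    t = Tally()
    for req in requests:
        t.total += 1
        t.attacks += int(req.is_attack)
        if not engine_enabled(rng.randrange(100), sampling_percentage):
            continue  # the unsampled share never sees a CRS rule
        t.inspected += 1
        if req.is_attack and blocking:
            t.attacks_blocked += 1
        if req.triggers_fp:
            t.false_positives_seen += 1  # what the tuning phase looks for
    return t


def p_request_ever_inspected(sampling_percentage, attempts) -> float:
    """Chance that at least one of `attempts` retries of the same request
    is evaluated. For a user this is the chance that refreshing does NOT
    clear the error; for an attacker replaying a payload it is the chance
    of ever being inspected."""
    return 1 - (1 - sampling_percentage / 100) ** attempts


def constructed_traffic(n=100_000, attack_rate=0.02, fp_rate=0.005, seed=1):
    """Constructed workload: mostly benign, a few attacks, a few benign
    requests that trip a false positive (rates are assumptions)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        r = rng.random()
        if r < attack_rate:
            out.append(Request(is_attack=True))
        elif r < attack_rate + fp_rate:
            out.append(Request(is_attack=False, triggers_fp=True))
        else:
            out.append(Request(is_attack=False))
    return out


if __name__ == "__main__":
    traffic = constructed_traffic()
    for pct in (1, 10, 100):
        t = simulate(traffic, pct)
        print(f"{pct:3d}%: inspected {t.inspected / t.total:.1%}, "
              f"attacks blocked {t.attacks_blocked / t.attacks:.1%}, "
              f"false positives surfaced {t.false_positives_seen}")
    print("p(attacker inspected within 5 retries at 1%):",
          f"{p_request_ever_inspected(1, 5):.2%}")
```

At 1% the run surfaces a handful of false positives from a 100,000-request stream, enough to start tuning, while roughly 98-99% of the attacks in the same stream pass through without a single rule executing; the retry probability shows why a user's refresh works and why the same refresh works for an attacker.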


Key Takeaways for Cybersecurity Professionals

For CISOs, CIOs, Security Analysts, and Vulnerability Managers, understanding the practical implications of CRS and its commercial adaptations is crucial.

  • Use Sampling Mode for Safe CRS Testing: Minimize risk by evaluating CRS on a small percentage of traffic.

  • Explore Commercial CRS Offerings: Consider providers like AWS, Azure, and Fastly for optimized and pre-configured solutions.

  • Stay Updated on CRS Enhancements: Providers like Cloudflare and Verizon Media continuously innovate on top of CRS, offering cutting-edge security solutions.

Final Thoughts

Deploying the OWASP ModSecurity Core Rule Set with sampling mode is like adding a safety net beneath a tightrope. You minimize risk, test with confidence, and ensure your application is ready for full-scale protection.

In a world where cyber threats lurk behind every digital corner, CRS offers a reliable defense. Whether it’s AWS, Azure, Fastly, or Cloudflare, these industry giants trust CRS—so should you.


By: Christian Folini (Teacher and Security Engineer, Partner, Netnea.com)
