Introduction
Imagine your home guarded by a loyal family dog. It’s friendly, greets your guests, and barks only when a real threat emerges. But what happens when that same dog is suddenly tasked with guarding a high-security vault? It transforms into a fierce guard dog, ready to pounce at the slightest sign of intrusion. This is exactly how OWASP ModSecurity Core Rule Set (CRS) behaves—switching between a family-friendly pet and an untamed protector depending on its Paranoia Level (PL).
As cyber threats become more sophisticated, security professionals need a fine balance between protection and flexibility. CRS achieves that balance by letting organizations set different Paranoia Levels to detect and prevent web-based attacks. The higher the level, the more aggressive the rules become, and the more false positives you have to expect in return.
Understanding Paranoia Levels: Dog Metaphor Edition
Let’s break down Paranoia Levels with a fun analogy. Picture a dog that adjusts its behavior based on its environment:
- Paranoia Level 1: The family dog. Friendly, welcoming, and reacts only to obvious intruders. This level minimizes false positives and is suitable for most internet-facing applications. Basic protection with minimal fuss.
- Paranoia Level 2: A suspicious watchdog. It sniffs out trouble more often, but occasionally mistakes a friendly neighbor for an intruder. It’s perfect for online shops or applications dealing with real user data.
- Paranoia Level 3: The guard dog. Barking at every knock on the door. It monitors closely and is ideal for high-stakes environments like online banking, where every transaction is under the microscope.
- Paranoia Level 4: The mad dog. Ready to pounce at the slightest provocation. It's hyper-vigilant but needs constant training to distinguish between threats and friendly visitors. Reserved for applications where nothing less than nuclear-grade security will do—think military institutions or nuclear plants.
Why Paranoia Levels Matter
Security is never one-size-fits-all. An online shopping portal doesn’t need the same level of security as a classified government database. CRS allows you to adjust the rules depending on your application’s sensitivity.
Each level switches on the rules of the levels below it plus its own, so PL 3 runs everything from PL 1 and PL 2 as well. Here’s the breakdown:
- PL 1: Baseline security for any internet-facing service. Minimal false positives. Ideal for public websites.
- PL 2: Enhanced security for services handling sensitive data. A few false positives are expected. E-commerce platforms fit this bill.
- PL 3: Stringent security with specialized rules. Requires experienced handlers to manage false positives. Online banking services or financial institutions fall here.
- PL 4: Maximum security for mission-critical applications. High false positives, but top-notch protection. Perfect for high-stakes infrastructures.
Training the Mad Dog: False Positives and Rule Tuning
Running Paranoia Level 4 without training is like leaving a guard dog untrained—it bites everyone, even the mailman. False positives are the bane of high paranoia levels. When the rules get stricter, they sometimes mistake legitimate requests for malicious activity.
False Positives Explained:
- A friendly guest mistaken for an intruder? False positive.
- An actual attacker identified as a threat? Success.
To prevent unnecessary “bites,” security teams invest time training CRS, writing rule exclusions, and continuously testing. This ongoing effort is crucial for environments operating at PL 3 or PL 4.
Why Training Matters:
- New software releases introduce new traffic patterns—just like a new mailman visiting the house.
- False positives lead to unnecessary blocking of legitimate traffic, affecting user experience.
- Writing exclusions and tuning rules smooths the guard dog’s responses, ensuring a balance between security and user access.
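Tuning starts with counting which rules fire where. The script below is an added example, not part of the original article or of the CRS project: it parses a handful of constructed, abridged ModSecurity 2.x error-log lines (the bracketed fields mirror what the engine writes to the Apache error log), counts alerts per paranoia level and per rule/URI/parameter combination, and prints candidate rule exclusions in the `ctl:ruleRemoveTargetById` form that CRS recommends for its `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` file. The threshold `min_hits`, the starting rule id `10000` and the hostnames and URIs are assumptions for the illustration; every proposal still has to be reviewed by a human, because a repeated hit can just as well be a persistent attacker as a false positive.

```python
import re
from collections import Counter

# Constructed, abridged ModSecurity 2.x error-log lines (not real traffic).
# Three formats of the leading message are covered: "@rx" rules ("Pattern match ... at TARGET."),
# libinjection rules ("found within TARGET:") and @validateByteRange ("byte(s) in TARGET outside range").
SAMPLE_LOG = """\
[client 203.0.113.5:40000] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [tag "paranoia-level/1"] [hostname "shop.example"] [uri "/post"] [unique_id "a1"]
[client 203.0.113.5:40000] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [tag "paranoia-level/1"] [hostname "shop.example"] [uri "/post"] [unique_id "a2"]
[client 198.51.100.9:51000] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "200"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [tag "paranoia-level/1"] [hostname "shop.example"] [uri "/post"] [unique_id "a3"]
[client 198.51.100.9:51000] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "900"] [id "942432"] [msg "Restricted SQL Character Anomaly Detection (args)"] [tag "paranoia-level/2"] [hostname "shop.example"] [uri "/post"] [unique_id "a4"]
[client 203.0.113.5:40000] ModSecurity: Warning. Pattern match "..." at ARGS:comment. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "900"] [id "942432"] [msg "Restricted SQL Character Anomaly Detection (args)"] [tag "paranoia-level/2"] [hostname "shop.example"] [uri "/post"] [unique_id "a5"]
[client 192.0.2.77:6000] ModSecurity: Warning. Found 1 byte(s) in ARGS:email outside range: 38,44-46,48-58,61,65-90,95,97-122. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1500"] [id "920273"] [msg "Invalid character in request (outside of very strict set)"] [tag "paranoia-level/4"] [hostname "shop.example"] [uri "/signup"] [unique_id "a6"]
[client 192.0.2.200:7000] ModSecurity: Warning. Pattern match "..." at ARGS:cmd. [file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "100"] [id "932100"] [msg "Remote Command Execution: Unix Command Injection"] [tag "paranoia-level/1"] [hostname "shop.example"] [uri "/admin"] [unique_id "a7"]
"""

# Field order in a ModSecurity alert: [id] comes before the [tag]s, which come before [uri].
ALERT_RE = re.compile(
    r'\[id "(?P<id>\d+)"\].*?\[tag "paranoia-level/(?P<pl>\d)"\].*?\[uri "(?P<uri>[^"]*)"\]')
# The inspected variable (ARGS:comment, REQUEST_COOKIES:session, ...) is in the message prefix.
TARGET_RES = [
    re.compile(r' at (\S+)\. \[file '),                 # @rx / @pm style operators
    re.compile(r'found within (\S+): '),                 # libinjection rules (941100, 942100)
    re.compile(r' byte\(s\) in (\S+) outside range'),    # @validateByteRange (920270-920273)
]

def parse_alerts(log_text):
    """Return one dict per CRS alert line: rule id, paranoia level, URI and inspected target."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a CRS alert line, or one without a paranoia-level tag
        target = "?"
        for rx in TARGET_RES:
            t = rx.search(line)
            if t:
                target = t.group(1)
                break
        alerts.append({"id": int(m["id"]), "pl": int(m["pl"]), "uri": m["uri"], "target": target})
    return alerts

def hits_by_paranoia_level(alerts):
    """How many alerts each paranoia level contributed: what you would lose by lowering the level."""
    return dict(sorted(Counter(a["pl"] for a in alerts).items()))

def top_false_positive_candidates(alerts, min_hits=2):
    """(rule id, uri, target) combinations seen at least min_hits times, most frequent first."""
    counts = Counter((a["id"], a["uri"], a["target"]) for a in alerts)
    return [(key, n) for key, n in counts.most_common() if n >= min_hits]

def exclusion_rule(rule_id, uri, target, exclusion_id):
    """A runtime rule exclusion limited to one URI prefix: removes only this target from one rule."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
            f'    "id:{exclusion_id},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={rule_id};{target}"')

def propose_exclusions(alerts, min_hits=2, start_id=10000):
    """Draft one exclusion per frequent combination; ids 10000+ are assumed free for local rules."""
    candidates = top_false_positive_candidates(alerts, min_hits)
    return [exclusion_rule(rid, uri, target, start_id + i)
            for i, ((rid, uri, target), _) in enumerate(candidates)]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print("alerts per paranoia level:", hits_by_paranoia_level(alerts))
    for key, n in top_false_positive_candidates(alerts):
        print(f"{n:3d} hits  rule {key[0]}  uri {key[1]}  target {key[2]}")
    print("\n# candidate exclusions, to be reviewed before deployment:")
    print("\n".join(propose_exclusions(alerts)))
```

The single 932100 hit on `/admin` stays below the threshold and gets no exclusion, which is the point: a command-injection alert on an admin endpoint deserves a look at the payload, not a tuning rule.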
Diving Deeper: Rule Groups and Their Importance
CRS rules are grouped by topic and assigned unique IDs. Think of these as commands given to the guard dog to recognize various threats. These rule groups cover a wide range of attack vectors, from protocol enforcement to SQL injection prevention.
Key Rule Groups:
- 920 Protocol Enforcement: Ensures HTTP protocol compliance (valid methods, headers, encodings and byte ranges).
- 930 Local File Inclusion Protection: Detects path traversal and attempts to read local files.
- 932 Remote Command Execution Detection: Detects shell command injection.
- 941 Cross-Site Scripting (XSS) Prevention: Identifies and stops malicious scripts.
- 942 SQL Injection Detection: Protects against SQL-based attacks.
- 949 Blocking Evaluation: Compares the anomaly score accumulated by the rules above with the configured threshold and blocks the request when it is exceeded.
The Art of Stricter Siblings: Evolving Paranoia with Rule Layers
CRS introduces a clever concept—stricter siblings. Some base rules come with stricter versions that are only active at higher Paranoia Levels. Think of it as a family of rules where each sibling is more disciplined and less forgiving.
Example: Byte Range Enforcement
- PL 1 (Base Rule, 920270): Allows the full byte range except the null character.
- PL 2 (Stricter Sibling, 920271): Accepts only visible ASCII characters, plus tab, newline and carriage return, and bytes above 127 (so non-ASCII text in form fields still passes).
- PL 3 (920272): Narrows the range to printable ASCII below 127 and drops the percent sign; a literal percent sign surviving the rule’s URL decoding is what a double-encoded request leaves behind.
- PL 4 (920273): Allows only a minimal set—letters, digits and a handful of punctuation characters such as period, hyphen, underscore, comma, colon, equals and ampersand—and treats everything else, including a plain space, as suspicious.
This layered approach ensures that as the paranoia level increases, the rules become more rigorous—like a family dog transforming into a SWAT-trained protector.
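To make the layering concrete, the following added example (written for this page, not code from CRS itself) reimplements the byte-range checks of the four siblings in Python. The accepted byte ranges are the ones rules 920270 to 920273 pass to the `@validateByteRange` operator in CRS 3.x; the rules URL-decode the inspected value first (`t:urlDecodeUni`), which the example approximates with `unquote_to_bytes`. The function `lowest_flagging_pl` answers the practical question of the section: at which Paranoia Level does a given parameter value start to trigger an alert? The example ignores which request parts each sibling inspects and looks only at a single parameter value; the sample values are constructed.

```python
from urllib.parse import unquote_to_bytes

# Accepted byte values per sibling, as given to @validateByteRange in CRS 3.x.
PL_BYTE_RANGES = {
    1: "1-255",                              # 920270: anything but NUL
    2: "9,10,13,32-126,128-255",             # 920271: printable ASCII, TAB/LF/CR, bytes above 127
    3: "32-36,38-126",                       # 920272: printable ASCII below 127, without '%' (37)
    4: "38,44-46,48-58,61,65-90,95,97-122",  # 920273: & , - . 0-9 : = A-Z _ a-z
}

def parse_byte_range(spec):
    """Expand a @validateByteRange spec such as "9,10,13,32-126" into the set of accepted bytes."""
    accepted = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        accepted.update(range(low, high + 1))
    return frozenset(accepted)

ACCEPTED = {pl: parse_byte_range(spec) for pl, spec in PL_BYTE_RANGES.items()}

def offending_bytes(value, pl):
    """Byte values of `value` (after one round of URL decoding) that the sibling at level `pl` rejects."""
    decoded = unquote_to_bytes(value)   # approximation of t:urlDecodeUni
    return sorted({b for b in decoded if b not in ACCEPTED[pl]})

def lowest_flagging_pl(value):
    """Lowest Paranoia Level whose byte-range sibling fires on `value`, or None if all four accept it."""
    for pl in (1, 2, 3, 4):
        if offending_bytes(value, pl):
            return pl
    return None

if __name__ == "__main__":
    # Constructed parameter values, as they would arrive in a query string or form body.
    samples = [
        "abc123",        # plain identifier: accepted everywhere
        "a%00b",         # embedded NUL: caught already at PL 1
        "a%01b",         # control character: PL 2
        "caf%C3%A9",     # UTF-8 'café': fine up to PL 2, rejected at PL 3
        "%2527",         # double-encoded quote leaves a literal '%': PL 3
        "hello world",   # a space: only PL 4 objects
        "%27",           # a single quote: PL 4
    ]
    for s in samples:
        pl = lowest_flagging_pl(s)
        print(f"{s!r:16} -> {'accepted at all levels' if pl is None else f'first flagged at PL {pl}'}")
```

The output shows why PL 4 needs so much training: a space or an apostrophe in a comment field, both common in legitimate input, already produce an alert, while at PL 1 only a null byte does.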
Paranoia in Action: Making a Reasonable Decision
When deploying CRS, security teams need to assess the value of the data being protected. A business hosting sensitive customer data should aim for Paranoia Level 2 or 3. However, a financial institution processing millions of transactions may consider Paranoia Level 4 worth the investment—despite the effort required to tame the false positives. Whatever the choice, the level is a single setting in crs-setup.conf (the tx.paranoia_level variable in CRS 3.x), so it is easy to raise step by step as tuning progresses.
Decision-Making in Action:
- Evaluate the Application: How valuable is the data? What are the potential risks?
- Discuss with Stakeholders: Involve developers, security teams, and business units.
- Set the Right Level: Balance security with operational efficiency.
- Allocate Time for Rule Tuning: Be ready to invest 4-6 days for false positive management.
Conclusion: Strike the Right Balance
OWASP ModSecurity Core Rule Set empowers organizations to choose their security posture wisely. Whether it’s a family dog watching the front yard or a military-trained guard dog protecting the crown jewels, CRS adapts to the situation. Paranoia Levels give security professionals the power to fine-tune protection without compromising performance.
For Chief Information Security Officers (CISOs) and cybersecurity teams, finding the right level is like striking a balance between vigilance and trust. With the right Paranoia Level and some dedicated training, CRS can be the perfect guard dog—friendly when needed, ferocious when required.
By: Christian Folini (Teacher and Security Engineer, Partner, Netnea.com)