Avi iWAF Core Rule Set
Avi CRS is the default signature-based protection for Avi iWAF.
Released versions are based on the OWASP ModSecurity Core Rule Set (CRS), with heavy modifications to fit the Avi configuration model. Because Avi CRS is used only in Avi iWAF, these changes also improve rule performance, accuracy, and manageability.
For more details, visit the OWASP ModSecurity Core Rule Set (CRS) page.
You can create custom rules in Avi Vantage and apply the rules to a WAF policy.
The version history of CRS updates in Avi Vantage and the plan for upcoming releases are presented in the table below:

| Avi CRS Version | OWASP CRS Version | Description |
|---|---|---|
| CRS-2022-1 | 3.3.2 | Bug fixes and performance improvements |
| CRS-2021-4 | 3.3.2 | Improve rules to protect against the Log4J vulnerability |
| CRS-2021-3 | 3.3.2 | Add rules to protect against the Log4J vulnerability |
| CRS-2021-2 | 3.3.2 | OWASP Core Rule Set updated from version 3.3 to 3.3.2 |
| CRS-2021-1 | 3.3.2 | OWASP Core Rule Set updated from version 3.2 to 3.3 |
| CRS-2020-3 | 3.2 | Bug fixes and performance improvements |
| CRS-2020-2 | 3.2 | Bug fixes and performance improvements |
| CRS-2019-3 | 3.2 | OWASP Core Rule Set updated from version 3.1.1 to 3.2 |
| CRS-2019-2 | 3.1.1 | A new rule group, CRS_402_Additional_Rules, which is a set of Avi-provided rules, is supported |
| CRS-VERSION-NOT-APPLICABLE | None | When this version is selected, the WAF policy will not contain any CRS rules |
| CRS-2019-1 | 3.1.0 | Rule optimizations and reorganization |
| CRS-2017-1 | 3.0.2 | Initial release version of 17.2 |
| CRS-2017-0 | 3.0 (beta) | Pre-release version |
Avi CRS Release Notes
The following changes have been made between the release CRS-2021-4 and CRS-2022-1:
- Fixed false positives in rules 920470, 932115 and 942251.
- Added rule 920530, which fixes false negatives (WAF bypass).
- The rule group 949 is not active by default. If you migrate from an older CRS version, your settings will be kept.
- Fixed some typos in rule names and descriptions.
- Fixed anomaly scoring for rule 4022056.
- Added CVE tags to the Log4Shell rules.
The following changes have been made between the release CRS-2021-3 and CRS-2021-4:
- Improve detection of
- Reduce potential false positives in the Log4Shell detection rules.
- In CRS-2021-3, two rules have been added in group CRS_402_Additional_Rules to protect against CVE-2021-44228.
The following changes have been made between the release CRS-2021-2 and CRS-2021-1:
- Based on OWASP Core Rule Set 3.3.2.
- Removed 3 rules in the CRS_903.9001_Drupal_Exclusion_Rules group.
- Fixed the names of some rules, e.g. rule 950130.
- Removed redundant rules 901120 and 901160.
- Added Avi rules to detect Cross Site Scripting and SQL Injection in the PATH name.
- Added an Avi rule to detect an unencoded # in the URL.
- Every rule now has a tag which marks its group membership, e.g. CRS-group-980. This enables the user to exclude whole groups dynamically via ModSecurity control actions (e.g. by using
- Every rule with a block or deny action is now guaranteed to have a paranoia-level tag.
- Improved the error message of rule 4022030 by including the reason for the parsing error in the log message.
- Fixed a false positive for rule 931130.
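As an added example (not taken from the Avi documentation), the following custom rule in ModSecurity syntax uses the per-rule group tag described above to suppress one CRS group for a single endpoint only, and a narrower variant that keeps the group active but stops inspecting one parameter. The tag name CRS-group-942 (following the CRS-group-<id> pattern, 942 being the SQL injection rules such as 942251), the rule IDs 9000010 and 9000011, the path /legacy/report and the parameter name are assumptions.

```apacheconf
# Added example, not part of the Avi CRS release notes.
# Assumptions: Avi custom rules accept ModSecurity SecRule syntax including the
# ctl action; the tag CRS-group-942 follows the CRS-group-<id> pattern shown in
# the release notes; rule IDs 9000010/9000011, the path /legacy/report and the
# parameter sql_filter are arbitrary placeholders.

# Scoped exclusion: remove the whole 942 group, but only for this one endpoint.
# The rule must run in phase 1 so the ctl action takes effect before the CRS
# request-phase rules are evaluated for the same transaction.
SecRule REQUEST_URI "@beginsWith /legacy/report" \
    "id:9000010,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveByTag=CRS-group-942"

# Narrower variant: keep the 942 group active for the endpoint and only stop it
# from inspecting the single parameter that produces the false positive.
SecRule REQUEST_URI "@beginsWith /legacy/report" \
    "id:9000011,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetByTag=CRS-group-942;ARGS:sql_filter"
```

Prefer the target-level variant where it suffices: it removes only one parameter from the group's scope, so every other input to the endpoint stays inspected and the exclusion is visible as a single rule when the policy is reviewed.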
The following changes have been made between the release CRS-2021-1 and CRS-2020-3:
- Based on OWASP Core Rule Set version 3.3.
- New tags based on CAPEC (Common Attack Pattern Enumeration and Classification) give the user more information about the nature of an attack. The CAPEC IDs can be looked up on https://capec.mitre.org/ for more information about the impact of an attack detected by the WAF.
- Added exclusions for phpBB from the upcoming OWASP Core Rule Set version 3.4.
- Incorporated certain fixes which will be added in the upcoming release:
  - Rule 920420 no longer accepts partial content-types.
  - Rule 920350 now handles IPv6 addresses correctly.
  - Reduced false positives for rules 920470, 941120, 942230 and 942190.
The following changes have been made between the release CRS-2020-2 and CRS-2020-3:
- Rule 920450 is now working as expected.
- The regex for rules 920470 and 920480 is updated to avoid false positives.
The following changes have been made between the release CRS-2020-1 and CRS-2020-2:
- Rule 920180 no longer creates false positives for HTTP/2 requests. This bug has been fixed, together with a performance improvement.
- Performance improvements for rules 941120, 942210, and 942260.
The following changes have been made between the release CRS-2019-3 and CRS-2020-1:
- Older systems could not update to CRS-2019-3. This bug has been fixed.
- Disabled rule 920300 by default (this rule checked for the Accept-Encoding header and only generated log entries, but never rejected a request).
The following changes have been made between the release CRS-2019-2 and CRS-2019-3:
- Introduced rules for special attack types. New groups have been included to:
  - Reduce false positives for xenForo.
  - Protect against NodeJS attacks.
- Moved two rules which handled input parsing failure into the CRS_402_Additional_Rules group.
The following changes have been made between the release CRS-2019-1 and CRS-2019-2:
- A new rule group with rules provided by Avi Vantage, CRS_402_Additional_Rules, has been created. This group contains two new rules to detect attacks on the HTTP protocol level, like the HTTP desync attack. Note: Avi Vantage is not vulnerable to this attack; however, these two rules will provide more visibility.
- The OWASP Core Rule Set is updated from version 3.1 to version 3.1.1 as follows:
  - Some rules are updated to avoid false positives.
  - Some rules are updated to make the pattern more efficient (avoid ReDoS attacks).
  - Fixed some false negatives in rules 920240 and 920400.
- Some rules are updated to avoid false positives.
- Updated the OWASP Core Rule Set from version 3.0 to 3.1.
- Added groups which include exclusions for special applications.
- Recreated the group structure from the OWASP Core Rule Set (created more groups).
- Disabled rule 920350 (Detect if Host Header is an IP address) in default installation.