Avi iWAF Core Rule Set

Avi CRS is the default signature-based protection for Avi iWAF.

Released versions are based on the OWASP ModSecurity Core Rule Set (CRS) with heavy modifications to fit the Avi configuration model. As Avi CRS is solely used in Avi iWAF, changes include benefits to rule performance, accuracy, and manageability.

For more details, visit the OWASP ModSecurity Core Rule Set (CRS) page.

You can create custom rules in Avi Vantage and apply the rules to a WAF policy.

The version history of CRS updates in Avi Vantage and the plan for upcoming releases is as presented in the table below:

Name Upstream Version Comments
CRS-2023-2 3.3.4 Fixed a false positive
CRS-2023-1 3.3.4 OWASP Core Rule Set from version 3.3.2 to 3.3.4, bugs fixes, and performance improvements
CRS-2022-2 3.3.2 Add rule to protect against JSON-Based SQL Injection
CRS-2022-1 3.3.2 Bugs fixes and performance improvements
CRS-2021-4 3.3.2 Improve rules to protect against Log4J vulnerability
CRS-2021-3 3.3.2 Add rules to protect against Log4J vulnerability
CRS-2021-2 3.3.2 OWASP Core Rule Set from version 3.3 to 3.3.2
CRS-2021-1 3.3.2 OWASP Core Rule Set from version 3.2 to 3.3
CRS-2020-3 3.2 Bugs fixes and performance improvements
CRS-2020-2 3.2 Bugs fixes and performance improvements
CRS-2020-1 3.2 Bugs fixed
CRS-2019-3 3.2 OWASP Core Rule Set updated from version 3.1.1 to 3.2
CRS-2019-2 3.1.1 A new rule group CRS_402_Additional_Rules, which is a set of Avi-provided rules is supported
CRS-VERSION-NOT-APPLICABLE None Enabled a WAF policy will not contain CRS rules
CRS-2019-1 3.1.0 Rule optimizations and reorganization
CRS-2017-1 3.0.2 Initial release version of 17.2
CRS-2017-0 3.0 (beta) Pre-release version

Avi CRS Release Notes

CRS-2023-2

The following change has been made between the release CRS-2023-1 and CRS-2023-2.

  • Fixed false positives in the rule 941310.

CRS-2023-1

CRS-2023-1 is the maintenance release based on OWASP Core Rule Set 3.3.4. The following changes have been made between the release CRS-2022-2 and CRS-2023-1:

  • Added rules 4022021, 920600, 921421 and 921230 to detect attack vectors in the request header.

  • Added rule 934120 to detect server side request forgery in paranoia-level 2.

  • Reduced false positives in rules 942190 and 934100.

  • Fixed a problem with anomaly scoring in rule 920530.

  • Added the group CRS_903.9008_Phpmyadmin_Exclusion_Rules to make protection of PHPmyAdmin simpler.

CRS-2022-2

The following change has been made between the release CRS-2022-1 and CRS-2022-2:

  • Added rule 4022062 to protect against JSON-Based SQL Injection

CRS-2022-1

The following changes have been made between the release CRS-2021-4 and CRS-2022-1:

  • Fixed False Positives in rules 920470, 932115 and 942251.
  • Added rule 920530 which fixes False Negatives (WAF bypass).
  • The rule group 949 is not active by default. If you migrate from an older CRS version, your settings will be kept.
  • Fixed some typos in rule names and descriptions.
  • Fixed anomaly scoring for rule 4022056.
  • Added CVE tags to log4shell rules.

CRS-2021-4

The following changes have been made between the release CRS-2021-3 and CRS-2021-4:

  • Improve detection of CVE-2021-44228 and CVE-2021-45046 (Log4Shell).

  • Reduce potential false positives in the Log4Shell detection rules.

CRS-2021-3

In CRS-2021-3, two rules have been added in group CRS_402_Additional_Rules to protect against CVE-2021-44228.

CRS-2021-2

The following changes have been made between the release CRS-2021-2 and CRS-2021-1:

  • Based on OWASP Core Ruleset 3.3.2

  • Removed 3 rules in the CRS_903.9001_Drupal_Exclusion_Rules group

  • Fixed the names for some rules, e.g. rule 950130

  • Removed redundant rules, 901120 and 901160

  • Added Avi rules to detect Cross Site Scripting and SQL Injection in the PATH name

  • Added Avi rule to detect unencoded # in URL

  • Every rule now has a tag which marks it is a group membership, e.g. CRS-group-980. This enables the user to exclude whole groups dynamically via ModSecurity control actions (e.g. by using ctl:ruleRemoveTargetByTag or ctl:ruleRemoveByTag)

  • Every rule with a block or deny action is now is guaranteed to have a paranoia-level tags

  • Improved the error message of rule 4022030 by including the reason for the parsing error in the log message

  • Fixed a false positive for the rule 931130.

CRS-2021-1

The following changes have been made between the release CRS-2021-1 and CRS-2020-3:

  • Based on OWASP Core Rule Set version 3.3.
  • New Tags based on CAPEC ( Common Attack Pattern Enumeration and Classification ) to give the user more information about the nature of an attack. The CAPEC ID’s can be looked up on https://capec.mitre.org/ to give more information about the impact of an attack detected by WAF
  • Added exclusions for phpBB from upcoming OWASP Core Rule Set version 3.4:
    • Incorporate certain fixes which will be added in the upcoming release.
    • Rule 920420 will not accept partial content-types anymore.
    • Rule 920350 now handles IPv6 addresses correctly.
    • Reduces false positives for rules 920470, 941120, 942230 and 942190.

CRS-2020-3

The following changes have been made between the release CRS-2020-2 and CRS-2020-3:

  • Rule 920450 is now working as expected.
  • The regex for rules 920470 and 920480 is updated to avoid false positives.

CRS-2020-2

The following changes have been made between the release CRS-2020-1 and CRS-2020-2:

  • Rule 920180 does no longer create false positives for HTTP/2 requests. This bug has been fixed and performance improvement.
  • Performance improvements for rules 941120, 942210, and, 942260.

CRS-2020-1

The following changes have been made between the release CRS-2019-3 and CRS-2020-1:

  • Older systems could not update to CRS-2019-3. This bug has been fixed.
  • Disable rule 920300 per default (this rule checked for Accept-Encoding header and was only generating log entries but never rejected a request).

CRS-2019-3

The following changes have been made between the release CRS-2019-2 and CRS-2019-3:

  • Introduce rules for special attack types. New groups have been included to:
    • Reduce false positives for xenForo.
    • Protect against NodeJS attacks.
  • Moved two rules which handled input parsing failure into CRS_402_Additional_Rules group.

CRS-2019-2

The following changes have been made between the release CRS-2019-1 and CRS-2019-2:

  1. A new rule group with rules provided by Avi Vantage CRS_402_Additional_Rules has been created:
    This group contains two new rules to detect attacks on HTTP protocol level, like the HTTP desync attack.
    Note: Avi Vantage is not vulnerable to this attack. However, these two rules will provide more visibility.
  2. The OWASP Core Rule Set are updated from version 3.1 to version 3.1.1 as follows:
    • Some rules are updated to avoid false positives.
    • Some rules are updated to make the pattern more efficient (avoid ReDOS attack).
    • Fixed some false negatives in rules 920240 and 920400.

CRS-2019-1

The following changes have been made between the initial release CRS-2017-1 and CRS-2019-1:

  1. Updated the OWASP Core Rule Set from version 3.0 to 3.1.
  2. Added groups which include exclusions for special applications.
  3. Recreated the group structure from OWASP Core Rule Set again (created more groups).
  4. Disabled rule 920350 (Detect if Host Header is an IP address) in default installation.