Avi iWAF Core Rule Set

Avi CRS is the default signature-based protection for Avi iWAF.

Released versions are based on the OWASP ModSecurity Core Rule Set (CRS), with heavy modifications to fit the Avi configuration model. Because Avi CRS is used solely in Avi iWAF, the changes improve rule performance, accuracy, and manageability.

For more details, visit the OWASP ModSecurity Core Rule Set (CRS) page.

You can create custom rules in Avi Vantage and apply the rules to a WAF policy.

The version history of CRS updates in Avi Vantage and the plan for upcoming releases are presented in the table below:

Name                        | Release                                   | Upstream Version | Comments
CRS-2021-2                  | Avi Vantage version 3.3                   | 3.3.2            | OWASP Core Rule Set updated from version 3.3 to 3.3.2
CRS-2021-1                  | Avi Vantage version 3.3                   | 3.3              | OWASP Core Rule Set updated from version 3.2 to 3.3
CRS-2020-3                  | Avi Vantage version 3.2                   |                  | Bug fixes and performance improvements
CRS-2020-2                  | Avi Vantage version 3.2                   |                  | Bug fixes and performance improvements
CRS-2020-1                  | Avi Vantage version 3.2                   |                  | Bug fixes
CRS-2019-3                  | Avi Vantage version 3.2                   | 3.2              | OWASP Core Rule Set updated from version 3.1.1 to 3.2
CRS-2019-2                  | Avi Vantage version 18.2.6                | 3.1.1            | A new rule group, CRS_402_Additional_Rules, containing Avi-provided rules is supported
CRS-VERSION-NOT-APPLICABLE  | Avi Vantage version 18.2.5                | None             | When selected, the WAF policy contains no CRS rules
CRS-2019-1                  | Avi Vantage version 18.2.5                | 3.1.0            | Rule optimizations and reorganization
CRS-2017-1                  | Avi Vantage version 17.2.3                | 3.0.2            | Initial release version of 17.2
CRS-2017-0                  | Avi Vantage version 17.2.2 (pre-release)  | 3.0 (beta)       | Pre-release version

Avi CRS Release Notes

CRS-2021-2

The following changes have been made between the release CRS-2021-2 and CRS-2021-1:

  • Based on OWASP Core Rule Set version 3.3.2.
  • Removed 3 rules from the CRS_903.9001_Drupal_Exclusion_Rules group.
  • Fixed the names of some rules, e.g. rule 950130.
  • Removed the redundant rules 901120 and 901160.
  • Added Avi rules to detect Cross Site Scripting and SQL Injection in the URL path.
  • Added an Avi rule to detect an unencoded # character in the URL.
  • Every rule now carries a tag that marks its group membership, e.g. CRS-group-980. This lets the user exclude whole groups dynamically via ModSecurity control actions (e.g. ctl:ruleRemoveTargetByTag or ctl:ruleRemoveByTag).
  • Every rule with a block or deny action is now guaranteed to carry a paranoia-level tag.
  • Improved the error message of rule 4022030 by including the reason for the parsing error in the log message.
  • Fixed a false positive in rule 931130.
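The two control actions named above in use, as an added example written in ModSecurity SecRule syntax (these are not rules from Avi CRS, and the page does not state whether Avi accepts them verbatim as custom rules). The paths, the parameter name, the rule ids and the tag CRS-group-942 are assumptions; the page only shows that group tags take the form CRS-group-<number>.

```apache
# Added example, not part of Avi CRS. The rule ids (local range 1-99999),
# paths and parameter name are constructed. CRS-group-942 assumes the
# per-group tag follows the CRS-group-<number> pattern shown on the page.

# 1) Narrow exclusion (preferred): every rule in group 942 stays active
#    for the request, but none of them inspects the one argument that
#    carries free-form text on this endpoint. All other arguments,
#    headers and the body are still checked by the full group.
SecRule REQUEST_URI "@beginsWith /forum/post" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetByTag=CRS-group-942;ARGS:message"

# 2) Broad exclusion (last resort): the entire group is switched off for
#    one exact, trusted endpoint. Prefer 1) wherever a single target can
#    be named, because this leaves the whole request uninspected by 942.
SecRule REQUEST_URI "@streq /internal/healthcheck" \
    "id:10002,phase:1,pass,nolog,\
    ctl:ruleRemoveByTag=CRS-group-942"

# A ctl action only affects rules that have not yet run in the current
# transaction, so both exclusions sit in phase 1 and must be evaluated
# before the group they modify; placed after the CRS rules they do nothing.
```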

CRS-2021-1

The following changes have been made between the release CRS-2021-1 and CRS-2020-3:

  • Based on OWASP Core Rule Set version 3.3.
  • New tags based on CAPEC (Common Attack Pattern Enumeration and Classification) give the user more information about the nature of an attack. The CAPEC IDs can be looked up on https://capec.mitre.org/ for more information about the impact of an attack detected by the WAF.
  • Added exclusions for phpBB from the upcoming OWASP Core Rule Set version 3.4, along with the following changes:
    • Incorporated certain fixes that will be included in the upcoming release.
    • Rule 920420 will not accept partial content-types anymore.
    • Rule 920350 now handles IPv6 addresses correctly.
    • Reduced false positives for rules 920470, 941120, 942230 and 942190.

CRS-2020-3

The following changes have been made between the release CRS-2020-2 and CRS-2020-3:

  • Rule 920450 is now working as expected.
  • The regex for rules 920470 and 920480 is updated to avoid false positives.

CRS-2020-2

The following changes have been made between the release CRS-2020-1 and CRS-2020-2:

  • Rule 920180 no longer creates false positives for HTTP/2 requests; the bug has been fixed and the rule's performance improved.
  • Performance improvements for rules 941120, 942210, and 942260.

CRS-2020-1

The following changes have been made between the release CRS-2019-3 and CRS-2020-1:

  • Older systems could not update to CRS-2019-3. This bug has been fixed.
  • Rule 920300 is now disabled by default (this rule checked for the Accept-Encoding header and only generated log entries; it never rejected a request).

CRS-2019-3

The following changes have been made between the release CRS-2019-2 and CRS-2019-3:

  • Introduced rules for special attack types. New groups have been added to:
    • Reduce false positives for xenForo.
    • Protect against NodeJS attacks.
  • Moved the two rules that handle input parsing failures into the CRS_402_Additional_Rules group.

CRS-2019-2

The following changes have been made between the release CRS-2019-1 and CRS-2019-2:

  1. A new rule group with rules provided by Avi Vantage, CRS_402_Additional_Rules, has been created:
    This group contains two new rules that detect attacks at the HTTP protocol level, such as the HTTP desync attack.
    Note: Avi Vantage is not vulnerable to this attack. However, these two rules provide more visibility.
  2. The OWASP Core Rule Set is updated from version 3.1 to version 3.1.1 as follows:
    • Some rules are updated to avoid false positives.
    • Some rules are updated to make the pattern more efficient (avoiding ReDoS attacks).
    • Fixed some false negatives in rules 920240 and 920400.

CRS-2019-1

The following changes have been made between the initial release CRS-2017-1 and CRS-2019-1:

  1. Updated the OWASP Core Rule Set from version 3.0 to 3.1.
  2. Added groups which include exclusions for special applications.
  3. Recreated the group structure of the OWASP Core Rule Set (more groups were created).
  4. Disabled rule 920350 (Detect if Host Header is an IP address) in default installation.