modsecurity-crs for Debian -------------------------- Updating to 3.0.0 ----------------- OWASP Core Rule Set 3.x is incompatible with 2.x and changes the directory layout for the rule files. You should update the way rule files are Included. To ease this job from 3.0.0-3 the rule files you may want to modify were moved to /etc/modsecurity/crs/. Those are: crs-setup.conf REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf A new file (/usr/share/modsecurity-crs/owasp-crs.load) includes those files, and the rest of CRS rules, in the right order. Including that file in your configuration should be enough to use CRS. Modsecurity-apache, from 2.9.1-2, already does that for you. Everything should work out of the box. -- Alberto Gonzalez Iniesta Wed, 21 Dec 2016 12:36:03 +0100