Avi Load Balancer CRS is the default signature-based protection for the Avi Load Balancer WAF. This topic describes the CRS versions and the features each one includes.

Released versions are based on the OWASP ModSecurity CRS with heavy modifications to fit the Avi Load Balancer configuration model. This modified CRS is used only by the Avi Load Balancer WAF, because the changes, which improve rule performance, accuracy, and manageability, are specific to Avi Load Balancer. For more information, see OWASP ModSecurity Core Rule Set (CRS).

You can create Custom Rules in Avi Load Balancer and apply the rules to a WAF Policy. For more information, see Custom Rules.

The version history of CRS updates in Avi Load Balancer is presented in the following table.

| Name | Upstream version | Comments |
|---|---|---|
| CRS-2024-1 | 3.3.5 | Bug fixes for false positives and performance improvements. |
| CRS-2023-4 | 3.3.4 | Bug fixes for false positives and performance improvements. |
| CRS-2023-3 | 3.3.4 | Added a rule to protect against CVE-2023-38199. |
| CRS-2023-2 | 3.3.4 | Bug fixed. |
| CRS-2023-1 | 3.3.4 | OWASP Core Rule Set updated from version 3.3.2 to 3.3.4; bug fixes and performance improvements. |
| CRS-2022-2 | 3.3.2 | Added a rule to protect against JSON-based SQL injection. |
| CRS-2022-1 | 3.3.2 | Bug fixes and performance improvements. |
| CRS-2021-4 | 3.3.2 | Improved rules to protect against the Log4j vulnerability. |
| CRS-2021-3 | 3.3.2 | Added rules to protect against the Log4j vulnerability. |
| CRS-2021-2 | 3.3.2 | OWASP CRS updated from version 3.3 to 3.3.2. |
| CRS-2021-1 | 3.3.2 | OWASP CRS updated from version 3.2 to 3.3. |
| CRS-2020-3 | 3.2 | Bug fixes and performance improvements. |
| CRS-2020-2 | 3.2 | Bug fixes and performance improvements. |
| CRS-2020-1 | 3.2 | Bugs fixed. |
| CRS-2019-3 | 3.2 | OWASP CRS updated from version 3.1.1 to 3.2. |
| CRS-2019-2 | 3.1.1 | A new rule group, CRS_402_Additional_Rules (a set of rules provided by Avi Load Balancer), is supported. |
| CRS-VERSION-NOT-APPLICABLE | None | An enabled WAF Policy will not contain any CRS rules. |
| CRS-2019-1 | 3.1.0 | Rule optimizations and reorganization. |
| CRS-2017-1 | 3.0.2 | Initial release version of 17.2. |
| CRS-2017-0 | 3.0 (beta) | Pre-release version. |

Avi Load Balancer CRS Release Notes

CRS-2024-1

The following changes have been made between the release CRS-2023-4 and CRS-2024-1:

  • Reduced false positives by moving some rules to a higher paranoia level.

  • Improved performance by removing unneeded transformations.

  • Improved detection rate for rules 920275, 933110, 933200 and 941180.

CRS-2023-4

The following changes have been made between the release CRS-2023-3 and CRS-2023-4:

  • Relaxed the pattern in rule 920600 to avoid false positives.

  • Deactivated rule 4022062 by default to work around performance problems.

  • Reduced false positives in rule 920274.

CRS-2023-3

The following change has been made between the release CRS-2023-2 and CRS-2023-3:

  • Added a rule to protect against CVE-2023-38199.

CRS-2023-2

The following change has been made between the release CRS-2023-1 and CRS-2023-2:

  • Fixed false positives in the rule 941310.

CRS-2023-1

CRS-2023-1 is a maintenance release based on OWASP Core Rule Set 3.3.4. The following changes have been made between the release CRS-2022-2 and CRS-2023-1:

  • Added rules 4022021, 920600, 921421 and 921230 to detect attack vectors in request headers.

  • Added rule 934120 to detect server-side request forgery (SSRF) at paranoia level 2.

  • Reduced false positives in rules 942190 and 934100.

  • Fixed a problem with anomaly scoring in rule 920530.

  • Added the group CRS_903.9008_Phpmyadmin_Exclusion_Rules to simplify protecting phpMyAdmin.

CRS-2022-2

The following change has been made between the release CRS-2022-1 and CRS-2022-2:

  • Added rule 4022062 to protect against JSON-based SQL injection.

CRS-2022-1

The following changes have been made between the release CRS-2021-4 and CRS-2022-1:

  • Fixed false positives in rules 920470, 932115, and 942251.

  • Added rule 920530, which fixes false negatives (WAF bypass).

  • Rule group 949 is not active by default. If you migrate from an older CRS version, your existing settings are kept.

  • Fixed some typos in rule names and descriptions.

  • Fixed anomaly scoring for rule 4022056.

  • Added CVE tags to log4shell rules.

CRS-2021-4

The following changes have been made between the release CRS-2021-3 and CRS-2021-4:

  • Improved detection of CVE-2021-44228 and CVE-2021-45046 (Log4Shell).

  • Reduced potential false positives in the Log4Shell detection rules.

CRS-2021-3

In CRS-2021-3, two rules have been added in group CRS_402_Additional_Rules to protect against CVE-2021-44228.

CRS-2021-2

The following changes have been made between the release CRS-2021-1 and CRS-2021-2:

  • Based on OWASP CRS 3.3.2.

  • Removed 3 rules in the CRS_903.9001_Drupal_Exclusion_Rules group.

  • Fixed the names of some rules, for example rule 950130.

  • Removed redundant rules 901120 and 901160.

  • Added Avi Load Balancer rules to detect Cross-Site Scripting and SQL Injection in the path name.

  • Added an Avi Load Balancer rule to detect an unencoded # in the URL.

  • Every rule now carries a tag that marks its group membership, for example CRS-group-980. This lets you exclude whole groups dynamically with ModSecurity control actions (for example, ctl:ruleRemoveTargetByTag or ctl:ruleRemoveByTag).

  • Every rule with a block or deny action is now guaranteed to have a paranoia-level tag.

  • Improved the error message of rule 4022030 by including the reason for the parsing error in the log message.

  • Fixed a false positive for the rule 931130.
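As an added illustration of the group tags described in the CRS-2021-2 notes above (this is not part of the original release notes and not Avi's own configuration), the following rules in ModSecurity syntax show the two control actions mentioned there. The rule IDs 100001 and 100002, the path /legacy/upload and the argument name comment are constructed placeholders; the tag CRS-group-942 is assumed to follow the CRS-group-<number> convention the notes state for CRS-group-980, and group 942 is taken to be the OWASP CRS SQL injection rules.

```apacheconf
# Added example (not from the Avi documentation): exclusion rules that use the
# CRS-group-<n> tags. Rule IDs, the path /legacy/upload and the argument name
# "comment" are constructed placeholders; replace them with your own values.

# 1. Whole-group exclusion: for one request path, remove every rule tagged
#    CRS-group-980. The rule matches only on the path and then runs the
#    ctl action; "pass" and "nolog" keep it from blocking or logging anything.
SecRule REQUEST_URI "@beginsWith /legacy/upload" \
    "id:100001,phase:1,pass,nolog,ctl:ruleRemoveByTag=CRS-group-980"

# 2. Per-target exclusion: keep group 942 (assumed: the SQL injection rules)
#    active, but stop it from inspecting only the ARGS:comment parameter.
#    This clears a known false positive on one parameter while every other
#    parameter stays fully inspected.
SecRule REQUEST_URI "@beginsWith /legacy/upload" \
    "id:100002,phase:1,pass,nolog,ctl:ruleRemoveTargetByTag=CRS-group-942;ARGS:comment"
```

Two points worth checking when applying rules like these: the exclusion must execute before the rules it removes (here it is placed in phase 1 and must precede the CRS groups in evaluation order), and the per-target form is preferable to the whole-group form whenever the false positive is confined to a single parameter, since it removes far less protection.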

CRS-2021-1

The following changes have been made between the release CRS-2020-3 and CRS-2021-1:

  • Based on OWASP CRS version 3.3.

  • New tags based on CAPEC (Common Attack Pattern Enumeration and Classification) give the user more information about the nature of an attack. The CAPEC IDs can be looked up at https://capec.mitre.org/ for more information about the impact of an attack detected by the WAF.

  • Added exceptions for phpBB from the upcoming OWASP CRS version 3.4:

    • Incorporated certain fixes that will be added in the upcoming release.

    • Rule 920420 no longer accepts partial content types.

    • Rule 920350 handles IPv6 addresses correctly.

    • Reduced false positives for rules 920470, 941120, 942230 and 942190.

CRS-2020-3

The following changes have been made between the release CRS-2020-2 and CRS-2020-3:

  • Rule 920450 is now working as expected.

  • The regex for rules 920470 and 920480 is updated to avoid false positives.

CRS-2020-2

The following changes have been made between the release CRS-2020-1 and CRS-2020-2:

  • Rule 920180 no longer creates false positives for HTTP/2 requests; this bug has been fixed and the rule's performance improved.

  • Performance improvements for rules 941120, 942210, and 942260.

CRS-2020-1

The following changes have been made between the release CRS-2019-3 and CRS-2020-1:

  • Older systems could not update to CRS-2019-3. This bug has been fixed.

  • Disabled rule 920300 by default (this rule checked for the Accept-Encoding header and only generated log entries; it never rejected a request).

CRS-2019-3

The following changes have been made between the release of CRS-2019-2 and CRS-2019-3:

  • Introduced rules for special attack types. New groups have been included to:

    • Reduce false positives for xenForo.

    • Protect against NodeJS attacks.

  • Moved two rules which handled input parsing failure into the CRS_402_Additional_Rules group.

CRS-2019-2

The following changes have been made between the release of CRS-2019-1 and CRS-2019-2:

  • A new rule group, CRS_402_Additional_Rules, with rules provided by Avi Load Balancer has been created:

    This group contains two new rules to detect attacks at the HTTP protocol level, such as the HTTP desync attack.

    Note:

    The Avi Load Balancer is not vulnerable to this attack. However, these two rules provide more visibility.

  • The OWASP CRS is updated from version 3.1 to version 3.1.1 as follows:

    • Some rules are updated to avoid false positives.

    • Some rules are updated to make the pattern more efficient (avoid ReDoS attacks).

    • Fixed some false negatives in rules 920240 and 920400.

CRS-2019-1

The following changes have been made between the initial release of CRS-2017-1 and CRS-2019-1:

  • Updated the OWASP CRS from version 3.0 to 3.1.

  • Added groups that contain exceptions for specific applications.

  • Recreated the group structure from OWASP CRS (created more groups).

  • Deactivated rule 920350 (Detect if Host Header is an IP address) in the default installation.