From 5ee6a72697b4762aaad0e3083c61dc39c5a1bc67 Mon Sep 17 00:00:00 2001
From: Matteo Pace
Date: Thu, 12 Jan 2023 00:21:40 +0100
Subject: [PATCH] Enables CRS early blocking (#129)

---
 README.md | 3 +++
 wasmplugin/rules/crs-setup-demo.conf | 14 +++++++-------
 wasmplugin/rules/crs-setup.conf.example | 14 +++++++-------
 3 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 7d530602c8c52..381838f2cf1fe 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,9 @@ configuration:
 }
 ```
+#### Recommendations using CRS with proxy-wasm
+- In order to mitigate as much as possible malicious requests (or connections open) sent upstream, it is recommended to keep the [CRS Early Blocking](https://coreruleset.org/20220302/the-case-for-early-blocking/) feature enabled (SecAction [`900120`](./wasmplugin/rules/crs-setup.conf.example)).
+
 ### Running go-ftw (CRS Regression tests)
 The following command runs the [go-ftw](https://github.com/fzipi/go-ftw) test suite against the filter with the CRS fully loaded.
diff --git a/wasmplugin/rules/crs-setup-demo.conf b/wasmplugin/rules/crs-setup-demo.conf
index 479cd7df0bb22..299c509cc9461 100644
--- a/wasmplugin/rules/crs-setup-demo.conf
+++ b/wasmplugin/rules/crs-setup-demo.conf
@@ -398,13 +398,13 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # does not get evaluated if the request is being blocked early. So when you
 # disabled early blocking again at some point in the future, then new alerts
 # from phase 2 might pop up.
-#SecAction \
-# "id:900120,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.early_blocking=1"
+SecAction \
+ "id:900120,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.early_blocking=1"
 #
diff --git a/wasmplugin/rules/crs-setup.conf.example b/wasmplugin/rules/crs-setup.conf.example
index f677bec92d5be..2f4f686efdd5f 100644
--- a/wasmplugin/rules/crs-setup.conf.example
+++ b/wasmplugin/rules/crs-setup.conf.example
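Review bot: The newly uncommented `SecAction` 900120 block in the crs-setup-demo.conf hunk carries no marker that the deviation from the shipped default is deliberate; the removed lines show the rule was commented out before, which is how the upstream CRS template distributes it, and the identical hunk in wasmplugin/rules/crs-setup.conf.example has the same gap. A later sync of either file from upstream would quietly switch early blocking back off, and the only visible symptom would be phase-2 alerts reappearing, as the context comment above the rule already warns. I would add one line directly above `SecAction \` in both files: `# Enabled on purpose for proxy-wasm (see README, "Recommendations using CRS with proxy-wasm"); keep this uncommented when syncing from upstream CRS.` A go-ftw case expecting a phase-1 block for a request whose anomaly threshold is reached in the headers would turn a future regression of this setting into a failing test rather than a silent change.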
@@ -398,13 +398,13 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # does not get evaluated if the request is being blocked early. So when you
 # disabled early blocking again at some point in the future, then new alerts
 # from phase 2 might pop up.
-#SecAction \
-# "id:900120,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.early_blocking=1"
+SecAction \
+ "id:900120,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.early_blocking=1"
 #