Is it okay to use core ruleset v3.3 on modsecurity v2.9

I am just a beginner in the field of security. I have installed ModSecurity v2.9 on my server using this link. But GitHub repository for the core rule set in the link was outdated, so later I removed the ruleset with the official ruleset. Is it okay to update core rules v3.3 with mod security v2.9? Will it break my site?


Solution 1:

In my opinion, it is not only okay but really recommended to do it.

You can also use the repository maintained by our own CRS developer and Debian Maintainer, Ervin, hosted at https://modsecurity.digitalwave.hu/

Regarding if it "will break your site", depends a lot on what you are hosting. There are lots of recommendations on how to begin (e.g. start with paranoia level 1), and if you are hosting one of the supported applications we have a predefined exclusion package that can be used (e.g. WordPress, Drupal, owncloud/nextcloud, etc.). Please check the documentation in the official webpage