
OWASP ModSecurity Core Rule Set #10

@Sebbs128

Description


Investigate integrating or porting OWASP ModSecurity Core Rule Set

CRS is a fantastic project. It builds upon a module, ModSecurity, for Apache, IIS, and nginx. If you haven't heard of it, I highly encourage you to check out the link above. CRS versions and some documentation are spread out on a few GitHub repos due to its history; however, the current maintained repo is https://github.com/coreruleset/coreruleset.

From a cursory look at the latest release, releases appear to be a snapshot of the branch at that time. Installation consists of copying to a folder on the web server. The main files are the .conf files, but in some cases there is a named .data file providing extra data. There are also external libraries used for some rules, such as libinjection.

The approach here would probably be to somewhat follow in the footsteps of Coraza (an alternative to ModSecurity, written in Go). However, I do wonder if this project (Yarp.Extensions.Firewall) can use some of the other benefits of .NET, such as making use of source generators to precompile rules and regex instead of reading .conf files at runtime (there are also questions of what the CRS license allows).

Of course, not integrating and instead filling in functional gaps (such as libinjection integration) is an option, so that all default CRS rules can be done through Y.Ext.FW's rule config (and possibly a tool to convert from the collection of .conf files to Y.Ext.FW's .json format).
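To make the "convert .conf to .json" and "precompile the regex at load time" ideas in the post concrete, here is an added example that is not part of the issue and not code from Yarp.Extensions.Firewall or CRS. It reads `SecRule` directives in real ModSecurity syntax (variables, a quoted operator, a quoted comma-separated action list, backslash line continuations), turns them into a plain JSON form, and compiles `@rx` patterns once up front. The JSON shape and the two sample rules are constructed for illustration; the rule ids are in the user-reserved range, not CRS ids, and the output is a hypothetical intermediate format, not Y.Ext.FW's actual .json rule schema.

```python
"""Added example: parse ModSecurity SecRule directives and emit JSON.
The JSON layout is a hypothetical intermediate representation, not
Yarp.Extensions.Firewall's own rule schema."""
import json
import re
import shlex
from dataclasses import dataclass, field, asdict

# Constructed sample in ModSecurity .conf syntax. Rule ids are in the
# user-reserved range, not real CRS rule ids.
SAMPLE_CONF = r'''
# Flag a well-known scanner user agent (constructed rule, not from CRS)
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)sqlmap" \
    "id:1000001,\
    phase:1,\
    deny,\
    status:403,\
    msg:'Scanner user agent',\
    severity:'CRITICAL'"

# Operator backed by an external library (libinjection): nothing to precompile
SecRule ARGS|ARGS_NAMES "@detectSQLi" "id:1000002,phase:2,block,t:urlDecodeUni,t:lowercase,msg:'SQL injection'"
'''

@dataclass
class Rule:
    variables: list = field(default_factory=list)   # [{"collection","selector","negated"}]
    operator: dict = field(default_factory=dict)    # {"name","argument","negated"}
    actions: dict = field(default_factory=dict)     # key -> value, "t" -> [transformations]

def _join_continuations(text: str) -> str:
    # A trailing backslash continues the directive on the next line.
    return re.sub(r"\\\n\s*", "", text)

def _split_actions(actions: str):
    # Split on commas that are not inside single quotes, so msg:'a, b' stays whole.
    parts, buf, quoted = [], [], False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def _parse_variables(spec: str):
    out = []
    for item in spec.split("|"):
        negated = item.startswith("!")
        item = item.lstrip("!&")                 # '!' excludes, '&' counts
        collection, _, selector = item.partition(":")
        out.append({"collection": collection, "selector": selector, "negated": negated})
    return out

def _parse_operator(spec: str):
    negated = spec.startswith("!")
    spec = spec.lstrip("!").strip()
    if spec.startswith("@"):
        name, _, argument = spec[1:].partition(" ")
    else:
        name, argument = "rx", spec              # ModSecurity's default operator is @rx
    return {"name": name, "argument": argument.strip(), "negated": negated}

def _parse_actions(spec: str):
    actions = {"t": []}
    for part in _split_actions(spec):
        key, _, value = part.partition(":")
        value = value.strip("'")
        if key == "t":
            actions["t"].append(value)           # transformations keep their order
        else:
            actions[key] = value if value else True   # bare flags such as deny/block
    return actions

def parse_conf(text: str):
    rules = []
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line.startswith("SecRule"):
            continue                             # comments, blanks, other directives
        tokens = shlex.split(line)               # honours the double-quoted fields
        if len(tokens) < 3:
            raise ValueError(f"malformed SecRule: {line!r}")
        actions = _parse_actions(tokens[3]) if len(tokens) > 3 else {"t": []}
        rules.append(Rule(_parse_variables(tokens[1]), _parse_operator(tokens[2]), actions))
    return rules

def compile_rx(rule: Rule):
    # Compile @rx patterns once at load time; other operators need other engines.
    if rule.operator["name"] != "rx":
        return None
    return re.compile(rule.operator["argument"])

def to_json(rules) -> str:
    return json.dumps([asdict(r) for r in rules], indent=2)

if __name__ == "__main__":
    print(to_json(parse_conf(SAMPLE_CONF)))
```

The `compile_rx` step is the runtime analogue of what the post suggests doing at build time: a converter that emits this JSON could equally emit C# with `[GeneratedRegex]` attributes so the patterns are compiled by the .NET source generator instead of being parsed on startup. The second sample rule shows why that alone does not cover CRS: `@detectSQLi` has no regex to precompile and needs a libinjection port or binding.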

Labels: enhancement (New feature or request), help wanted (Extra attention is needed), question (Further information is requested)