First, thank you for providing this. Finding a good set of baseline rules that don't create a bunch of false neg/pos is always difficult.
Are most of you switching from OWASP CRS to Comodo or are you starting new? I'm curious how the Comodo ruleset compares to the CRS. There is a separate post comparing performance against commercial/paid rules, and I thought it interesting there was a column for "no rules" (why run mod_security w/out rules?).
However, I'm more interested in comparing against CRS. IMO, CRS is sorta the baseline, especially in the free realm.
I'm new to this. I'm not running cPanel or anything, just straight-up Apache 2.2.x and mod_security 2.8. Until now, I was just using CRS/2.2.9.
If anyone has any opinion on Comodo free rules vs the OWASP CRS rules, I'd greatly appreciate hearing your take on both.
Thank you,
PH