For the 403 error, be sure to update the conf files with the earlier changes
Compare $SPECROOT\apache\conf.old with the conf folder after upgrading and update conf files of "conf" and "conf/extra" folders.
Regarding the modsecurity_crs_10_setup.conf file no longer present, In Spectrum 21.2.8 modsecurity uses crs-setup.conf instead of modsecurity_crs_10_setup.conf because the 21.2.8 is shipped with owasp-modsecurity-crs v3.3.2
Upgrading from CRS 2.x to CRS 3
In general, you can update by unzipping our new release over your older one, and updating the
crs-setup.conf file with any new settings. However, CRS 3.0 is a major rewrite, incompatible with CRS 2.x. Key setup variables have changed their name, and new features have been introduced. Your former
modsecurity_crs_10_setup.conf file is thus no longer usable. We recommend you to start with a fresh
crs-setup.conf file from scratch.
Most rule IDs have been changed to reorganize them into logical sections. This means that if you have written custom configuration with exclusion rules (e.g.
ctl:ruleRemoveTargetById) you must renumber the rule numbers in that configuration. You can do this using the supplied utility
util/id_renumbering/update.py or find the changes in
However, a key feature of the CRS 3 is the reduction of false positives in the default installation, and many of your old exclusion rules may no longer be necessary. Therefore, it is a good option to start fresh without your old exclusion rules.
If you are experienced in writing exclusion rules for CRS 2.x, it may be worthwhile to try running CRS 3 in Paranoia Level 2 (PL2). This is a stricter mode, which blocks additional attack patterns, but brings a higher number of false positives — in many situations the false positives will be comparable with CRS 2.x. This paranoia level however will bring you a higher protection level than CRS 2.x or a CRS 3 default install, so it can be worth the investment.
Spectrum modsecurity_crs_10_setup.conf was having rule id 900001 to 900021, these ids are removed in v3.3.2, and uncommented the rules (having new rule ids) which were part of modsecurity_crs_10_setup.conf.
If a customer needs specific rules then those can be added in crs-setup.conf (But we can not directly take rules from modsecurity_crs_10_setup.conf as those rule ids are not valid for the new version).