cleanup crs version and fix ctrl-f replace mess

calico-enterprise/threat/web-application-firewall.mdx

@@ -25,16 +25,16 @@ Historically, web application firewalls (WAFs) were deployed at the edge of your
 ### About {{prodname}} WAF
 
 WAF is deployed in your cluster along with Envoy DaemonSet. {{prodname}} proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard
-[ModSecurity](https://owasp.org/www-project-modsecurity-core-rule-set/) with OWASP Core Rule Set v3.3.5 modified for kubernetes workloads.
-<!--To review the rules deployed with the WAF, see [Rule Set files](https://github.com/tigera/operator/tree/master/pkg/render/applicationlayer/embed/corerule set/rules).-->
+[ModSecurity](https://owasp.org/www-project-modsecurity-core-rule-set/) with OWASP Core Rule Set `v4.0.0-rc2` with some modifications for kubernetes workloads.
+
 
 You simply enable WAF in Manager UI, and determine the services that you want to enable for WAF protection. By default WAF is set to `DetectionOnly` so no traffic will be denied until you are ready to turn on blocking mode.
 
 Every request that WAF finds an issue with, will result in a Security Event being created for [you to review in the UI](#view-waf-events), regardless of whether the traffic was allowed or denied. This can greatly help in tuning later.
 
 #### How WAF determines if a request should be allowed or denied
 
-If you configure WAF in blocking mode, WAF will use something called [anomaly scoring mode](https://corerule set.org/docs/concepts/anomaly_scoring/) to determine if a request is allowed with `200 OK` or denied `403 Forbidden`.
+If you configure WAF in blocking mode, WAF will use something called [anomaly scoring mode](https://coreruleset.org/docs/concepts/anomaly_scoring/) to determine if a request is allowed with `200 OK` or denied `403 Forbidden`.
 
 This works by matching a single HTTP request against all the configured WAF rules. Each rule has a score and WAF adds all the matched rule scores together, and compares it to the overall anomaly threshold score (100 by default). If the score is under the threshold the request is allowed and if the score is over the threshold the request is denied. Our WAF starts in detection mode only and with a high default scoring threshold so is safe to turn on and then [fine-tune the WAF](#manage-your-waf) for your specific needs in your cluster.
 
@@ -176,10 +176,10 @@ Include @owasp_crs/*.conf
 SecRuleEngine DetectionOnly
 ```
 
-The configuration file starts with importing the appropriate rule set config. We use Coraza WAF's recommended [Core Rule Set setup](https://coraza.io/docs/tutorials/corerule set/) files:
+The configuration file starts with importing the appropriate rule set config. We use Coraza WAF's recommended [Core Rule Set setup](https://coraza.io/docs/tutorials/coreruleset/) files:
 
 1. Coraza recommended [configuration](https://github.com/corazawaf/coraza/blob/main/coraza.conf-recommended)
-1. The rest of the [corerule set](https://github.com/corerule set/corerule set) files, currently [v4.0.0-rc2](https://github.com/corerule set/corerule set/tree/v4.0.0-rc2)
+1. The rest of the [coreruleset](https://github.com/coreruleset/coreruleset) files, currently [v4.0.0-rc2](https://github.com/coreruleset/coreruleset/tree/v4.0.0-rc2)
 
 These files can be customized if desired. Add all your customizations directly under `tigera.conf`:
 
@@ -220,12 +220,12 @@ By default WAF will not block a request even if it has matching rule violations.
 
 ##### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/corerule set/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the tigera.conf will look like this:
 
 ```bash
-# CoreRule Set activation
+# coreruleset activation
 Include @coraza.conf-recommended
 Include @crs-setup.conf.example
 Include @owasp_crs/*.conf
@@ -235,7 +235,7 @@ SecRuleEngine DetectionOnly
 # --- all customizations appear below this line, unless they need a specific loading order like plugins ---
 
 # --- Add sampling mode
-# Read about sampling mode here https://corerule set.org/docs/concepts/sampling_mode/
+# Read about sampling mode here https://coreruleset.org/docs/concepts/sampling_mode/
 SecAction "id:900400,\
   phase:1,\
   pass,\
@@ -277,9 +277,9 @@ SecAction \
 ```
 
 
-##### Using corerule set plugins
+##### Using coreruleset plugins
 
-Let's go with an example plugin: [Wordpress Rule Exclusions](https://github.com/corerule set/wordpress-rule-exclusions-plugin/).
+Let's go with an example plugin: [Wordpress Rule Exclusions](https://github.com/coreruleset/wordpress-rule-exclusions-plugin/).
 
 Plugin files are the following:
 
@@ -328,7 +328,7 @@ kubectl create cm --dry-run=client \
 kubectl replace -f rule set.configmap.yaml
 ```
 
-Read more about the order of execution for plugins here: https://corerule set.org/docs/concepts/plugins/
+Read more about the order of execution for plugins here: https://coreruleset.org/docs/concepts/plugins/
 
 ### View WAF events