forked from SpiderLabs/owasp-modsecurity-crs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGES
1101 lines (897 loc) · 50.6 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
== OWASP ModSecurity Core Rule Set (CRS) CHANGES ==
== Report Bugs/Issues to GitHub Issues Tracker or the mailinglist ==
* https://github.com/SpiderLabs/owasp-modsecurity-crs/issues
or the CRS mailinglist at
* https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
== Version 3.1.0 - 8/7/2018 ==
* Add Detectify scanner (theMiddle)
* Renaming matched_var/s (Victor Hora)
* Remove lines with bare '#' comment char (Walter Hop)
* Drop the XML variable from rule 932190 (Federico G. Schwindt)
* Update outdated URLs (Walter Hop)
* remove unused rule 901180 (Walter Hop)
* Drop exit from unix and windows RCE (Federico G. Schwindt)
* Fix anomaly_score counters (Federico G. Schwindt)
* Remove mostly redundant 944220 in favor of 944240 (Christian Folini)
* Add self[ and document[ to rule 941180 (theMiddle)
* Provide proxy support within CRS docker image (Scott O'Neil)
* Prevent bypass in rule 930120 PL3 (theMiddle)
* Fix small typo in variable (Felipe Zipitría)
* Fix bug #1166 in Docker image (Franziska Bühler)
* Remove revision status from rules (Federico G. Schwindt)
* Add template for issues (Federico G. Schwindt)
* Correct failing travis tests in merge situations (Federico G. Schwindt)
* Remove unused global variable in IIS rules (Chaim Sanders)
* Refactor to use phase number instead of name (Federico G. Schwindt)
* Add uploaded file name check; refresh LFI / filename checks (Walter Hop)
* Introduce critical sibling of 920340 in PL2 (Walter Hop)
* Fix bypass caused by multiple spaces in RCE rules (Walter Hop)
* Remove unneded regex capture groups (Federico G. Schwindt)
* Add built-in exceptions for CPanel (Christoph Hansen)
* Add additional file restrictios for ws_ftp, DS_Store... (Jose Nazario)
* Fix missing strings in 942410 (Franziska Bühler)
* Add 2 missing PDO errors (Christoph Hansen)
* Fix issues with FPs in regression tests (Chaim Sanders)
* Add Nextcloud client exclusion support (Christoph Hansen)
* Fix spelling mistakes in REQUEST-942- (Padraig Doran, Chaim Sanders)
* Explicitly ignore the user defined rules (Aaron Haaf, Chaim Sanders)
* Add regression tests for 942490 (Christoph Hansen, Chaim Sanders)
* Add Owncloud client exclusion support (Christoph Hansen, Christian Folini)
* Adding 'F-Secure Radar' vulnerability scanner UA (Christian Folini, Chaim Sanders)
* Update DockerFile to use Ubuntu as base (Chaim Sanders)
* False positives 942360: move alter and union (Franziska Bühler, Chaim Sanders)
* Add support for Java style attacks (Manuel Spartan, Walter Hop)
* Fix various regression tests issues caused by webserver handling (azhao155, Chaim Sanders)
* Update TravisCI to build on a per PR basis (Chaim Sanders)
* Optimized rule 921160 and regex (Allan Boll, Chaim Sanders)
* Update the consistency across various files (Federico G. Schwindt)
* Add missing transform, 944120 sibling 944240 (Manuel Spartan)
* Fix false positive for 'like' in 942120 (Walter Hop)
* Add regression tests for Java Rules (Manuel Spartan)
* Fixup and small reorg of dokuwiki rule exclusion package (Christian Folini)
* Make TravisCI tests fail if Apache can't load rules (Felipe Zipitría)
* Add exclusion rules for Dokuwiki (Matt Bagley, Christian Folini)
* Inital exclusions for NextCloud installs (Matt Bagley, Christian Folini)
* Added struts-pwn UA to list (Manuel Spartan)
* Uses MULTIPART_MISSING_SEMICOLON instead of MULTIPART_SEMICOLON_MISSING (Felipe Zimmerle)
* Add file upload checks (Manuel Spartan)
* Check if Transfer-Encoding is missing (Federico G. Schwindt, Christian Folini)
* Remove duplicated variables (Federico G. Schwindt)
* Reduce FP by splitting classic SQL injection rule 942370 (Christoph Hansen)
* Fix typo in REQUEST-920-PROTOCOL-ENFORCEMENT (ihacku, Franziska Bühler)
* Add configurable timestamp format to FTW integration (Christian Folini)
* Add badges to README (Felipe Zipitría)
* Add clarifying comments to 910110 (Christian Folini)
* Making rule 933131 case-insensitive (Manuel Spartan)
* Merge and reorder rules as part of cleanup (Federico G. Schwindt)
* Update copyright date and syntax (Jose Nazario, Felipe Zipitría)
* Updated SecMarker and SkipAfter names to use meet guidelines (Felipe Zipitría)
* Tidy up single quotes and other guidelines updates (Felipe Zipitría)
* Syntax fix for setvar crs_exclusions_wordpress (Manuel Spartan)
* Updated various contributors to developers (Christian Folini)
* Revise SQL rules by disassembling them into their core protections (Franziska Bühler)
* Add an exmaple payload to 920220 (coolt)
* Add a missing regex to rule 942310 (Franziska Bühler)
* Detect GET or HEAD with Transfer-Encoding header (Federico G. Schwindt)
* Fix broken links in references (Pásztor Gábor)
* Add contributing guidelines (Felipe Zipitría)
* Fix processing bypasses in rule 931130 (Felipe Zipitría, Christian Folini)
* Correct small omissions in unix-shell.data (Walter Hop)
* Add IIS specific detection to LFI-os-files.data (Manuel Spartan)
* Update examples to match the current cleanup (Federico G. Schwindt)
* Corrected the ordering of actions to meet guidelines (Felipe Zipitría)
* Remove unused capture groups (Federico G. Schwindt)
* Use explicit rx operator (Federico G. Schwindt)
* Update the RCE regular expressions(Walter Hop, Federico G. Schwindt)
* Removing maturity & accuracy from rules (Felipe Zipitría)
* Increasing range header (Christoph Hansen)
* Fixed upgrade.py script argument options (Glyn Mooney)
* Updating to reflect OWASP flagship status (Chaim Sanders)
* Adding Docker support for CRS (Chaim Sanders)
* Initial Travis deployment (Zack Allen, Walter Hop)
* Inital commit of regression tests (Chaim Sanders, Walter Hop)
* Remove test for 921170 because it won't ever fire (Chaim Sanders, Walter Hop)
* Update minor incorrectness in asp.net regex (Chaim Sanders, Walter Hop)
* Add notification for builds against #modsecurity on freenode (Zack Allen, Walter Hop)
* Add all past code contributors and convert to markdown (Walter Hop)
* Block uploads of files with .phps extension (Walter Hop)
* Improve message for script upload with superfluous extension (Walter Hop)
* Remove trailing whitespace in various regexs (Walter Hop)
* Add command popd to direct unix rce list in rule 932150 (Franziska Bühler)
* Remove unnecessary END_XSS_CHECKS marker (Christian Folini)
* Ignore Whitespaces in Rule 942110 (Christoph Hansen)
* Update missing RCE Commands (Umar Farook)
* Update lfi-os-files.data (Umar Farook)
* Removed deprecated t:removeComments from 942100 (Christian Folini)
* Add word boundary to rule 942410 (Franziska Bühler)
== Version 3.0.2 - 5/12/2017 ==
* Remove debug rule that popped up in 3.0.1 (Christian Folini)
== Version 3.0.1 - 5/9/2017 ==
* SECURITY: Removed insecure handling of X-Forwarded-For header;
reported by Christoph Hansen (Walter Hop)
* Fixed documentation errors in RESPONSE-999-... (Chaim Sanders)
* Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler)
* Reduced FPs on 932150 by removing keyword reset (Franziska Bühler)
* Tidied exceptions in 930100 (Roberto Paprocki)
* Reduced FPs for 920120 by splitting into stricter sibling (Franziska Bühler)
* Simplified some Drupal rule exclusions (Damien McKenna, Christian Folini)
* Extended KNOWN_BUGS with remarks on JSON support on Debian (Franziska Bühler)
* Updated README to add gitter support (Chaim Sanders)
* Clarified DoS documentation for static extensions (Roberto Paprocki)
* Added application/octet-stream to allowed content types (Christian Folini)
* Typo in 942220 alert message (Chaim Sanders, @bossloper)
* Moved referrer check of 941100 into new PL2 rule (Franziska Bühler)
* Closed multiple @pmf evasions via lowercase transformation (Roberto Paprocki)
* Clarified libinjection bundling in INSTALL file (@cjdp)
* Reduced FPs via Wordpress Rule Exclusions (Walter Hop)
* Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen)
Make sure you update ModSecurity recommended rule 200000 as well.
* Bugfix in 942410 regex (Christian Folini)
* Reduced FPs for 942360 (Walter Hop)
* Reduced FPs for 941120 by restricting event handler names (Franziska Bühler)
* Extended 931000 with scheme "file" to fix false negative (Federico Schwindt)
* Extended 905100 and 905110 for HTTP/2.0 (includes bugfix, Christoph Hansen)
* Moved 941150 from PL1 to PL2; includes Bugfix for rule (Christian Folini)
* Updated documentation for 920260 (Chaim Sanders)
* Bugfix in upgrade.py (Victor Hora)
* Fixed FP in RCE rule 932140 (Walter Hop)
* Fixed comment for arg limit check rule 920370 (Christian Folini)
* Created CONTRIBUTORS file
* Added Christoph Hansen (emphazer) to CONTRIBUTORS file
* Added Franziska Bühler (franbuehler) to CONTRIBUTORS file
* Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini)
== Version 3.0.0 - 11/10/2016 ==
Huge changeset running in separate branch from September 2013 to September 2016.
This is a cursory summary of the most important changes:
* Huge reduction of false positives (Ryan Barnett, Felipe Zimmerle, Chaim
Sanders, Walter Hop, Christian Folini)
* Anomaly scoring is the new default, renamed thresholds from
tx.(in|out)bound_anomaly_score_level to
tx.(in|out)bound_anomaly_score_threshold
* Introduction of libinjection for SQLi detection
* Introduction of libinjection for XSS detection
* Big improvement on detection of Remote Command Execution (Walter Hop)
* Big improvement on PHP function name detection (Walter Hop)
* Paranoia Mode (Christian Folini, Noël Zindel, Franziska Bühler,
Manuel Leos, Walter Hop)
* Shifted dozens of rules into higher paranoia levels
* Introduced a lot of stricter sibling rules in higher levels
* Generic mechanism to support application specific rule exclusions
(Chaim Sanders)
* Initial Wordpress rule exclusions (Walter Hop)
* Initial Drupal rule exclusions (Christian Folini, @emphazer)
* Renumbering of rules. See folder id_renumbering for a
csv map (Chaim Sanders)
* Consolidation of rules, namely XSS and SQLi (Spider Labs/Trustwave team)
* Sampling mode / Easing in (Christian Folini)
* Cleanup of reputation checks / persistent blocking
(Christian Folini / Walter Hop)
* Tags much more systematic (Walter Hop)
* IP reputation checks / persistent blocking of certain clients
(Spider Labs/Trustwave team)
* Phase actions use request/response/logging now instead of
numerical phases (Spider Labs/Trustwave team)
* Added NoScript XSS Filters (Spider Labs/Trustwave team)
* Updated "severity" action to use words (CRITICAL, WARNING, etc...)
vs. numbers (5, 4, etc..)
* Various regex fixes after research by Vladimir Ivanov (Chaim Sanders)
* Overhaul of the regression mode into debug mode (Walter Hop, Ryan Barnett)
* Introduction of util/upgrade.py (Walter Hop)
* Removal of GeoIP database. Download via util/upgrade.py now.
* Introduction of Initialization rules with
default values (Walter Hop, Christian Folini)
* Sorting out terminology with
whitelisting and rule exclusions (Christian Folini)
* Overhaul of testing (Chaim Sanders)
* Protection from HTTP Parameter Pollution (Franziska Bühler)
* Simplification of setup config file, renamed file to crs-setup.conf.example
* Improved session fixation detection logic (Christian Peron, credits to
Eric Hodel for the discovery)
* Updated list of malicious webscanners
* Splitting scanner user agents data files (github user @ygrek)
* Countless bugfixes in severities, anomaly scores, tags, etc.
across the board
* Cleanup of formerly experimental DDoS rules,
fix documentation (Ryan Barnett, Christian Folini)
* Improves http blacklist checks (Walter Hop)
* Extended XSS detection (as suggested by Mazin Ahmed)
* Added support for Travis CI
* Added support for HTTP/2 in recent Apache 2.4 (Walter Hop)
* Added many, many bots and scanners (among others suggested by
github user @toby78, @jamuse, Matt Koch)
* Fixed mime types suitable for XML processor (Chaim Sanders)
* Include script in util/join-multiline-rules to work around
Apache 2.4 < 2.4.11 bug with long lines (Walter Hop)
* New detection for request smuggling attacks (Achim Hofmann,
Christian Folini)
* Fixes with project honeypot setup (Ryan Barnett)
* Separated DB / SQL messages by DB software (Ryan Barnett)
* CPanel integration (Chaim Sanders)
* Introduction of var for static resources (Chaim Sanders)
* Many improvements to rules in 2014/5 (Ryan Barnett)
== Version 2.2.9 - 09/30/2013 ==
Security Fixes:
Improvements:
* Updated the /util directory structure
Bug Fixes:
* fix 950901 - word boundary added
* modsecurity_35_bad_robots.data - gecko/25 blocks Firefox Android
https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/157
== Version 2.2.8 - 06/30/2013 ==
Security Fixes:
Improvements:
* Updatd the /util directory structure
* Added scripts to check Rule ID duplicates
* Added script to remove v2.7 actions so older ModSecurity rules will work
- https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/43
* Added new PHP rule (958977) to detect PHP exploits (Plesk 0-day from king cope)
- http://seclists.org/fulldisclosure/2013/Jun/21
- http://blog.spiderlabs.com/2013/06/honeypot-alert-active-exploits-attempts-for-plesk-vulnerability-.html
Bug Fixes:
* fix 950901 - word boundary added
- https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/48
* fix regex error
- https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/44
* Updated the Regex in 981244 to include word boundaries
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/36
* Problem with Regression Test (Invalid use of backslash) - Rule 960911 - Test2
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/34
* ModSecurity: No action id present within the rule - ignore_static.conf
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/17
* "Bad robots" rule blocks all Java applets on Windows XP machines
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/16
* duplicated rules id 981173
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/18
== Version 2.2.7 - 12/19/2012 ==
Security Fixes:
Improvements:
* Added JS Overrides file to identify successfull XSS probes
* Added new XSS Detection Rules from Ashar Javed (http://twitter.com/soaj1664ashar)
- http://jsfiddle.net/U9RmU/4/
* Updated the SQLi Filters to add in Oracle specific functions
- https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/7
Bug Fixes:
* Fixed Session Hijacking rules
- https://github.com/SpiderLabs/owasp-modsecurity-crs/pull/8
* Fixed bug in XSS rules checking TX:PM_XSS_SCORE variable
== Version 2.2.6 - 09/14/2012 ==
Security Fixes:
Improvements:
* Started rule formatting update for better readability
* Added maturity and accuracy action data to each rule
* Updated rule revision (rev) action
* Added rule version (ver) action
* Added more regression tests (util/regression_tests/)
* Modified Rule ID 960342 to block large file attachments in phase:1
* Removed all PARANOID rule checks
* Added new Session Fixation rules
Bug Fixes:
* Fixed missing ending double-quotes in XSS rules file
* Moved SecDefaultAction setting from phase:2 to phase:1
* Fixed Session Hijacking SessionID Regex
https://www.modsecurity.org/tracker/browse/CORERULES-79
* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME
https://www.modsecurity.org/tracker/browse/CORERULES-78
== Version 2.2.5 - 06/14/2012 ==
Security Fixes:
* Updated the anomaly scoring value for rule ID 960000 to critical
(Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
(https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses)
* Updated Content-Type check to fix possible evasion with @within
(Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
(https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses)
Improvements:
* Renamed main config file to modsecurity_crs_10_setup.conf
* Updated the rule IDs to start from CRS reserved range: 900000
* Updated rule formatting for readibility
* Updated the CSRF rules to use UNIQUE_ID as the token source
* Added the zap2modsec.pl script to the /util directory which converts
OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
* Updated the Directory Traversal Signatures to include more obfuscated data
* Added Arachni Scanner Integration Lua script/rules files
Bug Fixes:
* Added forceRequestBodyVariable action to rule ID 960904
== Version 2.2.4 - 03/14/2012 ==
Improvements:
* Added Location and Set-Cookie checks to Response Splitting rule ID 950910
* Added a README file to the activated_rules directory
* Consolidate a number of SQL Injection rules into optimized regexs
* Removed multiMatch and replaceComments from SQL Injection rules
* Updated the SQLi regexs for greediness
* Updated the SQLi setvar anomaly score values to use macro expansion
* Removed PARANOID mode rules
Bug Fixes:
* Fixed missing comma before severity action in rules 958291, 958230 and 958231
* Fixed duplidate rule IDs
== Version 2.2.3 - 12/19/2011 ==
Improvements:
* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
* Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
http://websecuritytool.codeplex.com/wikipage?title=Checks#header
Bug Fixes:
* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
* Updated the regex and added tags for RFI rules.
== Version 2.2.2 - 09/28/2011 ==
Improvements:
* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points
* Added new Range header detection checks to prevent Apache DoS
* Added new Security Scanner User-Agent strings
* Added example script to the /util directory to convert Arachni DAST scanner
XML data into ModSecurity virtual patching rules.
* Updated the SQLi Character Anomaly Detection Rules
* Added Host header info to the RESOURCE collection key for AppSensor profiling rules
Bug Fixes:
* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
* Fixed Request Limit rules by removing & from variables
* Fixed Session Hijacking IP/UA hash captures
* Updated the SQLi regex for rule ID 981242
== Version 2.2.1 - 07/20/2011 ==
Improvements:
* Extensive SQL Injection signature updates as a result of the SQLi Challenge
http://www.modsecurity.org/demo/challenge.html
* Updated the SQL Error message detection in reponse bodies
* Updated SQL Injection signatures to include more DB functions
* Updated the WEAK SQL Injection signatures
* Added tag AppSensor/RE8 to rule ID 960018
Bug Fixes:
* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches
https://www.modsecurity.org/tracker/browse/CORERULES-70
* Fixed Session Hijacking rules to properly capture IP address network hashes.
* Added the multiMatch action to the SQLi rules
* Fixed a false negative logic flaw within the advanced_filter_converter.lua script
* Fixed missing : in id action in DoS ruleset.
* Updated rule ID 971150 signature to remove ;
== Version 2.2.0 - 05/26/2011 ==
Improvements:
* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)
http://www.apache.org/licenses/LICENSE-2.0.txt
* Created new INSTALL file outlining quick config setup
* Added a new rule regression testing framework to the /util directory
* Added new activated_rules directory which will allow users to place symlinks pointing
to files they want to run. This allows for easier Apache Include wild-carding
* Adding in new RULE_MATURITY and RULE_ACCURACY tags
* Adding in a check for X-Forwarded-For source IP when creating IP collection
* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)
http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
* Added new AppSensor rules to experimental_dir
https://www.owasp.org/index.php/AppSensor_DetectionPoints
* Added new Generic Malicious JS checks in outbound content
* Added experimental IP Forensic rules to gather Client hostname/whois info
http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules
http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
* Global collection in the 10 file now uses the Host Request Header as the collection key.
This allows for per-site global collections.
* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilties.
This includes both converted web rules from Emerging Threats (ET) and from SLR Team.
* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
* Added experimental rules for detecting Open Proxy Abuse
http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html
* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
* Added new SQLi detection rules (959070, 959071 and 959072)
* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data
https://www.modsecurity.org/tracker/browse/CORERULES-64
Bug Fixes:
* Assigned IDs to all active SecRules/SecActions
* Removed rule inversion (!) from rule ID 960902
* Fixed false negative issue in Response Splitting Rule
* Fixed false negative issue with @validateByteRange check
* Updated the TARGETS lising for rule ID 950908
* Updated TX data for REQBODY processing
* Changed the pass action to block in the RFI rules in the 40 generic file
* Updated RFI regex to catch IP address usage in hostname
https://www.modsecurity.org/tracker/browse/CORERULES-68
* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.
They will now inherit the settings from the SecDefaultAction
== Version 2.1.2 - 02/17/2011 ==
Improvements:
* Added experimental real-time application profiling ruleset.
* Added experimental Lua script for profiling the # of page scripts, iframes, etc..
which will help to identify successful XSS attacks and planting of malware links.
* Added new CSRF detection rule which will trigger if a subsequent request comes too
quickly (need to use the Ignore Static Content rules).
Bug Fixes:
* Added missing " in the skipAfter SecAction in the CC Detection rule set
== Version 2.1.1 - 12/30/2010 ==
Bug Fixes:
* Updated the 10 config conf file to add in pass action to User-Agent rule
* Updated the CSRF ruleset to conditionally do content injection - if the
csrf token was created by the session hijacking conf file
* Updated the session hijacking conf file to only enforce rules if a SessionID
Cookie was submitted
* Fixed macro expansion setvar bug in the restricted file extension rule
* Moved the comment spam data file into the optional_rules directory
== Version 2.1.0 - 12/29/2010 ==
Improvements:
* Added Experimental Lua Converter script to normalize payloads. Based on
PHPIDS Converter code and it used with the advanced filters conf file.
* Changed the name of PHPIDS converted rules to Advanced Filters
* Added Ignore Static Content (Performance enhancement) rule set
* Added XML Enabler (Web Services) rule set which will parse XML data
* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
* Added Denial of Service (DoS) Protection rule set
* Added Slow HTTP DoS (Connection Consumption) Protection rule set
* Added Brute Force Attack Protection rule set
* Added Session Hijacking Detection rule set
* Added Username Tracking rule set
* Added Authentication Tracking rule set
* Added Anti-Virus Scanning of File Attachments rule set
* Added AV Scanning program to /util directory
* Added Credit Card Usage Tracking/Leakage Prevention rule set
* Added experimental CC Track/PAN Leakage Prevention rule set
* Added an experimental_rules directory to hold new BETA rules
* Moved the local exceptions conf file back into base_rules dirctory however
it has a ".example" extension to prevent overwriting customized versions
when upgrading
* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
the experimental_rules directory
* Adding the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will
help to make collections a bit more unique
== Version 2.0.10 - 11/29/2010 ==
Improvements:
* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS
is running in traditional mode.
Bug Fixes:
* Moved all skipAfter actions in chained rules to chain starter SecRules
https://www.modsecurity.org/tracker/browse/MODSEC-159
* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs
== Version 2.0.9 - 11/17/2010 ==
Improvements:
* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
it will not overwrite existing config settings. Users should rename this file to activate
it.
* Traditional detection mode is now the current default
* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
by editing the modsecurity_crs_10_config.conf file
* Updated the disruptive actions in most rules to use "block" action instead of "pass". This
is to allow for the toggling between traditional vs. anomaly scoring modes.
* Removed logging actions from most rules so that it can be controlled from the SecDefaultAction
setting in the modsecurity_crs_10_config.conf file
* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
what is used in the PHPIDS rules. These still have the same factor of severity even though
the numbers themselves are smaller.
* Updated the 49 and 59 blocking rules to include the matched logdata
* Updated the TAG data to further classify attack/vuln categories.
* Updated the SQL Injection filters to detect more boolean logic attacks
* Moved some files to optional_rules directory (phpids, Emerging Threats rules)
Bug Fixes:
* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
https://www.modsecurity.org/tracker/browse/CORERULES-63
* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
https://www.modsecurity.org/tracker/browse/MODSEC-159
* Fixed restricted file extension bug with macro expansion
https://www.modsecurity.org/tracker/browse/CORERULES-60
* Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
it matches what is being set in the sql injection conf file
* Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)
https://www.modsecurity.org/tracker/browse/CORERULES-62
== Version 2.0.8 - 08/27/2010 ==
Improvements:
* Updated the PHPIDS filters
* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
* Updated the SQL Injection fitlers to account for different quotes
* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
* Added Rule ID 950109 to detect multiple URL encodings
* Added two experimental rules to detect anomalous use of special characters
Bug Fixes:
* Fixed Encoding Detection RegEx (950107 and 950108)
* Fixed rules-updater.pl script to better handle whitespace
https://www.modsecurity.org/tracker/browse/MODSEC-167
* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
https://www.modsecurity.org/tracker/browse/CORERULES-55
* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
https://www.modsecurity.org/tracker/browse/CORERULES-54
* Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives
https://www.modsecurity.org/tracker/browse/CORERULES-29
== Version 2.0.7 - 06/4/2010 ==
Improvements:
* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
specific outbound data and then validate the csrf token on subsequent requests.
* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
flags
* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
data being echoed back to user unchanged.
* Added rules-updater.pl script and configuration file to allow users to automatically
download CRS rules from the CRS rules repository.
* Added new SQLi keyword for ciel() and reverse() functions.
* Updated the PHPIDS filters
Bug Fixes:
* Fixed false positives for Request Header Name matching in the 30 file by
adding boundary characters.
* Added missing pass actions to @pmFromFile prequalifier rules
* Added backslash to SQLi regex
https://www.modsecurity.org/tracker/browse/CORERULES-41
* Fixed hard coded anomaly score in PHPIDS filter file
https://www.modsecurity.org/tracker/browse/CORERULES-45
* Fixed restricted_extension false positive by adding boundary characters
== Version 2.0.6 - 02/26/2010 ==
Bug Fixes:
* Added missing transformation functions to SQLi rules.
https://www.modsecurity.org/tracker/browse/CORERULES-32
* Fixed duplicate rule IDs.
https://www.modsecurity.org/tracker/browse/CORERULES-33
* Fixed typo in @pmFromFile in the Comment SPAM rules
https://www.modsecurity.org/tracker/browse/CORERULES-34
* Added macro expansion to Restricted Headers rule
https://www.modsecurity.org/tracker/browse/CORERULES-35
* Fixed misspelled SecMarker
https://www.modsecurity.org/tracker/browse/CORERULES-36
* Fixed missing chain action in Content-Type header check
https://www.modsecurity.org/tracker/browse/CORERULES-37
* Update phpids filters to use pass action instead of block
== Version 2.0.5 - 02/01/2010 ==
Improvements:
* Removed previous 10 config files as they may conflict with local customized Mod configs.
* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
PARANOID_MODE inspection, set anomaly score levels and http policies.
Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
* Added Rule Logic and Reference links to rules descriptions.
* Added Rule IDs to all rules.
* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
* Removed Apache limit directives from the 23 file
* Added macro expansion to 23 file checks.
* Added @pmFromFile check to 35 bad robots file
* Added malicious UA strings to 35 bad robots check
* Created an experimental rules file
* Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
https://www.modsecurity.org/tracker/browse/MODSEC-120
* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
* Moved converted ET Snort rules to the /optional_rules directory
* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
request headers.
* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
* Added new outbound malware link detection rules.
* Added PHP "call_user_func" to blacklist
Identified by SOGETI ESEC R&D
Bug Fixes:
* Removed Non-numeric Rule IDs
https://www.modsecurity.org/tracker/browse/CORERULES-28
* Updated the variable list on SQLi rules.
* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
and blocking
== Version 2.0.4 - 11/30/2009 ==
Improvements:
* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
* Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
then search more generically in request_body|request_uri_raw
* Updated PHPIDS rules logic to only set TX variables and to not log. This allows for more clean
exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
alerts for any variable matches that exist.
Bug Fixes:
* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
phase:4 which would allow for blocking based on information leakage issues.
== Version 2.0.3 - 11/05/2009 ==
Improvements:
* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
* Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
* Added new rules to identify multipart/form-data bypass attempts
* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
Bug Fixes:
* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
https://www.modsecurity.org/tracker/browse/CORERULES-17
* Added new variable locations to the phpids filters
https://www.modsecurity.org/tracker/browse/CORERULES-19
* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
https://www.modsecurity.org/tracker/browse/CORERULES-20
* Fixed multipart parsing evasion issues by adding strict parsing rules
https://www.modsecurity.org/tracker/browse/CORERULES-21
* Fixed typo in xss rules (missing |)
https://www.modsecurity.org/tracker/browse/CORERULES-22
* Fixed regex text in IE8 XSS filters (changed to lowercase)
https://www.modsecurity.org/tracker/browse/CORERULES-23
== Version 2.0.2 - 09/11/2009 ==
Improvements:
* Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
https://www.modsecurity.org/tracker/browse/CORERULES-13
Bug Fixes:
* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
https://www.modsecurity.org/tracker/browse/CORERULES-15
== Version 2.0.1 - 08/07/2009 ==
Improvements:
* Updated the transformation functions used in the XSS/SQLi rules to improve performance
https://www.modsecurity.org/tracker/browse/CORERULES-10
* Updated the variable/target list in the XSS rules
https://www.modsecurity.org/tracker/browse/CORERULES-11
* Added XSS Filters from IE8
https://www.modsecurity.org/tracker/browse/CORERULES-12
Bug Fixes:
* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
https://www.modsecurity.org/tracker/browse/CORERULES-9
== Version 2.0.0 - 07/29/2009 ==
New Rules & Features:
* Fine Grained Policy
The rules have been split to having one signature per rule instead of having
all signatures combined into one optimized regular expression.
This should allow you to modify/disable events based on specific patterns
instead of having to deal with the whole rule.
* Converted Snort Rules
Emerging Threat web attack rules have been converted.
http://www.emergingthreats.net/
* Anomaly Scoring Mode Option
The rules have been updated to include anomaly scoring variables which allow
you to evaluate the score at the end of phase:2 and phase:5 and decide on what
logging and disruptive actions to take based on the score.
* Correlated Events
There are rules in phase:5 that will provide some correlation between inbound
events and outbound events and will provide a result of successful atttack or
attempted attack.
* Updated Severity Ratings
The severity ratings in the rules have been updated to the following:
- 0: Emergency - is generated from correlation where there is an inbound attack and
an outbound leakage.
- 1: Alert - is generated from correlation where there is an inbound attack and an
outbound application level error.
- 2: Critical - is the highest severity level possible without correlation. It is
normally generated by the web attack rules (40 level files).
- 3: Error - is generated mostly from outbound leakabe rules (50 level files).
- 4: Warning - is generated by malicious client rules (35 level files).
- 5: Notice - is generated by the Protocol policy and anomaly files.
- 6: Info - is generated by the search engine clients (55 marketing file).
* Updated Comment SPAM Protections
Updated rules to include RBL lookups and client fingerprinting concepts from
Bad Behavior (www.bad-behavior.ioerror.us)
* Creation of Global Collection
Automatically create a Global collection in the *10* config file. Other rules
can then access it.
* Use of Block Action
Updated the rules to use the "block" action. This allows the Admin to globally
set the desired block action once with SecDefaultAction in the *10* config file
rather than having to edit the disruptive actions in all of the rules or for
the need to have multiple versions of the rules (blocking vs. non-blocking).
* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
* Added new generic RFI detection rules.
http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
* "Possibly malicious iframe tag in output" (Rules 981001,981002)
Planting invisible iframes in a site can be used by attackers to point users
from the victim site to their malicious site. This is actually as if the
user was visiting the attacker's site himself, causing the user's browser to
process the content in the attacker's site.
New Events:
* Rule 960019 - Expect Header Not Allowed.
* Rule 960020 - Pragma Header Requires Cache-Control Header
* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
as it is reserved for use as a fragment identifier within the html page.
* Rule 958291 - Range: field exists and begins with 0.
* Rule 958292 - Invalid Request Header Found.
* Rule 958293 - Lowercase Via Request Header Found.
* Rule 958294 - Common SPAM Proxies found in Via Request Header.
* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
* Rule 958296 - Request Indicates a SPAM client accessed the Site.
* Rule 958297 - Common SPAM/Email Harvester crawler.
* Rule 958298 - Common SPAM/Email Harvester crawler
Bug Fixes:
* Rule 950107 - Split the rule into 2 separate rules to factor in the
Content-Type when inspecting the REQUEST_BODY variable.
* Rule 960017 - Bug fix for when having port in the host header.
* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
* Rule 950801 - Increased the logic so that the rule will only run if the web site
uses UTF-8 Encoding.
* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
allow the IPv6 loopback address
* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
and to identify offsite hosts by comparing the ARG URI to the Host
header. Due to this rule now being stronger, moved it from optional
tight security rule to *40* generic attacks file.
Other Fixes:
* Added more HTTP Protocol violations to *20* file.
* Set the SecDefaultAction in the *10* config file to log/pass (This was the
default setting, however this sets it explicitly.
* Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
was added so that when running the SecRuleEngine in DetectionOnly mode, it will
not deny response bodies that go over the size restrictions.
* Changed SecServerSignature to "Apache/1.3.28"
* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
BEGIN and END SecMarkers for rule groups to more accurately allow moving to
proper locations.
* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
This removes the need for some SecAction/SkipAfter rules.
* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
rules and chained rules).
== Version 1.6.1 - 2008/04/22 ==
* Fixed a bug where phases and transformations where not specified explicitly
in rules. The issue affected a significant number of rules, and we strongly
recommend to upgrade.
== Version 1.6.0 - 2008/02/19 ==
New Rulesets & Features:
* 42 - Tight Security
This ruleset contains currently 2 rules which are considered highly prone
to FPs. They take care of Path Traversal attacks, and RFI attacks. This
ruleset is included in the optional_rulesets dir
* 42 - Comment Spam
Comment Spam is used by the spammers to increase their rating in search
engines by posting links to their site in other sites that allow posting
of comments and messages. The rules in this ruleset will work against that.
(Requires ModSecurity 2.5)
* Tags
A single type of attack is often detected by multiple rules. The new alert
classification tags solve this issue by providing an alternative alert type
indication and can serve for filtering and analysis of audit logs.
The classification tags are hierarchical with slashes separating levels.
Usually there are two levels with the top level describing the alert group
and the lower level denoting the alert type itself, for example:
WEB_ATTACK/SQL_INJECTION.
False Positives Fixes:
* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
* Rule 950107 - Will look for invalid url decoding in variables that are not
automatically url decoded
Additional rules logic:
* Using the new "logdata" action for logging the matched signature in rules
* When logging an event once, init the collection only if the alert needs to log
* Using the new operator @pm as a qualifier before large rules to enhance
performance (Requires ModSecurity 2.5)
* SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
only 1=1. (Thanks to Marc Stern for the idea)
* New XSS signatures - iframe & flash XSS
== Version 1.5.1 - 2007/12/6 ==
False Positives Fixes:
* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
New Events:
* 960019 - Detect HTTP/0.9 Requests
HTTP/0.9 request are not common these days. This rule will log by default,
and block in the blocking version of file 21
Other Fixes:
* File 40, Rules 950004,950005 - Repaired the correction for the double
url decoding problem
* File 55 contained empty regular expressions. Fixed.
== Version 1.5 - 2007/11/23 ==
New Rulesets:
* 23 - Request Limits
"Judging by appearances". This rulesets contains rules blocking based on
the size of the request, for example, a request with too many arguments
will be denied.
Default policy changes:
* XML protection off by default
* BLOCKING dir renamed to optional_rules
* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
* Ruleset 21 - The exception for apache internal monitor will not log anymore
New Events:
* 960912 - Invalid request body
Malformed content will not be parsed by modsecurity, but still there might
be applications that will parse it, ignoring the errors.
* 960913 - Invalid Request
Will trigger a security event when request was rejected by apache with
code 400, without going through ModSecurity rules.
Additional rules logic:
* 950001 - New signature: delete from
* 950007 - New signature: waitfor delay
False Positives Fixes:
* 950006 - Will not be looking for /cc pattern in User-Agent header
* 950002 - "Internet Explorer" signature removed
* Double decoding bug used to cause FPs. Some of the parameters are already
url-decoded by apache. This caused FPs when the rule performed another
url-decoding transformation. The rules have been split so that parameters
already decoded by apache will not be decoded by the rules anymore.
* 960911 - Expression is much more permissive now
* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
then you should uncomment this rule (in file 20)
version 1.4.3 - 2007/07/21
New Events:
* 950012 - HTTP Request Smuggling
For more info on this attack:
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
* 960912 - Invalid request body
Malformed content will not be parsed by modsecurity, but still there might
be applications that will parse it, ignoring the errors.
* 960913 - Invalid Request
Will trigger a security event when request was rejected by apache with
code 400, without going through ModSecurity rules.
False Positives Fixes:
* 950107 - Will allow a % sign in the middle of a string as well
* 960911 - A more accurate expression based on the rfc:
http://www.ietf.org/rfc/rfc2396.txt
* 950015 - Will not look for http/ pattern in the request headers
Additional rules logic:
* Since Apache applies scope directives only after ModSecurity phase 1
this directives cannot be used to exclude phase 1 rules. Therefore
we moved all inspection rules to phase 2.
version 1.4 build 2 - 2007/05/17
New Feature:
* Search for signatures in XML content
XML Content will be parsed and ispected for signatures
New Events:
* 950116 - Unicode Full/Half Width Abuse Attack Attempt
Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
http://www.kb.cert.org/vuls/id/739224
* 960911 - Invalid HTTP request line
Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
* 960904 - Request Missing Content-Type (when there is content)
When a request contains content, the content-type must be specified. If not, the content will not be inspected
* 970018 - IIS installed in default location (any drive)
Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
* 950019 - Email Injection
Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
Regular expressions fixes:
* Further optimization of some regular expressions (using the non-greediness operator)
The non-greediness operator, <?>, prevents excessive backtracking
FP fixes:
* Rule 950107 - Will allow a parameter to end in a % sign from now on
version 1.4 - 2007/05/02