From 607c0f5e4f0b0de643a3d3db2c7a9d9e496d281b Mon Sep 17 00:00:00 2001 From: Christian Folini Date: Tue, 25 Jun 2019 09:54:26 +0200 Subject: [PATCH] Backports to v3.1/dev from v3.2/dev (incl. ReDoS fixes) and update version * Backport regex update in regexp-942260.data * Backport rules updates to 942260 and 942490 * Backport regex update in regexp-942490.data * Backporting new regexp-assemble-v2.pl * Describe ReDoS fix backports in CHANGES * Bugfix in 943120 (backport) * Content-Type made case insensitive in 920240, 920400 (backport) * Fix bug in 920470 (backport) * Allow percent encoding in 920240 (backport) * Fix bug in 920440 (backport) * Reduce false positives in 921110 (backport) * Updating version to 3.1.1, copyright year and contributors file --- CHANGES | 9 ++ CONTRIBUTORS.md | 3 + README.md | 2 +- crs-setup.conf.example | 6 +- ...00-EXCLUSION-RULES-BEFORE-CRS.conf.example | 4 +- rules/REQUEST-901-INITIALIZATION.conf | 12 +- ...QUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf | 6 +- ...ST-903.9002-WORDPRESS-EXCLUSION-RULES.conf | 4 +- ...ST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf | 4 +- ...EST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf | 4 +- ...QUEST-903.9005-CPANEL-EXCLUSION-RULES.conf | 4 +- rules/REQUEST-905-COMMON-EXCEPTIONS.conf | 4 +- rules/REQUEST-910-IP-REPUTATION.conf | 4 +- rules/REQUEST-911-METHOD-ENFORCEMENT.conf | 6 +- rules/REQUEST-912-DOS-PROTECTION.conf | 4 +- rules/REQUEST-913-SCANNER-DETECTION.conf | 14 +-- rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 110 +++++++++--------- rules/REQUEST-921-PROTOCOL-ATTACK.conf | 24 ++-- rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf | 12 +- rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf | 12 +- rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 30 ++--- rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 32 ++--- rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf | 58 ++++----- .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf | 102 ++++++++-------- ...3-APPLICATION-ATTACK-SESSION-FIXATION.conf | 12 +- .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf | 22 ++-- rules/REQUEST-949-BLOCKING-EVALUATION.conf | 4 +- rules/RESPONSE-950-DATA-LEAKAGES.conf | 8 +- rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf | 38 +++--- rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf | 8 +- rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf | 10 +- rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf | 12 +- rules/RESPONSE-959-BLOCKING-EVALUATION.conf | 4 +- rules/RESPONSE-980-CORRELATION.conf | 4 +- ...999-EXCLUSION-RULES-AFTER-CRS.conf.example | 4 +- util/regexp-assemble/regexp-942260.data | 2 +- util/regexp-assemble/regexp-942490.data | 2 +- util/regexp-assemble/regexp-assemble-v2.pl | 29 +++++ .../920240.yaml | 6 +- .../920440.yaml | 23 ++++ .../920470.yaml | 16 ++- .../REQUEST-921-PROTOCOL-ATTACK/921110.yaml | 23 +++- 42 files changed, 396 insertions(+), 301 deletions(-) create mode 100755 util/regexp-assemble/regexp-assemble-v2.pl diff --git a/CHANGES b/CHANGES index 2d6f0e80b..4bb3a94b6 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,15 @@ or the CRS mailinglist at * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set +== Version 3.1.1 - 2018-06-26 == + * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt) + * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt) + * Allow % encoding in 920240 (Christoph Hansen) + * Fix bug in 920440 (Andrea Menin) + * Fix bug in 920470 (Walter Hop) + * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt) + * Fix bug in 943120 (XeroChen) + == Version 3.1.0 - 8/7/2018 == * Add Detectify scanner (theMiddle) * Renaming matched_var/s (Victor Hora) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 41ad22eb4..df2c6fe32 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -12,6 +12,7 @@ - [Franziska Bühler](https://github.com/franbuehler) - [Christoph Hansen](https://github.com/emphazer) - [Victor Hora](https://github.com/victorhora) +- [Andrea Menin](https://github.com/theMiddleBlue) - [Federico G. Schwindt](https://github.com/fgsch) - [Manuel Spartan](https://github.com/spartantri) - [Felipe Zimmerle](https://github.com/zimmerle) @@ -51,6 +52,8 @@ - [theMiddle](https://github.com/theMiddleBlue) - [Ben Williams](https://github.com/benwilliams) - [Greg Wroblewski](https://github.com/gwroblew) +- [XeroChen](https://github.com/XeroChen) +- [Yu Yagihashi](https://github.com/yagihash) - [ygrek](https://github.com/ygrek) - [Zino](https://github.com/zinoe) - Josh Zlatin diff --git a/README.md b/README.md index 9f7ccafa8..d5c860088 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg ## License -Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details. diff --git a/crs-setup.conf.example b/crs-setup.conf.example index 41d6f7b79..bfc23958d 100644 --- a/crs-setup.conf.example +++ b/crs-setup.conf.example @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -842,4 +842,4 @@ SecAction \ nolog,\ pass,\ t:none,\ - setvar:tx.crs_setup_version=310" + setvar:tx.crs_setup_version=311" diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example index 317c54d2c..bd2361632 100644 --- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example +++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf index 94629abe7..b893794da 100644 --- a/rules/REQUEST-901-INITIALIZATION.conf +++ b/rules/REQUEST-901-INITIALIZATION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -21,11 +21,11 @@ # # Rule version data is added to the "Producer" line of Section H of the Audit log: # -# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0. +# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1. # # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature # -SecComponentSignature "OWASP_CRS/3.1.0" +SecComponentSignature "OWASP_CRS/3.1.1" # # -=[ Default setup values ]=- @@ -298,7 +298,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ msg:'Enabling body inspection',\ tag:'paranoia-level/1',\ ctl:forceRequestBodyVariable=On,\ - ver:'OWASP_CRS/3.1.0'" + ver:'OWASP_CRS/3.1.1'" # Force body processor URLENCODED SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ @@ -309,7 +309,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \ nolog,\ noauditlog,\ msg:'Enabling forced body inspection for ASCII content',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ chain" SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \ "ctl:requestBodyProcessor=URLENCODED" diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf index f478ed7d4..1f511c383 100644 --- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -296,7 +296,7 @@ SecRule REQUEST_METHOD "@streq POST" \ "chain" SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \ "chain" - SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \ + SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \ "chain" SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \ "ctl:requestBodyAccess=Off" diff --git a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf index 5e3934af6..7d8fff749 100644 --- a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf index c2c9a2a9e..f667c5f2f 100644 --- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf index 2ce28e587..dfb180f18 100644 --- a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf index 07b3ecffc..1553364c3 100644 --- a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf +++ b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf index 04ab90101..3761725f5 100644 --- a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +++ b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-910-IP-REPUTATION.conf b/rules/REQUEST-910-IP-REPUTATION.conf index 917b7ae23..eadbb24b1 100644 --- a/rules/REQUEST-910-IP-REPUTATION.conf +++ b/rules/REQUEST-910-IP-REPUTATION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf index d90f50af4..019699065 100644 --- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -40,7 +40,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \ tag:'OWASP_AppSensor/RE1',\ tag:'PCI/12.1',\ severity:'CRITICAL',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'" diff --git a/rules/REQUEST-912-DOS-PROTECTION.conf b/rules/REQUEST-912-DOS-PROTECTION.conf index cdbbfe4a4..4de94dec7 100644 --- a/rules/REQUEST-912-DOS-PROTECTION.conf +++ b/rules/REQUEST-912-DOS-PROTECTION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf index a33761a56..d9868f0fa 100644 --- a/rules/REQUEST-913-SCANNER-DETECTION.conf +++ b/rules/REQUEST-913-SCANNER-DETECTION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -46,7 +46,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \ tag:'WASCTC/WASC-21',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ @@ -71,7 +71,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \ tag:'WASCTC/WASC-21',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ @@ -98,7 +98,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \ tag:'WASCTC/WASC-21',\ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ @@ -141,7 +141,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ @@ -178,7 +178,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \ tag:'OWASP_TOP_10/A7',\ tag:'PCI/6.5.10',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf index ce56d2b97..8cf817c5c 100644 --- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -57,7 +57,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+ tag:'attack-protocol',\ tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\ tag:'CAPEC-272',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\ @@ -107,7 +107,7 @@ SecRule FILES_NAMES|FILES "@rx (?" \ "msg:'PHP Injection Attack: PHP Closing Tag Found',\ phase:2,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf index 2976f019a..c09a258fa 100644 --- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -52,7 +52,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -84,7 +84,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -115,7 +115,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -145,7 +145,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -176,7 +176,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -239,7 +239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -270,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -302,7 +302,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -329,7 +329,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -356,7 +356,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -383,7 +383,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -410,7 +410,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -437,7 +437,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -464,7 +464,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -491,7 +491,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -518,7 +518,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -545,7 +545,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -572,7 +572,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -599,7 +599,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -631,7 +631,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -662,7 +662,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -699,7 +699,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \ tag:'CAPEC-242',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -731,7 +731,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'CAPEC-242',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -816,7 +816,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -842,7 +842,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -868,7 +868,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/IE1',\ tag:'PCI/6.5.1',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf index 3c154e225..3a84d8571 100644 --- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -57,7 +57,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\ @@ -95,7 +95,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'platform-multi',\ tag:'attack-sqli',\ tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -153,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -185,7 +185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -233,7 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -313,7 +313,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -345,7 +345,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -369,7 +369,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -401,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -433,7 +433,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -476,7 +476,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_TOP_10/A1',\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -516,7 +516,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (^\s*[\"'`;]+|[\"'`]+\s*$)" \ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ @@ -553,7 +553,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -590,7 +590,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]* tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ multiMatch,\ setvar:'tx.msg=%{rule.msg}',\ @@ -630,7 +630,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(" \ @@ -665,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -698,7 +698,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -731,7 +731,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -741,12 +741,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # Regexp generated from util/regexp-assemble/regexp-942260.data using Regexp::Assemble. # To rebuild the regexp: # cd util/regexp-assemble -# ./regexp-assemble.pl regexp-942260.data +# ./regexp-assemble-v2.pl regexp-942260.data # Note that after assemble an outer bracket with an ignore case flag is added # to the Regexp::Assemble output: -# (?i:ASSEMBLE_OUTPUT) +# ASSEMBLE_OUTPUT | s/^(?:/(?i:/ # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%))" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%)" \ "id:942260,\ phase:2,\ block,\ @@ -764,7 +764,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -797,7 +797,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -830,7 +830,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -906,7 +906,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -943,7 +943,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -977,7 +977,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1008,7 +1008,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1039,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1073,7 +1073,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1111,7 +1111,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1148,7 +1148,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1185,7 +1185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1227,7 +1227,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ @@ -1275,7 +1275,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1304,7 +1304,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1348,7 +1348,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1364,7 +1364,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME # to the Regexp::Assemble output: # (?:ASSEMBLE_OUTPUT) # -SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])" \ +SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]" \ "id:942490,\ phase:2,\ block,\ @@ -1382,7 +1382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -1426,7 +1426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ @@ -1456,7 +1456,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ @@ -1490,7 +1490,7 @@ SecRule ARGS "@rx \W{4}" \ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\ setvar:'tx.msg=%{rule.msg}',\ @@ -1527,7 +1527,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ @@ -1557,7 +1557,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´ tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/4',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'WARNING',\ setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\ setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\ diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf index 31b870c5b..4451c6071 100644 --- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\ @@ -67,7 +67,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \ @@ -80,7 +80,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'" -SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ +SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \ "id:943120,\ phase:2,\ block,\ @@ -96,7 +96,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession tag:'WASCTC/WASC-37',\ tag:'CAPEC-61',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule &REQUEST_HEADERS:Referer "@eq 0" \ diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf index b248d2c72..cb2dee43a 100644 --- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -35,7 +35,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -67,7 +67,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \ @@ -96,7 +96,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \ @@ -124,7 +124,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/1',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -166,7 +166,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -191,7 +191,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -216,7 +216,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -241,7 +241,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ @@ -280,7 +280,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES tag:'OWASP_TOP_10/A1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/3',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\ diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf index 24fc1f57b..104a6504b 100644 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf index 369cc20b1..8c7570013 100644 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -79,7 +79,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ tag:'PCI/6.5.6',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\ diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf index ff5b043a2..20b5fa1ee 100644 --- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -35,7 +35,7 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-disclosure',\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ setvar:'tx.sql_error_match=1'" SecRule TX:sql_error_match "@eq 1" \ @@ -53,7 +53,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \ @@ -79,7 +79,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \ @@ -105,7 +105,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \ @@ -131,7 +131,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \ @@ -157,7 +157,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \ @@ -184,7 +184,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \ @@ -210,7 +210,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \ @@ -236,7 +236,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \ @@ -263,7 +263,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \ @@ -290,7 +290,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" \ @@ -316,7 +316,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \ @@ -342,7 +342,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \ @@ -368,7 +368,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \ @@ -394,7 +394,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \ @@ -420,7 +420,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \ @@ -446,7 +446,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \ diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf index 9499ba86c..5b7b027e6 100644 --- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf index f97932cbb..e223f5eba 100644 --- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmf php-errors.data" \ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -99,7 +99,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ chain" SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \ diff --git a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf index 9539b6bbf..d7317872f 100644 --- a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +++ b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 @@ -34,7 +34,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \ tag:'platform-windows',\ tag:'attack-disclosure',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -57,7 +57,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -85,7 +85,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -111,7 +111,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \ tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.1.0',\ + ver:'OWASP_CRS/3.1.1',\ severity:'ERROR',\ chain" SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \ diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf index 7243931e1..93a20705d 100644 --- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/RESPONSE-980-CORRELATION.conf b/rules/RESPONSE-980-CORRELATION.conf index 44bee64d2..2ea250846 100644 --- a/rules/RESPONSE-980-CORRELATION.conf +++ b/rules/RESPONSE-980-CORRELATION.conf @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example index c4c4d0eb7..bf687d924 100644 --- a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example +++ b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.1.0 -# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved. +# OWASP ModSecurity Core Rule Set ver.3.1.1 +# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved. # # The OWASP ModSecurity Core Rule Set is distributed under # Apache Software License (ASL) version 2 diff --git a/util/regexp-assemble/regexp-942260.data b/util/regexp-assemble/regexp-942260.data index e581550e3..93b87cdb3 100644 --- a/util/regexp-assemble/regexp-942260.data +++ b/util/regexp-assemble/regexp-942260.data @@ -17,6 +17,6 @@ like\s*?[\"'`]\% [\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+ [\"'`]\s*?\*\s*?\w+\W+[\"'`] -[\"'`]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w +[\"'`]\s*?[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w select\s+?[\[\]()\s\w\.,\"'`-]+from\s+ find_in_set\s*?\( diff --git a/util/regexp-assemble/regexp-942490.data b/util/regexp-assemble/regexp-942490.data index 8e17930f9..660895981 100644 --- a/util/regexp-assemble/regexp-942490.data +++ b/util/regexp-assemble/regexp-942490.data @@ -1 +1 @@ -[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d] +[\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d] diff --git a/util/regexp-assemble/regexp-assemble-v2.pl b/util/regexp-assemble/regexp-assemble-v2.pl new file mode 100755 index 000000000..3d903fc67 --- /dev/null +++ b/util/regexp-assemble/regexp-assemble-v2.pl @@ -0,0 +1,29 @@ +#!/usr/bin/env perl +# +# Create one regexp from a set of regexps. +# Regexps can be submitted via standard input, one per line. +# +# Requires Regexp::Assemble Perl module. +# To install: cpan install Regexp::Assemble +# +# See: http://blog.modsecurity.org/2007/06/optimizing-regu.html +# + +use strict; +use Regexp::Assemble; + +my $ra = Regexp::Assemble->new; +while (<>) +{ + # Handle possessive qualifiers + # https://rt.cpan.org/Public/Bug/Display.html?id=50228#txn-672717 + my $arr = $ra->lexstr($_); + for (my $n = 0; $n < $#$arr - 1; ++$n) + { + if ($arr->[$n] =~ /\+$/ and $arr->[$n + 1] eq '+') { + $arr->[$n] .= splice(@$arr, $n + 1, 1); + } + } + $ra->insert(@$arr); +} +print $ra->as_string() . "\n"; diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml index 000f8261a..a5f5df009 100644 --- a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml +++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml @@ -59,7 +59,7 @@ no_log_contains: "id \"920240\"" - - # Test URL Encoding Abuse Attack Attempt/XML from orig modsec regression + # We have a valid percentencoding here test_title: 920240-4 stages: - @@ -87,7 +87,7 @@ - " " - "" output: - log_contains: "id \"920240\"" + no_log_contains: "id \"920240\"" - # test URL Encoding Abuse Attack Attempt from old regression tests test_title: 920240-5 @@ -133,4 +133,4 @@ Content-Type: "application/x-www-form-urlencoded" data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%" output: - log_contains: "id \"920240\"" \ No newline at end of file + log_contains: "id \"920240\"" diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml index da79346f0..ca4ed958f 100644 --- a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml +++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml @@ -75,3 +75,26 @@ version: HTTP/1.1 output: log_contains: id "920440" + - + test_title: 920440-4 + desc: URL file extension is restricted by policy (920440) - GH issue 1296 + stages: + - + stage: + input: + dest_addr: 127.0.0.1 + headers: + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 + Accept-Encoding: gzip,deflate + Accept-Language: en-us,en;q=0.5 + Host: localhost + Keep-Alive: '300' + Proxy-Connection: keep-alive + User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv + method: GET + port: 80 + uri: /foo.bar.sql + version: HTTP/1.1 + output: + log_contains: id "920440" diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml index c1d9373bf..e1ee95d8b 100644 --- a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml +++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml @@ -112,4 +112,18 @@ Content-Type: 'application/json' Content-Length: 0 output: - no_log_contains: "id \"920470\"" \ No newline at end of file + no_log_contains: "id \"920470\"" + - test_title: 920470-9 + stages: + - stage: + input: + dest_addr: 127.0.0.1 + port: 80 + method: POST + headers: + User-Agent: "ModSecurity CRS 3 Tests" + Host: "localhost" + Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013' + Content-Length: 0 + output: + no_log_contains: "id \"920470\"" diff --git a/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml b/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml index 76c48478c..59236a65f 100644 --- a/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml +++ b/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml @@ -5,11 +5,11 @@ enabled: true name: 921110.yaml tests: - - + - test_title: 921110-1 desc: "HTTP Response Splitting" stages: - - + - stage: input: dest_addr: 127.0.0.1 @@ -18,7 +18,24 @@ Cache-Control: "no-cache, no-store, must-revalidate" method: POST port: 80 - data: "var=%0aPOST /" + data: "var=%0aPOST / HTTP/1.0" version: HTTP/1.0 output: log_contains: id "921110" + - + test_title: 921110-2 + desc: "HTTP Response Splitting (is test 921110-5 in v3.2/dev)" + stages: + - + stage: + input: + dest_addr: 127.0.0.1 + headers: + Host: "localhost" + Cache-Control: "no-cache, no-store, must-revalidate" + method: POST + port: 80 + data: "var=aaa%0d%0aGet+foo+bar" + version: HTTP/1.0 + output: + no_log_contains: id "921110"