diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_35_bad_robots.data modsecurity-crs-2.2.0/base_rules/modsecurity_35_bad_robots.data
--- modsecurity-crs-2.1.2/base_rules/modsecurity_35_bad_robots.data 2010-02-05 17:37:07.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_35_bad_robots.data 2011-03-02 19:38:02.000000000 +0000
@@ -4,6 +4,7 @@
prowebwalker
hanzoweb
email
+toata dragostea mea pentru diavola
gameBoy, powered by nintendo
missigua
poe-component-client
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_20_protocol_violations.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_20_protocol_violations.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_20_protocol_violations.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_20_protocol_violations.conf 2011-05-26 18:18:01.000000000 +0000
@@ -1,8 +1,9 @@
# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
@@ -20,6 +21,7 @@
# Validate request line against the format specified in the HTTP RFC
#
# -=[ Rule Logic ]=-
+#
# Uses rule negation against the regex for positive security. The regex specifies the proper
# construction of URI request lines such as:
#
@@ -28,13 +30,31 @@
# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
#
# -=[ References ]=-
+# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
#
SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
- "t:none,t:lowercase,phase:1,rev:'2.1.2',block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+ "phase:1,t:none,t:lowercase,block,msg:'Invalid HTTP Request Line',id:'960911',severity:'4',rev:'2.2.0',logdata:'%{request_line}',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_MATURITY/8',tag:'RULE_ACCURACY/8',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
+
+#
+# Identify Invalid URIs Blocked by Apache
+#
+# -=[ Rule Logic ]=-
+#
+# There are some request violations that Apache will handle internally, prior to the
+# ModSecurity phase:1 POST-READ-REQUEST hook. For these requests, we can still get
+# visibility by running a check in phase:5 logging to look for the Apache error msg.
+#
+# -=[ References ]=-
+# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-981227
+#
+SecRule WEBSERVER_ERROR_LOG "@contains Invalid URI in request" "phase:5,t:none,log,pass,msg:'Apache Error: Invalid URI in Request',id:'981227',rev:'2.2.0',logdata:'%{matched_var}',severity:'4',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1',tag:'RULE_MATURITY/0',tag:'RULE_ACCURACY/9',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:'tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
+
#
# Identify multipart/form-data name evasion attempts
+#
# There are possible impedance mismatches between how
# ModSecurity interprets multipart file names and how
# a destination app server such as PHP might parse the
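Review bot: Rule 981227 on line 58 runs in phase:5 but still increments tx.anomaly_score and tx.protocol_violation_score; if the inbound anomaly-score evaluation runs in an earlier phase, as the CRS blocking rules do, those increments can no longer influence a block decision and only surface in the logged tx variables. The header comment says the rule exists for "visibility", so it should state that explicitly, e.g. `# NOTE: phase:5 runs after inbound anomaly scoring has been evaluated, so the score increments here are informational only.` It would also help to say whether WEBSERVER_ERROR_LOG is populated for every request or only when Apache logged an error, since that decides how often this rule is even evaluated.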
@@ -47,9 +67,69 @@
# either the file or file name variables.
#
# -=[ References ]=-
+# https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
# http://www.ietf.org/rfc/rfc2183.txt
#
-SecRule FILES_NAMES|FILES "['\";=]" "phase:2,id:'960000',rev:'2.1.2',pass,t:none,nolog,auditlog,capture,msg:'Attempted multipart/form-data bypass',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"
+SecRule FILES_NAMES|FILES "['\";=]" "phase:2,t:none,id:'960000',rev:'2.2.0',block,capture,msg:'Attempted multipart/form-data bypass',logdata:'%{matched_var}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{tx.0}"
+
+
+#
+# Verify that we've correctly processed the request body.
+#
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+# -=[ Rule Logic ]=-
+# Checks for the existence of the REQBODY_ERROR variable that is created
+# by the request body processor if it encounters errors.
+#
+# -=[ References ]=-
+# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#REQBODY_ERROR
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+ "phase:2,t:none,block,msg:'Failed to parse request body.',id:'960912',logdata:'%{reqbody_error_msg}',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Strict Multipart Parsing Checks
+#
+# -=[ Rule Logic ]=-
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+# -=[ References ]=-
+# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_STRICT_ERROR
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "phase:2,t:none,block,msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_SEMICOLON_MISSING}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+IH %{MULTIPART_FILE_LIMIT_EXCEEDED}',id:'960914',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
+
+#
+# Multipart Unmatched Boundary Check
+#
+# -=[ Rule Logic ]=-
+# Check for the MULTIPART_UNMATCHED_BOUNDARY flag and alert
+#
+# -=[ References ]=-
+# https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#MULTIPART_UNMATCHED_BOUNDARY
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "phase:2,t:none,block,msg:'Multipart parser detected a possible unmatched boundary.',id:'960915',severity:2,setvar:'tx.msg=%{rule.msg}',setvar:'tx.id=%{rule.id}',tag:'RULE_MATURITY/7',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}"
+
#
# Accept only digits in content length
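Review bot: The msg of rule 960914 uses the label `IH` twice, on line 118 for MULTIPART_INVALID_HEADER_FOLDING and on line 119 for MULTIPART_FILE_LIMIT_EXCEEDED, so an operator reading the alert cannot tell which of the two flags tripped; line 119 should use a distinct label, e.g. `FL %{MULTIPART_FILE_LIMIT_EXCEEDED}',id:'960914',...`. The three new rules 960912, 960914 and 960915 (lines 92, 119 and 132) are also the only rules in this file without a `rev:'2.2.0'` action, and they write `severity:2` where every other rule quotes the value; aligning them with the rest of the file keeps the metadata machine-parseable in the same way.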
@@ -61,7 +141,7 @@
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
#
-SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:1,rev:'2.1.2',t:none,block,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "phase:1,rev:'2.2.0',t:none,block,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'WASCTC/WASC-26',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{matched_var}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
#
# Do not accept GET or HEAD requests with bodies
@@ -78,8 +158,8 @@
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
#
-SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:1,rev:'2.1.2',t:none,block,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3'"
- SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:1,rev:'2.2.0',t:none,block,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3'"
+ SecRule REQUEST_HEADERS:Content-Length "!^0?$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Require Content-Length to be provided with every POST request.
@@ -91,8 +171,8 @@
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
#
-SecRule REQUEST_METHOD "^POST$" "chain,phase:1,rev:'2.1.2',t:none,block,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5'"
- SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_METHOD "^POST$" "chain,phase:1,rev:'2.2.0',t:none,block,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5'"
+ SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Deny inbound compressed content
@@ -107,7 +187,7 @@
# -=[ References ]=-
# http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html
#
-SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" "phase:1,rev:'2.1.2',t:none,block,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.5',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS:Content-Encoding "^Identity$" "phase:1,rev:'2.2.0',t:none,block,msg:'ModSecurity does not support content encodings',id:'960902',severity:'4',setvar:tx.id=%{rule.id},tag:'RULE_MATURITY/9',tag:'RULE_ACCURACY/9',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.5',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/ENCODING_RESTRICTED-%{matched_var_name}=%{matched_var}"
#
# Expect header is an HTTP/1.1 protocol feature
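Review bot: Dropping the `!` on line 169 inverts rule 960902: it now fires only when Content-Encoding is exactly `Identity`, while the message on the same line (`ModSecurity does not support content encodings`) and the section heading `# Deny inbound compressed content` on line 163 still describe the old behaviour, so one of them is stale and the msg propagates into the audit log. If the intent is to flag the identity coding, which RFC 2616 reserves for Accept-Encoding, the msg should say so and the match should be case-insensitive, since the regex with `t:none` misses the lowercase `identity` spelling: `SecRule REQUEST_HEADERS:Content-Encoding "^identity$" "phase:1,rev:'2.2.0',t:none,t:lowercase,block,msg:'Identity content-encoding is not allowed in requests',...`. This rule is also the only one in the hunk that sets tx.id without `setvar:'tx.msg=%{rule.msg}'`, so the anomaly summary will carry no message for it.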
@@ -121,8 +201,8 @@
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
-SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,rev:'2.1.2',t:none,nolog,pass,auditlog,msg:'Expect Header Not Allowed.',severity:'5',id:'960022',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'"
- SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS:Expect "100-continue" "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Expect Header Not Allowed for HTTP 1.0.',severity:'5',id:'960022',tag:'RULE_MATURITY/4',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'"
+ SecRule REQUEST_PROTOCOL "@streq HTTP/1.0" "setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Pragma Header requires a Cache-Control Header
@@ -137,9 +217,9 @@
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
-SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'"
+SecRule &REQUEST_HEADERS:Pragma "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Pragma Header requires Cache-Control Header for HTTP/1.1 requests.',severity:'5',id:'960020',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/'"
SecRule &REQUEST_HEADERS:Cache-Control "@eq 0" "chain"
- SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+ SecRule REQUEST_PROTOCOL "@streq HTTP/1.1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Range Header exists and begins with 0 - normal browsers don't do this.
@@ -151,7 +231,7 @@
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
-SecRule REQUEST_HEADERS:Range "@contains =0-" "phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,msg:'Range: field exists and begins with 0.',severity:'5',id:'958291',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS:Range "@streq bytes=0-" "phase:2,rev:'2.2.0',t:none,block,msg:'Range: field exists and begins with 0.',logdata:'%{matched_var}'severity:'5',id:'958291',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/7',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Broken/Malicous clients often have duplicate or conflicting headers
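Review bot: The action list on line 198 is missing the comma between `logdata:'%{matched_var}'` and `severity:'5'`, so the rule either fails to load or is parsed with a malformed logdata/severity pair depending on how lenient the action parser is; it should read `logdata:'%{matched_var}',severity:'5'`. The operator tightening from `@contains =0-` to `@streq bytes=0-` is a real behaviour change worth a one-line comment above the rule, since the msg `Range: field exists and begins with 0.` still describes the looser check.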
@@ -164,7 +244,7 @@
# -=[ References ]=-
# http://www.bad-behavior.ioerror.us/documentation/how-it-works/
#
-SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
+SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" "phase:2,rev:'2.2.0',t:none,block,msg:'Multiple/Conflicting Connection Header Data Found.',id:'958295',tag:'PROTOCOL_VIOLATION/INVALID_HREQ',tag:'RULE_MATURITY/5',tag:'RULE_ACCURACY/8',tag:'https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-%{tx.id}',tag:'http://www.bad-behavior.ioerror.us/documentation/how-it-works/',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.id=%{rule.id},setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
#
# Check URL encodings
@@ -178,16 +258,17 @@
# http://www.ietf.org/rfc/rfc1738.txt
#
SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
- "chain,phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+ "chain,phase:2,rev:'2.2.0',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950107',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
SecRule REQUEST_URI "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
- "phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'Multiple URL Encoding Detected',id:'950109',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,block,msg:'Multiple URL Encoding Detected',id:'950109',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+
+SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+ "chain,phase:2,rev:'2.2.0',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
+ SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
+ SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
-SecRule REQUEST_HEADERS:Content-Type "^application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
- "chain,phase:2,rev:'2.1.2',t:none,pass,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"
- SecRule REQUEST_BODY "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
- SecRule REQUEST_BODY "@validateUrlEncoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
#
# Check UTF enconding
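Review bot: Rule 950108 on line 221 keeps `pass,nolog,auditlog,status:400` while its siblings 950107 (line 214) and 950109 (line 218) were switched to `block` in this same hunk, and `status:400` has no effect without a disruptive action, so this looks like an oversight rather than a deliberate exception. If the three rules are meant to behave the same, line 221 should become `"chain,phase:2,rev:'2.2.0',t:none,block,msg:'URL Encoding Abuse Attack Attempt',id:'950108',tag:'PROTOCOL_VIOLATION/EVASION',severity:'5'"`; if not, a comment explaining why body encoding abuse is log-only would save the next maintainer the same question. The new `XML:/*` target on lines 222-223 only yields data when the XML body processor is active, which is worth stating in the rule's header comment.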
@@ -198,7 +279,7 @@
# This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
# variable in the modsecurity_crs_10_config.conf file.
#
-SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',severity:'5'"
+SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,block,msg:'UTF8 Encoding Abuse Attack Attempt',id:'950801',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-20',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/EE2',tag:'PCI/6.5.2',severity:'5'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
@@ -213,7 +294,7 @@
# http://www.kb.cert.org/vuls/id/739224
#
SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \
- "t:none,phase:2,rev:'2.1.2',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',tag:'http://www.kb.cert.org/vuls/id/739224',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+ "t:none,phase:2,rev:'2.2.0',block,msg:'Unicode Full/Half Width Abuse Attack Attempt',id:'950116',severity:'5',setvar:'tx.msg=%{rule.msg}',tag:'http://www.kb.cert.org/vuls/id/739224',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
#
# Proxy access attempt
@@ -221,15 +302,15 @@
# included in case Apache proxy is misconfigured.
# NOTE There are some clients (mobile devices) that will send a full URI even when connecting to
# your local application and this rule allows it.
-# NOTE Need to have UseCononicalName On in Apache config to properly set the SERVER_NAME variable.
-# If you have set UseCononicalName, the you can uncomment this rule.
+# NOTE Need to have UseCanonicalName On in Apache config to properly set the SERVER_NAME variable.
+# If you have set UseCanonicalName, the you can uncomment this rule.
#
# -=[ Rule Logic ]=-
# This chained rule first inspects the URI to see if a full domain name is specified.
# If it is, then this data is compared against the Cononical SERVER_NAME. If it does
# not match, then the client is making a request for an off-site location.
#
-#SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,rev:'2.1.2',t:none,block,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',tag:'WASCTC/WASC-14',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10'"
+#SecRule REQUEST_URI_RAW ^\w+:/ "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Proxy access attempt', severity:'2',id:'960014',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS',tag:'WASCTC/WASC-14',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10'"
# SecRule MATCHED_VAR "!@beginsWith http://%{SERVER_NAME}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/PROXY_ACCESS-%{matched_var_name}=%{matched_var}"
#
@@ -249,10 +330,10 @@
#
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
- "phase:2,rev:'2.1.2',block,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',tag:'http://i-technica.com/whitestuff/asciichart.html',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',block,msg:'Invalid character in request',id:'960901',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',tag:'http://i-technica.com/whitestuff/asciichart.html',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',block,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,tag:'http://i-technica.com/whitestuff/asciichart.html'"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',block,msg:'Invalid character in request',id:'960018',tag:'PROTOCOL_VIOLATION/EVASION',tag:'WASCTC/WASC-28',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE3',tag:'PCI/6.5.2',severity:'4',t:none,t:urlDecodeUni,tag:'http://i-technica.com/whitestuff/asciichart.html'"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA \
"@validateByteRange 32-126" \
- "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+ "t:urlDecodeUni,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_21_protocol_anomalies.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_21_protocol_anomalies.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_21_protocol_anomalies.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_21_protocol_anomalies.conf 2011-05-03 19:01:25.000000000 +0000
@@ -1,8 +1,9 @@
# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
@@ -25,9 +26,9 @@
SecMarker BEGIN_HOST_CHECK
SecRule &REQUEST_HEADERS:Host "@eq 0" \
- "skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+ "skipAfter:END_HOST_CHECK,phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:Host "^$" \
- "phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecMarker END_HOST_CHECK
@@ -43,10 +44,10 @@
SecMarker BEGIN_ACCEPT_CHECK
SecRule REQUEST_METHOD "!^OPTIONS$" \
- "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"
+ "skipAfter:END_ACCEPT_CHECK,chain,phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10'"
SecRule &REQUEST_HEADERS:Accept "@eq 0" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_METHOD "!^OPTIONS$" \
- "chain,phase:2,rev:'2.1.2',t:none,block,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
+ "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Request Has an Empty Accept Header', severity:'2',id:'960021',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecMarker END_ACCEPT_CHECK
@@ -62,7 +63,7 @@
SecMarker BEGIN_UA_CHECK
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
- "skipAfter:END_UA_CHECK,phase:2,rev:'2.1.2',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+ "skipAfter:END_UA_CHECK,phase:2,rev:'2.2.0',t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent "^$" \
"t:none,block,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_UA',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
@@ -80,7 +81,7 @@
#
SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
- "chain,phase:2,rev:'2.1.2',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
+ "chain,phase:2,rev:'2.2.0',t:none,block,msg:'Request Containing Content, but Missing Content-Type header',id:'960904',severity:'5'"
SecRule REQUEST_HEADERS:Content-Length "!^0$" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
# Check that the host header is not an IP address
@@ -94,7 +95,7 @@
# http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
#
-SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.1.2',t:none,block,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
+SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.2.0',t:none,block,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}'"
# Log a security event when the request is rejected by apache
#
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_23_request_limits.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_23_request_limits.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_23_request_limits.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_23_request_limits.conf 2011-05-03 19:01:25.000000000 +0000
@@ -1,8 +1,9 @@
# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
@@ -19,29 +20,29 @@
## -- Arguments limits --
# Limit argument name length
-SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.1.2'"
+SecRule &TX:ARG_NAME_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument name too long',id:'960209',severity:'4',rev:'2.2.0'"
SecRule &ARGS_NAMES "@gt %{tx.arg_name_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit value name length
-SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.1.2'"
+SecRule &TX:ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Argument value too long',id:'960208',severity:'4',rev:'2.2.0'"
SecRule &ARGS "@gt %{tx.arg_length}" "t:none,t:length,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Maximum number of arguments in request limited
-SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.1.2'"
+SecRule &TX:MAX_NUM_ARGS "@eq 1" "chain,phase:2,t:none,block,msg:'Too many arguments in request',id:'960335',severity:'4',rev:'2.2.0'"
SecRule &ARGS "@gt %{tx.max_num_args}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Limit arguments total length
-SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.1.2'"
+SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" "chain,phase:2,t:none,block,msg:'Total arguments size exceeded',id:'960341',severity:'4',rev:'2.2.0'"
SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
## -- File upload limits --
# Individual file size is limited
-SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.1.2'"
+SecRule &TX:MAX_FILE_SIZE "@eq 1" "chain,phase:2,t:none,block,msg:'Uploaded file size too large',id:'960342',severity:'4',rev:'2.2.0'"
SecRule FILES_SIZES "@gt %{tx.max_file_size}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
# Combined file size is limited
-SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.1.2'"
+SecRule &TX:COMBINED_FILE_SIZES "@eq 1" "chain,phase:2,t:none,block,msg:'Total uploaded files size too large',id:'960343',severity:'4',rev:'2.2.0'"
SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_30_http_policy.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_30_http_policy.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_30_http_policy.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_30_http_policy.conf 2011-05-03 19:01:25.000000000 +0000
@@ -1,8 +1,9 @@
# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_35_bad_robots.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_35_bad_robots.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_35_bad_robots.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_35_bad_robots.conf 2011-05-03 19:01:25.000000000 +0000
@@ -1,8 +1,9 @@
# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
@@ -16,14 +17,14 @@
# site.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \
- "phase:2,rev:'2.1.2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
- "phase:2,rev:'2.1.2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_FILENAME "^/nessustest" \
- "phase:2,rev:'2.1.2',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}"
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_bad_robots.data" \
- "phase:2,rev:'2.1.2',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+ "phase:2,rev:'2.2.0',t:none,block,msg:'Rogue web site crawler',id:'990012',tag:'AUTOMATION/MALICIOUS',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',capture,logdata:'%{TX.0}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
SecMarker END_ROBOT_CHECK
diff -Nru modsecurity-crs-2.1.2/base_rules/modsecurity_crs_40_generic_attacks.conf modsecurity-crs-2.2.0/base_rules/modsecurity_crs_40_generic_attacks.conf
--- modsecurity-crs-2.1.2/base_rules/modsecurity_crs_40_generic_attacks.conf 2011-01-27 16:35:58.000000000 +0000
+++ modsecurity-crs-2.2.0/base_rules/modsecurity_crs_40_generic_attacks.conf 2011-05-26 18:18:01.000000000 +0000
@@ -1,8 +1,9 @@
# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.1.2
+# Core ModSecurity Rule Set ver.2.2.0
# Copyright (C) 2006-2011 Trustwave All rights reserved.
#
-# The OWASP ModSecurity Core Rule Set is distributed under GPL version 2
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
@@ -21,9 +22,9 @@
# http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
- "phase:2,rev:'2.1.2',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
+ "phase:2,rev:'2.2.0',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'959907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
"(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
"t:none,t:urlDecodeUni,t:normalisePath,t:lowercase,capture,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0}"
@@ -40,9 +41,9 @@
# http://www.adobe.com/devnet/security/security_zone/asb99-10.html
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
- "phase:2,rev:'2.1.2',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
+ "phase:2,rev:'2.2.0',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'Session Fixation',id:'950009',tag:'WEB_ATTACK/SESSION_FIXATION',tag:'WASCTC/WASC-37',tag:'OWASP_TOP_10/A3',tag:'PCI/6.5.7',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_CF_INJECTION"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,ctl:auditLogParts=+E,block,msg:'Injection of Undocumented ColdFusion Tags',id:'950008',tag:'WEB_ATTACK/CF_INJECTION',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "\bcf(?:usion_(?:d(?:bconnections_flush|ecrypt)|set(?:tings_refresh|odbcini)|getodbc(?:dsn|ini)|verifymail|encrypt)|_(?:(?:iscoldfusiondatasourc|getdatasourceusernam)e|setdatasource(?:password|username))|newinternal(?:adminsecurit|registr)y|admin_registry_(?:delete|set)|internaldebug|execute)\b" \
"capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.cf_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CF_INJECTION-%{matched_var_name}=%{tx.0}"
@@ -58,9 +59,9 @@
# http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
- "phase:2,rev:'2.1.2',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
+ "phase:2,rev:'2.2.0',capture,t:none,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,block,msg:'LDAP Injection Attack',id:'950010',tag:'WEB_ATTACK/LDAP_INJECTION',tag:'WASCTC/WASC-29',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_LDAP_INJECTION"
-SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.1.2',t:none,id:'950912',severity:'4',msg:'LDAP Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/LDAP_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,rev:'2.2.0',t:none,id:'950912',severity:'4',msg:'LDAP Injection Attack',logdata:'%{TX.0}',tag:WEB_ATTACK/LDAP_INJECTION,ctl:auditLogParts=+E,pass,nolog,auditlog"
SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|TX:HPP_DATA "(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])" \
"capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.ldap_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/LDAP_INJECTION-%{matched_var_name}=%{tx.0}"
@@ -76,9 +77,9 @@
# http://projects.webappsec.org/SSI-Injection
#
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* ")|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common comment types',id:'9000035',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:--[^\n]*$)|(?:\)|(?:[^*]\/\*|\*\/[^*])|(?:(?:[\W\d]#|--|{)$)|(?:\/{3,}.*$)|(?:)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:%c0%ae\/)|(?:(?:\/|\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\))|(?:(?:\/|\\\\)inetpub|localstart\.asp|boot\.ini)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects specific directory and path traversal',id:'9000011',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%c0%ae\/)|(?:(?:\/|\\\\\\\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\\\\\\\))|(?:(?:\/|\\\\\\\\)inetpub|localstart\.asp|boot\.ini)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 1/2',id:'9000048',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\d+\s*or\s*\d+\s*[\-+])|(?:\/\w+;?\s+(?:having|and|or|select))|(?:\d\s+group\s+by.+\()|(?:(?:;|#|--)\s*(?:drop|alter))|(?:(?:;|#|--)\s*(?:update|insert)\s*\w{2,})|(?:[^\w]SET\s*@\w+)|(?:(?:n?and|x?or|not |\|\||\&\&)[\s(]+\w+[\s)]*[!=+]+[\s\d]*[\"=()])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic XSS DoS attempts',id:'9000065',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/DOS'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(^|\W)const\s+[\w\-]+\s*=)|(?:(?:do|for|while)\s*\([^;]+;+\))|(?:(?:^|\W)on\w+\s*=[\w\W]*(?:on\w+|alert|eval|print|confirm|prompt))|(?:groups=\d+\(\w+\))|(?:(.)\1{128,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/DOS-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects bindings and behavior injections',id:'9000029',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:binding\s?=|moz-binding|behavior\s?=)|(?:[\s\/]style\s*=\s*[-\\\\\\\\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects SQL benchmark and sleep injection attempts including conditional queries',id:'9000050',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(select|;)\s+(?:benchmark|if|sleep)\s*?\(\s*\(?\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:[01fe][\db-ce-f])|(?:\\\\[01fe][\db-ce-f])|(?:[01fe][\db-ce-f])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects nullbytes and other dangerous characters',id:'9000039',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/XSS'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\x[01fe][\db-ce-f])|(?:%[01fe][\db-ce-f])|(?:[01fe][\db-ce-f])|(?:\\\\\\\\[01fe][\db-ce-f])|(?:[01fe][\db-ce-f])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects perl echo shellcode injection and LDAP vectors',id:'9000064',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.pl\?\w+=\w?\|\w+;)|(?:\|\(\w+=\*)|(?:\*\s*\)+\s*;)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 1/3',id:'9000058',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:@[\w-]+\s*\()|(?:]\s*\(\s*[\"!]\s*\w)|(?:<[?%](?:php)?.*(?:[?%]>)?)|(?:;[\s\w|]*\$\w+\s*=)|(?:\$\w+\s*=(?:(?:\s*\$?\w+\s*[(;])|\s*\".*\"))|(?:;\s*\{\W*\w+\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects conditional SQL injection attempts',id:'9000041',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s()]case\s*\()|(?:\)\s*like\s*\()|(?:having\s*[^\s]+\s*[^\w\s])|(?:if\s?\([\d\w]\s*[=<>~])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:etc\/\W*passwd)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects etc/passwd inclusion attempts',id:'9000012',tag:'WEB_ATTACK/DT',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:etc\/\W*passwd)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/DT-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript DOM/miscellaneous properties and methods',id:'9000015',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:create(?:element|attribute|textnode)|[a-z]+events?|setattribute|getelement\w+|appendchild|createrange|createcontextualfragment|removenode|parentnode|decodeuricomponent|\wettimeout|option|useragent)(?(1)[^\w%\"]|(?:\s*[^@\s\w%\",.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL charset switch and MSSQL DoS attempts',id:'9000052',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:alter\s*\w+.*character\s+set\s+\w+)|(\";\s*waitfor\s+time\s+\")|(?:\";.*:\s*goto)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 3/3',id:'9000060',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*[^\w](?:echo|print|print_r|var_dump|[fp]open))|(?:;\s*rm\s+-\w+\s+)|(?:;.*{.*\$\w+\s*=)|(?:\$\w+\s*\[\]\s*=\s*)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'9000056',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:merge.*using\s*\()|(execute\s*immediate\s*\")|(?:\W+\d*\s*having\s*[^\s])|(?:match\s*[\w(),+-]+\s*against\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'9000045',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w+\s+like\s+\")|(?:like\s*\"\%)|(?:\"\s*like\W*[\"\d])|(?:\"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:\"\s*\*\s*\w+\W+\")|(?:\"\s*[^?\w\s=.,;)(]+\s*[(@\"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript string properties and methods',id:'9000019',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?\-\|])(\s*return\s*)?(?:set|atob|btoa|charat|charcodeat|charset|concat|crypto|frames|fromcharcode|indexof|lastindexof|match|navigator|toolbar|menubar|replace|regexp|slice|split|substr|substring|escape|\w+codeuri\w*)(?(1)[^\w%\"]|(?:\s*[^@\s\w%,.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common function declarations and special JS operators',id:'9000062',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:function[^(]*\([^)]*\))|(?:(?:delete|void|throw|instanceof|new|typeof)[^\w.]+\w+\s*[([])|([)\]]\s*\.\s*\w+\s*=)|(?:\(\s*new\s+\w+\s*\)\.)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects Postgres pg_sleep injection, waitfor delay attacks and database shutdown attempts',id:'9000054',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:select\s*pg_sleep)|(?:waitfor\s*delay\s?\"+\s?\d)|(?:;\s*shutdown\s*(?:;|--|#|\/\*|{))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects unknown attack vectors based on PHPIDS Centrifuge detection',id:'9000067',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\({2,}\+{2,}:{2,})|(?:\({2,}\+{2,}:+)|(?:\({3,}\++:{2,})|(?:\$\[!!!\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic MongoDB SQL injection attempts',id:'9000070',tag:'WEB_ATTACK/SQLI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\[\$(?:ne|eq|lte?|gte?|n?in|mod|all|size|exists|type|slice|or)\])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:[\s\/\"]+[-\w\/\\\\\*]+\s*=.+(?:\/\s*>))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including obfuscated attributes',id:'9000068',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\s\/\"]+[-\w\/\\\\\\\\\*]+\s*=.+(?:\/\s*>))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds attribute breaking injections including whitespace attacks',id:'900002',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"+.*[<=]\s*\"[^\"]+\")|(?:\"\w+\s*=)|(?:>\w=\/)|(?:#.+\)[\"\s]*>)|(?:\"\s*(?:src|style|on\w+)\s*=\s*\")|(?:[^\"]?\"[,;\s]+\w*[\[\(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "([^*:\s\w,.\/?+-]\s*)?(?])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'9000017',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "([^*:\s\w,.\/?+-]\s*)?(?])(\s*return\s*)?(?:hash|name|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|top|this|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%.+\-]))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds html breaking injections including whitespace attacks',id:'900001',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"[^\"]*[^-]?>)|(?:[^\w\s]\s*\/>)|(?:>\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects common XSS concatenation patterns 1/2',id:'9000030',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*\w+\s*\+\s*\")|(?:\+=\s*\(\s\")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:\"\s*\+\s*\")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:\"\s*[&|]+\s*\")|(?:\/\s*\?\s*\")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects obfuscated JavaScript script injections',id:'9000025',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*[$\w]\s*[\(\[])|(?:\(\s*(?:this|top|window|self|parent|_?content)\s*\))|(?:src\s*=s*(?:\w+:|\/\/))|(?:\w+\[(\"\w+\"|\w+\|\|))|(?:[\d\W]\|\|[\d\W]|\W=\w+,)|(?:\/\s*\+\s*[a-z\"])|(?:=\s*\$[^([]*\()|(?:=\s*\(\s*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%u\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects IE firefoxurl injections, cache poisoning attempts and local file inclusion/execution',id:'9000028',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:firefoxurl:\w+\|)|(?:(?:file|res|telnet|nntp|news|mailto|chrome)\s*:\s*[\%u\/]+)|(wyciwyg|firefoxurl\s*:\s*\/\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL comments, conditions and ch(a)r injections',id:'9000040',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\)\s*when\s*\d+\s*then)|(?:\"\s*(?:#|--|{))|(?:\/\*!\s?\d+)|(?:ch(?:a)?r\s*\(\s*\d)|(?:(?:(n?and|x?or|not)\s+|\|\||\&\&)\s*\w+\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects possible includes, VBSCript/JScript encodeed and packed functions',id:'9000014',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:#@~\^\w+)|(?:\w+script:|@import[^\w]|;base64|base64,)|(?:\w+\s*\([\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+,[\w\s]+\))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds basic VBScript injection attempts',id:'9000069',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:msgbox|eval)\s*\+|(?:language\s*=\*vbscript))" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects code injection attempts 2/3',id:'9000059',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:(?:[;]+|(<[?%](?:php)?)).*(?:define|eval|file_get_contents|include|require|require_once|set|shell_exec|phpinfo|system|passthru|preg_\w+|execute)\s*[\"(@])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects chained SQL injection attempts 2/2',id:'9000049',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s+and\s*=\W)|(?:\(\s*select\s*\w+\s*\()|(?:\*\/from)|(?:\+\s*\d+\s*\+\s*@)|(?:\w\"\s*(?:[-+=|@]+\s*)+[\d(])|(?:coalesce\s*\(|@@\w+\s*[^\w\s])|(?:\W!+\"\w)|(?:\";\s*(?:if|while|begin))|(?:\"[\s\d]+=\s*\d)|(?:order\s+by\s+if\w*\s*\()|(?:[\s(]+case\d*\W.+[tw]hen[\s(])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic obfuscated JavaScript script injections',id:'9000024',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\".]script\s*\()|(?:\$\$?\s*\(\s*[\w\"])|(?:\/[\w\s]+\/\.)|(?:=\s*\/\w+\/\s*\.)|(?:(?:this|window|top|parent|frames|self|content)\[\s*[(,\"]*\s*[\w\$])|(?:,\s*new\s+\w+\s*[,;)])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL and PostgreSQL stored procedure/function injections',id:'9000053',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:procedure\s+analyse\s*\()|(?:;\s*(declare|open)\s+[\w-]+)|(?:create\s+(procedure|function)\s*\w+\s*\(\s*\)\s*-)|(?:declare[^\w]+[@#]\s*\w+)|(exec\s*\(\s*@)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects advanced XSS probings via Script(), RexExp, constructors and XML namespaces',id:'9000022',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/RFE'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:=\s*(?:top|this|window|content|self|frames|_content))|(?:\/\s*\w*\s*[)}])|(?:[^\s]\s*=\s*script)|(?:\.\s*constructor)|(?:default\s+xml\s+namespace\s*=)|(?:\/\s*\+[^+]+\s*\+\s*\/)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/RFE-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\"\s*or\s*\d)|(?:\\\\x(?:23|27|3d))|(?:^.?\"$)|(?:^.*\\\\\".+(?^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects basic SQL authentication bypass attempts 3/3',id:'9000046',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:in\s*\(+\s*select)|(?:(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w+]+(?:regexp\s*\(|sounds\s+like\s*\"|[=\d]+x))|(\"\s*\d\s*(?:--|#))|(?:\"[\%&<>^=]+\d\s*(=|or))|(?:\"\W+[\w+-]+\s*=\s*\d\W+\")|(?:\"\s*is\s*\d.+\"?\w)|(?:\"\|?[\w-]{3,}[^\w\s.,]+\")|(?:\"\s*is\s*[\d.]+\s*\W.*\")" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+7,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects JavaScript location/document property access and window access obfuscation',id:'9000023',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\.\s*\w+\W*=)|(?:\W\s*(?:location|document)\s*\W[^({[;]+[({[;])|(?:\(\w+\?[:\w]+\))|(?:\w{2,}\s*=\s*\d+[^&\w]\w+)|(?:\]\s*\(\s*\w+)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects halfwidth/fullwidth encoded unicode HTML breaking attempts',id:'9000013',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:%u(?:ff|00|e\d)\w\w)|(?:(?:%(?:e\w|c[^3\W]|))(?:%\w\w)(?:%\w\w)?)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+3,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects self contained xss via with(), common loops and regex to string conversion',id:'900006',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:with\s*\(\s*.+\s*\)\s*\w+\s*\()|(?:(?:do|while|for)\s*\([^)]*\)\s*\{)|(?:\/[\w\s]*\[\W*\w)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:^>[\w\s]*<\/?\w{2,}>)" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'finds unquoted attribute breaking injections',id:'900003',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:^>[\w\s]*<\/?\w{2,}>)" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\\\\u00[a-f0-9]{2})|(?:\\\\x0*[a-f0-9]{2})|(?:\\\\\d{2,3})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects the IE octal, hex and unicode entities',id:'900009',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\\\\\\\\u00[a-f0-9]{2})|(?:\\\\\\\\x0*[a-f0-9]{2})|(?:\\\\\\\\\d{2,3})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+2,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects MySQL UDF injection and other data/structure manipulation attempts',id:'9000051',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:create\s+function\s+\w+\s+returns)|(?:;\s*(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s*[\[(]?\w{2,})" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects concatenated basic SQL injection and SQLLFI attempts',id:'9000047',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[\d\W]\s+as\s*[\"\w]+\s*from)|(?:^[\W\d]+\s*(?:union|select|create|rename|truncate|load|alter|delete|update|insert|desc))|(?:(?:select|create|rename|truncate|load|alter|delete|update|insert|desc)\s+(?:concat|char|load_file)\s?\(?)|(?:end\s*\);)|(\"\s+regexp\W)|(?:[\s(]load_file\s*\()" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\/\w*\s*\)\s*\()|(?:\(.*\/.+\/\w*\s*\))|(?:\([\w\s]+\([\w\s]+\)[\w\s]+\))|(?:(?]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects url-, name-, JSON, and referrer-contained payload attacks',id:'900004',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:[+\/]\s*name[\W\d]*[)+])|(?:;\W*url\s*=)|(?:[^\w\s\/?:>]\s*(?:location|referrer|name)\s*[^\/\w\s-])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+5,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects attributes in closing tags and conditional compilation tokens',id:'9000034',tag:'WEB_ATTACK/XSS',tag:'WEB_ATTACK/CSRF'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\<\/\w+\s\w+)|(?:@(?:cc_on|set)[\s@,\"=])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+4,setvar:'tx.%{tx.msg}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/CSRF-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\%+-][\w-]+[^\w\s]+\"[^,])" "phase:2,capture,t:none,t:lowercase,pass,skip:1,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:PARANOID_MODE "@eq 1" "chain,phase:2,t:none,logdata:'%{TX.0}',severity:'2',pass,nolog,auditlog,msg:'Detects classic SQL injection probings 2/2',id:'9000043',tag:'WEB_ATTACK/SQLI',tag:'WEB_ATTACK/ID',tag:'WEB_ATTACK/LFI'"
+ SecRule ARGS|REQUEST_BODY|REQUEST_URI_RAW "(?:\"\s*\*.+(?:or|id)\W*\"\d)|(?:\^\")|(?:^[\w\s\"-]+(?<=and\s)(?<=or\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:\"[\s\d]*[^\w\s]+\W*\d\W*.*[\"\d])|(?:\"\s*[^\w\s?]+\s*[^\w\s]+\s*\")|(?:\"\s*[^\w\s]+\s*[\W\d].*(?:#|--))|(?:\".*\*\s*\d)|(?:\"\s*or\s[\w-]+.*\d)|(?:[()*<>%+-][\w-]+[^\w\s]+\"[^,])" "capture,multiMatch,t:none,t:urlDecodeUni,t:cssDecode,t:jsDecode,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.anomaly_score=+6,setvar:'tx.%{tx.msg}-WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/ID-%{matched_var_name}=%{tx.0}',setvar:'tx.%{tx.msg}-WEB_ATTACK/LFI-%{matched_var_name}=%{tx.0}'"
+
+SecRule TX:'/_normalized/' "(?:\W\s*hash\s*[^\w\s-])|(?:\w+=\W*[^,]*,[^\s(]\s*\()|(?:\?\"[^\s\"]\":)|(?:(?" "phase:2,id:'981146',t:none,nolog,pass,nolog,setvar:tx.restricted_char_payload=%{matched_var}"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ~" "phase:2,id:'981147',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains `" "phase:2,id:'981148',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains !" "phase:2,id:'981149',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains @" "phase:2,id:'981150',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains #" "phase:2,id:'981151',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains $" "phase:2,id:'981152',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains %" "phase:2,id:'981153',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ^" "phase:2,id:'981154',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains &" "phase:2,id:'981155',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains *" "phase:2,id:'981156',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains (" "phase:2,id:'981157',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains )" "phase:2,id:'981158',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains -" "phase:2,id:'981159',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains +" "phase:2,id:'981160',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains =" "phase:2,id:'981161',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains {" "phase:2,id:'981162',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains }" "phase:2,id:'981163',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains [" "phase:2,id:'981164',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ]" "phase:2,id:'981165',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains |" "phase:2,id:'981166',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains :" "phase:2,id:'981167',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains ;" "phase:2,id:'981168',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains \"" "phase:2,id:'981169',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains '" "phase:2,id:'981170',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains <" "phase:2,id:'981171',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_PAYLOAD "@contains >" "phase:2,id:'981172',t:none,pass,nolog,setvar:tx.restricted_char_count=+1"
+SecRule TX:RESTRICTED_CHAR_COUNT "@ge 5" "phase:2,t:none,block,nolog,auditlog,id:'960023',rev:'2.2.0',msg:'Restricted Character Anomaly Detection Alert - Total # of special characters exceeded',logdata:'%{matched_var}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"
+
+#
+# This rule attempts to identify when multiple (3 or more) speciail, non-word characters are repeated
+#
+SecRule ARGS "\W{4,}" "phase:2,capture,t:none,block,nolog,auditlog,id:'960024',rev:'2.2.0',msg:'Restricted Character Anomaly Detection Alert - Repetative Non-Word Characters',logdata:'%{tx.0}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"
+
diff -Nru modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf
--- modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_55_response_profiling.conf 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,27 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+SecRuleScript profile_page_scripts.lua "phase:4,id:'981187',t:none,nolog,pass"
+
+SecRule &RESOURCE:'/(niframes|nscripts|nlinks|nimages)/' "@eq 0" "skipAfter:END_PAGE_PROFILE,phase:4,id:'981188',t:none,nolog,pass,setvar:resource.niframes=%{tx.niframes},setvar:resource.nscripts=%{tx.nscripts},setvar:resource.nlinks=%{tx.nlinks},setvar:resource.nimages=%{tx.nimages}"
+
+SecRule TX:NIFRAMES "@eq %{resource.niframes}" "phase:4,id:'981189',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+SecRule TX:NSCRIPTS "@eq %{resource.nscripts}" "phase:4,id:'981190',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+SecRule TX:NLINKS "@eq %{resource.nlinks}" "phase:4,id:'981191',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+SecRule TX:NIMAGES "@eq %{resource.nimages}" "phase:4,id:'981192',t:none,nolog,pass,setvar:resource.profile_confidence_counter=+1"
+
+SecRule RESOURCE:PROFILE_CONFIDENCE_COUNTER "@lt 40" "phase:4,id:'981193',t:none,nolog,pass,skipAfter:END_PAGE_PROFILE"
+
+SecRule TX:NIFRAMES "!@eq %{resource.niframes}" "phase:4,id:'981194',t:none,block,msg:'Number of IFrames in Page Have Changed.',logdata:'Previous #: %{resource.niframes} and Current #: %{tx.niframes}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+SecRule TX:NSCRIPTS "!@eq %{resource.nscripts}" "phase:4,id:'981195',t:none,block,msg:'Number of Scripts in Page Have Changed.',logdata:'Previous #: %{resource.nscripts} and Current #: %{tx.nscripts}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+SecRule TX:NLINKS "!@eq %{resource.nlinks}" "phase:4,id:'981196',t:none,block,msg:'Number of Links in Page Have Changed.',logdata:'Previous #: %{resource.nlinks} and Current #: %{tx.nlinks}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+SecRule TX:NIMAGES "!@eq %{resource.nimages}" "phase:4,id:'981197',t:none,block,msg:'Number of Images in Page Have Changed.',logdata:'Previous #: %{resource.nimages} and Current #: %{tx.nimages}',severity:'3',setvar:'tx.msg=%{rule.msg}',setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},setvar:tx.anomaly_score=+{tx.error_anomaly_score},setvar:tx.%{rule.id}-PROFILE/ANOMALY-%{matched_var_name}=%{tx.0}"
+
+SecMarker END_PAGE_PROFILE
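Review bot: The four change-detection rules (981194–981197) each carry `setvar:tx.anomaly_score=+{tx.error_anomaly_score}`, which is missing the `%` macro sigil, so the inbound anomaly score is not incremented by the configured error score; the outbound setvar on the same lines already has the correct `setvar:tx.anomaly_score=+%{tx.error_anomaly_score}` form. Those same rules also write `%{tx.0}` into the per-rule `tx.%{rule.id}-PROFILE/ANOMALY-...` variable, but none of them use the `capture` action, so that value is presumably empty and `%{matched_var}` looks like what was intended. A short header comment explaining that 981187 runs profile_page_scripts.lua to count iframes/scripts/links/images, that a RESOURCE profile is learned over 40 confidence hits (981189–981193) before deviations are blocked, would also help, since the file currently has no description at all.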
diff -Nru modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf
--- modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_56_pvs_checks.conf 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,13 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+SecRule &RESOURCE:OSVDB_CHECK "@eq 0" "chain,phase:5,id:'981198',t:none,nolog,pass"
+ SecRule RESPONSE_STATUS "@streq 200" "exec:/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua"
+SecRule TX:OSVDB_MSG "!^$" "phase:5,id:'981199',t:none,log,pass,msg:'Passive Vulnerabilty Check with OSVDB - %{matched_var}'"
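Review bot: The `exec` action in the chained rule (981198) hard-codes `/usr/local/apache/conf/modsec_current/base_rules/osvdb.lua`, a layout that differs from the `conf/crs/lua/` path used by the sibling 61_ip_forensics file, and unlike that file there is no comment telling the operator to adjust it; a header such as `# Passive vulnerability check via OSVDB lookup on 200 responses - update the exec path below to point to your local osvdb.lua` would make the dependency visible. The gate `&RESOURCE:OSVDB_CHECK "@eq 0"` is never set by any rule in this file, so presumably the Lua script sets it; if it does not, the lookup runs on every 200 response, which is worth stating in that comment. The `msg` on rule 981199 also misspells `Vulnerabilty`; it should read `Passive Vulnerability Check with OSVDB - %{matched_var}`.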
diff -Nru modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf
--- modsecurity-crs-2.1.2/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/experimental_rules/modsecurity_crs_61_ip_forensics.conf 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,41 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.0
+# Copyright (C) 2006-2011 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Gather IP/Host Data for Audit Logging
+#
+# - http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
+#
+
+#
+# Execute the IP Lookup/Whois Check when anomaly scores are not 0
+#
+# You must update the local path for the exec action to point to the lua script.
+#
+SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,nolog,id:'960004',exec:/usr/local/apache/conf/crs/lua/gather_ip_data.lua"
+SecRule TX:HOSTNAME ".*" "phase:5,t:none,pass,log,id;'960005',msg:'Client Nslookup/WHOIS Abuse Info.',logdata:'Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',setvar:'ip.hostname=Hostname: %{tx.hostname} and WHOIS Abuse Contact: %{tx.abuse_contact}',expirevar:ip.hostname=86400,skip:1"
+SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,t:none,pass,log,id:'960006',msg:'Client Nslookup/WHOIS Abust Info.',logdata:'%{ip.hostname}'"
+
+
+#
+# Download the GeoIP DB from MaxMind
+#
+# GeoLite City - http://www.maxmind.com/app/geolitecity
+# GeoLite Country - http://www.maxmind.com/app/geoip_country
+#
+# Define the proper path to the GeoIP DB
+SecGeoLookupDb /usr/local/apache/conf/modsec_current/base_rules/GeoLiteCity.dat
+
+#
+# Check the Transactional Anomaly Score - if it is not 0 then record the GeoIP data
+# for the client in the audit log.
+#
+SecRule TX:ANOMALY_SCORE "@gt 0" "chain,phase:5,pass,t:none,log,id:'960007',severity:'5',msg:'Logging GeoIP Data due to anomaly score.',logdata:'Country Code=%{geo.country_code}, Country Code3=%{geo.country_code3}, Country Name=%{geo.country_name}, Country Continent=%{geo.country_continent}, City=%{geo.city}'"
+ SecRule REMOTE_ADDR "@geoLookup"
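Review bot: Rule 960005 is written as `id;'960005'` with a semicolon in place of the colon, so ModSecurity will not parse it as an `id` action and the configuration fails to load; it should read `id:'960005'`. Rule 960004 runs the nslookup/WHOIS script whenever the anomaly score is non-zero without first testing `&IP:HOSTNAME "@eq 0"`, so the 86400-second `ip.hostname` cache set by 960005 only avoids repeated lookups if gather_ip_data.lua checks it itself; if it does not, gating 960004 on that condition is the cheap fix. The `msg` of 960006 has `Abust` for `Abuse`, and the GeoIP DB path (`modsec_current/base_rules/GeoLiteCity.dat`) uses a different directory layout than the Lua path in 960004 (`conf/crs/lua/`), so the "You must update the local path" comment should cover both and the file should settle on one layout.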
diff -Nru modsecurity-crs-2.1.2/trunk/INSTALL modsecurity-crs-2.2.0/trunk/INSTALL
--- modsecurity-crs-2.1.2/trunk/INSTALL 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/INSTALL 2011-05-26 18:18:01.000000000 +0000
@@ -0,0 +1,93 @@
+Core Rule Set Quick Setup
+=========================
+
+To activate the rules for your web server installation:
+
+ 1) Copy the modsecurity_crs_10_config.conf.example file to modsecurity_crs_10_config.conf
+ and customize the settings for your local environment.
+
+ The modsecurity_crs_10_config.conf file includes management rules and directives
+ that can control important CRS functions. Pay attention to
+ the SecRuleEngine setting (On by default) and that the SecDefaultAction
+ directive is set to "pass". The 49 inbound blocking and 59 outbound blocking
+ rules files use the "block" action which
+ inherits this setting. The effectively means that you can toggle the
+ SecDefaultAction setting to decide if you would like to deny on an
+ anomaly scoring/correlation match.
+
+ Update the PARANOID_MODE variable setting if you want to become more
+ aggressive in your detection. Caution - this will cause more false positives.
+
+ Should also update the appropriate anomaly scoring levels that will be propagated
+ to the inbound/outbound blocking files.
+
+ Update the TX policy settings for allowed Request Methods, File Extensions, etc...
+
+ 2) Enable the CRS rules files you want to use by creating symlinks under the
+ "activated_rules" directory location. You will want to create symlinks for the
+ following:
+
+ 1) The main modsecurity_crs_10_config.conf file
+ 2) Any rules from the base_rules directory
+ 3) Any remaining rules from the optional_rules, slr_rules or experimental_rules directories.
+
+ $ pwd
+ /usr/local/apache/conf/crs
+ $ ls
+ CHANGELOG app_sensor modsecurity_crs_10_config.conf slr_rules
+ LICENSE base_rules modsecurity_crs_10_config.conf.example util
+ README experimental_rules modsecurity_crs_15_customrules.conf
+ activated_rules lua optional_rules
+ $ sudo ln -s /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf activated_rules/modsecurity_crs_10_config.conf
+ $ for f in `ls base_rules/` ; do sudo ln -s /usr/local/apache/conf/crs/base_rules/$f activated_rules/$f ; done
+ $ for f in `ls optional_rules/ | grep comment_spam` ; do sudo ln -s /usr/local/apache/conf/crs/optional_rules/$f activated_rules/$f ; done
+ $ ls -l activated_rules
+ total 216
+ lrwxr-xr-x 1 root wheel 52 May 17 14:01 GsbMalware.dat -> /usr/local/apache/conf/crs/base_rules/GsbMalware.dat
+ lrwxr-xr-x 1 root wheel 68 May 17 14:01 modsecurity_35_bad_robots.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_bad_robots.data
+ lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_35_scanners.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_35_scanners.data
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_40_generic_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_40_generic_attacks.data
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_41_sql_injection_attacks.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_41_sql_injection_attacks.data
+ lrwxr-xr-x 1 root wheel 74 May 17 14:14 modsecurity_42_comment_spam.data -> /usr/local/apache/conf/crs/optional_rules/modsecurity_42_comment_spam.data
+ lrwxr-xr-x 1 root wheel 66 May 17 14:01 modsecurity_50_outbound.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound.data
+ lrwxr-xr-x 1 root wheel 74 May 17 14:01 modsecurity_50_outbound_malware.data -> /usr/local/apache/conf/crs/base_rules/modsecurity_50_outbound_malware.data
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_14_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_14_customrules.conf
+ lrwxr-xr-x 1 root wheel 57 May 17 14:22 modsecurity_crs_10_config.conf -> /usr/local/apache/conf/crs/modsecurity_crs_10_config.conf
+ lrwxr-xr-x 1 root wheel 81 May 17 14:01 modsecurity_crs_20_protocol_violations.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
+ lrwxr-xr-x 1 root wheel 80 May 17 14:01 modsecurity_crs_21_protocol_anomalies.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
+ lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_23_request_limits.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_23_request_limits.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_30_http_policy.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_30_http_policy.conf
+ lrwxr-xr-x 1 root wheel 72 May 17 14:01 modsecurity_crs_35_bad_robots.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_35_bad_robots.conf
+ lrwxr-xr-x 1 root wheel 77 May 17 14:01 modsecurity_crs_40_generic_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
+ lrwxr-xr-x 1 root wheel 83 May 17 14:01 modsecurity_crs_41_sql_injection_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_41_xss_attacks.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
+ lrwxr-xr-x 1 root wheel 78 May 17 14:14 modsecurity_crs_42_comment_spam.conf -> /usr/local/apache/conf/crs/optional_rules/modsecurity_crs_42_comment_spam.conf
+ lrwxr-xr-x 1 root wheel 76 May 17 14:01 modsecurity_crs_42_tight_security.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_42_tight_security.conf
+ lrwxr-xr-x 1 root wheel 69 May 17 14:01 modsecurity_crs_45_trojans.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_45_trojans.conf
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_47_common_exceptions.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
+ lrwxr-xr-x 1 root wheel 86 May 17 14:01 modsecurity_crs_48_local_exceptions.conf.example -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
+ lrwxr-xr-x 1 root wheel 78 May 17 14:01 modsecurity_crs_49_inbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
+ lrwxr-xr-x 1 root wheel 70 May 17 14:01 modsecurity_crs_50_outbound.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_50_outbound.conf
+ lrwxr-xr-x 1 root wheel 79 May 17 14:01 modsecurity_crs_59_outbound_blocking.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_correlation.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_correlation.conf
+ lrwxr-xr-x 1 root wheel 73 May 17 14:01 modsecurity_crs_60_customrules.conf -> /usr/local/apache/conf/crs/base_rules/modsecurity_crs_60_customrules.conf
+
+
+ 3) Add the following line to your httpd.conf (assuming
+ you've placed the rule files into conf/crs/):
+
+
+ Include conf/crs/modsecurity_crs_10_config.conf
+ Include conf/crs/activated_rules/*.conf
+
+
+ 3) Restart web server.
+
+ 4) Make sure your web sites are still running fine.
+
+ 5) Simulate an attack against the web server. Then check
+ the attack was correctly logged in the Apache error log,
+ ModSecurity debug log (if you enabled it) and ModSecurity
+ audit log (if you enabled it).
+
+
diff -Nru modsecurity-crs-2.1.2/trunk/LICENSE modsecurity-crs-2.2.0/trunk/LICENSE
--- modsecurity-crs-2.1.2/trunk/LICENSE 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/LICENSE 2011-05-03 19:01:25.000000000 +0000
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff -Nru modsecurity-crs-2.1.2/trunk/lua/advanced_filter_converter.lua modsecurity-crs-2.2.0/trunk/lua/advanced_filter_converter.lua
--- modsecurity-crs-2.1.2/trunk/lua/advanced_filter_converter.lua 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/lua/advanced_filter_converter.lua 2010-12-29 16:46:58.000000000 +0000
@@ -0,0 +1,795 @@
+#!/opt/local/bin/lua
+local rex = require "rex_pcre"
+local B = require "bit"
+
+function main()
+
+function dec2hex(nValue)
+ if type(nValue) == "string" then
+ nValue = String.ToNumber(nValue);
+ end
+ nHexVal = string.format("%X", nValue);
+ sHexVal = nHexVal.."";
+ return sHexVal;
+end
+
+function hex2dec (arg)
+ local dec = {}
+ for str in string.gfind(arg, "%w%w") do
+ local str = '0X'..str
+ table.insert(dec, tonumber(str))
+ end
+
+ return unpack(dec)
+end
+
+function explode ( seperator, str )
+ local pos, arr = 0, {}
+ for st, sp in function() return string.find( str, seperator, pos, true ) end
+ do
+ table.insert( arr, string.sub( str, pos, st-1 ) );
+ pos = sp + 1;
+ end
+ table.insert( arr, string.sub( str, pos ) );
+ return arr
+end
+
+
+function oct2dec(octstr)
+ local i, len, num;
+
+ num = 0;
+ i = 0;
+ octstr = string.reverse(octstr);
+ len = string.len(octstr);
+
+ if (len > 11) then
+ return 1;
+ end
+
+ for str in string.gfind(octstr, "%w") do
+ number = tonumber(str);
+ if((number < 0) or (number > 7)) then
+ num = 0;
+ return 0;
+ end
+
+ i = tonumber(i);
+ num_shr = B.lshift(number ,(i*3));
+ num = B.bor(num,num_shr);
+ i = i + 1;
+ end
+ return num;
+end
+
+
+function str_split_unique(data)
+ a = {}
+ b = {}
+ -- use table to eliminate duplicates
+ for i=1,string.len(data) do
+ v = string.sub(data,i,i)
+ a[v] = v
+ end
+ -- insert into ordered array and sort
+ for k,v in pairs(a) do
+ table.insert(b,k)
+ end
+ table.sort(b)
+ return b
+end
+
+function str_split(data)
+ a = {}
+ for i=1,string.len(data) do
+ a[i] = string.sub(data,i,i)
+ end
+ return a
+end
+
+-- character table string
+local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
+
+-- base64 decoding
+function base64decode(data)
+ data = string.gsub(data, '[^'..b..'=]', '')
+ return (data:gsub('.', function(x)
+ if (x == '=') then return '' end
+ local r,f='',(b:find(x)-1)
+ for i=6,1,-1 do r=r..(f%2^i-f%2^(i-1)>0 and '1' or '0') end
+ return r;
+ end):gsub('%d%d%d?%d?%d?%d?%d?%d?', function(x)
+ if (#x ~= 8) then return '' end
+ local c=0
+ for i=1,8 do c=c+(x:sub(i,i)=='1' and 2^(8-i) or 0) end
+ return string.char(c)
+ end))
+end
+
+function urldecode(s)
+ return (string.gsub (string.gsub (s, "+", " "),
+ "%%(%x%x)",
+ function (str)
+ return string.char (tonumber (str, 16))
+ end ))
+end
+
+function urlencode(s)
+ return (string.gsub (s, "%W",
+ function (str)
+ return string.format ("%%%02X", string.byte (str))
+ end ))
+end
+
+function strip_tags(h)
+ local newstr = rex.gsub(h, "<(\/?)(\\w+)[^\>]*>", "%2", nil, 0, 0);
+ return newstr
+end
+
+function hexdecode(s)
+ s = string.gsub(s, "%%(%x%x)", function (h)
+ return string.char(tonumber(h, 16))
+ end)
+ return s
+end
+
+function sql_hexdecode(s)
+ s = string.gsub(s, "(%x%x)", function (h)
+ return string.char(tonumber(h, 16))
+ end)
+ return s
+end
+
+
+--[[ Retrieve all ARGS parameters from ModSec
+
+ urlDecodeUni, htmlEntityDecode and jsDecode can be used here with the initial
+ extraction of data since they are able to decode any inline value vs.
+ other transformation functions which will attempt to decode the entire
+ string value. For those situations, we must create our own Lua functions
+]]
+
+local args = {};
+args = m.getvars("ARGS", {"none"});
+
+-- Only run checks if ARGS are present
+if (#args == "0") then
+ m.log(4, "# of ARGS: " ..#args.. ".");
+ return nil;
+end
+
+
+-- Place ARGS data into key/value pairs for inspection
+for k,v in pairs(args) do
+ name = v["name"];
+ value = v["value"];
+ original_value = value;
+ m.log(4, "Arg Name: " ..name.. " and Arg Value: " ..value.. ".");
+
+--[[ Start Converter code ]]
+
+--[[ Make sure the value to normalize and monitor doesn't contain
+ possibilities for a regex DoS.]]
+ -- remove obvious repetition patterns
+ value = rex.gsub(value, "(?:(.{2,})\\1{32,})|(?:[\-+=|@\\s]{128,})", "x", nil, 0, 0);
+ m.log(4, "Remove repetition patterns: " .. value .. "");
+
+--[[ Check for comments and erases them if available ]]
+ -- check for existing comments
+ if rex.match(value, "(?ms:(?:\\|\\/\\*|\\*\\/|\\/\\/\\W*\\w+\\s*$)|(?:\-\-[^\\-]*\-))", 1) then
+ converted = rex.gsub(value, "(?ms:(?:(?:))|(?:(?:\\/\\*\\/*[^\\/\\*]*)+\\*\\/)|(?:\-\-[^\\-]*\-))", ";", nil, 0, 0);
+ value = (value .. "\n" .. converted);
+ m.log(4, "Check for Existing Comments: " .. value .. "");
+ end
+
+ -- make sure inline comments are detected and converted correctly
+ value = rex.gsub(value, "(?m:(<\\w+)\\/+(\\w+=?))", "%1/%2", nil, 0, 0);
+ m.log(4, "Remove Inline Comments1: " .. value .. "");
+ value = rex.gsub(value, "(?m:[^\\\\:]\\/\\/(.*)$)", "/**/%1", nil, 0, 0);
+ m.log(4, "Remove Inline Comments2: " .. value .. "");
+
+--[[ Strip newlines ]]
+ -- check for inline linebreaks
+ value = rex.gsub(value, "\\\\(r|n|f|t|v)", ";", nil, 0, 0);
+ m.log(4, "Check for inline linebreaks: " .. value .. "");
+ -- replace replacement characters regular spaces
+ value = string.gsub(value, "�", ' ', nil, 0, 0);
+ m.log(4, "Replace replacement chars: " .. value .. "");
+ -- convert real linebreaks
+ value = rex.gsub(value, "(?m:[\\r\\n\\f\\t\\v])", " ", nil, 0, 0);
+ m.log(4, "Convert real linebreaks: " .. value .. "");
+
+--[[ Checks for common charcode pattern and decodes them ]]
+function convertFromJSCharcode(value)
+
+ local matches, matches2, matches3;
+ local changed = 0;
+ local sum = 0;
+ local chr = 0;
+ local converted = "";
+ local tmp_value = value;
+
+ -- check if value matches typical charCode pattern
+
+ for line in rex.gmatch(tmp_value, "(?ms:(?:[\\d+-=\/\* ]+(?:\\s?,\\s?[\\d+-=\/\* ]+)){4,})", 0, 0)
+ do
+ if(matches ~= nil) then
+ matches = matches .. "," .. line;
+ else
+ matches = line;
+ end
+ end
+
+ if(matches ~= nil) then
+
+ matches = rex.gsub(matches,"(\\s)", "");
+ matches = rex.gsub(matches,"(\\w+=)", "");
+
+ str = explode(",",matches);
+
+ for i=1, table.getn(str) do
+
+ chr = str[i];
+
+ if(string.len(str[i]) > 0) then
+
+ chr = rex.gsub(chr,"(?s:\\W0)", "");
+
+ if(chr ~= nil) then
+
+ for line2 in rex.gmatch(chr, "(\\d*[+-\/\* ]\\d+)",0, 0)
+ do
+ if(matches2 ~= nil) then
+ matches2 = matches2 .. "" .. line2;
+ else
+ matches2 = line2;
+ end
+ end
+
+ if( matches2 ~= nil )then
+ for line3 in rex.split(matches2, "((\\W?\\d+))",0, 0)
+ do
+ if(line ~= nil) then
+ changed = 1;
+ sum = sum + tonumber(line3);
+ end
+
+ if(matches3 ~= nil) then
+ matches3 = matches3 .. line3;
+ else
+ matches3 = line3;
+ end
+ end
+ end
+
+ if(changed == 1) then
+ if(sum >= 20) then
+ if(sum <= 127) then
+ converted = converted .. string.char(sum);
+ end
+ end
+ end
+
+ if(changed == 0) then
+ local num = 0;
+ if(string.len(chr) > 0) then
+ num = tonumber(chr);
+ end
+ converted = converted .. string.char(num);
+ end
+ end
+
+ value = tmp_value .. "\n" .. converted;
+ end
+ end
+ end
+end
+
+function convertFromJSCharcode_hex(value)
+ -- check for hexadecimal charcode pattern
+ local matches_hex = "";
+ local converted = "";
+ local tmp_value = value;
+
+ for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\w+\\s*){8,}))", 0, 0)
+ do
+ if(matches_hex ~= nil) then
+ matches_hex = matches_hex .. "," .. line;
+ else
+ matches_hex = line;
+ end
+ end
+
+ if(matches_hex ~= nil) then
+
+ matches_hex = rex.gsub(matches_hex,"([ux])", "");
+
+ converted = "";
+
+ str = explode(",",matches_hex);
+
+ for i=1, table.getn(str) do
+
+ chr = str[i];
+
+ if(tonumber(chr) ~= 0) then
+ converted = converted .. string.char(hex2dec(chr));
+ end
+ end
+
+ value = tmp_value .. "\n" .. converted;
+ end
+
+ print(value);
+ return value;
+end
+
+function convertFromJSCharcode_oct(value)
+
+ local matches_oct = "";
+ local converted_oct = "";
+ local tmp_value = value;
+
+ -- check for octal charcode pattern
+
+ for line in rex.gmatch(tmp_value, "(?ims:(?:(?:[\\\\]+\\d+){8,}))", 0, 0)
+ do
+ if(matches_oct ~= nil) then
+ matches_oct = matches_oct .. "," .. line;
+ else
+ matches_oct = line;
+ end
+ end
+
+ if(matches_oct ~= nil) then
+
+ matches_oct = rex.gsub(matches_oct,"(\\s)", "");
+
+ str = explode(",",matches_oct);
+
+ print(str);
+
+ for i=1, table.getn(str) do
+
+ chr = str[i];
+
+ if (tonumber(str[i]) ~= 0) then
+
+ n = oct2dec(chr);
+
+ n = dec2hex(n);
+
+ if(n ~= 0)then
+ str2 = string.char(hex2dec(n));
+
+ if(converted_oct ~= nil) then
+ converted_oct = converted_oct .. str2;
+ else
+ converted_oct = str2;
+ end
+ end
+ end
+ end
+
+ if(converted_oct ~= nil) then
+ value = tmp_value .. "\n" .. converted_oct;
+ else
+ value = tmp_value;
+ end
+ end
+
+ print(value);
+
+ return value;
+end
+
+convertFromJSCharcode(value);
+ m.log(4, "convertFromJSCharcode: " .. value .. "");
+convertFromJSCharcode_hex(value);
+m.log(4, "convertFromJSCharcode_hex: " .. value .. "");
+convertFromJSCharcode_oct(value);
+m.log(4, "convertFromJSCharcode_oct: " .. value .. "");
+
+--[[ Eliminate JS regex modifiers ]]
+ value = rex.gsub(value, "\/[gim]+", "\/", nil, 0, 0);
+ m.log(4, "Eliminate JS regex modifiers: " .. value .. ".");
+
+--[[ Converts from hex/dec entities ]]
+
+ -- deal with double encoded payload
+function htmlEntityDecode(value)
+ value = rex.gsub(value, "&", "&", nil, 0, 0);
+ local result;
+ local tmp_value = value;
+
+ for line in rex.gmatch(tmp_value, "(?ms:?([\\w]{2}\\d?);?)", 0, 0)
+ do
+ if(line ~= nil) then
+ if(result ~= nil) then
+ result = result .. line;
+ else
+ result = line;
+ end
+ end
+ end
+
+
+ if(result ~= nil) then
+ result = sql_hexdecode(result);
+ value = tmp_value .. "\n" .. result;
+ result = rex.gsub(result, ";;", ";", nil, 0, 0);
+ else
+ value = tmp_value;
+ end
+
+
+ print(result);
+
+ return result;
+
+end
+
+htmlEntityDecode(value);
+ m.log(4, "Converts from hex/dex entities: " .. value .. ".");
+
+ -- normalize obfuscated protocol handlers
+ value = rex.gsub(value, "(?ms:(?:j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*)|(d\\s*a\\s*t\\s*a\\s*))", "javascript", nil, 0, 0);
+
+--[[ Normalize Quotes ]]
+ -- normalize different quotes to "
+ value = rex.gsub(value, "[\'\`\´\’\‘]", "\"", nil, 0, 0);
+ m.log(4, "Normalize Quotes: " .. value .. ".");
+
+ -- make sure harmless quoted strings don't generate false alerts
+ value = rex.gsub(value, "^\"([^\"=\\!><~]+)\"$", "%1", nil, 0, 0);
+ m.log(4, "Harmless Quotes: " .. value .. ".");
+
+
+--[[ Converts SQLHEX to plain text ]]
+ local tmp_value = value;
+ while true do
+ sql_hex_value = rex.match(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)");
+ if (sql_hex_value == nil) then break end
+ m.log(4, "SQL Hex Data: " .. sql_hex_value .. ".");
+ local sql_hex_decoded = sql_hexdecode(sql_hex_value);
+ m.log(4, "SQL Hex Data Decoded: " .. sql_hex_decoded .. ".");
+ tmp_value = rex.gsub(tmp_value, "(?im:0x([a-fA-F\\d]{2,}[a-fA-F\\d]*)+)", sql_hex_decoded, 1, 0, 0);
+ m.log(4, "SQL Hex Data Normalized: " .. tmp_value .. ".");
+ end
+ value = rex.gsub(tmp_value, "(?m:0x\\d+)", "1", nil, 0, 0);
+
+--[[ Converts basic SQL keywords and obfuscations ]]
+ value = rex.gsub(value, "(?ims:(?:IS\\s+null)|(LIKE\\s+null)|(?:(?:^|\\W)IN[\+\\s]*\([\\s\\d\"]+[^\(\)]*\)))", "\"=0", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:\\W+\\s*like\\s*\\W+)", "1\" OR \"1\"", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:null[,\"\\s])", ",0", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:\\d+\\.)", " 1", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:,null)", ",0", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:between|mod)", "or", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:and\\s+\\d+\.?\\d*)", "", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:\\s+and\\s+)", " or ", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:[^\\w,\(]NULL|\\\\N|TRUE|FALSE|UTC_TIME|LOCALTIME(?:STAMP)?|CURRENT_\\w+|BINARY|(?:(?:ASCII|SOUNDEX|FIND_IN_SET|MD5|R?LIKE)[\+\\s]*\\([^\(\)]+\\))|(?:\-+\\d))", "0", nil, 0, 0);
+ value = rex.gsub(value, "(?ims:(?:NOT\\s+BETWEEN)|(?:IS\\s+NOT)|(?:NOT\\s+IN)|(?:XOR|\\WDIV\\W|\\WNOT\\W|<>|RLIKE(?:\\s+BINARY)?)|(?:REGEXP\\s+BINARY)|(?:SOUNDS\\s+LIKE))", "!", nil, 0, 0);
+ value = rex.gsub(value, "\"\\s+\\d", "\"", nil, 0, 0);
+ value = rex.gsub(value, "\\/(?i:\\d+|null)", "", nil, 0, 0);
+
+ m.log(4, "Convert SQL Keywords and Obfuscations: " .. value .. ".");
+
+--[[ Detects nullbytes and controls chars via ord() ]]
+ -- critical ctrl values
+ value = rex.gsub(value, "(?i:cha?r\\((0|1|2|3|4|5|6|7|8|11|12|14|15|16|17|18|19|24|25|192|193|238|255)\\))", "%%00", nil, 0, 0);
+ m.log(4, "Convert nullbytes and control chars via ord(): " .. value .. ".");
+
+ -- take care for malicious unicode characters
+ value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%E(?:2|3)\%8(?:0|1)\%(?:A|8|9)\\w|\%EF\%BB\%BF|\%EF\%BF\%BD)|(?:(?:65|8)\\d{3};?))", "", nil, 0, 0));
+
+ value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BE))", ">", nil, 0, 0));
+ value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%BC))", "<", nil, 0, 0));
+ value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A2))", "\"", nil, 0, 0));
+ value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%F0\%80\%A7))", "\'", nil, 0, 0));
+ value = urldecode(rex.gsub(urlencode(value), "(?i:(?:\%ff1c))", "<", nil, 0, 0));
+
+ value = rex.gsub(value, "(?i:(?:&[#x]*(200|820|200|820|zwn?j|lrm|rlm)\\w?;?))", "", nil, 0, 0);
+ value = rex.gsub(value, "(?i:(?:(?:65|8)\\d{3};?)|(?:(?:56|7)3\\d{2};?)|(?:(?:fe|20)\\w{2};?)|(?:(?:d[c-f])\\w{2};?))", "", nil, 0, 0);
+ value = rex.gsub(value, "(«|〈|<|‹|〈|⟨)", "<", nil, 0, 0);
+ value = rex.gsub(value, "(»|〉|>|›|〉|⟩)", ">", nil, 0, 0);
+ m.log(4, "Malicious unicode characters: " .. value .. "");
+
+
+--[[ This method matches and translates base64 strings and fragments
+ used in data URIs ]]
+
+ tmp_value = value;
+ while true do
+ base64_value = rex.match(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", 1, 0, 0);
+ if (base64_value == nil) then break end
+ m.log(4, "Base64 Data is: " .. base64_value .. ".");
+ base64_value_decoded = base64decode(base64_value);
+ m.log(4, "Base64 Data Decoded is: " .. base64_value_decoded .. ".");
+ tmp_value = rex.gsub(tmp_value, "([a-zA-Z0-9\+\/]{32,}={0,2})", base64_value_decoded, 1, 0, 0);
+ m.log(4, "Base64 Data Normalized: " .. tmp_value .. ".");
+ end
+ value = tmp_value;
+
+
+--[[ Detects nullbytes and controls chars via ord() ]]
+ local mytable = {};
+ mytable = str_split(value);
+ j = 1
+ while mytable[j] do
+ if (string.byte(mytable[j]) >= 127) then
+ mytable[j] = rex.gsub(mytable[j], ".*", " ", nil, 0, 0);
+ end
+ j = j + 1
+ end
+
+ value = table.concat(mytable);
+ m.log(4, "Detect nullbytes and control chars via ord(): " .. value .. ".");
+
+
+--[[ Strip XML patterns ]]
+ converted = strip_tags(value);
+ if (converted ~= value) then
+ value = (value .. "\n" .. converted);
+ m.log(4, "Strip XML patterns: " .. value .. ".");
+ end
+
+--[[ This method converts JS unicode code points to regular characters ]]
+
+function convertFromJSUnicode(args)
+ local new_value = "";
+
+ for line in rex.gmatch(args, "(?ims:\\\\u[0-9a-f]{4})", 0, 0)
+ do
+ hex = print(string.sub(line,3,6))
+ chr = string.char(hex2dec(string.sub(line,5,7)));
+ if ( new_value == nil ) then
+ new_value = chr;
+ else
+ new_value = new_value .. chr;
+ end
+ end
+
+ if ( string.len(new_value) > 0 ) then
+ value = new_value .. "\n\\u0001";
+ end
+end
+
+ convertFromJSUnicode(value);
+ m.log(4, "Convert JS unicode code points to regular chars: " .. value .. "");
+
+
+--[[ Converts relevant UTF-7 tags to UTF-8 ]]
+ value = string.gsub(value,"+ACI-","\"");
+ value = string.gsub(value,"+ADw-","<");
+ value = string.gsub(value,"+AD4-",">");
+ value = string.gsub(value,"+AFs-","%[");
+ value = string.gsub(value,"+AF0-","]");
+ value = string.gsub(value,"+AHs-","{");
+ value = string.gsub(value,"+AH0-","}");
+ value = string.gsub(value,"+AFw-","\\");
+ value = string.gsub(value,"+ADs-",";");
+ value = string.gsub(value,"+ACM-","#");
+ value = string.gsub(value,"+ACY-","&");
+ value = string.gsub(value,"+ACU-","%%");
+ value = string.gsub(value,"+ACQ-","$");
+ value = string.gsub(value,"+AD0-","=");
+ value = string.gsub(value,"+AGA-","`");
+ value = string.gsub(value,"+ALQ-","\"");
+ value = string.gsub(value,"+IBg-","\"");
+ value = string.gsub(value,"+IBk-","\"");
+ value = string.gsub(value,"+AHw-","|");
+ value = string.gsub(value,"+ACo-","*");
+ value = string.gsub(value,"+AF4-","%^");
+ value = string.gsub(value,"+ACIAPg-","\">");
+ value = string.gsub(value,"+ACIAPgA8-","\">");
+ m.log(4, "Convert relevant UTF-7 tags to UTF-8: " .. value .. "");
+
+
+--[[ Converts basic concatenations ]]
+function stripslashes(args)
+
+ local value = rex.gsub(args,"(\\\\(.?))","");
+
+ return value;
+end
+
+function convertFromConcatenated(value)
+
+ --normalize remaining backslashes
+ if (value ~= rex.gsub(value,"((\\w)\\\\)", "%1")) then
+ value = value .. rex.gsub(value,"((\\w)\\\\)", "%1");
+ end
+
+ local compare = stripslashes(value);
+
+ pattern = { "(?s:(?:<\/\\w+>\+<\\w+>))",
+ "(?s:(?:\":\\d+[^\"\[]+\"))",
+ "(?s:(?:\"?\"\+\\w+\+\"))",
+ "(?s:(?:\"\\s*;[^\"]+\")|(?:\";[^\"]+:\\s*\"))",
+ "(?s:(?:\"\\s*(?:\;|\\+).{8,18}:\\s*\"))",
+ "(?s:(?:\";\\w+=)|(?:!\"\"&&\")|(?:~))",
+ "(?s:(?:\"?\"\\+\"\"?\\+?\"?)|(?:;\\w+=\")|(?:\"[|&]{2,}))",
+ "(?s:(?:\"\\s*\\W+\"))",
+ "(?s:(?:\";\\w\\s*\\+=\\s*\\w?\\s*\"))",
+ "(?s:(?:\"[|&;]+\\s*[^\|\&\\n]*[\|\&]+\\s*\"?))",
+ "(?s:(?:\";\\s*\\w+\\W+\\w*\\s*[\|\&]*\"))",
+ "(?s:(?:\"\\s*\"\\s*\.))",
+ "((?:\\s*new\\s+\\w+\\s*[\\+\\\"\,]))",
+ "((?:(?:^|\\s+)(?:do|else)\\s+))",
+ "((?:(?:^|\\s+)(?:do|else)\\s+))",
+ "((?:[{(]\\s*new\\s+\\w+\\s*[\)\}]))",
+ "((?:(this|self)\.))",
+ "((?:undefined))",
+ "((?:in\\s+))" };
+
+ for i=1, table.getn(pattern) do
+ -- strip out concatenations
+ converted = rex.gsub(compare,pattern[i],"");
+ end
+
+ -- strip object traversal
+ converted = rex.gsub(converted,"(\\w(\.\\w\()))", "%1");
+
+ -- normalize obfuscated method calls
+ converted = rex.gsub(converted,"(\\)\\s*\+)", ")");
+
+ --convert JS special numbers
+ converted = rex.gsub(converted,"(?ims:(?:\\(*[.\\d]e[\+\-]*[^a-z\\W]+\\)*)|(?:NaN|Infinity)\\W)", "1");
+
+ if (converted ~= nil) then
+ if (compare ~= converted) then
+ value = value .. "\n" .. converted;
+ end
+ end
+
+ -- return value;
+end
+
+ convertFromConcatenated(value);
+ m.log(4, "Convert basic concatenations: " .. value .. "");
+
+
+--[[ This method collects and decodes proprietary encoding types ]]
+
+function convertFromProprietaryEncodings(args)
+
+ local value = args;
+
+ --Xajax error reportings
+ value = rex.gsub(value,"(?im:)","%1", nil, 0, 0);
+
+ --strip false alert triggering apostrophes
+ value = rex.gsub(value,"(?m:(\\w)\"(s))", "%1%2");
+
+ --strip quotes within typical search patterns
+ value = rex.gsub(value,"(^\"([^\"=\\!><~]+)\"/$)", "%1");
+
+ --OpenID login tokens
+ value = rex.gsub(value,"({[\\w-]{8,9}\}(?:\{[\w=]{8}\}){2})", "");
+
+ --convert Content and \sdo\s to null
+ value = rex.gsub(value,"(?s:Content|\\Wdo)", "");
+
+ --strip emoticons
+ value = rex.gsub(value,
+ "(?m:(?:\\s[:;]-[)\/PD]+)|(?:\\s;[)PD]+)|(?:\\s:[)PD]+)|-\.-|\^\^)",
+ "");
+
+ --normalize separation char repetion
+ value = rex.gsub(value,"(?m:([.+~=*_;\-])\1{2,})", "%1");
+
+ --normalize multiple single quotes
+ value = rex.gsub(value,"(?m:/\"{2,})", "\"");
+
+ --normalize quoted numerical values and asterisks
+ value = rex.gsub(value,"(?m:\"(\\d+)\")", "%1");
+
+ --normalize pipe separated request parameters
+ value = rex.gsub(value,"(?m:\|(\\w+=\\w+))", "&%1");
+
+ --normalize ampersand listings
+ value = rex.gsub(value,"((\\w\\s)&\\s(\\w))", "%1%2");
+
+ --normalize escaped RegExp modifiers
+ value = rex.gsub(value,"(\/\\\\(\\w))", "/%1");
+
+end
+
+ convertFromProprietaryEncodings(value);
+ m.log(4, "convertFromProprietaryEncodings: " .. value .. "");
+
+
+
+
+
+ normalized_name = rex.gsub(name, "^(.*)$", "tx.%1_normalized");
+ m.setvar(normalized_name, value);
+
+
+--[[ This method is the centrifuge prototype ]]
+ m.log(4, "Starting Centrifuge.. Arg Name = " ..name.. " and Arg Value = " ..value.. ".");
+
+ threshold = 3.49;
+
+ -- Examine each value
+ if string.len(value) > 25 then
+ local name = name;
+ -- strip padding
+ tmp_value = rex.gsub(value, "\\s{4}|==$", "", nil, 0, 0);
+ m.log(4, "Strip Padding1 - name is: " .. name .. " and value is: " .. tmp_value ..".");
+ tmp_value = rex.gsub(tmp_value, "\\s{4}|[\\p{L}\\d\+\-\=\,\.\%\(\)]{8,}", "aaa", nil, 0, 0);
+ m.log(4, "Strip Padding2 - name is: " .. name .. " and value is: " .. tmp_value ..".");
+
+ -- Check for the attack char ratio
+ tmp_value = rex.gsub(tmp_value, "([\*\.\!\?\+\-])\\1{1,}", "%1", nil, 0, 0);
+ tmp_value = rex.gsub(tmp_value, "\"[\\p{L}\\d\\s]+\"", "", nil, 0, 0);
+
+ stripped_length = string.len(rex.gsub(tmp_value, "[\\d\\s\\p{L}\.\:\,\%\&\/\>\<\\-)\!\|]+", "", nil, 0, 0));
+ m.log(4, "stripped_length is: " .. stripped_length .. ".");
+ overall_value = rex.gsub(tmp_value, "([\\d\\s\\p{L}\:\,\.]{3,})+", "aaa", nil, 0, 0);
+ m.log(4, "overall_value is: " .. overall_value .. ".");
+ overall_length = string.len(rex.gsub(overall_value, "\\s{2,}", "", nil, 0, 0));
+ m.log(4, "overall_length is: " .. overall_length .. ".");
+
+ if ((stripped_length ~= 0) and (overall_length/stripped_length <= threshold)) then
+ ratio_value = (overall_length/stripped_length);
+ ratio_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_ratio");
+ m.setvar(ratio_name, ratio_value);
+ m.log(4, "Threshold is: " .. threshold .. " and Ratio Value is: " .. ratio_value .. ".");
+ end
+ end
+
+ -- Examine each value
+ if string.len(value) > 40 then
+
+ converted = value;
+
+ mytable = str_split_unique(converted)
+
+ j = 1
+ while mytable[j] do
+ print(mytable[j])
+ j = j + 1
+ end
+
+ converted = table.concat(mytable);
+ m.log(4, "Unique/Sorted: " .. converted .. ".");
+
+ -- Replace all non-special chars
+ converted = rex.gsub(converted, "[\\w\\s\\p{L},\.:!]", "");
+ m.log(4, "Replace non-special chars: " .. converted .. ".");
+
+
+ -- Normalize certain tokens
+ converted = rex.gsub(converted, "(\\~|\\^|\\||\\*|\\%|\\&|\\/)", "+");
+ m.log(4, "Normalize certain tokens: " .. converted .. ".");
+ converted = rex.gsub(converted, "(\\+|\\-)\\s*\\d+", "+");
+ m.log(4, "Normalize certain tokens: " .. converted .. ".");
+ converted = rex.gsub(converted, "(\\(|\\)|\\[|\\]|\\{|\\})", "(");
+ m.log(4, "Normalize certain tokens: " .. converted .. ".");
+ converted = rex.gsub(converted, "(\\!|\\?|\\:|\=)", ":");
+ m.log(4, "Normalize certain tokens: " .. converted .. ".");
+ converted = rex.gsub(converted, "[^:(+]", "");
+ m.log(4, "Normalize certain tokens: " .. converted .. ".");
+ converted = string.gsub(converted, "\\", "");
+ m.log(4, "Normalize certain tokens: " .. converted .. ".");
+
+ mytable = str_split(converted)
+ table.sort(mytable);
+ converted = table.concat(mytable);
+ m.log(4, "Sorted: " .. converted .. ".");
+ stripped_name = rex.gsub(name, "^(.*)$", "tx.%1_centrifuge_converted");
+ m.setvar(stripped_name, converted);
+
+ end
+
+
+ if value ~= "." then
+
+ return ("Normalized Payload: " .. name .. " = " .. value .. "");
+ else
+ -- Nothing wrong found.
+ return nil;
+ end
+end
+end
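Review bot: Most of the normalization stages never write their result back into `value`, so the payload stored by `m.setvar(normalized_name, value)` skips them: `convertFromJSCharcode(value);`, `convertFromJSCharcode_hex(value);`, `convertFromJSCharcode_oct(value);`, `htmlEntityDecode(value);`, `convertFromJSUnicode(value);`, `convertFromConcatenated(value);` and `convertFromProprietaryEncodings(value);` all assign to a local parameter (or to a discarded return) and the caller keeps the old string. Each of those functions should end with `return value;` and each call site should read `value = convertFromJSCharcode_hex(value);` and so on, otherwise the charcode/entity/concatenation decoders add nothing to the detection. The guard `if (#args == "0") then` compares a number with a string and is always false, so the "no ARGS" branch is dead (harmless, since the loop then runs zero times, but misleading). `String.ToNumber(nValue)` in dec2hex is not a Lua function and would raise if a string reaches it; `tonumber(nValue)` is presumably intended, and `string.gfind`/`table.getn` are Lua 5.0 names that only exist in 5.1 with compatibility enabled.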
diff -Nru modsecurity-crs-2.1.2/trunk/lua/gather_ip_data.lua modsecurity-crs-2.2.0/trunk/lua/gather_ip_data.lua
--- modsecurity-crs-2.1.2/trunk/lua/gather_ip_data.lua 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/lua/gather_ip_data.lua 2011-04-15 18:25:15.000000000 +0000
@@ -0,0 +1,37 @@
+#!/opt/local/bin/lua
+require("io");
+
+function main()
+local anomaly_score = m.getvar("TX.ANOMALY_SCORE", "none");
+ m.log(4, "Anomaly Score is: " .. anomaly_score .. ".");
+local remote_addr = m.getvar("ARGS.REMOTE_ADDR", "none");
+ m.log(4, "Remote IP is: " .. remote_addr .. ".");
+local ip_hostname = m.getvar("IP.HOSTNAME", "none");
+
+if ((anomaly_score ~= nil) and (ip_hostname == nil)) then
+local hostname = "NONE";
+local abuse_contact = "NONE";
+ n = os.tmpname ()
+ os.execute ("nslookup '" .. remote_addr .. "' > " .. n)
+ os.execute ("whois '" .. remote_addr .. "' >> " .. n)
+ for line in io.lines (n) do
+ if string.match(line, "name = ") then
+ hostname = line
+ end
+
+ if string.match(line, "abuse") then
+ abuse_contact = line
+ end
+ end
+ m.log(4, "Hostname is: " .. hostname .. ".");
+ m.setvar("tx.hostname", hostname);
+
+ m.log(4, "Abuse Contact is: " .. abuse_contact .. ".");
+ m.setvar("tx.abuse_contact", abuse_contact);
+
+ os.remove (n)
+return("Nslookup: " .. hostname .. " and WHOIS Abuse Info: " .. abuse_contact .. "");
+
+end
+return nil;
+end
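Review bot: `remote_addr` is read from `ARGS.REMOTE_ADDR`, a request argument, and spliced unvalidated into `os.execute ("nslookup '" .. remote_addr .. "' > " .. n)` and the following `whois` line; a single quote in that argument closes the quoted string, so the shell runs whatever follows it with the web server's privileges. Before either command, reject anything that is not an address literal, e.g. `if not string.match(remote_addr, "^[%x%.:]+$") then return nil end`, and consider reading the peer address from the transaction variable rather than from ARGS so the value is not client-chosen in the first place. `os.tmpname()` plus a shell redirect also leaves a predictable temp file that is only removed on the success path; an `io.popen` pipe would avoid both the file and the cleanup.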
diff -Nru modsecurity-crs-2.1.2/trunk/lua/osvdb.lua modsecurity-crs-2.2.0/trunk/lua/osvdb.lua
--- modsecurity-crs-2.1.2/trunk/lua/osvdb.lua 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/lua/osvdb.lua 2011-02-23 14:19:26.000000000 +0000
@@ -0,0 +1,25 @@
+#!/opt/local/bin/lua
+
+local request_filename = m.getvar("REQUEST_FILENAME", "none")
+local args = {};
+args = m.getvars("ARGS_NAMES", "none")
+
+function main ()
+for line in io.lines("/usr/local/apache/conf/modsec_current/base_rules/vulnerabilities.txt") do
+ if line:find(request_filename) then
+ if string.find(line, "^%d+\,") then
+ for k,v in pairs(args) do
+ local arg_name = v["value"] .. "=";
+ if string.find(line, arg_name) then
+ m.setvar("resource.osvdb_check", "1")
+ m.setvar("resource.osvdb_vulnerable", "1")
+ m.setvar("tx.osvdb_msg", line)
+ return(line)
+ end
+ end
+ end
+ end
+end
+ m.setvar("resource.osvdb_check", "1")
+ return nil
+end
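Review bot: `line:find(request_filename)` treats the request path as a Lua pattern, so characters such as `(`, `[`, `%` or `.` in the URL either raise a "malformed pattern" error (aborting the script for that request) or match lines they should not; the same applies to `string.find(line, arg_name)` with the argument name. Use plain searches: `if line:find(request_filename, 1, true) then` and `if string.find(line, arg_name, 1, true) then`. The `m.getvar`/`m.getvars` calls sit at file scope above `main`, whereas the other scripts in this commit read their variables inside `main`; moving them inside keeps the lookups per invocation.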
diff -Nru modsecurity-crs-2.1.2/trunk/lua/profile_page_scripts.lua modsecurity-crs-2.2.0/trunk/lua/profile_page_scripts.lua
--- modsecurity-crs-2.1.2/trunk/lua/profile_page_scripts.lua 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-2.2.0/trunk/lua/profile_page_scripts.lua 2011-01-07 20:29:52.000000000 +0000
@@ -0,0 +1,40 @@
+#!/opt/local/bin/lua
+
+function main()
+
+ local rex = require "rex_pcre"
+
+ local response_body = m.getvar("RESPONSE_BODY", "none");
+
+ if response_body ~= "" then
+
+ local _, nscripts = string.gsub(response_body, "