From 59685455d9ecb1dac02e0f7f19662d28665b1da9 Mon Sep 17 00:00:00 2001
From: brectanus <brectanus@9017d574-64ec-4062-9424-5e00b32a252b>
Date: Thu, 20 Dec 2007 17:01:12 +0000
Subject: [PATCH] Update core rules to 1.5.1.

---
 CHANGES                                       |  4 +++-
 rules/CHANGELOG                               | 21 +++++++++++++++++--
 rules/LICENSE                                 | 14 ++++++-------
 rules/modsecurity_crs_10_config.conf          |  2 +-
 ...odsecurity_crs_20_protocol_violations.conf | 16 +++++++-------
 ...modsecurity_crs_21_protocol_anomalies.conf | 12 ++++++++---
 rules/modsecurity_crs_23_request_limits.conf  |  2 +-
 rules/modsecurity_crs_30_http_policy.conf     |  2 +-
 rules/modsecurity_crs_35_bad_robots.conf      |  2 +-
 rules/modsecurity_crs_40_generic_attacks.conf | 14 ++++++-------
 rules/modsecurity_crs_45_trojans.conf         |  2 +-
 rules/modsecurity_crs_50_outbound.conf        |  4 ++--
 ...odsecurity_crs_20_protocol_violations.conf | 16 +++++++-------
 ...modsecurity_crs_21_protocol_anomalies.conf | 12 ++++++++---
 .../modsecurity_crs_40_generic_attacks.conf   | 14 ++++++-------
 .../modsecurity_crs_55_marketing.conf         |  6 +++---
 16 files changed, 87 insertions(+), 56 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0cd6e49d..c17b81e9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,9 +1,11 @@
 
-17 Dec 2007 - 2.5.0-rc1
+20 Dec 2007 - 2.5.0-rc1
 -----------------------
 
 Changes since 2.5.0-dev2:
 
+ * Updated included Core Ruleset to version 1.5.1.
+
  * Changed how allow works. Used on its own it now allows phases 1-4. Used
    with parameter "phase" (e.g. SecAction allow:phase) it only affects
    the current phase. Used with parameter "request" it allows phases
diff --git a/rules/CHANGELOG b/rules/CHANGELOG
index a94f9cb3..c4ec56d5 100644
--- a/rules/CHANGELOG
+++ b/rules/CHANGELOG
@@ -1,3 +1,20 @@
+-------------------------
+Version 1.5.1 - 2007/12/6
+-------------------------
+
+False Positives Fixes:
+- Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
+
+New Events:
+- 960019 - Detect HTTP/0.9 Requests
+  HTTP/0.9 request are not common these days. This rule will log by default,
+  and block in the blocking version of file 21
+  
+Other Fixes:
+- File 40, Rules 950004,950005 - Repaired the correction for the double
+  url decoding problem
+- File 55 contained empty regular expressions. Fixed.             
+
 ------------------------
 Version 1.5 - 2007/11/23
 ------------------------
@@ -154,8 +171,8 @@ Regular expressions fixes:
 - Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
 - The command injection wget is not searched in the UA header as it has different meaning there.
 - LDAP Fixed to reduce FPs:
-  + More accurate regular expressions
-  + high bit characters not accpeted between signature tokens.
+	+ More accurate regular expressions
+	+ high bit characters not accpeted between signature tokens.
 - Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
 - Removed Java from automation UA
 - When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"
diff --git a/rules/LICENSE b/rules/LICENSE
index fd94e166..d511905c 100644
--- a/rules/LICENSE
+++ b/rules/LICENSE
@@ -1,12 +1,12 @@
-            GNU GENERAL PUBLIC LICENSE
-               Version 2, June 1991
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
 
  Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
-                Preamble
+			    Preamble
 
   The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -56,7 +56,7 @@ patent must be licensed for everyone's free use or not licensed at all.
   The precise terms and conditions for copying, distribution and
 modification follow.
 
-            GNU GENERAL PUBLIC LICENSE
+		    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
   0. This License applies to any program or other work which contains
@@ -255,7 +255,7 @@ make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 
-                NO WARRANTY
+			    NO WARRANTY
 
   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
@@ -277,9 +277,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-             END OF TERMS AND CONDITIONS
+		     END OF TERMS AND CONDITIONS
 
-        How to Apply These Terms to Your New Programs
+	    How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
diff --git a/rules/modsecurity_crs_10_config.conf b/rules/modsecurity_crs_10_config.conf
index 034ce8cb..7468cd41 100644
--- a/rules/modsecurity_crs_10_config.conf
+++ b/rules/modsecurity_crs_10_config.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
diff --git a/rules/modsecurity_crs_20_protocol_violations.conf b/rules/modsecurity_crs_20_protocol_violations.conf
index b1377cb4..e352e5ee 100644
--- a/rules/modsecurity_crs_20_protocol_violations.conf
+++ b/rules/modsecurity_crs_20_protocol_violations.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -21,7 +21,7 @@ SecDefaultAction "log,pass,phase:2,status:400"
 
 # Validate request line
 #
-SecRule REQUEST_LINE "!^(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+))??/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+$" \
+SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+))??/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
     "t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"
 
 
@@ -61,7 +61,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,ms
 
 # Check encodings
 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
-    "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
+	"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
 
 # Check UTF enconding
@@ -83,14 +83,14 @@ SecRule REQUEST_URI_RAW ^\w+:/ "deny,log,auditlog,status:400,msg:'Proxy access a
 # NOTE In order to be broad and support localized applications this rule
 #      only validates that NULL Is not used.
 #
-#       The strict policy version also validates that protocol and application 
-#       generated fields are limited to printable ASCII. 
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
 #
 # TODO If your application use the range 32-126 for parameters.
 #
 SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
-    "@validateByteRange 1-255" \
-    "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',severity:'4',t:urlDecodeUni"
+	"@validateByteRange 1-255" \
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',severity:'4',t:urlDecodeUni"
 
 SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
-    "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni"
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni"
diff --git a/rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/modsecurity_crs_21_protocol_anomalies.conf
index 07ee2910..01316cc5 100644
--- a/rules/modsecurity_crs_21_protocol_anomalies.conf
+++ b/rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -19,13 +19,19 @@
 SecDefaultAction "log,pass,phase:2,status:400"
 
 # Do not accept requests without common headers. 
-#
 # Implies either an attacker or a legitimate automation client. 
 #
-SecRule REQUEST_URI "^/$" "chain,skip:4,nolog,pass"
+# Exception for Apache SSL pinger
+SecRule REQUEST_LINE "^GET /$" "chain,skip:8,nolog,pass"
+SecRule REMOTE_ADDR "^127\.0\.0\.1$"
+# Exception for Apache internal dummy connection
+SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,skip:5,nolog,pass"
 SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
 SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"
 
+# Detect HTTP/0.9 Requests
+SecRule REQUEST_PROTOCOL ^http/0.9$ "t:lowercase,log,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'"
+
 SecRule &REQUEST_HEADERS:Host "@eq 0" \
     "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"
 SecRule REQUEST_HEADERS:Host "^$" \
diff --git a/rules/modsecurity_crs_23_request_limits.conf b/rules/modsecurity_crs_23_request_limits.conf
index 10d2c528..4ca83400 100644
--- a/rules/modsecurity_crs_23_request_limits.conf
+++ b/rules/modsecurity_crs_23_request_limits.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
diff --git a/rules/modsecurity_crs_30_http_policy.conf b/rules/modsecurity_crs_30_http_policy.conf
index b9a9191a..f101253f 100644
--- a/rules/modsecurity_crs_30_http_policy.conf
+++ b/rules/modsecurity_crs_30_http_policy.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
diff --git a/rules/modsecurity_crs_35_bad_robots.conf b/rules/modsecurity_crs_35_bad_robots.conf
index 3360730a..6f57eaa4 100644
--- a/rules/modsecurity_crs_35_bad_robots.conf
+++ b/rules/modsecurity_crs_35_bad_robots.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
diff --git a/rules/modsecurity_crs_40_generic_attacks.conf b/rules/modsecurity_crs_40_generic_attacks.conf
index 5b118195..9197da74 100644
--- a/rules/modsecurity_crs_40_generic_attacks.conf
+++ b/rules/modsecurity_crs_40_generic_attacks.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -77,18 +77,18 @@ SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b
 #
 # XSS
 #
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
         "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
 
 
 #
 # File Injection
 #
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
         "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
+SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
 
 
@@ -108,10 +108,10 @@ SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
 
 SecRule ARGS \
-        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
         "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
 SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
-        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
 
 
diff --git a/rules/modsecurity_crs_45_trojans.conf b/rules/modsecurity_crs_45_trojans.conf
index 9827eef8..edf42f20 100644
--- a/rules/modsecurity_crs_45_trojans.conf
+++ b/rules/modsecurity_crs_45_trojans.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
diff --git a/rules/modsecurity_crs_50_outbound.conf b/rules/modsecurity_crs_50_outbound.conf
index b9e86e06..e3430033 100644
--- a/rules/modsecurity_crs_50_outbound.conf
+++ b/rules/modsecurity_crs_50_outbound.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -54,7 +54,7 @@ SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if
 SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b" \
      "ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970015',severity:'4'"
 SecRule RESPONSE_BODY "<\?(?!xml)" \
-     "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',severity:'4'"
+	 "chain,ctl:auditLogParts=+E,log,auditlog,msg:'PHP source code leakage',id:'970902',severity:'4'"
 SecRule RESPONSE_BODY "!(?:\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|r(?:iff\b|ar!B)|gif)|B(?:%pdf|\.ra)\b)"        
 
 SecRule RESPONSE_BODY "\b<cf" \
diff --git a/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf b/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
index d677fabd..11595200 100644
--- a/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
+++ b/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -21,7 +21,7 @@ SecDefaultAction "log,pass,phase:2,status:400"
 
 # Validate request line
 #
-SecRule REQUEST_LINE "!^(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+))??/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+$" \
+SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+))??/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
     "t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',id:'960911',severity:'2'"
 
 
@@ -61,7 +61,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,ms
 
 # Check encodings
 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
-    "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
+	"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
 
 # Check UTF enconding
@@ -83,14 +83,14 @@ SecRule REQUEST_URI_RAW ^\w+:/ "deny,log,auditlog,status:400,msg:'Proxy access a
 # NOTE In order to be broad and support localized applications this rule
 #      only validates that NULL Is not used.
 #
-#       The strict policy version also validates that protocol and application 
-#       generated fields are limited to printable ASCII. 
+#	   The strict policy version also validates that protocol and application 
+#	   generated fields are limited to printable ASCII. 
 #
 # TODO If your application use the range 32-126 for parameters.
 #
 SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
-    "@validateByteRange 32-126" \
-    "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',severity:'4',t:urlDecodeUni"
+	"@validateByteRange 32-126" \
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960018',severity:'4',t:urlDecodeUni"
 
 SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
-    "deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni"
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni"
diff --git a/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
index b2fb3acf..1dc1921f 100644
--- a/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
+++ b/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -19,13 +19,19 @@
 SecDefaultAction "log,pass,phase:2,status:400"
 
 # Do not accept requests without common headers. 
-#
 # Implies either an attacker or a legitimate automation client. 
 #
-SecRule REQUEST_URI "^/$" "chain,skip:4,nolog,pass"
+# Exception for Apache SSL pinger
+SecRule REQUEST_LINE "^GET /$" "chain,skip:8,nolog,pass"
+SecRule REMOTE_ADDR "^127\.0\.0\.1$"
+# Exception for Apache internal dummy connection
+SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,skip:5,nolog,pass"
 SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
 SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"
 
+# Detect HTTP/0.9 Requests
+SecRule REQUEST_PROTOCOL ^http/0.9$ "t:lowercase,deny,log,auditlog,status:400,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'"
+
 SecRule &REQUEST_HEADERS:Host "@eq 0" \
     "skip:1,deny,log,auditlog,status:400,msg:'Request Missing a Host Header',id:'960008',severity:'4'"
 SecRule REQUEST_HEADERS:Host "^$" \
diff --git a/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf b/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
index 1af6005f..9c5cdbab 100644
--- a/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
+++ b/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -77,18 +77,18 @@ SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer|!REQUEST_HEADERS:via "\b
 #
 # XSS
 #
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
         "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
+SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage|script|meta)\b|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
 
 
 #
 # File Injection
 #
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
         "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
+SecRule REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
 
 
@@ -108,10 +108,10 @@ SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs)$/
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
 
 SecRule ARGS \
-        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
         "capture,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
 SecRule "REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/^(Cookie|Referer|X-OS-Prefs|User-Agent)$/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES" \
-        "(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+		"(?:(?:[\;\|\`]\W*?\bcc|\bwget)\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
         "capture,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
 
 
diff --git a/rules/optional_rules/modsecurity_crs_55_marketing.conf b/rules/optional_rules/modsecurity_crs_55_marketing.conf
index 92264707..ba59864a 100644
--- a/rules/optional_rules/modsecurity_crs_55_marketing.conf
+++ b/rules/optional_rules/modsecurity_crs_55_marketing.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5
+# Core ModSecurity Rule Set ver.1.5.1
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -16,8 +16,8 @@ SecDefaultAction "log,pass,phase:2,t:lowercase"
 SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
         "log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'"
 
-SecRule REQUEST_HEADERS:User-Agent "" \
+SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
         "log,auditlog,msg:'Yahoo robot activity',id:'910007',severity:'5'"
 
-SecRule REQUEST_HEADERS:User-Agent "" \
+SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
         "log,auditlog,msg:'Google robot activity',id:'910006',severity:'5'"