Update to core rules 1.4.3

rules/blocking/modsecurity_crs_20_protocol_violations.conf

@@ -19,12 +19,22 @@
 # are in essence bad requests.
 SecDefaultAction "log,pass,phase:2,status:400"
 
-
 # Validate request line
-SecRule REQUEST_LINE "!^[a-z]{3,10}\s*(?:http\:\/\/[\w\-\.\/]*)??\/[\w\-\.\/]*(?:\?[\S]*)??\s*http\/[01]\.[901]$" \
+#
+SecRule REQUEST_LINE "!^[a-z]{3,10}\s*(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??\/[\w\-\.\/~%:@&=+$,;]*(?:\?[\S]*)??\s*http\/\d\.\d$" \
     "t:none,t:lowercase,deny,log,auditlog,status:400,msg:'Invalid HTTP Request Line',,id:'960911',severity:'2'"
 
 
+# HTTP Request Smuggling
+#
+SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "," "deny,log,auditlog,status:400,msg:'HTTP Request Smuggling Attack.',,id:'950012',severity:'1'"
+
+# Block request with malformed content.
+# ModSecurity will not inspect these, but the server application might do so
+#
+SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "t:none,deny,log,auditlog,status:400,msg:'Invalid request body',,id:'960912',severity:'2'"
+
+
 # Accept only digits in content length 
 #
 SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,msg:'Content-Length HTTP header is not numeric', severity:'2',,id:'960016',"
@@ -34,7 +44,7 @@ SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,status:400,ms
 # feature is not used in real life. Attackers could try to force
 # a request body on an unsuspecting web applications.
 #
-SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',,id:'960011',"
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',,id:'960011',"
 SecRule REQUEST_HEADERS:Content-Length "!^0?$"
 
 # Require Content-Length to be provided with every POST request.
@@ -52,7 +62,7 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "deny,log,auditlog,status:501,ms
 # Check decodings
 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
 	"chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
-SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
+SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
 
 SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,status:400,msg:'UTF8 Encoding Abuse Attack Attempt',,id:'950801',severity:'4'"
 
@@ -63,7 +73,7 @@ SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS
 # Proxy access attempt
 # NOTE Apache blocks such access by default if not set as a proxy. The rule is 
 #      included in case Apache proxy is misconfigured.
-SecRule REQUEST_URI_RAW ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',,id:'960014',"
+SecRule REQUEST_URI_RAW ^\w+:/ "deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',,id:'960014',"
 
 #
 # Restrict type of characters sent
@@ -78,7 +88,7 @@ SecRule REQUEST_URI_RAW ^http:/ "deny,log,auditlog,status:400,msg:'Proxy access
 #
 SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
 	"@validateByteRange 32-126" \
-	"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960018',severity:'4',t:urlDecodeUni,phase:1"
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960018',severity:'4',t:urlDecodeUni"
 
 SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
-	"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960901',severity:'4',t:urlDecodeUni,phase:2"
+	"deny,log,auditlog,status:400,msg:'Invalid character in request',,id:'960901',severity:'4',t:urlDecodeUni"