diff --git a/rules/CHANGELOG b/rules/CHANGELOG
index 5451c328..1b5b56ca 100644
--- a/rules/CHANGELOG
+++ b/rules/CHANGELOG
@@ -1,6 +1,6 @@
-------------------------------
-Version 1.6.0-rc3 - 2008/02/11
-------------------------------
+--------------------------
+Version 1.6.0 - 2008/02/19
+--------------------------
 
 New Rulesets & Features:
 - 42 - Tight Security
diff --git a/rules/modsecurity_crs_10_config.conf b/rules/modsecurity_crs_10_config.conf
index 42d0b78a..5e41120a 100644
--- a/rules/modsecurity_crs_10_config.conf
+++ b/rules/modsecurity_crs_10_config.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -114,7 +114,7 @@ SecServerSignature "Apache/2.2.0 (Fedora)"
 # Add ruleset identity to the logs
 #
-SecComponentSignature "core ruleset/1.6.0-rc3"
+SecComponentSignature "core ruleset/1.6.0"
 ## -- File uploads configuration -----------------------------------------------
 # Temporary file storage path.
diff --git a/rules/modsecurity_crs_20_protocol_violations.conf b/rules/modsecurity_crs_20_protocol_violations.conf
index 91915210..611c94a5 100644
--- a/rules/modsecurity_crs_20_protocol_violations.conf
+++ b/rules/modsecurity_crs_20_protocol_violations.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -15,10 +15,6 @@
 #
 #
-# Use status code 400 response status code by default as protocol violations
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:2,status:400"
-
 # Validate request line
 #
 SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
diff --git a/rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/modsecurity_crs_21_protocol_anomalies.conf
index 1486f4dc..2a0f9603 100644
--- a/rules/modsecurity_crs_21_protocol_anomalies.conf
+++ b/rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -14,10 +14,6 @@
 # the request such as URL and not allow the violation generally.
 #
-# Use status code 400 response status code by default as protocol violations
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:2,status:400"
-
 # Do not accept requests without common headers.
 # Implies either an attacker or a legitimate automation client.
 #
diff --git a/rules/modsecurity_crs_23_request_limits.conf b/rules/modsecurity_crs_23_request_limits.conf
index ca26a4e3..1a531468 100644
--- a/rules/modsecurity_crs_23_request_limits.conf
+++ b/rules/modsecurity_crs_23_request_limits.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -16,8 +16,6 @@
 # Uncomment the rules you need
 #
-SecDefaultAction "pass,log,status:400,phase:2"
-
 ## -- Arguments limits --
 # Limit argument name length
diff --git a/rules/modsecurity_crs_30_http_policy.conf b/rules/modsecurity_crs_30_http_policy.conf
index 4b25551c..19755fc2 100644
--- a/rules/modsecurity_crs_30_http_policy.conf
+++ b/rules/modsecurity_crs_30_http_policy.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
diff --git a/rules/modsecurity_crs_35_bad_robots.conf b/rules/modsecurity_crs_35_bad_robots.conf
index c787cee7..81139b09 100644
--- a/rules/modsecurity_crs_35_bad_robots.conf
+++ b/rules/modsecurity_crs_35_bad_robots.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -15,8 +15,6 @@
 # reduction, eliminating most of the random attacks against your web
 # site.
-SecDefaultAction "log,pass,phase:2,t:lowercase"
-
 SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|webinspect|\.nasl)" \
 "deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"
 SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
diff --git a/rules/modsecurity_crs_40_generic_attacks.conf b/rules/modsecurity_crs_40_generic_attacks.conf
index 83354a35..57c47965 100644
--- a/rules/modsecurity_crs_40_generic_attacks.conf
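Review bot: Rule 990002, the context line right after the removed `SecDefaultAction "log,pass,phase:2,t:lowercase"` in the 35_bad_robots hunk, carries no transformation of its own while its User-Agent pattern is written entirely in lowercase (`webinspect`, `nessus`, `nikto`, ...), so after this commit its matching depends on whatever default action is inherited from elsewhere in the configuration, which this diff does not show. The optional_rules/42_comment_spam hunk handles the same removal by inlining the transformations into each rule; the same approach here, `"t:lowercase,deny,log,auditlog,status:404,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',severity:'2'"`, keeps the rule self-contained. The 45_trojans hunk drops a `t:lowercase,status:404` default in the same way, and rule 950921 there (`root\.exe` with only `t:urlDecodeUni,t:htmlEntityDecode`) presumably relied on the inherited lowercasing as well, so it would want an explicit `t:lowercase` too. The 20, 21, 23 and 40 hunks likewise remove file-level `status:` defaults; rules in those files that do not set their own status now return whichever status the global default supplies, which is worth confirming against the unchanged lines. The second SecRule in this hunk continues past the hunk, so its action list could not be checked.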
+++ b/rules/modsecurity_crs_40_generic_attacks.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -17,8 +17,6 @@
 # application requires exceptions for a specific URL, Pattern or source IP
 # before moving to blocking mode.
-SecDefaultAction "log,pass,phase:2,status:500,t:none"
-
 #
 # Session fixation
 #
diff --git a/rules/modsecurity_crs_45_trojans.conf b/rules/modsecurity_crs_45_trojans.conf
index 8a8e0a8d..61baed5d 100644
--- a/rules/modsecurity_crs_45_trojans.conf
+++ b/rules/modsecurity_crs_45_trojans.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -27,8 +27,6 @@
 # Trojans upload to file uploading inspection.
 #
-SecDefaultAction "log,pass,phase:2,t:lowercase,status:404"
-
 SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" "ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950110',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
 SecRule REQUEST_FILENAME "root\.exe" \
 "t:urlDecodeUni,t:htmlEntityDecode,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Backdoor access',id:'950921',tag:'MALICIOUS_SOFTWARE/TROJAN',severity:'2'"
diff --git a/rules/modsecurity_crs_50_outbound.conf b/rules/modsecurity_crs_50_outbound.conf
index c0ec8f65..452d38d1 100644
--- a/rules/modsecurity_crs_50_outbound.conf
+++ b/rules/modsecurity_crs_50_outbound.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -13,8 +13,6 @@
 # of this status code which normally refers to unsupported HTTP methods.
 # It is used in order to confuse automated clients and scanners.
-SecDefaultAction "log,pass,status:501,phase:4,t:none"
-
 # Statistics pages revealed
 SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
diff --git a/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf b/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
index 67b45b97..7ca87752 100644
--- a/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
+++ b/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -15,10 +15,6 @@
 #
 #
-# Use status code 400 response status code by default as protocol violations
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:2,status:400"
-
 # Validate request line
 #
 SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
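Review bot: The removed `SecDefaultAction "log,pass,status:501,phase:4,t:none"` in the 50_outbound hunk was the only visible place putting this file's rules into phase 4, and the `SecRule RESPONSE_BODY` that follows ends with a continuation so its action list is outside the hunk; whether it sets `phase:4` itself cannot be checked here. RESPONSE_BODY is only available in the response phase, so if the inherited default is now a request-phase one, rules without an explicit phase would stop matching silently rather than fail at config load. Each rule in this file should carry `phase:4` (and its own `status:501` and `t:none` if those are still intended) in its action list, the way the 42_comment_spam hunk inlines its transformations. If the unchanged lines already do this, a comment at the top of the rule section such as `# No file-level SecDefaultAction: every rule below must set phase:4 explicitly` would record the dependency for the next edit.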
diff --git a/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf b/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
index f9a51cf2..0bd829a5 100644
--- a/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
+++ b/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -14,10 +14,6 @@
 # the request such as URL and not allow the violation generally.
 #
-# Use status code 400 response status code by default as protocol violations
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:2,status:400"
-
 # Do not accept requests without common headers.
 # Implies either an attacker or a legitimate automation client.
 #
diff --git a/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf b/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
index 3cf92447..f1a9b554 100644
--- a/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
+++ b/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -17,8 +17,6 @@
 # application requires exceptions for a specific URL, Pattern or source IP
 # before moving to blocking mode.
-SecDefaultAction "log,pass,phase:2,status:500,t:none"
-
 #
 # Session fixation
 #
diff --git a/rules/optional_rules/modsecurity_crs_42_comment_spam.conf b/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
index 601babd7..8bbf6b07 100644
--- a/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
+++ b/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -16,19 +16,17 @@
 # more noticable in search results.
 #
-SecDefaultAction "log,pass,phase:2,status:501,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-
 # Prequalifier. Look for first
-SecRule ARGS|ARGS_NAMES "\bhttp:" "skip:1,pass,nolog,id:'999010',severity:'5'"
+SecRule ARGS|ARGS_NAMES "\bhttp:" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'5'"
 SecAction pass,nolog,skipAfter:999011
 # Look for 2 ways of posting a link
-SecRule ARGS|ARGS_NAMES "\[url\b" "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
+SecRule ARGS|ARGS_NAMES "\[url\b" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
 SecRule ARGS|ARGS_NAMES "\