Update rules to 1.6.0.

2025-09-30 11:44:32 +03:00 · 2008-02-19 15:21:33 +00:00
parent e4eaade2ca
commit bdc746baff
16 changed files with 23 additions and 57 deletions
--- a/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
+++ b/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -15,10 +15,6 @@
 #  
 #

-# Use status code 400 response status code by default as protocol violations 
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:2,status:400"
-
 # Validate request line
 #
 SecRule REQUEST_LINE "!^(?:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
--- a/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
+++ b/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -14,10 +14,6 @@
 #      the request such as URL and not allow the violation generally. 
 #

-# Use status code 400 response status code by default as protocol violations 
-# are in essence bad requests.
-SecDefaultAction "log,pass,phase:2,status:400"
-
 # Do not accept requests without common headers. 
 # Implies either an attacker or a legitimate automation client. 
 #
--- a/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
+++ b/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -17,8 +17,6 @@
 #      application requires exceptions for a specific URL, Pattern or source IP
 #      before moving to blocking mode.  
 
-SecDefaultAction "log,pass,phase:2,status:500,t:none"
-
 #
 # Session fixation
 #
--- a/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
+++ b/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -16,19 +16,17 @@
 #   more noticable in search results.
 #

-SecDefaultAction "log,pass,phase:2,status:501,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase"
-
 # Prequalifier. Look for <http> first
-SecRule ARGS|ARGS_NAMES "\bhttp:" "skip:1,pass,nolog,id:'999010',severity:'5'"
+SecRule ARGS|ARGS_NAMES "\bhttp:" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'5'"

 SecAction pass,nolog,skipAfter:999011

 # Look for 2 ways of posting a link
-SecRule ARGS|ARGS_NAMES "\[url\b" "chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
+SecRule ARGS|ARGS_NAMES "\[url\b" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950923',severity:'2'"
 SecRule ARGS|ARGS_NAMES "\<a"

 # Look for too many links in argument (Prone to FPs)
-SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"
+SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'Comment Spam',id:'950020',severity:'3'"


-SecAction "pass,nolog,id:'999011',severity:'5'"
+SecMarker 999011
--- a/rules/optional_rules/modsecurity_crs_42_tight_security.conf
+++ b/rules/optional_rules/modsecurity_crs_42_tight_security.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -15,8 +15,6 @@
 #      many legit requests. 
 #
 
-SecDefaultAction "log,pass,phase:2,status:400,t:none"
-
 #
 # Directory Traversal
 #
--- a/rules/optional_rules/modsecurity_crs_55_marketing.conf
+++ b/rules/optional_rules/modsecurity_crs_55_marketing.conf
@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.6.0-rc3
+# Core ModSecurity Rule Set ver.1.6.0
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -11,8 +11,6 @@
 # monitoring and logging HTTP transactions.
 # --

-SecDefaultAction "log,pass,phase:2,t:lowercase"
-
 SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
        "log,auditlog,msg:'MSN robot activity',id:'910008',severity:'5'"