Fixed files overwriting in installer; added OWASP CRS.

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_42_comment_spam.data

@@ -0,0 +1,42 @@
+super happy fun
+psycheclone
+grub crawler
+core-project/
+winnie poh
+mozilla/4.0+(
+email siphon
+internet explorer
+nutscrape/
+mozilla/4.0(
+missigua
+libwww-perl
+movable type
+user
+blogsearchbot-martin
+emailsiphon
+digger
+8484 boston project
+nutchcvs
+pycurl
+java 1.
+isc systems irc
+emailcollector
+mj12bot/v1.0.8
+trackback/
+microsoft url
+diamond
+autoemailspider
+lwp
+pussycat
+jakarta commons
+java/1.
+user-agent:
+<sc
+adwords
+omniexplorer
+wordpress
+httpproxy
+user agent:
+ecollector
+msie
+cherrypicker

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_10_ignore_static.conf

@@ -0,0 +1,47 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# The rules in this file will cause ModSecurity to let requests for static
+#   content go into the server without being examined (mostly media content). 
+#   This can reduce the load on the server considerably.
+#
+# This ruleset will skip all tests for media files, but will skip only the
+#   request body phase (phase 2) for text files. To skip the outbound stage
+#   for text files, add file 47 (skip_outbound_checks) to your configuration,
+#   in addition to this file
+#
+# NOTE  If you are using mod_rewrite to rewrite URLs, please keep in mind
+#         that some URLs may seem static, when they are not. for example,
+#         if you have a rule like this in your configuration:
+#           RewriteRule (.*).gif images.php?id=$1 [QSA]
+#         then requests to the gif files will pass through ModSecurity without
+#         inspection.
+#
+
+
+# We skip inspection GET & HEAD requests that have no parameters
+# and that end with static content file extension
+SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,skip:1,pass,nolog,id:'999001',severity:'6'"
+SecRule &ARGS "@eq 0" "t:none,setvar:tx.no_parameters=1"
+
+SecAction "phase:2,t:none,nolog,pass,skipAfter:END_STATIC_CONTENT_CHECK"
+
+# Determine actions based on static file extensions
+# Images
+SecRule REQUEST_FILENAME "\.(?:(?:jpe?|pn)g|gif|ico)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999003',severity:'6'"
+# Documents
+SecRule REQUEST_FILENAME "\.(?:doc|pdf|txt|xls)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999004',severity:'6'"
+# HTML
+SecRule REQUEST_FILENAME "\.(?:(?:cs|j)s|html?)$" "phase:2,t:none,t:lowercase,setvar:tx.text_file_extension=1,allow:phase,nolog,id:'999005',severity:'6'"
+# Media files
+SecRule REQUEST_FILENAME "\.(?:mp(?:e?g|3)|avi|flv|swf|wma)$" "phase:2,t:none,t:lowercase,allow,nolog,id:'999006',severity:'6'"
+
+SecMarker END_STATIC_CONTENT_CHECK 

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_11_avs_traffic.conf

@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset allows you to control how ModSecurity will handle traffic originating
+# from Authorized Vulnerability Scanning (AVS) sources.
+# See related blog post -
+# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
+#
+
+#
+# White-list ASV network block (no blocking or logging of AVS traffic)
+# Update IP network block as appropriate for your AVS traffic
+#SecRule REMOTE_ADDR "@beginsWith 192.168.1." "phase:1,id:'981033',t:none,nolog,pass,allow"
+
+#
+# Recommended "Block but Don't Log" rule for scanning traffic
+# Update IP address/network block as appropriate for your ASV traffic
+#SecRule REMOTE_ADDR "@streq 192.168.1.101" "phase:1,id:'981034',t:none,nolog,pass,ctl:auditEngine=Off"
+
+# Recommended phase 3 rule that will re-enable the audit engine if the request
+# was not blocked by one of the normal rules.
+# Update IP address/network block as appropriate for your ASV traffic
+#SecRule REMOTE_ADDR "@streq 192.168.1.101" "phase:3,id:'981035',t:none,nolog,pass,ctl:auditEngine=On" 

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_13_xml_enabler.conf

@@ -0,0 +1,18 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+
+# The rules in this file will trigger the XML parser upon an XML request
+
+# Initiate XML Processor in case of xml content-type
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+"phase:1,id:'981053',t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_authentication_tracking.conf

@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Create an audit log of a successful Authentication.
+#                                                                      
+# We also set the username in the Session and User collections.  This allows
+# for showing the UserID associated with the SESSIONID in any alerts generated.
+#
+# Must review the ModSecurity audit log data to review what a successful auth attempt
+# looks like and then customize this template ruleset for it.
+#
+#SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,nolog,auditlog,msg:'Successful Authentication Attempt.',logdata:'Username - %{args.userid}'"
+# SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
+#  SecRule ARGS:event "@streq LOGON" "chain,t:none"
+#   SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
+#    SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=WELCOME" "chain,t:none"
+#     SecRule ARGS:userid ".*" "t:none,setvar:session.username=%{args.userid},setuid:%{args.userid},setvar:session.successful_auth=1"
+
+#
+# Create an alert when a user fails authenticating.
+#
+# Must review the ModSecurity audit log data to review what a failed auth attempt
+# looks like and then customize this template ruleset for it.
+#
+#SecRule REQUEST_FILENAME "@streq /path/to/login.jsp" "chain,phase:3,t:none,pass,log,severity:'2',msg:'Failed Authentication Attempt.',logdata:'Username - %{args.userid}'"
+# SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
+#  SecRule ARGS:event "@streq LOGON" "chain,t:none"
+#   SecRule RESPONSE_STATUS "@streq 302" "chain,t:none"
+#    SecRule RESPONSE_HEADERS:Location "@streq http://www.example.com/path/to/login.jsp?event=ERROR&ErrorDesc=Invalid User ID/Password Please try again." "t:none"
+

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_session_hijacking.conf

@@ -0,0 +1,51 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This rule file will identify outbound Set-Cookie/Set-Cookie2 response headers and 
+# then initiate the proper ModSecurity session persistent collection (setsid).
+# The rules in this file are required if you plan to run other checks such as 
+# Session Hijacking, Missing HTTPOnly flag, etc...
+#
+
+#
+# This rule set will identify subsequent SessionIDs being submitted by clients in
+# Request Headers.  First we check that the SessionID submitted is a valid one 
+#
+SecMarker BEGIN_SESSION_STARTUP
+
+SecRule REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' ".*" "chain,phase:1,id:'981054',t:none,block,log,msg:'Invalid SessionID Submitted.',setsid:%{matched_var},setvar:tx.sessionid=%{matched_var},skipAfter:END_SESSION_STARTUP"
+        SecRule SESSION:VALID "!@eq 1" "t:none,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/INVALID_SESSIONID-%{matched_var_name}=%{tx.0}"
+
+SecRule &REQUEST_COOKIES:'/(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)/' "@eq 0" "phase:1,id:'981055',t:none,nolog,pass,skipAfter:END_SESSION_STARTUP"
+
+SecAction "phase:1,id:'981056',t:none,nolog,pass,setuid:%{session.username},setvar:session.sessionid=%{tx.sessionid}"
+
+SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)" "chain,phase:1,id:'981057',capture,t:none,nolog,pass" 
+	SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:tx.ip_hash=%{matched_var}"
+SecRule REQUEST_HEADERS:User-Agent ".*" "phase:1,id:'981058',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:tx.ua_hash=%{matched_var}"
+
+SecRule TX:IP_HASH "!@streq %{SESSION.IP_HASH}" "phase:1,id:'981059',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - IP Address Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
+SecRule TX:UA_HASH "!@streq %{SESSION.UA_HASH}" "phase:1,id:'981060',t:none,block,setvar:tx.sticky_session_anomaly=+1,msg:'Warning - Sticky SessionID Data Changed - User-Agent Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
+SecRule TX:STICKY_SESSION_ANOMALY "@eq 2" "phase:1,id:'981061',t:none,block,msg:'Possible Session Hijacking - IP Address and User-Agent Mismatch.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SESSION_HIJACK-%{matched_var_name}=%{tx.0}"
+
+SecMarker END_SESSION_STARTUP
+
+#
+# This rule will identify the outbound Set-Cookie SessionID data and capture it in a setsid
+#
+SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid)=([^\s].*?)\;\s?)" "chain,phase:3,id:'981062',t:none,pass,nolog,capture,setsid:%{TX.6},setvar:session.sessionid=%{TX.6},setvar:tx.ip=%{remote_addr},setvar:tx.ua=%{request_headers.user-agent},setvar:session.valid=1"
+	SecRule UNIQUE_ID "(.*)" "t:none,t:sha1,t:hexEncode,capture,setvar:session.csrf_token=%{TX.1}"
+
+SecRule REMOTE_ADDR "^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)"  "chain,phase:3,id:'981063',capture,t:none,nolog,pass"
+	SecRule TX:1 ".*" "t:sha1,t:hexEncode,setvar:session.ip_hash=%{matched_var}"
+SecRule REQUEST_HEADERS:User-Agent ".*" "phase:3,id:'981064',t:none,t:sha1,t:hexEncode,nolog,pass,setvar:session.ua_hash=%{matched_var}"
+
+

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_16_username_tracking.conf

@@ -0,0 +1,35 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Template rules for login/audit rules.
+# Uncomment the following lines and specify the path or specific login resource for protection
+#
+#<LocationMatch "^/(?:(admin|account\/login\.jsp$))">
+#
+# Identify/Set the UserID name and collection
+# Must correctly specify the parameter name that holds the username data (example ARGS:username)
+#
+#SecRule ARGS:username ".*" "phase:2,id:'981075',t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"
+
+#
+# Password Complexity Check
+# Must correctly specify the parameter name that holds the password data (example ARGS:password)
+# The regex below requires 8 length, one upper, one lower, and one number.
+#
+#SecRule ARGS:password "^(?=[a-zA-Z0-9]*?[A-Z])(?=[a-zA-Z0-9]*?[a-z])(?=[a-zA-Z0-9]*?[0-9])[a-zA-Z0-9]{8,}$" "phase:2,id:'981076',t:none,block,log,msg:'Password does meet complexity requirements.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-POLICY-%{matched_var_name}=%{matched_var}"
+
+#
+# Sanitize the user's password data in the audit logs
+# Set the appropriate password parameter name
+#SecAction "phase:5,id:'981077',t:none,pass,nolog,sanitiseArg:password"
+
+#</LocationMatch>
+

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_25_cc_known.conf

@@ -0,0 +1,110 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# Detect CC# in input, log transaction and sanitize
+SecRule ARGS "@verifyCC (?:^|[^\d])(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \
+        "phase:2,id:'981078',t:none,pass,nolog,skip:1"
+
+SecAction "phase:2,id:'981079',t:none,pass,nolog,skipAfter:END_KNOWN_CC_INBOUND_CHECK"
+
+
+# GSA SmartPay
+SecRule ARGS "@verifyCC (?:^|[^\d])((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'GSA SmartPay Credit Card Number detected in user input',id:'920019',tag:'PCI/10.2',severity:'5'"
+
+# MasterCard
+SecRule ARGS "@verifyCC (?:^|[^\d])(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'MasterCard Credit Card Number detected in user input',id:'920005',tag:'PCI/10.2',severity:'5'"
+
+# Visa
+SecRule ARGS "@verifyCC (?:^|[^\d])(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Visa Credit Card Number detected in user input',id:'920007',tag:'PCI/10.2',severity:'5'"
+
+# American Express
+SecRule ARGS "@verifyCC (?:^|[^\d])(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'American Express Credit Card Number detected in user input',id:'920009',tag:'PCI/10.2',severity:'5'"
+
+# Diners Club
+SecRule ARGS "@verifyCC (?:^|[^\d])((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Diners Club Credit Card Number detected in user input',id:'920011',tag:'PCI/10.2',severity:'5'"
+
+# enRoute
+#SecRule ARGS "(?:^|[^\d])(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+#        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'enRoute Credit Card Number detected in user input',id:'920013',tag:'PCI/10.2',severity:'5'"
+
+# Discover
+SecRule ARGS "@verifyCC (?:^|[^\d])(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'Discover Credit Card Number detected in user input',id:'920015',tag:'PCI/10.2',severity:'5'"
+
+# JCB
+SecRule ARGS "@verifyCC (?:^|[^\d])(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+        "phase:2,t:none,sanitiseMatched,log,auditlog,pass,msg:'JCB Credit Card Number detected in user input',id:'920017',tag:'PCI/10.2',severity:'5'"
+
+
+SecMarker END_KNOWN_CC_INBOUND_CHECK
+
+# Detect CC# in output and block transaction
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})(?:[^\d]|$)" \
+        "phase:4,id:'981080',t:none,pass,nolog,skip:1"
+
+SecAction "phase:4,id:'981081',t:none,pass,nolog,skipAfter:END_KNOWN_CC_OUTBOUND_CHECK"
+
+
+# GSA SmartPay
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:5568|4(?:486|716))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|8699\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+        "chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'GSA SmartPay Card Number sent from site to user',id:'920020',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+# MasterCard
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(5[1-5]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
+	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'MasterCard Credit Card Number sent from site to user',id:'920006',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"        
+
+# Visa
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(4\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d(?:\d{3})??)(?:[^\d]|$)" \
+	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Visa Credit Card Number sent from site to user',id:'920008',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+# American Express
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3[47]\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'American Express Credit Card Number sent from site to user',id:'920010',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+# Diners Club
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)((?:30[0-5]|3[68]\d)\d\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2})(?:[^\d]|$)" \
+	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Diners Club Credit Card Number sent from site to user',id:'920012',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+# enRoute
+#SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "(?:^|[^\d])(?<!google_ad_client = \"pub-)(2(?:014|149)\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{2}|55\d{2}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+#	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'enRoute Credit Card Number sent from site to user',id:'920014',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+#        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+#                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+# Discover
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(6(?:011|5\d{2})\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4})(?:[^\d]|$)" \
+	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'Discover Credit Card Number sent from site to user',id:'920016',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+# JCB
+SecRule RESPONSE_BODY|RESPONSE_HEADERS:Location "@verifyCC (?:^|[^\d])(?<!google_ad_client = \"pub-)(3\d{3}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{4}|(?:1800|21(?:31|00))\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{3})(?:[^\d]|$)" \
+	"chain,logdata:'Start of CC #: %{tx.ccdata_begin}***...',phase:4,t:none,ctl:auditLogParts=-E,block,msg:'JCB Credit Card Number sent from site to user',id:'920018',tag:'WASCTC/5.2',tag:'PCI/3.3',severity:'1'"
+        SecRule TX:1 "(\d{4}\-?\d{4}\-?\d{2}\-?\d{2}\-?\d{1,4})" "chain,capture,setvar:tx.ccdata=%{tx.1}"
+                SecRule TX:CCDATA "^(\d{4}\-?)" "capture,setvar:tx.ccdata_begin=%{tx.1},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-LEAKAGE/CC-%{matched_var_name}=%{tx.0}"
+
+
+SecMarker END_KNOWN_CC_OUTBOUND_CHECK
+

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_42_comment_spam.conf

@@ -0,0 +1,47 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Comment spam is an attack against blogs, guestbooks, wikis and other types of
+#   interactive web sites that accept and display hyperlinks submitted by
+#   visitors. The spammers automatically post specially crafted random comments
+#   which include links that point to the spammer's web site. The links
+#   artificially increas the site's search engine ranking and may make the site
+#   more noticable in search results.
+#
+
+SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" "phase:1,id:'981137',t:none,pass,nolog,skipAfter:END_RBL_LOOKUP"
+  SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org" "phase:1,id:'981138',t:none,pass,nolog,auditlog,msg:'RBL Match for SPAM Source',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},setvar:ip.spammer=1,expirevar:ip.spammer=86400,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400,skipAfter:END_RBL_CHECK"
+
+  SecAction "phase:1,id:'981139',t:none,nolog,pass,setvar:ip.previous_rbl_check=1,expirevar:ip.previous_rbl_check=86400"
+SecMarker END_RBL_LOOKUP
+
+SecRule IP:SPAMMER "@eq 1" "phase:1,id:'981140',t:none,pass,nolog,auditlog,msg:'Request from Known SPAM Source (Previous RBL Match)',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_RBL_CHECK
+
+SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_42_comment_spam.data" \
+        "chain,phase:2,rev:'2.2.6',t:none,t:lowercase,pass,nolog,auditlog,status:404,msg:'Common SPAM/Email Harvester crawler',id:'958297',tag:'AUTOMATION/MALICIOUS',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
+	SecRule REQUEST_HEADERS:User-Agent "^(?:m(?:o(?:zilla\/4\.0\+?\(|vable type)|i(?:crosoft url|ssigua)|j12bot\/v1\.0\.8|sie)|e(?:mail(?:collector| ?siphon)|collector)|(?:blogsearchbot-marti|super happy fu)n|i(?:nternet explorer|sc systems irc)|ja(?:karta commons|va(?:\/| )1\.)|c(?:ore-project\/|herrypicker)|p(?:sycheclone|ussycat|ycurl)|(?:grub crawl|omniexplor)er|a(?:utoemailspider|dwords)|w(?:innie poh|ordpress)|nut(?:scrape/|chcvs)|8484 boston project|user(?:[- ]agent:)?|l(?:ibwww-perl|wp)|di(?:amond|gger)|trackback\/|httpproxy|<sc)"
+
+
+# Prequalifier. Look for <http> first
+SecRule ARGS|ARGS_NAMES "\bhttp:" "phase:2,rev:'2.2.6',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,skip:1,pass,nolog,id:'999010',severity:'6'"
+
+SecAction phase:2,rev:'2.2.6',pass,nolog,skipAfter:END_COMMENT_SPAM
+
+	# Look for 2 ways of posting a link
+	SecRule ARGS|ARGS_NAMES "\[url\b" "phase:2,rev:'2.2.6',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,chain,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950923',severity:'2'"
+		SecRule ARGS|ARGS_NAMES "\<a" "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{tx.0}'"
+
+	# Look for too many links in an argument (Prone to FPs)
+	SecRule ARGS|ARGS_NAMES "(http:\/.*?){4}" "phase:2,rev:'2.2.6',t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Comment Spam',id:'950020',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
+
+SecMarker END_COMMENT_SPAM 

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_43_csrf_protection.conf

@@ -0,0 +1,109 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# You must have also activated the 16 session hijacking conf file as
+# it initiates the Session Collection and creates the CSRF token
+#
+
+#
+# CSRF Protections
+#
+# Must set this directive to On to inject content in the response.
+#
+SecContentInjection On
+
+#
+# It is most likely not appropriate to force CSRF tokens/validation on *all* resources.
+# You should edit the LocationMatch Regular Expression below and specify what resources
+# you wish to protect.  Some ideas would be for post-authentiacation directories, etc...
+#
+# Limitations - this implementation does not currently work with AJAX
+#
+<LocationMatch .*>
+SecRule &ARGS "@ge 1" "chain,phase:2,id:'981143',t:none,block,msg:'CSRF Attack Detected - Missing CSRF Token.'"
+ SecRule &ARGS:CSRF_TOKEN "!@eq 1" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"
+
+SecRule &ARGS "@ge 1" "chain,phase:2,id:'981144',t:none,block,msg:'CSRF Attack Detected - Invalid Token.'"
+ SecRule ARGS:CSRF_TOKEN "!@streq %{SESSION.CSRF_TOKEN}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/CSRF-%{matched_var_name}=%{matched_var}"
+
+
+
+#
+# This rule will use Content Injection to append the CSRF Token 
+#
+SecRule &SESSION:CSRF_TOKEN "@eq 1" "phase:4,id:'981145',t:none,nolog,pass,append:'<html><script language=\"JavaScript\"> \
+\
+var tokenName = \'CSRF_TOKEN\'; \
+var tokenValue = \'%{session.csrf_token}\'; \
+\
+function updateTags() { \
+\
+        var all = document.all ? document.all : document.getElementsByTagName(\'*\'); \
+        var len = all.length; \
+\
+        for(var i=0; i<len; i++) { \
+                var e = all[i]; \
+                \
+                updateTag(e, \'src\'); \
+                updateTag(e, \'href\'); \
+        } \
+} \
+\
+function updateForms() { \
+\
+        var forms = document.getElementsByTagName(\'form\'); \
+                \
+        for(i=0; i<forms.length; i++) { \
+                var html = forms[i].innerHTML; \
+                \
+                html += \'<input type=hidden name=\' + tokenName + \' value=\' + tokenValue + \' />\'; \
+\
+                forms[i].innerHTML = html; \
+        } \
+\
+} \
+\
+function updateTag(element, attr) { \
+\
+        var location = element.getAttribute(attr); \
+\
+        if(location != null && location != \'\' && isHttpLink(location)) { \
+\
+                var index = location.indexOf(\'?\'); \
+\
+                if(index != -1) { \
+                        location = location + \'&\' + tokenName + \'=\' + tokenValue; \
+                } else { \
+                        location = location + \'?\' + tokenName + \'=\' + tokenValue; \
+                } \
+\
+                element.setAttribute(attr, location); \
+\
+        } \
+\
+} \
+\
+function isHttpLink(src) { \
+        var result = 0; \
+                \
+        if(src.substring(0, 4) != \'http\' || src.substring(0, 1) == \'/\') { \
+                result = 1; \
+        } \
+        \
+        return result; \
+} \
+\
+updateTags(); \
+updateForms(); \
+\
+</script></html>'"
+
+</LocationMatch>

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_46_av_scanning.conf

@@ -0,0 +1,17 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# Modify the operator to use the correct AV scanning script/tool
+# Example tools are in the util directory.
+#
+
+SecRule FILES_TMPNAMES "@inspectFile /bin/runAV" \
+	"phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf

@@ -0,0 +1,21 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# This ruleset is a complementary to ruleset 34 - Ignore Static. By default,
+#   ruleset 34 doesn't skip inspection for leakages in html/documents.
+#   Adding this ruleset to your configuration will cause ModSecurity to also
+#   skip the rules in files
+#
+
+
+# Skip outbound inspection on requests for text content which have no parameters
+SecRule TX:text_file_extension "@eq 1" "chain,phase:3,allow,nolog,id:'999008',severity:'6'"
+SecRule TX:no_parameters "@eq 1"

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_49_header_tagging.conf

@@ -0,0 +1,52 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# This file will add Request Header Tagging which allows ModSecurity to communicate
+# any event/rule matches it finds with the downstream application server.  The concept
+# is similar to that of Anti-SPAM apps for Email (such as SpamAssassin).
+#
+# The idea is that if the WAF is in a DetectionOnly mode, it can still share data
+# with the destination app server and then the app server may choose to inspect
+# the new WAF request headers and factor in this data into a possible blocking
+# decision.
+#
+# This concept is tremendously useful in a distributed architecture and/or when
+# there are Fraud Detection Systems at the app server layer that can correlate
+# the WAF data into the overall Fraud Score.  This is also useful in Hosting
+# Environments where the decision to block may not be as clear.
+#
+
+SecRule TX:ANOMALY_SCORE "@eq 0" "phase:2,id:'981173',t:none,nolog,pass,skipAfter:END_HEADER_TAGGING"
+
+SecRule TX:/^\d/ "." "phase:2,id:'981174',t:none,nolog,pass,setvar:tx.counter=+1,setenv:matched_rule-%{tx.counter}=%{matched_var_name},setenv:anomaly_score=%{tx.anomaly_score},setenv:sql_injection_score=%{tx.sql_injection_score},setenv:xss_score=%{tx.xss_score}"
+
+RequestHeader append X-WAF-Events "%{matched_rule-1}e" env=matched_rule-1
+RequestHeader append X-WAF-Events "%{matched_rule-2}e" env=matched_rule-2
+RequestHeader append X-WAF-Events "%{matched_rule-3}e" env=matched_rule-3
+RequestHeader append X-WAF-Events "%{matched_rule-4}e" env=matched_rule-4
+RequestHeader append X-WAF-Events "%{matched_rule-5}e" env=matched_rule-5
+RequestHeader append X-WAF-Events "%{matched_rule-6}e" env=matched_rule-6
+RequestHeader append X-WAF-Events "%{matched_rule-7}e" env=matched_rule-7
+RequestHeader append X-WAF-Events "%{matched_rule-8}e" env=matched_rule-8
+RequestHeader append X-WAF-Events "%{matched_rule-9}e" env=matched_rule-9
+RequestHeader append X-WAF-Events "%{matched_rule-10}e" env=matched_rule-10
+RequestHeader append X-WAF-Events "%{matched_rule-11}e" env=matched_rule-11
+RequestHeader append X-WAF-Events "%{matched_rule-12}e" env=matched_rule-12
+RequestHeader append X-WAF-Events "%{matched_rule-13}e" env=matched_rule-13
+RequestHeader append X-WAF-Events "%{matched_rule-14}e" env=matched_rule-14
+RequestHeader append X-WAF-Events "%{matched_rule-15}e" env=matched_rule-15
+RequestHeader append X-WAF-Events "%{matched_rule-16}e" env=matched_rule-16
+RequestHeader append X-WAF-Events "%{matched_rule-17}e" env=matched_rule-17
+RequestHeader append X-WAF-Events "%{matched_rule-18}e" env=matched_rule-18
+RequestHeader append X-WAF-Events "%{matched_rule-19}e" env=matched_rule-19
+RequestHeader append X-WAF-Events "%{matched_rule-20}e" env=matched_rule-20
+RequestHeader set X-WAF-Score "Total=%{anomaly_score}e; sqli=%{sql_injection_score}e; xss=%{xss_score}e" env=anomaly_score
+
+SecMarker END_HEADER_TAGGING

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_55_application_defects.conf

@@ -0,0 +1,190 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+##############################################################################
+# -=[ Charset Checks ]=-
+#
+# http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
+##############################################################################
+
+#
+# [ Charset not set ]
+#
+# - http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms
+#
+SecRule &GLOBAL:MISSING_CHARSET "@eq 0" "phase:5,t:none,nolog,pass,id:'981219',setvar:global.missing_charset=0"
+SecRule GLOBAL:MISSING_CHARSET "@le 10" "chain,phase:5,t:none,pass,id:'981220',log,msg:'[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'APP_DEFECT/MISCONFIGURATION',tag:'http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms'"
+        SecRule RESPONSE_STATUS "@rx ^2" "chain"
+                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
+			SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);?$)" "chain"
+                        	SecRule RESPONSE_BODY "!@rx (?i:(<meta.*?(content|value)=\"text/html;\s?charset=|<\?xml.*?encoding=))" "setvar:global.missing_charset=+1,expirevar:global.missing_charset=86400"
+
+#
+# [ Charset not explicitly set to UTF-8 in HTML/XML content ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8
+# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
+#
+SecRule &GLOBAL:CHARSET_NOT_UTF8 "@eq 0" "phase:5,t:none,nolog,pass,id:'981221',setvar:global.charset_not_utf8=0"
+SecRule GLOBAL:CHARSET_NOT_UTF8 "@le 10" "chain,phase:5,t:none,pass,id:'981222',log,msg:'[Watcher Check]  The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content\'s meta tag.',logdata:'Content-Type Response Header: %{response_content_type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8'"
+        SecRule RESPONSE_STATUS "@rx ^2" "chain"
+                SecRule RESPONSE_CONTENT_TYPE "(?i:(^text/html|^application/xml|^text/xml))" "chain"
+                        SecRule RESPONSE_CONTENT_TYPE "!@contains charset=utf-8" "chain,t:none,t:lowercase"
+                                SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
+                                        SecRule RESPONSE_BODY "!@rx (<meta.*?(content|value)=\"text/html;\s?charset=utf-8|<\?xml.*?encoding=\"utf-8\")" "t:none,t:lowercase,setvar:global.charset_not_utf8=+1,expirevar:global.charset_not_utf8=86400"
+
+#
+# [ Detect charset mismatches between HTTP header and HTML/XML bodies ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch
+# - http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
+#
+SecRule &GLOBAL:CHARSET_MISMATCH "@eq 0" "phase:5,t:none,nolog,pass,id:'981223',setvar:global.charset_mismatch=0"
+SecRule GLOBAL:CHARSET_MISMATCH "@le 10" "chain,phase:5,t:none,pass,id:'981224',log,msg:'[Watcher Check] The charset specified was not the same in the HTTP Content-Type header and in the HTML content\'s meta tag',logdata:'Content-Type Response Header Charset is: %{tx.charset_header} and HTTP Equiv Charset is: %{tx.charset_body}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-mismatch'"
+        SecRule RESPONSE_STATUS "@rx ^2" "chain"
+                SecRule RESPONSE_CONTENT_TYPE "(?i:^(text/html|text/xml|application/xml);\s?charset=([^;]*))" "chain,t:none,t:lowercase,capture,setvar:tx.charset_header=%{tx.2}"
+			SecRule RESPONSE_HEADERS:Content-Length "!@streq 0" "chain"
+                        	SecRule RESPONSE_BODY "(?i)(charset|encoding)=\"?(.*?)\"" "chain,t:none,t:lowercase,capture,setvar:tx.charset_body=%{tx.2}"
+                                        SecRule TX:CHARSET_HEADER "!@streq %{tx.charset_body}" "t:none,setvar:global.charset_mismatch=+1,expirevar:global.charset_mismatch=86400"
+
+
+##############################################################################
+# -=[ Cookie Checks ]=-
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
+##############################################################################
+
+#
+# [ Look for cookies with loosely scoped domain restrictions ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain
+# - http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
+#
+SecRule &GLOBAL:LOOSE_DOMAIN_SCOPE "@eq 0" "phase:5,t:none,nolog,pass,id:'981237',setvar:global.loose_domain_scope=0"
+SecRule GLOBAL:LOOSE_DOMAIN_SCOPE "@le 10" "chain,phase:5,id:'981238',t:none,pass,log,auditlog,msg:'AppDefect: Loose Domain Cookie Flag Restrictions.',logdata:'Cookie: %{tx.1} and Domain: %{tx.2}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain'"
+        SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "!@rx (?i)domain=(?:(?!\d|-)[a-zA-Z0-9\-]{1,63}(?<!-)\.)([a-zA-Z0-9\-]{1,63}(?<!-)\.)(?:[a-zA-Z]{2,})" "chain,setvar:tx.set-cookie-counter=+1,setvar:tx.%{matched_var_name}_%{tx.set-cookie-counter}=%{matched_var}"
+		SecRule TX:/^RESPONSE_HEADERS:Set-Cookie2?_/ "(?i)^(.*?);.*domain=(.*?);" "capture,setvar:global.loose_domain_scope=+1,expirevar:global.loose_domain_scope=86400" 
+
+
+# 
+# [ Cookie's HttpOnly Flag Was Not Set ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag 
+# - https://www.owasp.org/index.php/HttpOnly
+# 
+SecRule &GLOBAL:MISSING_HTTPONLY "@eq 0" "phase:5,t:none,nolog,pass,id:'981235',setvar:global.missing_httponly=0"
+SecRule GLOBAL:MISSING_HTTPONLY "@le 10" "chain,phase:5,id:'981184',t:none,pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag'" 
+	SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*httponly.*)(.*$)" "capture,setvar:global.missing_httponly=+1,expirevar:global.missing_httponly=86400"
+
+#
+# [ Fix Missing "httponly" Flag ]
+#
+Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!httponly).)+)$" "$1; HttpOnly"
+
+
+#
+# [ Cookie's Secure Flag Was Not Set ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag
+# - https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_.22Secure.22_Cookie_Flag
+# 
+SecRule &GLOBAL:MISSING_SECURE "@eq 0" "phase:3,t:none,nolog,pass,id:'981236',setvar:global.missing_secure=0"
+SecRule GLOBAL:MISSING_SECURE "@le 10" "chain,phase:3,id:'981185',t:none,pass,log,auditlog,msg:'AppDefect: Missing Secure Cookie Flag for %{tx.1}.',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag'" 
+    SecRule SERVER_PORT "@streq 443" "chain,t:none,setenv:secure_site" 
+	SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(.*?)=(?i)(?!.*secure.*)(.*$)" "capture,setvar:global.missing_secure=+1,expirevar:global.missing_secure=86400"
+
+#
+# [ Fix Missing "secure" Flag ]
+# 
+Header edit Set-Cookie "^((?i:(_?(COOKIE|TOKEN)|atlassian.xsrf.token|[aj]?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))=(?i:(?!secure).)+)$" "$1; secure" env=secure_site 
+
+
+##############################################################################
+# -=[ HTTP Header Checks ]=-
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#header
+##############################################################################
+
+#
+# [ Check that the cache-control HTTP header is set to 'no-store' ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
+#
+SecRule &GLOBAL:CHECK_CACHE_CONTROL "@eq 0" "phase:5,t:none,nolog,pass,id:'981239',setvar:global.check_cache_control=0"
+SecRule GLOBAL:CHECK_CACHE_CONTROL "@le 10" "chain,phase:5,id:'981240',t:none,pass,log,auditlog,msg:'AppDefect: Cache-Control Response Header Missing \'no-store\' flag.',logdata:'Cache-Control: %{response_headers.cache-control}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store'"
+	SecRule RESPONSE_HEADERS:Cache-Control "!@contains no-store" "t:none,t:lowercase,setvar:global.check_cache_control=+1,expirevar:global.check_cache_control=86400"
+
+
+#
+# [ Check that a Content-Type header is included in the HTTP response ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing
+#
+SecRule &GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@eq 0" "phase:5,t:none,nolog,pass,id:'981400',setvar:global.content_type_header_exists=0"
+SecRule GLOBAL:CONTENT_TYPE_HEADER_EXISTS "@le 10" "chain,phase:5,id:'981401',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing or Empty.',logdata:'Content-Type: %{response_headers.content-type}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-content-type-header-missing'"
+	SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "t:none,setvar:global.content_type_header_exists=+1,expirevar:global.content_type_header_exists=86400"
+
+
+#
+# [ Check that IE's XSS protection filter is not being disabled by the Web-application ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled
+#
+SecRule &GLOBAL:X_XSS_PROTECTION_DISABLED "@eq 0" "phase:5,t:none,nolog,pass,id:'981402',setvar:global.x_xss_protection_disabled=0"
+SecRule GLOBAL:X_XSS_PROTECTION_DISABLED "@le 10" "chain,phase:5,id:'981403',t:none,pass,log,auditlog,msg:'AppDefect: IE8\'s XSS protection Filter is Disabled.',logdata:'X-XSS-Protection: %{response_headers.x-xss-protection}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#internet-explorer-xss-filter-disabled'"
+        SecRule RESPONSE_HEADERS:X-XSS-Protection "@streq 0" "t:none,setvar:global.x_xss_protection_disabled=+1,expirevar:global.x_xss_protection_disabled=86400"
+
+
+#
+# [ Check that the X-FRAME-OPTIONS header is being set for Clickjacking defense ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options
+#
+SecRule &GLOBAL:X_FRAME_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981404',setvar:global.x_frame_options=0"
+SecRule GLOBAL:X_FRAME_OPTIONS "@le 10" "chain,phase:5,id:'981405',t:none,pass,log,auditlog,msg:'AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny.',logdata:'X-FRAME-OPTIONS: %{response_headers.x-frame-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options'"
+        SecRule &RESPONSE_HEADERS:X-FRAME-OPTIONS|RESPONSE_HEADERS:X-FRAME-OPTIONS "^(?i:0|allow)$" "t:none,setvar:global.x_frame_options=+1,expirevar:global.x_frame_options=86400"
+
+
+#
+# [ Checks that the X-CONTENT-TYPE-OPTIONS defense against MIME-sniffing has been declared ]
+#
+# - http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options
+#
+SecRule &GLOBAL:X_CONTENT_TYPE_OPTIONS "@eq 0" "phase:5,t:none,nolog,pass,id:'981406',setvar:global.x_content_type_options=0"
+SecRule &RESPONSE_HEADERS:Content-Type|RESPONSE_HEADERS:Content-Type "^0$|^$" "chain,phase:5,id:'981407',t:none,pass,log,auditlog,msg:'AppDefect: Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to \'nosniff\'.',logdata:'X-Content-Type-Options: %{response_headers.x-content-type-options}',tag:'WASCTC/WASC-15',tag:'MISCONFIGURATION',tag:'http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-content-type-options'"
+        SecRule GLOBAL:X_CONTENT_TYPE_OPTIONS "@le 10" "chain"
+		SecRule &RESPONSE_HEADERS:X-Content-Type-Options|RESPONSE_HEADERS:X-Content-Type-Options "^0$|^[a-z]+(?<!:nosniff)" "t:none,t:lowercase,setvar:global.x_content_type_options=+1,expirevar:global.x_content_type_options=86400"
+
+
+
+# XSS Detection - Missing Output Encoding
+#
+SecAction "phase:1,nolog,pass,initcol:global=xss_list"
+
+#
+# Identifies Reflected XSS
+# If malicious input (with Meta-Characters) is echoed back in the reply non-encoded.
+#
+SecRule &ARGS "@gt 0" "chain,phase:4,id:'981179',t:none,log,auditlog,deny,status:403,id:'1',msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded.',logdata:'%{tx.inbound_meta-characters}'"
+        SecRule ARGS "([\'\"\(\)\;<>#])" "chain,t:none"
+                SecRule MATCHED_VAR "^.{15,}$" "chain,t:none,setvar:tx.inbound_meta-characters=%{matched_var}"
+                        SecRule RESPONSE_BODY "@contains %{tx.inbound_meta-characters}" "ctl:auditLogParts=+E"
+
+#
+# Check to see if TX XSS Data is already in the GLOBAL list.  If it is - expire it.
+SecRule GLOBAL:'/XSS_LIST_.*/' "@streq %{tx.inbound_meta-characters}" "phase:4,id:'981180',t:none,nolog,pass,skip:1"
+SecRule TX:INBOUND_META-CHARACTERS ".*" "phase:4,id:'981181',t:none,nolog,pass,setvar:global.xss_list_%{time_epoch}=%{matched_var}"
+
+#
+# Identifies Stored XSS
+# If malicious input (with Meta-Characters) is echoed back on any page non-encoded.
+SecRule GLOBAL:'/XSS_LIST_.*/' "@within %{response_body}" "phase:4,id:'981182',t:none,log,auditlog,pass,msg:'Potentially Malicious Meta-Characters in User Data Not Properly Output Encoded',tag:'WEB_ATTACK/XSS'"
+
+

iis/ModSecurityIIS/owasp_crs/optional_rules/modsecurity_crs_55_marketing.conf

@@ -0,0 +1,22 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+# These rules do not have a security importance, but shows other benefits of 
+# monitoring and logging HTTP transactions.
+# --
+
+SecRule REQUEST_HEADERS:User-Agent "msn(?:bot|ptc)" \
+        "phase:2,rev:'2.2.6',t:none,t:lowercase,block,msg:'MSN robot activity',id:'910008',severity:'6'"
+
+SecRule REQUEST_HEADERS:User-Agent "\byahoo(?:-(?:mmcrawler|blogs)|! slurp)\b" \
+        "phase:2,rev:'2.2.6',t:none,t:lowercase,block,msg:'Yahoo robot activity',id:'910007',severity:'6'"
+
+SecRule REQUEST_HEADERS:User-Agent "(?:(?:gsa-crawler \(enterprise; s4-e9lj2b82fjjaa; me\@mycompany\.com|adsbot-google \(\+http:\/\/www\.google\.com\/adsbot\.html)\)|\b(?:google(?:-sitemaps|bot)|mediapartners-google)\b)" \
+        "phase:2,rev:'2.2.6',t:none,t:lowercase,block,msg:'Google robot activity',id:'910006',severity:'6'"