Update core rules to 1.6.0-rc3.

rules/modsecurity_crs_21_protocol_anomalies.conf

@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5.1
+# Core ModSecurity Rule Set ver.1.6.0-rc3
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -22,33 +22,36 @@ SecDefaultAction "log,pass,phase:2,status:400"
 # Implies either an attacker or a legitimate automation client. 
 #
 # Exception for Apache SSL pinger
-SecRule REQUEST_LINE "^GET /$" "chain,skip:8,nolog,pass"
+
+SecRule REQUEST_LINE "^GET /$" "chain,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999210',severity:'5'"
 SecRule REMOTE_ADDR "^127\.0\.0\.1$"
+
 # Exception for Apache internal dummy connection
-SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,skip:5,nolog,pass"
+SecRule REQUEST_LINE "^GET / HTTP/1.0$" "chain,pass,nolog,ctl:ruleRemoveById=960019,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960015,ctl:ruleRemoveById=960009,id:'999211',severity:'5'"
 SecRule REMOTE_ADDR "^127\.0\.0\.1$" "chain"
 SecRule REQUEST_HEADERS:User-Agent "^Apache.*\(internal dummy connection\)$" "t:none"
 
+
 # Detect HTTP/0.9 Requests
 SecRule REQUEST_PROTOCOL ^http/0.9$ "t:lowercase,log,auditlog,msg:'HTTP/0.9 Request Detected',id:'960019',severity:'4'"
 
 SecRule &REQUEST_HEADERS:Host "@eq 0" \
-    "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"
+    "skip:1,log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
 SecRule REQUEST_HEADERS:Host "^$" \
-    "log,auditlog,msg:'Request Missing a Host Header',id:'960008',severity:'4'"    
+    "log,auditlog,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"    
 
 
 SecRule &REQUEST_HEADERS:Accept "@eq 0" \
-    "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'"
+    "chain,skip:1,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
 SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
 SecRule REQUEST_HEADERS:Accept "^$" \
-    "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015'"
+    "chain,log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
 SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
 
 SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
-    "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'"
+    "skip:1,log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
 SecRule REQUEST_HEADERS:User-Agent "^$" \
-    "log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',severity:'4'"
+    "log,auditlog,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
 
 
 SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -58,11 +61,11 @@ SecRule REQUEST_HEADERS:Content-Length "!^0$"
 
 # Check that the host header is not an IP address 
 #
-SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017'"
+SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,log,auditlog,status:400,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST'"
 
 
 # Log a security event when the request is rejected by apache
 #
-SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,msg:'Invalid request',id:'960913',severity:'2'"
+SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,pass,msg:'Invalid request',id:'960913',severity:'2'"
 SecRule WEBSERVER_ERROR_LOG !ModSecurity