Update core rules to 1.6.0-rc3.

rules/modsecurity_crs_30_http_policy.conf

@@ -1,5 +1,5 @@
 # ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.1.5.1
+# Core ModSecurity Rule Set ver.1.6.0-rc3
 # Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
 #
 # The ModSecuirty Core Rule Set is distributed under GPL version 2
@@ -7,8 +7,8 @@
 # ---------------------------------------------------------------
 
 
-#%name 30 - HTTP policy enforcement
-#%desc The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
+# HTTP policy enforcement
+# The HTTP policy enforcement rule set sets limitations on the use of HTTP by clients.
 
 # Few applications require the breadth and depth of the HTTP protocol. On the 
 # other hand many attacks abuse valid but rare HTTP use patterns. Restricting 
@@ -30,11 +30,11 @@ SecDefaultAction "pass,log,status:400,phase:2"
 # allow request methods
 #
 # TODO Most applications only use GET, HEAD, and POST request
-#      methods, if so uncomment the line below. Otherwise you are advised 
-#      to edit the line before uncommenting it.
+#      methods. If that is not the case with your environment, you are advised 
+#      to edit the line or uncomment it.
 #
 SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
-    "phase:2,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
+    "phase:2,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'960032',tag:'POLICY/METHOD_NOT_ALLOWED'"
 
 
 # Restrict which content-types we accept.
@@ -68,7 +68,7 @@ SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
 #      UltraLite iAnywhere       application/octet-stream
 #
 SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
-    "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',severity:'4'"
+    "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content type is not allowed by policy',id:'960010',tag:'POLICY/ENCODING_NOT_ALLOWED',severity:'4'"
 SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"
 
 # Restrict protocol versions.
@@ -82,7 +82,7 @@ SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded
 #      client to send HTTP requests in a version lower than 1.1  
 #       
 SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
-    "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034'"
+    "t:none, deny,log,auditlog,status:505,msg:'HTTP protocol version is not allowed by policy', severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED'"
 
 # Restrict file extension
 #
@@ -93,7 +93,7 @@ SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.[01])$" \
 #      comment the whole rule.       
 #
 SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|key|mdb|old)$" \
-    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035'"
+    "t:urlDecodeUni, t:lowercase, deny,log,auditlog,status:500,msg:'URL file extension is restricted by policy', severity:'2',id:'960035',tag:'POLICY/EXT_RESTRICTED'"
 
 
 
@@ -105,7 +105,7 @@ SecRule REQUEST_BASENAME "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(
 #      Set Templates to do so, otherwise comment the whole rule.       
 #
 SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
-    "t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"
+    "t:lowercase,deny,log,auditlog,status:500,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',severity:'4'"
 
 
 # Restricted Content Encodings
@@ -117,8 +117,8 @@ SecRule REQUEST_HEADERS_NAMES "(?:lock-token|translate|if)$" \
 # Deny inbound compressed content
 SecRule REQUEST_HEADERS:Content-Encoding "!^Identity$" \
     "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support content encodings',id:'960902',severity:'3'"
-# Log outbound compressed content (once per location)
+# Log outbound compressed content (log once)
 SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
-    "phase:5,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain"
-SecRule &RESOURCE:alerted_960903_compression "@eq 0" "setvar:resource.alerted_960903_compression"
+    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support content encodings',id:'960903',severity:'4',chain,initcol:global=global"
+SecRule &GLOBAL:alerted_960903_compression "@eq 0" "setvar:global.alerted_960903_compression"