From fe727c702122d3513de64fff240d80ea8a4e00a2 Mon Sep 17 00:00:00 2001
From: "Felipe \"Zimmerle\" Costa" <fcosta@trustwave.com>
Date: Mon, 24 Feb 2014 10:23:52 -0300
Subject: [PATCH] iis: Updated OWASP crs to version 2.2.9

---
 iis/installer.wxs                     |  18 +-
 iis/wix/modsecurity_crs_10_setup.conf | 428 --------------------------
 2 files changed, 11 insertions(+), 435 deletions(-)
 delete mode 100644 iis/wix/modsecurity_crs_10_setup.conf

diff --git a/iis/installer.wxs b/iis/installer.wxs
index 39488602..ff5e3ada 100644
--- a/iis/installer.wxs
+++ b/iis/installer.wxs
@@ -124,13 +124,15 @@
             </Directory>
             <?endif ?>
             <Directory Id="$(var.PlatformProgramFilesFolder)">
-                <Directory Id="INSTALLFOLDER" Name="ModSecurity IIS">
+		    <Directory Id="INSTALLFOLDER" Name="ModSecurity IIS">
+                        <Component Id="OWASP_CRS_V_2_2_9_SETUP" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6500">
+ 			   <File Id="MODSECURITY_CRS_10_SETUP.CONF.EXAMPLE" Name="modsecurity_crs_10_setup.conf" Source="release\owasp_crs\modsecurity_crs_10_setup.conf.example" />
+                        </Component>
                     <Directory Id="OWASP_CRS" Name="owasp_crs">
-                        <Component Id="OWASP_CRS_V_2_2_8" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6502">
+                        <Component Id="OWASP_CRS_V_2_2_9" DiskId="1" Guid="64629082-F6A2-4675-9E3E-4EA363CD6502">
                             <File Id="CHANGES" Name="CHANGES" Source="release\owasp_crs\CHANGES" />
                             <File Id="INSTALL" Name="INSTALL" Source="release\owasp_crs\INSTALL" />
                             <File Id="LICENSE" Name="LICENSE" Source="release\owasp_crs\LICENSE" />
-                            <File Id="MODSECURITY_CRS_10_SETUP.CONF.EXAMPLE" Name="modsecurity_crs_10_setup.conf.example" Source="release\owasp_crs\modsecurity_crs_10_setup.conf.example" />
                             <File Id="README.MD" Name="README.md" Source="release\owasp_crs\README.md" />
                         </Component>
                         <Directory Id="ACTIVATED_RULES" Name="activated_rules">
@@ -277,7 +279,7 @@
                                 <Directory Id="TESTS" Name="tests">
                                     <Component Id="TESTS" DiskId="1" Guid="FCCBB8FE-4327-4AF0-AB5C-3120858EBB16">
                                         <File Id="MODSECURITY_CRS_20_PROTOCOL_VIOLATIONS.TESTS" Name="modsecurity_crs_20_protocol_violations.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_20_protocol_violations.tests" />
-                                        <File Id="MODSECURITY_CRS_21_PROTOCOL_ANOMALIES.TESTS" Name="modsecurity_crs_21_protocol_anomalies.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_21_protocol_anomalies.tests" />
+					<File Id="MODSECURITY_CRS_21_PROTOCOL_ANOMALIES.TESTS" Name="modsecurity_crs_21_protocol_anomalies.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_21_protocol_anomalies.tests" />
                                         <File Id="MODSECURITY_CRS_23_REQUEST_LIMITS.TESTS" Name="modsecurity_crs_23_request_limits.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_23_request_limits.tests" />
                                         <File Id="MODSECURITY_CRS_30_HTTP_POLICY.TESTS" Name="modsecurity_crs_30_http_policy.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_30_http_policy.tests" />
                                         <File Id="MODSECURITY_CRS_35_BAD_ROBOTS.TESTS" Name="modsecurity_crs_35_bad_robots.tests" Source="release\owasp_crs\util\regression-tests\tests\modsecurity_crs_35_bad_robots.tests" />
@@ -331,7 +333,7 @@
                 <File Id="EULA.RTF" Name="EULA.rtf" Source="wix\EULA.rtf" />
                 <File Id="modsecurity.conf" Name="modsecurity.conf" Source="wix\modsecurity.conf" />
                 <File Id="modsecurity_iis.conf" Name="modsecurity_iis.conf" Source="wix\modsecurity_iis.conf" />
-                <File Id="modsecurity_crs_10_setup.conf" Name="modsecurity_crs_10_setup.conf" Source="wix\modsecurity_crs_10_setup.conf" />
+	<!-- <File Id="modsecurity_crs_10_setup.conf" Name="modsecurity_crs_10_setup.conf" Source="wix\modsecurity_crs_10_setup.conf" /> -->
                 <File Id="LIST_DEPENDENCIES.BAT" Name="list_dependencies.bat" Source="wix\list_dependencies.bat" />
                 <File Id="ModSecurity.xml" Name="ModSecurity.xml" Source="ModSecurity.xml" />
                 <!-- Modify ApplicationHost.config -->
@@ -416,8 +418,10 @@
             <ComponentRef Id="ConfigSchema64" />
             <?endif ?>
             <ComponentRef Id="StartMenuShortcuts" />
-            <Feature Id="OWASP_ModSecurity_CRS_v2.2.8" Level="1" Title="OWASP ModSecurity CRS v2.2.8" InstallDefault="local" Display="expand" AllowAdvertise="no" Description="Install OWASP CRS v2.2.8">
-                <ComponentRef Id="OWASP_CRS_V_2_2_8" />
+            <Feature Id="OWASP_ModSecurity_CRS_v2.2.9" Level="1" Title="OWASP ModSecurity CRS v2.2.9" InstallDefault="local" Display="expand" AllowAdvertise="no" Description="Install OWASP CRS v2.2.9">
+		    <ComponentRef Id="OWASP_CRS_V_2_2_9" />
+		    <ComponentRef Id="OWASP_CRS_V_2_2_9_SETUP" />
+		    
                 <ComponentRef Id="README" />
                 <ComponentRef Id="BASE_RULES" />
                 <ComponentRef Id="EXPERIMENTAL_RULES" />
diff --git a/iis/wix/modsecurity_crs_10_setup.conf b/iis/wix/modsecurity_crs_10_setup.conf
deleted file mode 100644
index a682275b..00000000
--- a/iis/wix/modsecurity_crs_10_setup.conf
+++ /dev/null
@@ -1,428 +0,0 @@
-# ---------------------------------------------------------------
-# Core ModSecurity Rule Set ver.2.2.6
-# Copyright (C) 2006-2012 Trustwave All rights reserved.
-#
-# The OWASP ModSecurity Core Rule Set is distributed under 
-# Apache Software License (ASL) version 2
-# Please see the enclosed LICENCE file for full details.
-# ---------------------------------------------------------------
-
-
-#
-# -- [[ Recommended Base Configuration ]] ------------------------------------------------- 
-#
-# The configuration directives/settings in this file are used to control
-# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
-# ModSecurity settings such as:
-# 
-# - SecRuleEngine
-# - SecRequestBodyAccess
-# - SecAuditEngine
-# - SecDebugLog
-#
-# You should use the modsecurity.conf-recommended file that comes with the
-# ModSecurity source code archive.
-#
-# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
-#
-
-
-#
-# -- [[ Rule Version ]] -------------------------------------------------------------------
-#
-# Rule version data is added to the "Producer" line of Section H of the Audit log:
-#
-# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
-#
-# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
-#
-SecComponentSignature "OWASP_CRS/2.2.6"
-
-
-#
-# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
-#
-# Each detection rule uses the "block" action which will inherit the SecDefaultAction
-# specified below.  Your settings here will determine which mode of operation you use.
-#
-# -- [[ Self-Contained Mode ]] --
-# Rules inherit the "deny" disruptive action.  The first rule that matches will block.
-#
-# -- [[ Collaborative Detection Mode ]] --
-# This is a "delayed blocking" mode of operation where each matching rule will inherit
-# the "pass" action and will only contribute to anomaly scores.  Transactional blocking
-# can be applied 
-#
-# -- [[ Alert Logging Control ]] --
-# You have three options -
-#
-# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
-# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
-# - To log *only* to the Apache error_log file use: "log,noauditlog"
-#
-# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
-# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
-#
-SecDefaultAction "phase:1,deny,log"
-
-
-#
-# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
-#
-# These are the default scoring points for each severity level.  You may
-# adjust these to you liking.  These settings will be used in macro expansion
-# in the rules to increment the anomaly scores when rules match.
-#
-# These are the default Severity ratings (with anomaly scores) of the individual rules -
-#
-#    - 2: Critical - Anomaly Score of 5.
-#         Is the highest severity level possible without correlation.  It is
-#         normally generated by the web attack rules (40 level files).
-#    - 3: Error - Anomaly Score of 4.
-#         Is generated mostly from outbound leakage rules (50 level files).
-#    - 4: Warning - Anomaly Score of 3.
-#         Is generated by malicious client rules (35 level files).
-#    - 5: Notice - Anomaly Score of 2.
-#         Is generated by the Protocol policy and anomaly files.
-#
-SecAction \
-  "id:'900001', \
-  phase:1, \
-  t:none, \
-  setvar:tx.critical_anomaly_score=5, \
-  setvar:tx.error_anomaly_score=4, \
-  setvar:tx.warning_anomaly_score=3, \
-  setvar:tx.notice_anomaly_score=2, \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
-#
-# These variables are used in macro expansion in the 49 inbound blocking and 59
-# outbound blocking files.
-#
-# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
-# operators.  If you have an earlier version, edit the 49/59 files directly to
-# set the appropriate anomaly score levels.
-#
-# You should set the score to the proper threshold you would prefer. If set to "5"
-# it will work similarly to previous Mod CRS rules and will create an event in the error_log
-# file if there are any rules that match.  If you would like to lessen the number of events
-# generated in the error_log file, you should increase the anomaly score threshold to
-# something like "20".  This would only generate an event in the error_log file if
-# there are multiple lower severity rule matches or if any 1 higher severity item matches.
-#
-SecAction \
-  "id:'900002', \
-  phase:1, \
-  t:none, \
-  setvar:tx.inbound_anomaly_score_level=5, \
-  nolog, \
-  pass"
-
-
-SecAction \
-  "id:'900003', \
-  phase:1, \
-  t:none, \
-  setvar:tx.outbound_anomaly_score_level=4, \
-  nolog, \
-  pass"
-
-
-# 
-# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
-#
-# This is a collaborative detection mode where each rule will increment an overall
-# anomaly score for the transaction. The scores are then evaluated in the following files:
-#
-# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
-# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
-#
-# If you want to use anomaly scoring mode, then uncomment this line.
-#
-#SecAction \
-  "id:'900004', \
-  phase:1, \
-  t:none, \
-  setvar:tx.anomaly_score_blocking=on, \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ GeoIP Database ]] -----------------------------------------------------------------
-#
-# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
-# 
-# You must first download the MaxMind GeoIP Lite City DB -
-#
-#       http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
-#
-# You then need to define the proper path for the SecGeoLookupDb directive
-#
-# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
-# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
-#
-#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
-
-#
-# -- [[ Regression Testing Mode ]] --------------------------------------------------------
-#
-# If you are going to run the regression testing mode, you should uncomment the
-# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
-# will enable Response Header tagging so that the client testing script can see
-# which rule IDs have matched.
-#
-# You must specify the your source IP address where you will be running the tests
-# from.
-#
-#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-  "id:'900005', \
-  phase:1, \
-  t:none, \
-  ctl:ruleEngine=DetectionOnly, \
-  setvar:tx.regression_testing=1, \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
-#
-# Set the following policy settings here and they will be propagated to the 23 rules
-# file (modsecurity_common_23_request_limits.conf) by using macro expansion.  
-# If you run into false positives, you can adjust the settings here.
-#
-# Only the max number of args is uncommented by default as there are a high rate
-# of false positives.  Uncomment the items you wish to set.
-# 
-#
-# -- Maximum number of arguments in request limited
-SecAction \
-  "id:'900006', \
-  phase:1, \
-  t:none, \
-  setvar:tx.max_num_args=255, \
-  nolog, \
-  pass"
-
-#
-# -- Limit argument name length
-#SecAction \
-  "id:'900007', \
-  phase:1, \
-  t:none, \
-  setvar:tx.arg_name_length=100, \
-  nolog, \
-  pass"
-
-#
-# -- Limit value name length
-#SecAction \
-  "id:'900008', \
-  phase:1, \
-  t:none, \
-  setvar:tx.arg_length=400, \
-  nolog, \
-  pass"
-
-#
-# -- Limit arguments total length
-#SecAction \
-  "id:'900009', \
-  phase:1, \
-  t:none, \
-  setvar:tx.total_arg_length=64000, \
-  nolog, \
-  pass"
-
-#
-# -- Individual file size is limited
-#SecAction \
-  "id:'900010', \
-  phase:1, \
-  t:none, \
-  setvar:tx.max_file_size=1048576, \
-  nolog, \
-  pass"
-
-#
-# -- Combined file size is limited
-#SecAction \
-  "id:'900011', \
-  phase:1, \
-  t:none, \
-  setvar:tx.combined_file_sizes=1048576, \
-  nolog, \
-  pass"
-
-
-#
-# Set the following policy settings here and they will be propagated to the 30 rules
-# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.  
-# If you run into false positves, you can adjust the settings here.
-#
-SecAction \
-  "id:'900012', \
-  phase:1, \
-  t:none, \
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \
-  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
-  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
-  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
-#
-# The purpose of these settings is to send CSP response headers to
-# Mozilla FireFox users so that you can enforce how dynamic content
-# is used. CSP usage helps to prevent XSS attacks against your users.
-#  
-# Reference Link:
-#
-#	https://developer.mozilla.org/en/Security/CSP
-#
-# Uncomment this SecAction line if you want use CSP enforcement.
-# You need to set the appropriate directives and settings for your site/domain and
-# and activate the CSP file in the experimental_rules directory.
-# 
-# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
-#
-#SecAction \
-  "id:'900013', \
-  phase:1, \
-  t:none, \
-  setvar:tx.csp_report_only=1, \
-  setvar:tx.csp_report_uri=/csp_violation_report, \
-  setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ Brute Force Protection ]] ---------------------------------------------------------
-#
-# If you are using the Brute Force Protection rule set, then uncomment the following
-# lines and set the following variables:
-# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
-# - Burst Time Slice Interval: time interval window to monitor for bursts
-# - Request Threshold: request # threshold to trigger a burst
-# - Block Period: temporary block timeout
-#
-#SecAction \
-  "id:'900014', \
-  phase:1, \
-  t:none, \
-  setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
-  setvar:'tx.brute_force_burst_time_slice=60', \
-  setvar:'tx.brute_force_counter_threshold=10', \
-  setvar:'tx.brute_force_block_timeout=300', \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ DoS Protection ]] ----------------------------------------------------------------
-#
-# If you are using the DoS Protection rule set, then uncomment the following
-# lines and set the following variables:
-# - Burst Time Slice Interval: time interval window to monitor for bursts
-# - Request Threshold: request # threshold to trigger a burst
-# - Block Period: temporary block timeout
-#
-#SecAction \
-  "id:'900015', \
-  phase:1, \
-  t:none, \
-  setvar:'tx.dos_burst_time_slice=60', \
-  setvar:'tx.dos_counter_threshold=100', \
-  setvar:'tx.dos_block_timeout=600', \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ Check UTF enconding ]] -----------------------------------------------------------
-#
-# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
-# it will result in false positives.
-#
-# Uncomment this line if your site uses UTF8 encoding
-#SecAction \
-  "id:'900016', \
-  phase:1, \
-  t:none, \
-  setvar:tx.crs_validate_utf8_encoding=1, \
-  nolog, \
-  pass"
-
-
-#
-# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
-#
-# The rules in this file will trigger the XML parser upon an XML request
-#
-# Initiate XML Processor in case of xml content-type
-#
-SecRule REQUEST_HEADERS:Content-Type "text/xml" \
-  "id:'900017', \
-  phase:1, \
-  t:none,t:lowercase, \
-  nolog, \
-  pass, \
-  chain"
-	SecRule REQBODY_PROCESSOR "!@streq XML" \
-	  "ctl:requestBodyProcessor=XML"
-
-
-#
-# -- [[ Global and IP Collections ]] -----------------------------------------------------
-#
-# Create both Global and IP collections for rules to use
-# There are some CRS rules that assume that these two collections
-# have already been initiated.
-#
-SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
-  "id:'900018', \
-  phase:1, \
-  t:none,t:sha1,t:hexEncode, \
-  setvar:tx.ua_hash=%{matched_var}, \
-  nolog, \
-  pass"
-
-
-SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
-  "id:'900019', \
-  phase:1, \
-  t:none, \
-  capture, \
-  setvar:tx.real_ip=%{tx.1}, \
-  nolog, \
-  pass"
-
-
-SecRule &TX:REAL_IP "!@eq 0" \
-  "id:'900020', \
-  phase:1, \
-  t:none, \
-  initcol:global=global, \
-  initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
-  nolog, \
-  pass"
-
-
-SecRule &TX:REAL_IP "@eq 0" \
-  "id:'900021', \
-  phase:1, \
-  t:none, \
-  initcol:global=global, \
-  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
-  nolog, \
-  pass"