------------------------
Version 1.5 - 2007/11/23
------------------------

New Rulesets:
- 23 - Request Limits
    "Judging by appearances". This rulesets contains rules blocking based on
    the size of the request, for example, a request with too many arguments
    will be denied.

Default policy changes:
- XML protection off by default
- BLOCKING dir renamed to optional_rules
- Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
- Ruleset 21 - The exception for apache internal monitor will not log anymore

New Events:
- 960912 - Invalid request body
  Malformed content will not be parsed by modsecurity, but still there might
  be applications that will parse it, ignoring the errors.
- 960913 - Invalid Request
  Will trigger a security event when request was rejected by apache with
  code 400, without going through ModSecurity rules.

Additional rules logic:
- 950001 - New signature: delete from
- 950007 - New signature: waitfor delay

False Positives Fixes:
- 950006 - Will not be looking for /cc pattern in User-Agent header
- 950002 - "Internet Explorer" signature removed
- Double decoding bug used to cause FPs. Some of the parameters are already
  url-decoded by apache. This caused FPs when the rule performed another
  url-decoding transformation. The rules have been split so that parameters
  already decoded by apache will not be decoded by the rules anymore.
- 960911 - Expression is much more permissive now
- 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
           then you should uncomment this rule (in file 20)

--------------------------
version 1.4.3 - 2007/07/21
--------------------------

New Events:
- 950012 - HTTP Request Smuggling
  For more info on this attack:
  http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
- 960912 - Invalid request body
  Malformed content will not be parsed by modsecurity, but still there might
  be applications that will parse it, ignoring the errors.
- 960913 - Invalid Request
  Will trigger a security event when request was rejected by apache with
  code 400, without going through ModSecurity rules.

False Positives Fixes:
- 950107 - Will allow a % sign in the middle of a string as well
- 960911 - A more accurate expression based on the rfc:
            http://www.ietf.org/rfc/rfc2396.txt
- 950015 - Will not look for http/ pattern in the request headers

Additional rules logic:
- Since Apache applies scope directives only after ModSecurity phase 1
  this directives cannot be used to exclude phase 1 rules. Therefore
  we moved all inspection rules to phase 2.


--------------------------------
version 1.4 build 2 - 2007/05/17
--------------------------------

New Feature:
- Search for signatures in XML content
    XML Content will be parsed and ispected for signatures

New Events:
- 950116 - Unicode Full/Half Width Abuse Attack Attempt
    Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
    http://www.kb.cert.org/vuls/id/739224
- 960911 - Invalid HTTP request line
    Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
- 960904 - Request Missing Content-Type (when there is content)
    When a request contains content, the content-type must be specified. If not, the content will not be inspected
- 970018 - IIS installed in default location (any drive)
    Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
- 950019 - Email Injection
    Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails

Regular expressions fixes:
- Further optimization of some regular expressions (using the non-greediness operator)
    The non-greediness operator, <?>, prevents excessive backtracking

FP fixes:
- Rule 950107 - Will allow a parameter to end in a % sign from now on

------------------------
version 1.4 - 2007/05/02
------------------------

New Events:
- 970021 - WebLogic information disclosure
    Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
- 950015,950910,950911 - HTTP Response Splitting
    Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
    http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
- 960902 - Content-Encoding in request not supported
    Any incoming compressed request will be denied
- 960903 - Content-Encoding in response not suppoted
    An outgoing compressed response will be logged to alert, but ONLY ONCE.

False Positives Fixes:
- Removed <.exe>,<.shtml> from restricted extensions
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Excluded Referer header from SQL injection, XSS and command injection rules
- Excluded X-OS-Prefs header from command injection rule
- Will be looking for command injection signatures in
  REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type

Additional rules logic:
- Corrected match of OPTIONS method in event 960015
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
- Moved all rules apart from method inspection from phase 1 to phase 2 -
    This will enable viewing content if such a rule triggers as well as setting
    exceptions using Apache scope tags.
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)

--------------------------------
version 1.3.2 build 4 2007/01/17
--------------------------------

Fixed apache 2.4 dummy requests exclusion
Added persistent PDF UXSS detection rule

--------------------------------
Version 1.3.2 build 3 2007/01/10
--------------------------------

Fixed regular expression in rule 960010 (file #30) to allow multipart form data
content

--------------------------
Version 1.3.2 - 2006/12/27
--------------------------

New events:
- 960037  Directory is restricted by policy
- 960038  HTTP header is restricted by policy

Regular expressions fixes:
- Regular expressions with @ at end of beginning (for example "@import)
- Regular expressions with un-escaped "."
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
- The command injection wget is not searched in the UA header as it has different meaning there.
- LDAP Fixed to reduce FPs:
  + More accurate regular expressions
  + high bit characters not accpeted between signature tokens.
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
- Removed Java from automation UA
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"

Additional rules logic:
- Checks for empty headers in addition to missing ones  (Host, Accept and User-Agent)
- OPTIONS method does not require an accept header.
- Apache keep alive request exception.
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
- Validate byte range checks by default only that no NULL char exists.
- Added CSS to allowed extensions in strict rule sets.
- Changed default action in file #50 to pass instead of deny.
- Moved IP host header from protocol violations to protocol anomalies.

Modified descriptions:
- 950107: URL Encoding Abuse Attack Attempt
- 950801: UTF8 Encoding Abuse Attack Attempt
- Added matched pattern in many events using capture and %{TX.0}
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response.

------------------------
Version 1.2 - 2006/11/19
------------------------

Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach
by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
the highest and 5 the lowest.

Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive
SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.

------------------------
Version 1.1 - 2006/10/18
------------------------

Initial version