--------------------------------
version 1.4 build 2 - 2007/05/17
--------------------------------
New Feature:
- Search for signatures in XML content

New Events:
- 950107 - Unicode Full/Half Width Abuse Attack Attempt
- 960911 - Invalid HTTP request line
- 960904 - Request Missing Content-Type (when there is content)
- 970018 - IIS installed in default location (any drive)
- 950019 - Email Injection

Regular expressions fixes:
- Further optimization of some regular expressions (using the non-greediness operator)

------------------------
version 1.4 - 2007/05/02
------------------------

New Events:
- 970021 - WebLogic information disclosure
    Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
- 950015,950910,950911 - HTTP Response Splitting
    Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent article:
    http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
- 960902 - Content-Encoding in request not supported
    Any incoming compressed request will be denied
- 960903 - Content-Encoding in response not suppoted
    An outgoing compressed response will be logged to alert, but ONLY ONCE.

False Positives Fixes:
- Removed <.exe>,<.shtml> from restricted extensions
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Excluded Referer header from SQL injection, XSS and command injection rules
- Excluded X-OS-Prefs header from command injection rule
- Will be looking for command injection signatures in
  REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type

Additional rules logic:
- Corrected match of OPTIONS method in event 960015
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
- Moved all rules apart from method inspection from phase 1 to phase 2 -
    This will enable viewing content if such a rule triggers as well as setting
    exceptions using Apache scope tags.
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)

--------------------------------
version 1.3.2 build 4 2007/01/17
--------------------------------

Fixed apache 2.4 dummy requests exclusion
Added persistent PDF UXSS detection rule

--------------------------------
Version 1.3.2 build 3 2007/01/10
--------------------------------

Fixed regular expression in rule 960010 (file #30) to allow multipart form data 
content

--------------------------
Version 1.3.2 - 2006/12/27 
--------------------------

New events:
- 960037  Directory is restricted by policy
- 960038  HTTP header is restricted by policy

Regular expressions fixes:
- Regular expressions with @ at end of beginning (for example "@import)
- Regular expressions with un-escaped "."
- Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
- The command injection wget is not searched in the UA header as it has different meaning there.
- LDAP Fixed to reduce FPs:
	+ More accurate regular expressions
	+ high bit characters not accpeted between signature tokens.
- Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
- Removed Java from automation UA
- When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"

Additional rules logic:
- Checks for empty headers in addition to missing ones  (Host, Accept and User-Agent)
- OPTIONS method does not require an accept header.
- Apache keep alive request exception.
- PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
- Validate byte range checks by default only that no NULL char exists.
- Added CSS to allowed extensions in strict rule sets.
- Changed default action in file #50 to pass instead of deny.
- Moved IP host header from protocol violations to protocol anomalies.

Modified descriptions: 
- 950107: URL Encoding Abuse Attack Attempt
- 950801: UTF8 Encoding Abuse Attack Attempt
- Added matched pattern in many events using capture and %{TX.0}
- Added ctl:auditLogParts=+E for outbound events and attacks to collect response.

------------------------
Version 1.2 - 2006/11/19
------------------------

Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach
by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is 
the highest and 5 the lowest.   

Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive 
SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.

------------------------
Version 1.1 - 2006/10/18
------------------------

Initial version