mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-08-14 13:56:01 +03:00
== OWASP ModSecurity Core Rule Set (CRS) JIRA CHANGELOG ==
* https://www.modsecurity.org/tracker/browse/CORERULES

== Version 2.2.6 - 09/14/2012 ==

Improvements:
* Started rule formatting update for better readability
* Added maturity and accuracy action data to each rule
* Updated rule revision (rev) action
* Added rule version (ver) action
* Added more regression tests (util/regression_tests/)
* Modified Rule ID 960342 to block large file attachments in phase:1
* Removed all PARANOID rule checks
* Added new Session Fixation rules

Bug Fixes:
* Fixed missing ending double-quotes in XSS rules file
* Moved SecDefaultAction setting from phase:2 to phase:1
* Fixed Session Hijacking SessionID Regex
  https://www.modsecurity.org/tracker/browse/CORERULES-79
* Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME
  https://www.modsecurity.org/tracker/browse/CORERULES-78

== Version 2.2.5 - 06/14/2012 ==

Improvements:
* Renamed main config file to modsecurity_crs_10_setup.conf
* Updated the rule IDs to start from CRS reserved range: 900000
* Updated rule formatting for readability
* Updated the CSRF rules to use UNIQUE_ID as the token source
* Added the zap2modsec.pl script to the /util directory which converts
  OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
* Updated the Directory Traversal Signatures to include more obfuscated data
* Added Arachni Scanner Integration Lua script/rules files

Bug Fixes:
* Added forceRequestBodyVariable action to rule ID 960904
* Updated the anomaly scoring value for rule ID 960000 to critical
  (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
* Updated Content-Type check to fix possible evasion with @within
  (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))

== Version 2.2.4 - 03/14/2012 ==

Improvements:
* Added Location and Set-Cookie checks to Response Splitting rule ID 950910
* Added a README file to the activated_rules directory
* Consolidated a number of SQL Injection rules into optimized regexes
* Removed multiMatch and replaceComments from SQL Injection rules
* Updated the SQLi regexes for greediness
* Updated the SQLi setvar anomaly score values to use macro expansion
* Removed PARANOID mode rules

Bug Fixes:
* Fixed missing comma before severity action in rules 958291, 958230 and 958231
* Fixed duplicate rule IDs

== Version 2.2.3 - 12/19/2011 ==

Improvements:
* Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
  http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies
* Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
  http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
* Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
  http://websecuritytool.codeplex.com/wikipage?title=Checks#header

Bug Fixes:
* Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
  rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
* Updated the regex and added tags for RFI rules.

== Version 2.2.2 - 09/28/2011 ==

Improvements:
* Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points
* Added new Range header detection checks to prevent Apache DoS
* Added new Security Scanner User-Agent strings
* Added example script to the /util directory to convert Arachni DAST scanner
  XML data into ModSecurity virtual patching rules.
* Updated the SQLi Character Anomaly Detection Rules
* Added Host header info to the RESOURCE collection key for AppSensor profiling rules

Bug Fixes:
* Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
* Fixed Request Limit rules by removing & from variables
* Fixed Session Hijacking IP/UA hash captures
* Updated the SQLi regex for rule ID 981242

== Version 2.2.1 - 07/20/2011 ==

Improvements:
* Extensive SQL Injection signature updates as a result of the SQLi Challenge
  http://www.modsecurity.org/demo/challenge.html
* Updated the SQL Error message detection in response bodies
* Updated SQL Injection signatures to include more DB functions
* Updated the WEAK SQL Injection signatures
* Added tag AppSensor/RE8 to rule ID 960018

Bug Fixes:
* Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches
  https://www.modsecurity.org/tracker/browse/CORERULES-70
* Fixed Session Hijacking rules to properly capture IP address network hashes.
* Added the multiMatch action to the SQLi rules
* Fixed a false negative logic flaw within the advanced_filter_converter.lua script
* Fixed missing : in id action in DoS ruleset.
* Updated rule ID 971150 signature to remove ;

== Version 2.2.0 - 05/26/2011 ==

Improvements:
* Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)
  http://www.apache.org/licenses/LICENSE-2.0.txt
* Created new INSTALL file outlining quick config setup
* Added a new rule regression testing framework to the /util directory
* Added new activated_rules directory which will allow users to place symlinks pointing
  to files they want to run. This allows for easier Apache Include wild-carding
* Added new RULE_MATURITY and RULE_ACCURACY tags
* Added a check for X-Forwarded-For source IP when creating IP collection
* Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)
  http://websecuritytool.codeplex.com/wikipage?title=Checks#charset
* Added new AppSensor rules to experimental_dir
  https://www.owasp.org/index.php/AppSensor_DetectionPoints
* Added new Generic Malicious JS checks in outbound content
* Added experimental IP Forensic rules to gather Client hostname/whois info
  http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
* Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules
  http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
* Global collection in the 10 file now uses the Host Request Header as the collection key.
  This allows for per-site global collections.
* Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities.
  This includes both converted web rules from Emerging Threats (ET) and from SLR Team.
* Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
* Added experimental rules for detecting Open Proxy Abuse
  http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html
* Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
  http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html
* Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
* Added new SQLi detection rules (959070, 959071 and 959072)
* Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data
  https://www.modsecurity.org/tracker/browse/CORERULES-64

Bug Fixes:
* Assigned IDs to all active SecRules/SecActions
* Removed rule inversion (!) from rule ID 960902
* Fixed false negative issue in Response Splitting Rule
* Fixed false negative issue with @validateByteRange check
* Updated the TARGETS listing for rule ID 950908
* Updated TX data for REQBODY processing
* Changed the pass action to block in the RFI rules in the 40 generic file
* Updated RFI regex to catch IP address usage in hostname
  https://www.modsecurity.org/tracker/browse/CORERULES-68
* Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
* Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.
  They will now inherit the settings from the SecDefaultAction

== Version 2.1.2 - 02/17/2011 ==

Improvements:
* Added experimental real-time application profiling ruleset.
* Added experimental Lua script for profiling the number of page scripts, iframes, etc.,
  which will help to identify successful XSS attacks and planting of malware links.
* Added new CSRF detection rule which will trigger if a subsequent request comes too
  quickly (need to use the Ignore Static Content rules).

Bug Fixes:
* Added missing " in the skipAfter SecAction in the CC Detection rule set

== Version 2.1.1 - 12/30/2010 ==

Bug Fixes:
* Updated the 10 config conf file to add in pass action to User-Agent rule
* Updated the CSRF ruleset to conditionally do content injection - if the
  csrf token was created by the session hijacking conf file
* Updated the session hijacking conf file to only enforce rules if a SessionID
  Cookie was submitted
* Fixed macro expansion setvar bug in the restricted file extension rule
* Moved the comment spam data file into the optional_rules directory

== Version 2.1.0 - 12/29/2010 ==

Improvements:
* Added Experimental Lua Converter script to normalize payloads. Based on
  PHPIDS Converter code and used with the advanced filters conf file.
* Changed the name of PHPIDS converted rules to Advanced Filters
* Added Ignore Static Content (Performance enhancement) rule set
* Added XML Enabler (Web Services) rule set which will parse XML data
* Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
* Added Denial of Service (DoS) Protection rule set
* Added Slow HTTP DoS (Connection Consumption) Protection rule set
* Added Brute Force Attack Protection rule set
* Added Session Hijacking Detection rule set
* Added Username Tracking rule set
* Added Authentication Tracking rule set
* Added Anti-Virus Scanning of File Attachments rule set
* Added AV Scanning program to /util directory
* Added Credit Card Usage Tracking/Leakage Prevention rule set
* Added experimental CC Track/PAN Leakage Prevention rule set
* Added an experimental_rules directory to hold new BETA rules
* Moved the local exceptions conf file back into base_rules directory; however,
  it has a ".example" extension to prevent overwriting customized versions
  when upgrading
* Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
  the experimental_rules directory
* Added the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will
  help to make collections a bit more unique

== Version 2.0.10 - 11/29/2010 ==

Improvements:
* Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS
  is running in traditional mode.

Bug Fixes:
* Moved all skipAfter actions in chained rules to chain starter SecRules
  https://www.modsecurity.org/tracker/browse/MODSEC-159
* Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs

== Version 2.0.9 - 11/17/2010 ==

Improvements:
* Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
  it will not overwrite existing config settings. Users should rename this file to activate
  it.
* Traditional detection mode is now the current default
* Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
  by editing the modsecurity_crs_10_config.conf file
* Updated the disruptive actions in most rules to use "block" action instead of "pass". This
  is to allow for the toggling between traditional vs. anomaly scoring modes.
* Removed logging actions from most rules so that logging can be controlled from the SecDefaultAction
  setting in the modsecurity_crs_10_config.conf file
* Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
  what is used in the PHPIDS rules. These still have the same factor of severity even though
  the numbers themselves are smaller.
* Updated the 49 and 59 blocking rules to include the matched logdata
* Updated the TAG data to further classify attack/vuln categories.
* Updated the SQL Injection filters to detect more boolean logic attacks
* Moved some files to optional_rules directory (phpids, Emerging Threats rules)

Bug Fixes:
* Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf, which was missing a single quote
  https://www.modsecurity.org/tracker/browse/CORERULES-63
* Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
  https://www.modsecurity.org/tracker/browse/MODSEC-159
* Fixed restricted file extension bug with macro expansion
  https://www.modsecurity.org/tracker/browse/CORERULES-60
* Updated the SQLi TX variable macro expansion data in the 49 and 60 files so that
  it matches what is being set in the sql injection conf file
* Fixed typo in SQL Injection regexes - missing backslash for word boundary (\b)
  https://www.modsecurity.org/tracker/browse/CORERULES-62

== Version 2.0.8 - 08/27/2010 ==

Improvements:
* Updated the PHPIDS filters
* Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc.)
* Updated the SQL Injection filters to account for different quotes
* Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
* Added Rule ID 950109 to detect multiple URL encodings
* Added two experimental rules to detect anomalous use of special characters

Bug Fixes:
* Fixed Encoding Detection RegEx (950107 and 950108)
* Fixed rules-updater.pl script to better handle whitespace
  https://www.modsecurity.org/tracker/browse/MODSEC-167
* Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
  https://www.modsecurity.org/tracker/browse/CORERULES-55
* Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
  https://www.modsecurity.org/tracker/browse/CORERULES-54
* Updated XSS rule id 958001 to improve the .cookie regex to reduce false positives
  https://www.modsecurity.org/tracker/browse/CORERULES-29

== Version 2.0.7 - 06/4/2010 ==

Improvements:
* Added CSRF Protection Ruleset which will use Content Injection to add javascript to
  specific outbound data and then validate the csrf token on subsequent requests.
* Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
  flags
* Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
  data being echoed back to the user unchanged.
* Added rules-updater.pl script and configuration file to allow users to automatically
  download CRS rules from the CRS rules repository.
* Added new SQLi keywords for the ceil() and reverse() functions.
* Updated the PHPIDS filters

Bug Fixes:
* Fixed false positives for Request Header Name matching in the 30 file by
  adding boundary characters.
* Added missing pass actions to @pmFromFile prequalifier rules
* Added backslash to SQLi regex
  https://www.modsecurity.org/tracker/browse/CORERULES-41
* Fixed hard coded anomaly score in PHPIDS filter file
  https://www.modsecurity.org/tracker/browse/CORERULES-45
* Fixed restricted_extension false positive by adding boundary characters

== Version 2.0.6 - 02/26/2010 ==

Bug Fixes:
* Added missing transformation functions to SQLi rules.
  https://www.modsecurity.org/tracker/browse/CORERULES-32
* Fixed duplicate rule IDs.
  https://www.modsecurity.org/tracker/browse/CORERULES-33
* Fixed typo in @pmFromFile in the Comment SPAM rules
  https://www.modsecurity.org/tracker/browse/CORERULES-34
* Added macro expansion to Restricted Headers rule
  https://www.modsecurity.org/tracker/browse/CORERULES-35
* Fixed misspelled SecMarker
  https://www.modsecurity.org/tracker/browse/CORERULES-36
* Fixed missing chain action in Content-Type header check
  https://www.modsecurity.org/tracker/browse/CORERULES-37
* Updated phpids filters to use pass action instead of block

== Version 2.0.5 - 02/01/2010 ==

Improvements:
* Removed previous 10 config files as they may conflict with local customized Mod configs.
* Added a new 10 config file that allows the user to globally set TX variables to turn on/off
  PARANOID_MODE inspection, set anomaly score levels and http policies.
  Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
* Added Rule Logic and Reference links to rules descriptions.
* Added Rule IDs to all rules.
* Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
* Removed Apache limit directives from the 23 file
* Added macro expansion to 23 file checks.
* Added @pmFromFile check to 35 bad robots file
* Added malicious UA strings to 35 bad robots check
* Created an experimental rules file
* Updated HTTP Parameter Pollution (HPP) rule logic to concatenate data into a TX variable for inspection
* Removed TX inspections for generic attacks and reverted to standard ARGS inspection
  https://www.modsecurity.org/tracker/browse/MODSEC-120
* Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
  variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA)
* Moved converted ET Snort rules to the /optional_rules directory
* Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
  request headers.
* Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
* Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
* Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
* Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
* Added new outbound malware link detection rules.
* Added PHP "call_user_func" to blacklist
  Identified by SOGETI ESEC R&D

Bug Fixes:
* Removed Non-numeric Rule IDs
  https://www.modsecurity.org/tracker/browse/CORERULES-28
* Updated the variable list on SQLi rules.
* Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring
  and blocking

== Version 2.0.4 - 11/30/2009 ==

Improvements:
* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
* Updated PHPIDS rules logic to first search for payloads in ARGS and then, if there is no match found,
  search more generically in request_body|request_uri_raw
* Updated PHPIDS rules logic to only set TX variables and to not log. This allows for cleaner
  exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the
  anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate
  alerts for any variable matches that exist.

Bug Fixes:
* Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of
  phase:4 which would allow for blocking based on information leakage issues.

== Version 2.0.3 - 11/05/2009 ==

Improvements:
* Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
* Created a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
* Added new rules to identify multipart/form-data bypass attempts
* Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts

Bug Fixes:
* Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
  https://www.modsecurity.org/tracker/browse/CORERULES-17
* Added new variable locations to the phpids filters
  https://www.modsecurity.org/tracker/browse/CORERULES-19
* Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
  https://www.modsecurity.org/tracker/browse/CORERULES-20
* Fixed multipart parsing evasion issues by adding strict parsing rules
  https://www.modsecurity.org/tracker/browse/CORERULES-21
* Fixed typo in xss rules (missing |)
  https://www.modsecurity.org/tracker/browse/CORERULES-22
* Fixed regex text in IE8 XSS filters (changed to lowercase)
  https://www.modsecurity.org/tracker/browse/CORERULES-23

== Version 2.0.2 - 09/11/2009 ==

Improvements:
* Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
  https://www.modsecurity.org/tracker/browse/CORERULES-13

Bug Fixes:
* Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
  https://www.modsecurity.org/tracker/browse/CORERULES-15

== Version 2.0.1 - 08/07/2009 ==

Improvements:
* Updated the transformation functions used in the XSS/SQLi rules to improve performance
  https://www.modsecurity.org/tracker/browse/CORERULES-10
* Updated the variable/target list in the XSS rules
  https://www.modsecurity.org/tracker/browse/CORERULES-11
* Added XSS Filters from IE8
  https://www.modsecurity.org/tracker/browse/CORERULES-12

Bug Fixes:
* Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
  https://www.modsecurity.org/tracker/browse/CORERULES-9

== Version 2.0.0 - 07/29/2009 ==

New Rules & Features:
* Fine Grained Policy
  The rules have been split so that each rule carries one signature instead of
  having all signatures combined into one optimized regular expression.
  This should allow you to modify/disable events based on specific patterns
  instead of having to deal with the whole rule.
* Converted Snort Rules
  Emerging Threats web attack rules have been converted.
  http://www.emergingthreats.net/
* Anomaly Scoring Mode Option
  The rules have been updated to include anomaly scoring variables which allow
  you to evaluate the score at the end of phase:2 and phase:5 and decide on what
  logging and disruptive actions to take based on the score.
* Correlated Events
  There are rules in phase:5 that will provide some correlation between inbound
  events and outbound events and will provide a result of successful attack or
  attempted attack.
* Updated Severity Ratings
  The severity ratings in the rules have been updated to the following:
  - 0: Emergency - is generated from correlation where there is an inbound attack and
    an outbound leakage.
  - 1: Alert - is generated from correlation where there is an inbound attack and an
    outbound application level error.
  - 2: Critical - is the highest severity level possible without correlation. It is
    normally generated by the web attack rules (40 level files).
  - 3: Error - is generated mostly from outbound leakage rules (50 level files).
  - 4: Warning - is generated by malicious client rules (35 level files).
  - 5: Notice - is generated by the Protocol policy and anomaly files.
  - 6: Info - is generated by the search engine clients (55 marketing file).
* Updated Comment SPAM Protections
  Updated rules to include RBL lookups and client fingerprinting concepts from
  Bad Behavior (www.bad-behavior.ioerror.us)
* Creation of Global Collection
  Automatically create a Global collection in the *10* config file. Other rules
  can then access it.
* Use of Block Action
  Updated the rules to use the "block" action. This allows the Admin to globally
  set the desired block action once with SecDefaultAction in the *10* config file
  rather than having to edit the disruptive actions in all of the rules or
  maintain multiple versions of the rules (blocking vs. non-blocking).
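The anomaly scoring layout and the "block" action described in the 2.0.0 notes (and the TX settings of the 2.0.5 "10" config file), shown as an added example configuration written for this page; it is not taken from the CRS files. Assumed: rule IDs 900001-900004, the threshold values, the regex, and all TX variable names other than tx.anomaly_score.

```apache
# Added example (not from the CRS itself): anomaly scoring in the CRS 2.0.x style.
# Assumed: rule IDs 900001-900004, thresholds, regex, TX names other than tx.anomaly_score.

# "10" config file: the disruptive action and the scoring policy are set once.
# With "pass" here, rules that say "block" only add to the score (anomaly mode);
# changing this one line to "deny" turns the same rule files into traditional
# blocking mode, which is what the "block" action was introduced for.
SecDefaultAction "phase:2,pass,log,auditlog"
SecAction "phase:1,id:900001,t:none,nolog,pass,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.inbound_anomaly_score_level=5,\
  setvar:tx.outbound_anomaly_score_level=4"

# "40" style detection rule: it never decides on its own, it only raises the
# inbound score, using macro expansion of the "10" file settings.
SecRule ARGS|ARGS_NAMES|XML:/* "(?i)\bunion\b.*?\bselect\b" \
  "phase:2,id:900002,block,t:none,t:urlDecodeUni,t:lowercase,capture,\
  msg:'SQL Injection Attack',severity:'2',tag:'WEB_ATTACK/SQL_INJECTION',\
  logdata:'%{TX.0}',\
  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
  setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}"

# "49" style evaluator at the end of phase:2: the inbound score is compared
# against the level from the "10" file. Macro expansion inside a numeric
# operator needs ModSecurity 2.5.12 or later (see the 2.0.5 notes).
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_level}" \
  "phase:2,id:900003,t:none,deny,status:403,log,\
  msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})'"

# "59"/"60" style evaluator in phase:5 for the outbound score. The response
# has already been sent by phase:5, so this can only log and correlate;
# blocking on leakage needs the phase:4 recheck mentioned in the 2.0.4 notes.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_level}" \
  "phase:5,id:900004,t:none,pass,log,\
  msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})'"
```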
* "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
  http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
* Added new generic RFI detection rules.
  http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
* "Possibly malicious iframe tag in output" (Rules 981001,981002)
  Planting invisible iframes in a site can be used by attackers to point users
  from the victim site to their malicious site. This is actually as if the
  user was visiting the attacker's site himself, causing the user's browser to
  process the content in the attacker's site.

New Events:
* Rule 960019 - Expect Header Not Allowed.
* Rule 960020 - Pragma Header Requires Cache-Control Header
* Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
  as it is reserved for use as a fragment identifier within the html page.
* Rule 958291 - Range: field exists and begins with 0.
* Rule 958292 - Invalid Request Header Found.
* Rule 958293 - Lowercase Via Request Header Found.
* Rule 958294 - Common SPAM Proxies found in Via Request Header.
* Rule 958295 - Multiple/Conflicting Connection Header Data Found.
* Rule 958296 - Request Indicates a SPAM client accessed the Site.
* Rule 958297 - Common SPAM/Email Harvester crawler.
* Rule 958298 - Common SPAM/Email Harvester crawler

Bug Fixes:
* Rule 950107 - Split the rule into 2 separate rules to factor in the
  Content-Type when inspecting the REQUEST_BODY variable.
* Rule 960017 - Bug fix for when having port in the host header.
* Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
* Rule 950801 - Increased the logic so that the rule will only run if the web site
  uses UTF-8 Encoding.
* Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
  allow the IPv6 loopback address
* Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
  and to identify offsite hosts by comparing the ARG URI to the Host
  header. Due to this rule now being stronger, moved it from optional
  tight security rule to *40* generic attacks file.

Other Fixes:
* Added more HTTP Protocol violations to *20* file.
* Set the SecDefaultAction in the *10* config file to log/pass (This was the
  default setting, however this sets it explicitly.)
* Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
  was added so that when running the SecRuleEngine in DetectionOnly mode, it will
  not deny response bodies that go over the size restrictions.
* Changed SecServerSignature to "Apache/1.3.28"
* Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
  BEGIN and END SecMarkers for rule groups to more accurately allow moving to
  proper locations.
* Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
  This removes the need for some SecAction/SkipAfter rules.
* Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
  rules and chained rules).

== Version 1.6.1 - 2008/04/22 ==

* Fixed a bug where phases and transformations were not specified explicitly
  in rules. The issue affected a significant number of rules, and we strongly
  recommend upgrading.

== Version 1.6.0 - 2008/02/19 ==

New Rulesets & Features:
* 42 - Tight Security
  This ruleset currently contains 2 rules which are considered highly prone
  to FPs. They take care of Path Traversal attacks and RFI attacks. This
  ruleset is included in the optional_rulesets dir
* 42 - Comment Spam
  Comment Spam is used by spammers to increase their rating in search
  engines by posting links to their site in other sites that allow posting
  of comments and messages. The rules in this ruleset will work against that.
  (Requires ModSecurity 2.5)
* Tags
  A single type of attack is often detected by multiple rules. The new alert
  classification tags solve this issue by providing an alternative alert type
  indication and can serve for filtering and analysis of audit logs.
  The classification tags are hierarchical with slashes separating levels.
  Usually there are two levels, with the top level describing the alert group
  and the lower level denoting the alert type itself, for example:
  WEB_ATTACK/SQL_INJECTION.

False Positives Fixes:
* Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
* Rule 950107 - Will look for invalid url decoding in variables that are not
  automatically url decoded

Additional rules logic:
* Using the new "logdata" action for logging the matched signature in rules
* When logging an event once, init the collection only if the alert needs to log
* Using the new operator @pm as a qualifier before large rules to enhance
  performance (Requires ModSecurity 2.5)
* SQL injection - A smarter regexp is used to detect 1=1, 2=2, etc., and not
  only 1=1. (Thanks to Marc Stern for the idea)
* New XSS signatures - iframe & flash XSS

== Version 1.5.1 - 2007/12/6 ==

False Positives Fixes:
* Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)

New Events:
* 960019 - Detect HTTP/0.9 Requests
  HTTP/0.9 requests are not common these days. This rule will log by default,
  and block in the blocking version of file 21

Other Fixes:
* File 40, Rules 950004,950005 - Repaired the correction for the double
  url decoding problem
* File 55 contained empty regular expressions. Fixed.

== Version 1.5 - 2007/11/23 ==
|
|
|
|
|
|
New Rulesets:
|
|
* 23 - Request Limits
|
|
"Judging by appearances". This rulesets contains rules blocking based on
|
|
the size of the request, for example, a request with too many arguments
|
|
will be denied.
|
|
|
|
Default policy changes:
|
|
* XML protection off by default
|
|
* BLOCKING dir renamed to optional_rules
|
|
* Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
|
|
* Ruleset 21 - The exception for apache internal monitor will not log anymore
|
|
|
|
New Events:
|
|
* 960912 - Invalid request body
|
|
Malformed content will not be parsed by modsecurity, but still there might
|
|
be applications that will parse it, ignoring the errors.
|
|
* 960913 - Invalid Request
|
|
Will trigger a security event when request was rejected by apache with
|
|
code 400, without going through ModSecurity rules.
|
|
|
|
Additional rules logic:
|
|
* 950001 - New signature: delete from
|
|
* 950007 - New signature: waitfor delay
|
|
|
|
False Positives Fixes:
|
|
* 950006 - Will not be looking for /cc pattern in User-Agent header
|
|
* 950002 - "Internet Explorer" signature removed
|
|
* Double decoding bug used to cause FPs. Some of the parameters are already
|
|
url-decoded by apache. This caused FPs when the rule performed another
|
|
url-decoding transformation. The rules have been split so that parameters
|
|
already decoded by apache will not be decoded by the rules anymore.
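The double-decoding false positive described in this item (and the repair to rules 950004/950005 in 1.5.1) is easy to see with a small model. The following is an added example, not CRS or ModSecurity code: it assumes, purely for illustration, that ARGS and REQUEST_FILENAME reach the rule already decoded once by the server while REQUEST_URI_RAW does not, and uses a single "<script" signature in place of the real XSS rules.

```python
import re
from urllib.parse import unquote

# Added example, not CRS code: a simplified model of the double URL-decoding
# false positive. Which variables arrive pre-decoded is an assumption made
# for this illustration, following the changelog's own description.
PRE_DECODED = {"REQUEST_FILENAME", "ARGS"}    # assumed decoded once by Apache
RAW = {"REQUEST_URI_RAW", "REQUEST_HEADERS"}  # assumed still percent-encoded

XSS_SIGNATURE = re.compile(r"<script", re.IGNORECASE)


def apache_decode(raw: str) -> str:
    """Model of the single URL-decode the server performs before rules run."""
    return unquote(raw)


def buggy_rule(variable: str, value: str) -> bool:
    """Pre-1.5 behaviour: always apply urlDecode, even to a variable that was
    already decoded, so such values end up decoded twice in total."""
    return XSS_SIGNATURE.search(unquote(value)) is not None


def split_rule(variable: str, value: str) -> bool:
    """1.5 behaviour: decode raw variables exactly once, pre-decoded ones not at all."""
    if variable in RAW:
        value = unquote(value)
    return XSS_SIGNATURE.search(value) is not None


def evaluate(variable: str, wire_value: str) -> dict:
    """Feed what the rule engine would see for a given on-the-wire value to
    both rule variants and report their verdicts."""
    seen = apache_decode(wire_value) if variable in PRE_DECODED else wire_value
    return {
        "seen": seen,
        "buggy": buggy_rule(variable, seen),
        "split": split_rule(variable, seen),
    }


if __name__ == "__main__":
    # Constructed inputs: a user pasting the literal text "%3Cscript%3E" into a
    # form (browser sends %253Cscript%253E), versus a real "<script>" payload.
    for var, wire in [("ARGS", "%253Cscript%253E"),
                      ("ARGS", "%3Cscript%3E"),
                      ("REQUEST_URI_RAW", "/?q=%3Cscript%3E")]:
        print(var, wire, evaluate(var, wire))
```

The benign case is the one that matters: the engine sees `%3Cscript%3E`, a harmless literal, and only the rule that decodes a second time turns it into `<script>`. Splitting the rule by variable keeps the attack detection on both the raw and the decoded variables without re-decoding anything.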
* 960911 - Expression is much more permissive now
* 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
  then you should uncomment this rule (in file 20)


== Version 1.4.3 - 2007/07/21 ==

New Events:
* 950012 - HTTP Request Smuggling
  For more info on this attack:
  http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
* 960912 - Invalid request body
  Malformed content will not be parsed by ModSecurity, but there might still
  be applications that will parse it, ignoring the errors.
* 960913 - Invalid Request
  Will trigger a security event when a request was rejected by Apache with
  code 400, without going through ModSecurity rules.

False Positives Fixes:
* 950107 - Will allow a % sign in the middle of a string as well
* 960911 - A more accurate expression based on the RFC:
  http://www.ietf.org/rfc/rfc2396.txt
* 950015 - Will not look for http/ pattern in the request headers

Additional rules logic:
* Since Apache applies scope directives only after ModSecurity phase 1,
  these directives cannot be used to exclude phase 1 rules. Therefore
  we moved all inspection rules to phase 2.


== Version 1.4 build 2 - 2007/05/17 ==

New Feature:
* Search for signatures in XML content
  XML content will be parsed and inspected for signatures

New Events:
* 950116 - Unicode Full/Half Width Abuse Attack Attempt
  Full-width Unicode can be used to bypass content inspection. Such encoding will be forbidden
  http://www.kb.cert.org/vuls/id/739224
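Full-width look-alikes of ASCII (U+FF01 to U+FF5E) defeat a signature that only knows the ASCII spelling, which is why 950116 refuses them outright. The following is an added example, not CRS code: it shows a signature that misses the wide spelling, the "forbid the range" approach the rule takes (on decoded text and on the raw UTF-8 bytes, since a byte-oriented engine never sees code points), and the alternative of NFKC-folding before matching. The "<script" signature and the payload are constructed for the illustration.

```python
import re
import unicodedata

# Added example, not CRS code. Two defensive options for full-width ASCII
# look-alikes: refuse them (as 950116 does per the changelog) or NFKC-fold
# them to ASCII before matching signatures.

SIGNATURE = re.compile(r"<script", re.IGNORECASE)

# U+FF01..U+FF5E are the full-width forms of ASCII 0x21..0x7E.
FULLWIDTH_ASCII = re.compile(r"[\uFF01-\uFF5E]")

# The same range as it appears on the wire in UTF-8:
# U+FF01..U+FF3F -> EF BC 81..BF, U+FF40..U+FF5E -> EF BD 80..9E.
FULLWIDTH_UTF8 = re.compile(rb"\xef\xbc[\x81-\xbf]|\xef\xbd[\x80-\x9e]")


def naive_match(value: str) -> bool:
    """Signature check on the raw text: blind to full-width look-alikes."""
    return SIGNATURE.search(value) is not None


def contains_fullwidth(value: str) -> bool:
    """Option 1 (950116 style): flag any full-width ASCII look-alike at all."""
    return FULLWIDTH_ASCII.search(value) is not None


def contains_fullwidth_bytes(data: bytes) -> bool:
    """Option 1 on the UTF-8 byte stream, for engines that do not decode Unicode."""
    return FULLWIDTH_UTF8.search(data) is not None


def normalized_match(value: str) -> bool:
    """Option 2: fold compatibility characters to ASCII with NFKC, then match."""
    return SIGNATURE.search(unicodedata.normalize("NFKC", value)) is not None


# Constructed payload: "<script>alert(1)" with the tag spelled in full-width characters.
WIDE_PAYLOAD = "\uff1c\uff53\uff43\uff52\uff49\uff50\uff54\uff1ealert(1)"


if __name__ == "__main__":
    print("naive      :", naive_match(WIDE_PAYLOAD))
    print("fullwidth  :", contains_fullwidth(WIDE_PAYLOAD))
    print("utf8 bytes :", contains_fullwidth_bytes(WIDE_PAYLOAD.encode("utf-8")))
    print("normalized :", normalized_match(WIDE_PAYLOAD))
```

Folding is only safe if the application itself folds the same way before using the data; if the backend treats the wide characters literally, a request flagged by option 2 would have been harmless, and one passed by it could still be interpreted differently downstream. Refusing the range, as the rule does, trades some false positives on legitimate CJK-locale input for a simpler guarantee.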
* 960911 - Invalid HTTP request line
  Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
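A request-line check in the spirit of 960911 (malformed request line; later refined against RFC 2396 in 1.4.3 and relaxed in 1.5) and of 960019 from 1.5.1 (HTTP/0.9 requests, which carry no version token), as an added example rather than the rules' own expressions. The grammar below is a deliberately strict subset of what RFC 2616 allows (upper-case method, no whitespace inside the URI, single-digit version numbers), and the action taken for a malformed line is an assumption.

```python
import re

# Added example, not CRS code: a simplified request-line classifier.
# <METHOD> SP <path> SP HTTP/<major>.<minor>, with a strict token grammar.
FULL_REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<major>\d)\.(?P<minor>\d)$")

# HTTP/0.9 had no version token and only supported GET.
HTTP09_REQUEST_LINE = re.compile(r"^GET (?P<uri>\S+)$")


def classify_request_line(line: str) -> str:
    """Return 'valid', 'http09' or 'invalid' for one request line."""
    line = line.rstrip("\r\n")
    if FULL_REQUEST_LINE.match(line):
        return "valid"
    if HTTP09_REQUEST_LINE.match(line):
        return "http09"
    return "invalid"


def evaluate(line: str, blocking: bool = False) -> dict:
    """Map the classification to the event id and action the changelog
    describes: 960019 logs by default and blocks only in the blocking ruleset.
    Treating a malformed line (960911) as log-only is an assumption here."""
    kind = classify_request_line(line)
    if kind == "valid":
        return {"event": None, "action": "pass"}
    if kind == "http09":
        return {"event": 960019, "action": "deny" if blocking else "log"}
    return {"event": 960911, "action": "log"}


if __name__ == "__main__":
    # Constructed request lines covering the three outcomes.
    for sample in ["GET /index.html HTTP/1.1\r\n",
                   "OPTIONS * HTTP/1.0",
                   "GET /",                       # HTTP/0.9 style
                   "GET  / HTTP/1.1",             # double space
                   "GET / HTTP/1.1 extra",        # trailing token
                   "POST /a b HTTP/1.1"]:         # whitespace inside the URI
        print(repr(sample), "->", evaluate(sample, blocking=True))
```

The point of keeping the HTTP/0.9 shape as its own class is operational: a bare `GET /` is what old monitoring scripts and the Apache SSL pinger mentioned in 1.5.1 send, so it deserves a separate event that can be logged rather than denied until those clients are accounted for.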
* 960904 - Request Missing Content-Type (when there is content)
  When a request contains content, the Content-Type must be specified. If not, the content will not be inspected
* 970018 - IIS installed in default location (any drive)
  Log once if IIS is installed in the /Inetpub directory (on any drive, not only C)
* 950019 - Email Injection
  Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails

Regular expressions fixes:
* Further optimization of some regular expressions (using the non-greedy quantifier)
  The non-greedy quantifier, <?> (as in .*?), reduces the backtracking these expressions do on long inputs

FP fixes:
* Rule 950107 - Will allow a parameter to end in a % sign from now on


== Version 1.4 - 2007/05/02 ==

New Events:
* 970021 - WebLogic information disclosure
  Matching "<title>JSP compile error</title>" in the response body will trigger this rule, with severity 4 (Warning)
* 950015,950910,950911 - HTTP Response Splitting
  Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
  http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
* 960902 - Content-Encoding in request not supported
  Any incoming compressed request will be denied
* 960903 - Content-Encoding in response not supported
  An outgoing compressed response will be logged to alert, but ONLY ONCE.

False Positives Fixes:
* Removed <.exe>,<.shtml> from restricted extensions
* Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
* Excluded Referer header from SQL injection, XSS and command injection rules
* Excluded X-OS-Prefs header from command injection rule
* Will be looking for command injection signatures in
  REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
* Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type

Additional rules logic:
* Corrected match of OPTIONS method in event 960015
* Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
* Moved all rules apart from method inspection from phase 1 to phase 2 -
  This will enable viewing content if such a rule triggers as well as setting
  exceptions using Apache scope tags.
* Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
* Added 1=1 signature (SQL Injection)
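The two SQL injection signatures added here (the literal 1=1, and "or x=x" with either quote style) are the ones the later "smarter regexp" entry at the top of this section generalises to 2=2, 3=3 and so on. The following is an added example, not the CRS patterns themselves: it reconstructs that evolution with backreferences, so the same integer or the same quoted token must appear on both sides of the `=`. The lookarounds and the optional closing quote are design choices made here, explained in the comments.

```python
import re

# Added example, not CRS code. Models the signature evolution recorded in this
# changelog: the literal 1=1 and "or x=x" signatures, then a generalisation to
# any N=N tautology using backreferences.

# Old 1.4-style signature: the literal 1=1 only.
OLD_ONE_EQUALS_ONE = re.compile(r"\b1\s*=\s*1\b")

# Generalised: the same integer on both sides of '=', e.g. 1=1, 2=2, 42 = 42.
# The lookarounds keep "1=10", "22=2" and version strings like "1.1=1.1" out.
NUMERIC_TAUTOLOGY = re.compile(r"(?<![\d.])(\d+)\s*=\s*\1(?![\d.])")

# "or x=x", "or 'x'='x", 'or "x"="x"': same identifier on both sides and the
# same quote style on both sides. The closing quote is optional because an
# injected payload usually relies on the query's own closing quote.
STRING_TAUTOLOGY = re.compile(
    r"""\bor\s+(['"]?)([A-Za-z_]\w*)\1\s*=\s*\1\2(?!\w)""", re.IGNORECASE)


def detect_tautology(value: str) -> list:
    """Return the names of the tautology signatures that fire on a parameter value."""
    hits = []
    if NUMERIC_TAUTOLOGY.search(value):
        hits.append("numeric")
    if STRING_TAUTOLOGY.search(value):
        hits.append("string")
    return hits


def old_signature_fires(value: str) -> bool:
    """Whether the original literal 1=1 signature alone would have matched."""
    return OLD_ONE_EQUALS_ONE.search(value) is not None


if __name__ == "__main__":
    # Constructed parameter values: payloads the old signature misses, and
    # benign values that must stay quiet.
    for sample in ["1 or 1=1", "1 or 2=2", "' or 'a'='a", '" or "x"="x"',
                   "admin' OR x=x--", "1=10", "version=1.1", "color=red or x=y"]:
        print(repr(sample), "old:", old_signature_fires(sample),
              "new:", detect_tautology(sample))
```

The backreference is what makes the rule "smarter" than enumerating 1=1, 2=2, 3=3: it matches the property (both sides identical) rather than particular literals, while the lookarounds and the identifier restriction in the string form are what keep everyday values such as version numbers, prices and English prose from tripping it.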


== Version 1.3.2 build 4 - 2007/01/17 ==

Fixed Apache 2.4 dummy requests exclusion
Added persistent PDF UXSS detection rule


== Version 1.3.2 build 3 - 2007/01/10 ==

Fixed regular expression in rule 960010 (file #30) to allow multipart form data
content


== Version 1.3.2 - 2006/12/27 ==

New events:
* 960037 Directory is restricted by policy
* 960038 HTTP header is restricted by policy

Regular expressions fixes:
* Regular expressions with @ at end or beginning (for example "@import")
* Regular expressions with un-escaped "."
* Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
* The command injection wget is not searched in the UA header as it has a different meaning there.
* LDAP fixed to reduce FPs:
  + More accurate regular expressions
  + High-bit characters not accepted between signature tokens.
* Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
* Removed Java from automation UA
* When validating encoding, added a regexp based chained rule that accepts both %xx and %uxxxx encoding, bypassing a limitation of "@validateUrlEncoding"
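What "valid URL encoding" means once %uXXXX is admitted alongside %XX, and how the later 950107 relaxations (a bare % at the end of a parameter in 1.4 build 2, or in the middle of one in 1.4.3) change the answer, is easier to pin down in code than in prose. The following is an added example, not the chained rule itself: a scanner that returns every malformed escape in a value, with a flag that models the relaxed 950107 behaviour. The definition of a "bare" percent sign as one followed by neither a hex digit nor `u` (or by nothing) is an assumption made here so that truncated escapes such as `%4` or `%u12` are still reported.

```python
# Added example, not CRS code: a URL-encoding validator that accepts both
# %XX and %uXXXX escapes, the limitation of @validateUrlEncoding the chained
# rule works around. allow_bare_percent models the later 950107 relaxation.

HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_url_encoding(value: str, allow_bare_percent: bool = False) -> list:
    """Return every malformed '%' sequence in value (with a little context).
    An empty list means the encoding is valid."""
    bad = []
    i, n = 0, len(value)
    while i < n:
        if value[i] != "%":
            i += 1
            continue
        rest = value[i + 1:i + 7]
        # %XX: exactly two hex digits.
        if len(rest) >= 2 and rest[0] in HEX_DIGITS and rest[1] in HEX_DIGITS:
            i += 3
            continue
        # %uXXXX: the non-standard Unicode escape, four hex digits.
        if len(rest) >= 5 and rest[0] == "u" and all(c in HEX_DIGITS for c in rest[1:5]):
            i += 6
            continue
        # A bare '%' is one that cannot be the start of either escape form
        # (assumption for this example): end of string, or a following character
        # that is neither a hex digit nor 'u'. Truncated escapes stay errors.
        bare = (i + 1 == n) or (value[i + 1] not in HEX_DIGITS and value[i + 1] != "u")
        if not (allow_bare_percent and bare):
            bad.append(value[i:i + 6])
        i += 1
    return bad


def url_encoding_is_valid(value: str, allow_bare_percent: bool = False) -> bool:
    return not check_url_encoding(value, allow_bare_percent)


if __name__ == "__main__":
    # Constructed parameter values: well-formed escapes of both kinds, a broken
    # hex escape, a truncated %u escape, and the bare '%' cases 950107 now allows.
    for sample in ["%3Cscript%3E", "%u003Cscript%u003E", "%3G", "%u12", "100%", "50% off"]:
        print(repr(sample),
              "strict:", check_url_encoding(sample),
              "relaxed:", check_url_encoding(sample, allow_bare_percent=True))
```

Accepting %uXXXX at the validation stage only makes sense if the same escape is also decoded (urlDecodeUni) before signatures run; validating it and then leaving it undecoded would let `%u003C` slip past a `<` signature. The relaxation for bare percent signs is a deliberate false-positive trade: a stray `%` is not itself an evasion, whereas a truncated `%4` or `%u12` still deserves an alert.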

Additional rules logic:
* Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
* OPTIONS method does not require an Accept header.
* Apache keep-alive request exception.
* PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
* The byte range validation checks by default only that no NULL character exists.
* Added CSS to allowed extensions in strict rule sets.
* Changed default action in file #50 to pass instead of deny.
* Moved IP host header from protocol violations to protocol anomalies.

Modified descriptions:
* 950107: URL Encoding Abuse Attack Attempt
* 950801: UTF8 Encoding Abuse Attack Attempt
* Added matched pattern in many events using capture and %{TX.0}
* Added ctl:auditLogParts=+E for outbound events and attacks to collect the response.


== Version 1.2 - 2006/11/19 ==

Changes:
+ Move all events to the range of events allocated to Thinking Stone, now Breach,
  by prefixing all event IDs with "9".
+ Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
  the highest and 5 the lowest.

Bug fixes:
+ Removed quotes from list of mime types inspected on exit (directive
  SecResponseBodyMimeType)
+ Corrected "cd .." signature. Now the periods are escaped.
+ Too many FPs with events 950903 & 950905. Commented them out until fixed.


== Version 1.1 - 2006/10/18 ==

Initial version