diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 5c75de227..5888424ea 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -21,7 +21,7 @@
 #
 # Rule version data is added to the "Producer" line of Section H of the Audit log:
 #
-# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
+# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
 #
diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
index 6b60a6585..3402cea3c 100644
--- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -40,6 +40,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
 tag:'OWASP_AppSensor/RE1',\
 tag:'PCI/12.1',\
 severity:'CRITICAL',\
+ ver:'OWASP_CRS/3.1.0',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
 setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}'"
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index e661241fb..31a1e2c3e 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -46,7 +46,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
 tag:'WASCTC/WASC-21',\
 tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
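Review bot: In rules/REQUEST-911-METHOD-ENFORCEMENT.conf the added `ver:'OWASP_CRS/3.1.0',\` sits after `severity:'CRITICAL',\`, while the other rules in this diff that carry both actions put `ver:` before `severity:`. Nothing in the hunk suggests the order affects matching, but a uniform position keeps release-time version bumps and audits of rule metadata mechanical. Consider moving the new line up one so the rule reads `ver:'OWASP_CRS/3.1.0',\` followed by `severity:'CRITICAL',\`. The rule begins above the hunk, so its earlier actions are not visible here.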
@@ -71,7 +71,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
 tag:'WASCTC/WASC-21',\
 tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -98,7 +98,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
 tag:'WASCTC/WASC-21',\
 tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -141,7 +141,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
 tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
@@ -178,7 +178,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
 tag:'OWASP_TOP_10/A7',\
 tag:'PCI/6.5.10',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 83c42edb5..3a61f0a64 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -57,7 +57,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
 tag:'attack-protocol',\
 tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
 tag:'CAPEC-272',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
@@ -107,7 +107,7 @@ SecRule FILES_NAMES|FILES "@rx (?" \ "msg:'PHP Injection Attack: PHP Closing Tag Found',\ phase:2,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ t:none,t:urlDecodeUni,\ ctl:auditLogParts=+E,\ block,\ diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf index 9046f2a11..74a6f01fe 100644 --- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf @@ -52,7 +52,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -84,7 +84,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -115,7 +115,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ @@ -145,7 +145,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H tag:'OWASP_AppSensor/IE1',\ tag:'CAPEC-242',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\ 
@@ -176,7 +176,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -239,7 +239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -270,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -302,7 +302,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -329,7 +329,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -356,7 +356,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -383,7 +383,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -410,7 +410,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -437,7 +437,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -464,7 +464,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -491,7 +491,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -518,7 +518,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -545,7 +545,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -572,7 +572,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -599,7 +599,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -631,7 +631,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -662,7 +662,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/IE1',\
 tag:'CAPEC-242',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -699,7 +699,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
 tag:'CAPEC-242',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -731,7 +731,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'CAPEC-242',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -816,7 +816,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/IE1',\
 tag:'PCI/6.5.1',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -842,7 +842,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/IE1',\
 tag:'PCI/6.5.1',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -868,7 +868,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/IE1',\
 tag:'PCI/6.5.1',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 340f65baa..3ff295a66 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -57,7 +57,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -95,7 +95,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'platform-multi',\
 tag:'attack-sqli',\
 tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -153,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -185,7 +185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -233,7 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -313,7 +313,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -345,7 +345,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -369,7 +369,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -401,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -433,7 +433,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -476,7 +476,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_TOP_10/A1',\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -553,7 +553,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -590,7 +590,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 multiMatch,\
 setvar:'tx.msg=%{rule.msg}',\
@@ -630,7 +630,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain" SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passw
o)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(" \ @@ -665,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -698,7 +698,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -731,7 +731,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -764,7 +764,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ @@ -797,7 +797,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME tag:'OWASP_AppSensor/CIE1',\ tag:'PCI/6.5.2',\ tag:'paranoia-level/2',\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\ 
@@ -830,7 +830,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -906,7 +906,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -943,7 +943,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -977,7 +977,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1008,7 +1008,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1039,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1073,7 +1073,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1111,7 +1111,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1148,7 +1148,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1185,7 +1185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1227,7 +1227,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1275,7 +1275,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1304,7 +1304,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/2',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1348,7 +1348,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1382,7 +1382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1426,7 +1426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1456,7 +1456,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1490,7 +1490,7 @@ SecRule ARGS "@rx \W{4}" \
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/3',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
 setvar:'tx.msg=%{rule.msg}',\
@@ -1527,7 +1527,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1557,7 +1557,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
 tag:'OWASP_AppSensor/CIE1',\
 tag:'PCI/6.5.2',\
 tag:'paranoia-level/4',\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'WARNING',\
 setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
 setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 01d083d9f..00646fbb6 100644
--- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 tag:'WASCTC/WASC-37',\
 tag:'CAPEC-61',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
@@ -67,7 +67,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 tag:'WASCTC/WASC-37',\
 tag:'CAPEC-61',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
@@ -96,7 +96,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession
 tag:'WASCTC/WASC-37',\
 tag:'CAPEC-61',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule &REQUEST_HEADERS:Referer "@eq 0" \
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 6e4448748..448368870 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?Index of.*?Inde tag:'OWASP_TOP_10/A6',\ tag:'PCI/6.5.6',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\ @@ -79,7 +79,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ tag:'PCI/6.5.6',\ tag:'paranoia-level/2',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'ERROR',\ setvar:'tx.msg=%{rule.msg}',\ setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\ diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf index 23ef8a797..d048ff727 100644 --- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf @@ -35,7 +35,7 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \ tag:'language-multi',\ tag:'platform-multi',\ tag:'attack-disclosure',\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ setvar:'tx.sql_error_match=1'" SecRule TX:sql_error_match "@eq 1" \ @@ -53,7 +53,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \ @@ -79,7 +79,7 @@ SecRule TX:sql_error_match "@eq 1" \ tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\ tag:'CWE-209',\ ctl:auditLogParts=+E,\ - ver:'OWASP_CRS/3.0.0',\ + ver:'OWASP_CRS/3.1.0',\ severity:'CRITICAL',\ chain" SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \ 
@@ -105,7 +105,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
@@ -131,7 +131,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
@@ -157,7 +157,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
@@ -184,7 +184,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
@@ -210,7 +210,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
@@ -236,7 +236,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
@@ -263,7 +263,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
@@ -290,7 +290,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:Warning: ibase_|Unexpected end of command in statement)" \
@@ -316,7 +316,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
@@ -342,7 +342,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
@@ -368,7 +368,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
@@ -394,7 +394,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
@@ -420,7 +420,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
@@ -446,7 +446,7 @@ SecRule TX:sql_error_match "@eq 1" \
 tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
 tag:'CWE-209',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'CRITICAL',\
 chain"
 SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index 4d7424b2d..5799c0cbd 100644
--- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index 7cd28e8f3..f6a1953ef 100644
--- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmf php-errors.data" \
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -99,7 +99,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 chain"
 SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
diff --git a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index 80d5fbffa..b70182473 100644
--- a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -34,7 +34,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
 tag:'platform-windows',\
 tag:'attack-disclosure',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score=+%{tx.error_anomaly_score}',\
@@ -57,7 +57,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -85,7 +85,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 setvar:'tx.msg=%{rule.msg}',\
 setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -111,7 +111,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
 tag:'OWASP_TOP_10/A6',\
 tag:'PCI/6.5.6',\
 ctl:auditLogParts=+E,\
- ver:'OWASP_CRS/3.0.0',\
+ ver:'OWASP_CRS/3.1.0',\
 severity:'ERROR',\
 chain"
 SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \