From 607c0f5e4f0b0de643a3d3db2c7a9d9e496d281b Mon Sep 17 00:00:00 2001
From: Christian Folini <email_github.com@tikon.ch>
Date: Tue, 25 Jun 2019 09:54:26 +0200
Subject: [PATCH] Backports to v3.1/dev from v3.2/dev (incl. ReDoS fixes) and
 update version

* Backport regex update in regexp-942260.data
* Backport rules updates to 942260 and 942490
* Backport regex update in regexp-942490.data
* Backporting new regexp-assemble-v2.pl
* Describe ReDoS fix backports in CHANGES
* Bugfix in 943120 (backport)
* Content-Type made case insensitive in 920240, 920400 (backport)
* Fix bug in 920470 (backport)
* Allow percent encoding in 920240 (backport)
* Fix bug in 920440 (backport)
* Reduce false positives in 921110 (backport)
* Updating version to 3.1.1, copyright year and contributors file
---
 CHANGES                                       |   9 ++
 CONTRIBUTORS.md                               |   3 +
 README.md                                     |   2 +-
 crs-setup.conf.example                        |   6 +-
 ...00-EXCLUSION-RULES-BEFORE-CRS.conf.example |   4 +-
 rules/REQUEST-901-INITIALIZATION.conf         |  12 +-
 ...QUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf |   6 +-
 ...ST-903.9002-WORDPRESS-EXCLUSION-RULES.conf |   4 +-
 ...ST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf |   4 +-
 ...EST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf |   4 +-
 ...QUEST-903.9005-CPANEL-EXCLUSION-RULES.conf |   4 +-
 rules/REQUEST-905-COMMON-EXCEPTIONS.conf      |   4 +-
 rules/REQUEST-910-IP-REPUTATION.conf          |   4 +-
 rules/REQUEST-911-METHOD-ENFORCEMENT.conf     |   6 +-
 rules/REQUEST-912-DOS-PROTECTION.conf         |   4 +-
 rules/REQUEST-913-SCANNER-DETECTION.conf      |  14 +--
 rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf   | 110 +++++++++---------
 rules/REQUEST-921-PROTOCOL-ATTACK.conf        |  24 ++--
 rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf |  12 +-
 rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf |  12 +-
 rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf |  30 ++---
 rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf |  32 ++---
 rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf |  58 ++++-----
 .../REQUEST-942-APPLICATION-ATTACK-SQLI.conf  | 102 ++++++++--------
 ...3-APPLICATION-ATTACK-SESSION-FIXATION.conf |  12 +-
 .../REQUEST-944-APPLICATION-ATTACK-JAVA.conf  |  22 ++--
 rules/REQUEST-949-BLOCKING-EVALUATION.conf    |   4 +-
 rules/RESPONSE-950-DATA-LEAKAGES.conf         |   8 +-
 rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf     |  38 +++---
 rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf    |   8 +-
 rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf     |  10 +-
 rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf     |  12 +-
 rules/RESPONSE-959-BLOCKING-EVALUATION.conf   |   4 +-
 rules/RESPONSE-980-CORRELATION.conf           |   4 +-
 ...999-EXCLUSION-RULES-AFTER-CRS.conf.example |   4 +-
 util/regexp-assemble/regexp-942260.data       |   2 +-
 util/regexp-assemble/regexp-942490.data       |   2 +-
 util/regexp-assemble/regexp-assemble-v2.pl    |  29 +++++
 .../920240.yaml                               |   6 +-
 .../920440.yaml                               |  23 ++++
 .../920470.yaml                               |  16 ++-
 .../REQUEST-921-PROTOCOL-ATTACK/921110.yaml   |  23 +++-
 42 files changed, 396 insertions(+), 301 deletions(-)
 create mode 100755 util/regexp-assemble/regexp-assemble-v2.pl

diff --git a/CHANGES b/CHANGES
index 2d6f0e80b..4bb3a94b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,15 @@
   or the CRS mailinglist at
 * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
 
+== Version 3.1.1 - 2018-06-26 ==
+ * Fix CVE-2019-11387 ReDoS against CRS on ModSecurity 3 at PL 2 (Christoph Hansen, Federico G. Schwindt)
+ * Content-Type made case insensitive in 920240, 920400 (Federico G. Schwindt)
+ * Allow % encoding in 920240 (Christoph Hansen)
+ * Fix bug in 920440 (Andrea Menin)
+ * Fix bug in 920470 (Walter Hop)
+ * Reduce false positives in 921110 (Yu Yagihashi, Federico G. Schwindt)
+ * Fix bug in 943120 (XeroChen)
+
 == Version 3.1.0 - 8/7/2018 ==
  * Add Detectify scanner (theMiddle)
  * Renaming matched_var/s (Victor Hora)
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 41ad22eb4..df2c6fe32 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -12,6 +12,7 @@
 - [Franziska Bühler](https://github.com/franbuehler)
 - [Christoph Hansen](https://github.com/emphazer)
 - [Victor Hora](https://github.com/victorhora)
+- [Andrea Menin](https://github.com/theMiddleBlue)
 - [Federico G. Schwindt](https://github.com/fgsch)
 - [Manuel Spartan](https://github.com/spartantri)
 - [Felipe Zimmerle](https://github.com/zimmerle)
@@ -51,6 +52,8 @@
 - [theMiddle](https://github.com/theMiddleBlue)
 - [Ben Williams](https://github.com/benwilliams)
 - [Greg Wroblewski](https://github.com/gwroblew)
+- [XeroChen](https://github.com/XeroChen)
+- [Yu Yagihashi](https://github.com/yagihash)
 - [ygrek](https://github.com/ygrek)
 - [Zino](https://github.com/zinoe)
 - Josh Zlatin
diff --git a/README.md b/README.md
index 9f7ccafa8..d5c860088 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ We strive to make the OWASP ModSecurity CRS accessible to a wide audience of beg
 
 ## License
 
-Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 
 The OWASP ModSecurity Core Rule Set is distributed under Apache Software License (ASL) version 2. Please see the enclosed LICENSE file for full details.
 
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index 41d6f7b79..bfc23958d 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -842,4 +842,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:tx.crs_setup_version=310"
+  setvar:tx.crs_setup_version=311"
diff --git a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index 317c54d2c..bd2361632 100644
--- a/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 94629abe7..b893794da 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -21,11 +21,11 @@
 #
 # Rule version data is added to the "Producer" line of Section H of the Audit log:
 #
-# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
+# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
 #
-SecComponentSignature "OWASP_CRS/3.1.0"
+SecComponentSignature "OWASP_CRS/3.1.1"
 
 #
 # -=[ Default setup values ]=-
@@ -298,7 +298,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     msg:'Enabling body inspection',\
     tag:'paranoia-level/1',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/3.1.0'"
+    ver:'OWASP_CRS/3.1.1'"
 
 # Force body processor URLENCODED
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -309,7 +309,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     nolog,\
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"
diff --git a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
index f478ed7d4..1f511c383 100644
--- a/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -296,7 +296,7 @@ SecRule REQUEST_METHOD "@streq POST" \
         "chain"
         SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
             "chain"
-            SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
+	    SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
                 "chain"
                 SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                     "ctl:requestBodyAccess=Off"
diff --git a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
index 5e3934af6..7d8fff749 100644
--- a/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
index c2c9a2a9e..f667c5f2f 100644
--- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
index 2ce28e587..dfb180f18 100644
--- a/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
index 07b3ecffc..1553364c3 100644
--- a/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
index 04ab90101..3761725f5 100644
--- a/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-910-IP-REPUTATION.conf b/rules/REQUEST-910-IP-REPUTATION.conf
index 917b7ae23..eadbb24b1 100644
--- a/rules/REQUEST-910-IP-REPUTATION.conf
+++ b/rules/REQUEST-910-IP-REPUTATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
index d90f50af4..019699065 100644
--- a/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -40,7 +40,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'OWASP_AppSensor/RE1',\
     tag:'PCI/12.1',\
     severity:'CRITICAL',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
diff --git a/rules/REQUEST-912-DOS-PROTECTION.conf b/rules/REQUEST-912-DOS-PROTECTION.conf
index cdbbfe4a4..4de94dec7 100644
--- a/rules/REQUEST-912-DOS-PROTECTION.conf
+++ b/rules/REQUEST-912-DOS-PROTECTION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index a33761a56..d9868f0fa 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -46,7 +46,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -71,7 +71,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -98,7 +98,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -141,7 +141,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
@@ -178,7 +178,7 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index ce56d2b97..8cf817c5c 100644
--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -57,7 +57,7 @@ SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
@@ -107,7 +107,7 @@ SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -141,7 +141,7 @@ SecRule REQBODY_ERROR "!@eq 0" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -183,7 +183,7 @@ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -213,7 +213,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -248,7 +248,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@@ -274,7 +274,7 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@@ -306,7 +306,7 @@ SecRule REQUEST_METHOD "@rx ^POST$" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'CAPEC-272',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Length "@eq 0" \
@@ -353,7 +353,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)\-(\d+)\,"
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule TX:2 "!@ge %{tx.1}" \
@@ -386,7 +386,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
@@ -419,7 +419,7 @@ SecRule REQUEST_URI "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_URI "@validateUrlEncoding" \
@@ -427,7 +427,7 @@ SecRule REQUEST_URI "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
         setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
         setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
 
-SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded" \
     "id:920240,\
     phase:2,\
     block,\
@@ -439,12 +439,12 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
-    SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+    SecRule REQUEST_BODY "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
         "chain"
-        SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" \
+        SecRule REQUEST_BODY "@validateUrlEncoding" \
             "setvar:'tx.msg=%{rule.msg}',\
             setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
             setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
@@ -471,7 +471,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@@ -509,7 +509,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
     tag:'platform-iis',\
     tag:'platform-windows',\
     tag:'attack-protocol',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
@@ -563,7 +563,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -597,7 +597,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
@@ -616,7 +616,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
@@ -656,7 +656,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -681,7 +681,7 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -714,7 +714,7 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EMPTY_HEADER_UA',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'NOTICE',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.notice_anomaly_score}',\
@@ -750,7 +750,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'NOTICE',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -785,7 +785,7 @@ SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
@@ -817,7 +817,7 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/POLICY/SIZE_LIMIT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule &ARGS "@gt %{tx.max_num_args}" \
@@ -842,7 +842,7 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/POLICY/SIZE_LIMIT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@@ -866,7 +866,7 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/POLICY/SIZE_LIMIT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS "@gt %{tx.arg_length}" \
@@ -890,7 +890,7 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/POLICY/SIZE_LIMIT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@@ -915,10 +915,10 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/POLICY/SIZE_LIMIT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
-    SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
+    SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
         "chain"
         SecRule REQUEST_HEADERS:Content-Length "@gt %{tx.max_file_size}" \
             "t:none,\
@@ -941,7 +941,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/POLICY/SIZE_LIMIT',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@@ -966,7 +966,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
 # - text/plain; charset="UTF-8"
 # - multipart/form-data; boundary=----WebKitFormBoundary12345
 #
-SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d_\-]+)?$" \
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|charset)\s?=\s?['\"\w\d\.\-]+)?$" \
     "id:920470,\
     phase:1,\
     block,\
@@ -982,7 +982,7 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w\d/\.\-\+]+(?:\s?;\s?(?:boundary|
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/EE2',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -1007,7 +1007,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/EE2',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     capture,\
     chain"
@@ -1038,7 +1038,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*([^;\s]+)" \
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/EE2',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     capture,\
     chain"
@@ -1068,7 +1068,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -1077,7 +1077,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
 #
 # Restrict file extension
 #
-SecRule REQUEST_BASENAME "@rx \.(.*)$" \
+SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
     "id:920440,\
     phase:2,\
     block,\
@@ -1093,7 +1093,7 @@ SecRule REQUEST_BASENAME "@rx \.(.*)$" \
     tag:'WASCTC/WASC-15',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.extension=.%{tx.1}/',\
     chain"
@@ -1147,7 +1147,7 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'WASCTC/WASC-15',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1196,7 +1196,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@@ -1221,7 +1221,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){63}" \
@@ -1243,7 +1243,7 @@ SecRule ARGS "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
@@ -1271,7 +1271,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -1298,7 +1298,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
@@ -1328,7 +1328,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'NOTICE',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.notice_anomaly_score}',\
@@ -1352,7 +1352,7 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
     tag:'CAPEC-272',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
@@ -1377,7 +1377,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -1409,7 +1409,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
@@ -1439,7 +1439,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
@@ -1464,7 +1464,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',\
@@ -1486,7 +1486,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl4=+%{tx.critical_anomaly_score}',\
@@ -1535,7 +1535,7 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?<!\Q\\\E)\Q\\\E[cdegh
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-921-PROTOCOL-ATTACK.conf b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
index 015f06b9a..7fb36654e 100644
--- a/rules/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -30,7 +30,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,skipAf
 # [ References ]
 # http://projects.webappsec.org/HTTP-Request-Smuggling
 #
-SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+" \
+SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)\s+[^\s]+(?:\s+http|[\r\n])" \
     "id:921110,\
     phase:2,\
     block,\
@@ -43,7 +43,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:get|post|head|options|connect|p
     tag:'platform-multi',\
     tag:'attack-protocol',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -75,7 +75,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'attack-protocol',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -96,7 +96,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'attack-protocol',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -130,7 +130,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -155,7 +155,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -176,7 +176,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?c
     tag:'platform-multi',\
     tag:'attack-protocol',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -212,7 +212,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
@@ -256,7 +256,7 @@ SecRule ARGS_NAMES "@rx ." \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'CAPEC-460',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 
 SecRule TX:/paramcounter_.*/ "@gt 1" \
@@ -271,7 +271,7 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'CAPEC-460',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
diff --git a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index c5a4dade5..f88ec8f9b 100644
--- a/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -39,7 +39,7 @@ SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XM
     tag:'platform-multi',\
     tag:'attack-lfi',\
     tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -62,7 +62,7 @@ SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/*
     tag:'platform-multi',\
     tag:'attack-lfi',\
     tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.msg=%{rule.msg}',\
@@ -91,7 +91,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'WASCTC/WASC-33',\
     tag:'OWASP_TOP_10/A4',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
@@ -120,7 +120,7 @@ SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
     tag:'WASCTC/WASC-33',\
     tag:'OWASP_TOP_10/A4',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 1137394b2..4c898ef3c 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -47,7 +47,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
     tag:'attack-rfi',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
@@ -68,7 +68,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
     tag:'attack-rfi',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
@@ -89,7 +89,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
     tag:'attack-rfi',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
@@ -119,7 +119,7 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\
     chain"
diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index 7f4375db0..e4a7e70cc 100644
--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -113,7 +113,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -151,7 +151,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -250,7 +250,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -288,7 +288,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -325,7 +325,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -364,7 +364,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -412,7 +412,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -462,7 +462,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -495,7 +495,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -529,7 +529,7 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -553,7 +553,7 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -590,7 +590,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
@@ -648,7 +648,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index 14648acd0..63d3a32a6 100644
--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -58,7 +58,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -101,7 +101,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -127,7 +127,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@pm =" \
@@ -156,7 +156,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -194,7 +194,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -263,7 +263,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -312,7 +312,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -369,7 +369,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -426,7 +426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -473,7 +473,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@pm (" \
@@ -529,7 +529,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -572,7 +572,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -617,7 +617,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
@@ -636,7 +636,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
     "msg:'PHP Injection Attack: PHP Closing Tag Found',\
     phase:2,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     t:none,t:urlDecodeUni,\
     ctl:auditLogParts=+E,\
     block,\
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 2976f019a..c09a258fa 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -52,7 +52,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -84,7 +84,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -115,7 +115,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -145,7 +145,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -176,7 +176,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -239,7 +239,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -270,7 +270,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -302,7 +302,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -329,7 +329,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -356,7 +356,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -383,7 +383,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -410,7 +410,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -437,7 +437,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -464,7 +464,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -491,7 +491,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -518,7 +518,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -545,7 +545,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -572,7 +572,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -599,7 +599,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -631,7 +631,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -662,7 +662,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -699,7 +699,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
     tag:'CAPEC-242',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -731,7 +731,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'CAPEC-242',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -816,7 +816,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/IE1',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -842,7 +842,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/IE1',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
@@ -868,7 +868,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/IE1',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 3c154e225..3a84d8571 100644
--- a/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -57,7 +57,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -95,7 +95,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -121,7 +121,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'attack-sqli',\
     tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -153,7 +153,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -185,7 +185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -209,7 +209,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -233,7 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -265,7 +265,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -289,7 +289,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -313,7 +313,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -345,7 +345,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -369,7 +369,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -401,7 +401,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -433,7 +433,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -476,7 +476,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -516,7 +516,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (^\s*[\"'`;]+|[\"'`]+\s*$)" \
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -553,7 +553,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:(?:^|\W)in[+\s]*\([\s\d\"]+[^()]*\)|\
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -590,7 +590,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i:([\s'\"`\(\)]*?)([\d\w]++)([\s'\"`\(\)]*
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.msg=%{rule.msg}',\
@@ -630,7 +630,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?i)\b(?:c(?:o(?:n(?:v(?:ert(?:_tz)?)?|cat(?:_ws)?|nection_id)|(?:mpres)?s|ercibility|(?:un)?t|llation|alesce)|ur(?:rent_(?:time(?:stamp)?|date|user)|(?:dat|tim)e)|h(?:ar(?:(?:acter)?_length|set)?|r)|iel(?:ing)?|ast|r32)|s(?:u(?:b(?:str(?:ing(?:_index)?)?|(?:dat|tim)e)|m)|t(?:d(?:dev_(?:sam|po)p)?|r(?:_to_date|cmp))|e(?:c(?:_to_time|ond)|ssion_user)|ys(?:tem_user|date)|ha[12]?|oundex|chema|ig?n|leep|pace|qrt)|i(?:s(?:_(?:ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|(?:free|used)_lock)|null)|n(?:et(?:6_(?:aton|ntoa)|_(?:aton|ntoa))|s(?:ert|tr)|terval)?|f(?:null)?)|d(?:a(?:t(?:e(?:_(?:format|add|sub)|diff)?|abase)|y(?:of(?:month|week|year)|name)?)|e(?:(?:s_(?:de|en)cryp|faul)t|grees|code)|count|ump)|l(?:o(?:ca(?:l(?:timestamp)?|te)|g(?:10|2)?|ad_file|wer)|ast(?:_(?:inser_id|day))?|e(?:(?:as|f)t|ngth)|case|trim|pad|n)|u(?:n(?:compress(?:ed_length)?|ix_timestamp|hex)|tc_(?:time(?:stamp)?|date)|p(?:datexml|per)|uid(?:_short)?|case|ser)|t(?:ime(?:_(?:format|to_sec)|stamp(?:diff|add)?|diff)?|o(?:(?:second|day)s|_base64|n?char)|r(?:uncate|im)|an)|m(?:a(?:ke(?:_set|date)|ster_pos_wait|x)|i(?:(?:crosecon)?d|n(?:ute)?)|o(?:nth(?:name)?|d)|d5)|r(?:e(?:p(?:lace|eat)|lease_lock|verse)|a(?:wtohex|dians|nd)|o(?:w_count|und)|ight|trim|pad)|f(?:i(?:eld(?:_in_set)?|nd_in_set)|rom_(?:unixtime|base64|days)|o(?:und_rows|rmat)|loor)|p(?:o(?:w(?:er)?|sition)|eriod_(?:diff|add)|rocedure_analyse|assword|g_sleep|i)|a(?:s(?:cii(?:str)?|in)|es_(?:de|en)crypt|dd(?:dat|tim)e|(?:co|b)s|tan2?|vg)|b(?:i(?:t_(?:length|count|x?or|and)|n(?:_to_num)?)|enchmark)|e(?:x(?:tract(?:value)?|p(?:ort_set)?)|nc(?:rypt|ode)|lt)|g(?:r(?:oup_conca|eates)t|et_(?:format|lock))|v(?:a(?:r(?:_(?:sam|po)p|iance)|lues)|ersion)|o(?:(?:ld_passwo)?rd|ct(?:et_length)?)|we(?:ek(?:ofyear|day)?|ight_string)|n(?:o(?:t_in|w)|ame_const|ullif)|h(?:ex(?:toraw)?|our)|qu(?:arter|ote)|year(?:week)?|xmltype)\W*\(" \
@@ -665,7 +665,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -698,7 +698,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -731,7 +731,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -741,12 +741,12 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Regexp generated from util/regexp-assemble/regexp-942260.data using Regexp::Assemble.
 # To rebuild the regexp:
 #   cd util/regexp-assemble
-#   ./regexp-assemble.pl regexp-942260.data
+#   ./regexp-assemble-v2.pl regexp-942260.data
 # Note that after assemble an outer bracket with an ignore case flag is added
 # to the Regexp::Assemble output:
-#   (?i:ASSEMBLE_OUTPUT)
+#    ASSEMBLE_OUTPUT | s/^(?:/(?i:/
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'`]\s*?(?:(?:n(?:and|ot)|(?:x?x)?or|between|\|\||and|div|&&)\s+[\s\w]+=\s*?\w+\s*?having\s+|like(?:\s+[\s\w]+=\s*?\w+\s*?having\s+|\W*?[\"'`\d])|[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w|\*\s*?\w+\W+[\"'`])|(?:union\s*?(?:distinct|[(!@]*?|all)?\s*?[([]*?\s*?select|select\s+?[\[\]()\s\w\.,\"'`-]+from)\s+|\w+\s+like\s+[\"'`]|find_in_set\s*?\(|like\s*?[\"'`]%)" \
     "id:942260,\
     phase:2,\
     block,\
@@ -764,7 +764,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -797,7 +797,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -830,7 +830,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -871,7 +871,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -906,7 +906,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -943,7 +943,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -977,7 +977,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1008,7 +1008,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1039,7 +1039,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1073,7 +1073,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1111,7 +1111,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1148,7 +1148,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1185,7 +1185,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1227,7 +1227,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1275,7 +1275,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1304,7 +1304,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1348,7 +1348,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1364,7 +1364,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # to the Regexp::Assemble output:
 #   (?:ASSEMBLE_OUTPUT)
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]" \
     "id:942490,\
     phase:2,\
     block,\
@@ -1382,7 +1382,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -1426,7 +1426,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1456,7 +1456,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1490,7 +1490,7 @@ SecRule ARGS "@rx \W{4}" \
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.msg=%{rule.msg}',\
@@ -1527,7 +1527,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
@@ -1557,7 +1557,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'OWASP_AppSensor/CIE1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/4',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'WARNING',\
     setvar:'tx.anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
diff --git a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 31b870c5b..4451c6071 100644
--- a/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -43,7 +43,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'WASCTC/WASC-37',\
     tag:'CAPEC-61',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
@@ -67,7 +67,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'WASCTC/WASC-37',\
     tag:'CAPEC-61',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
@@ -80,7 +80,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
             setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
 
 
-SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
+SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
     "id:943120,\
     phase:2,\
     block,\
@@ -96,7 +96,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp.net_sessionid|phpsession
     tag:'WASCTC/WASC-37',\
     tag:'CAPEC-61',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Referer "@eq 0" \
diff --git a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
index b248d2c72..cb2dee43a 100644
--- a/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+++ b/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -35,7 +35,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -67,7 +67,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
@@ -96,7 +96,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@@ -124,7 +124,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -166,7 +166,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -191,7 +191,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -216,7 +216,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -241,7 +241,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -280,7 +280,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index 24fc1f57b..104a6504b 100644
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 369cc20b1..8c7570013 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -44,7 +44,7 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -79,7 +79,7 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
     tag:'PCI/6.5.6',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
diff --git a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index ff5b043a2..20b5fa1ee 100644
--- a/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -35,7 +35,7 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     setvar:'tx.sql_error_match=1'"
 
 SecRule TX:sql_error_match "@eq 1" \
@@ -53,7 +53,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@@ -79,7 +79,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
@@ -105,7 +105,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
@@ -131,7 +131,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
@@ -157,7 +157,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
@@ -184,7 +184,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
@@ -210,7 +210,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
@@ -236,7 +236,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
@@ -263,7 +263,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
@@ -290,7 +290,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
@@ -316,7 +316,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
@@ -342,7 +342,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
@@ -368,7 +368,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
@@ -394,7 +394,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
@@ -420,7 +420,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
@@ -446,7 +446,7 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
diff --git a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index 9499ba86c..5b7b027e6 100644
--- a/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
diff --git a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index f97932cbb..e223f5eba 100644
--- a/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -39,7 +39,7 @@ SecRule RESPONSE_BODY "@pmf php-errors.data" \
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -68,7 +68,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -99,7 +99,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     chain"
     SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
diff --git a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index 9539b6bbf..d7317872f 100644
--- a/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -34,7 +34,7 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
     tag:'platform-windows',\
     tag:'attack-disclosure',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -57,7 +57,7 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -85,7 +85,7 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
@@ -111,7 +111,7 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.0',\
+    ver:'OWASP_CRS/3.1.1',\
     severity:'ERROR',\
     chain"
     SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
index 7243931e1..93a20705d 100644
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/RESPONSE-980-CORRELATION.conf b/rules/RESPONSE-980-CORRELATION.conf
index 44bee64d2..2ea250846 100644
--- a/rules/RESPONSE-980-CORRELATION.conf
+++ b/rules/RESPONSE-980-CORRELATION.conf
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
index c4c4d0eb7..bf687d924 100644
--- a/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+++ b/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
@@ -1,6 +1,6 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.1.1
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
diff --git a/util/regexp-assemble/regexp-942260.data b/util/regexp-assemble/regexp-942260.data
index e581550e3..93b87cdb3 100644
--- a/util/regexp-assemble/regexp-942260.data
+++ b/util/regexp-assemble/regexp-942260.data
@@ -17,6 +17,6 @@ like\s*?[\"'`]\%
 [\"'`]\s*?\|\|\s+[\s\w]+=\s*?\w+\s*?having\s+
 [\"'`]\s*?\&\&\s+[\s\w]+=\s*?\w+\s*?having\s+
 [\"'`]\s*?\*\s*?\w+\W+[\"'`]
-[\"'`]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`]*?\s*?\w+\W+\w
+[\"'`]\s*?[^?\w\s=.,;)(]++\s*?[(@\"'`]*?\s*?\w+\W+\w
 select\s+?[\[\]()\s\w\.,\"'`-]+from\s+
 find_in_set\s*?\(
diff --git a/util/regexp-assemble/regexp-942490.data b/util/regexp-assemble/regexp-942490.data
index 8e17930f9..660895981 100644
--- a/util/regexp-assemble/regexp-942490.data
+++ b/util/regexp-assemble/regexp-942490.data
@@ -1 +1 @@
-[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d]
+[\"'`][\s\d]*?[^\w\s]\W*?\d\W*?.*?[\"'`\d]
diff --git a/util/regexp-assemble/regexp-assemble-v2.pl b/util/regexp-assemble/regexp-assemble-v2.pl
new file mode 100755
index 000000000..3d903fc67
--- /dev/null
+++ b/util/regexp-assemble/regexp-assemble-v2.pl
@@ -0,0 +1,29 @@
+#!/usr/bin/env perl
+#
+# Create one regexp from a set of regexps.
+# Regexps can be submitted via standard input, one per line.
+#
+# Requires Regexp::Assemble Perl module.
+# To install: cpan install Regexp::Assemble
+#
+# See: http://blog.modsecurity.org/2007/06/optimizing-regu.html
+#
+
+use strict;
+use Regexp::Assemble;
+
+my $ra = Regexp::Assemble->new;
+while (<>)
+{
+  # Handle possessive qualifiers
+  # https://rt.cpan.org/Public/Bug/Display.html?id=50228#txn-672717
+  my $arr = $ra->lexstr($_);
+  for (my $n = 0; $n < $#$arr - 1; ++$n)
+  {
+    if ($arr->[$n] =~ /\+$/ and $arr->[$n + 1] eq '+') {
+      $arr->[$n] .= splice(@$arr, $n + 1, 1);
+    }
+  }
+  $ra->insert(@$arr);
+}
+print $ra->as_string() . "\n";
diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml
index 000f8261a..a5f5df009 100644
--- a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml
+++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920240.yaml
@@ -59,7 +59,7 @@
               no_log_contains: "id \"920240\""                   
                              
     - 
-      # Test URL Encoding Abuse Attack Attempt/XML from orig modsec regression
+      # We have a valid percentencoding here
       test_title: 920240-4
       stages: 
         - 
@@ -87,7 +87,7 @@
                 - "  </SOAP-ENV:Body>"
                 - "</SOAP-ENV:Envelope>"
             output: 
-              log_contains: "id \"920240\""
+              no_log_contains: "id \"920240\""
     - 
       # test URL Encoding Abuse Attack Attempt from old regression tests
       test_title: 920240-5
@@ -133,4 +133,4 @@
                   Content-Type: "application/x-www-form-urlencoded"
               data: "param=%7%6F%6D%65%74%65%78%74%5F%31%32%33%"
             output: 
-              log_contains: "id \"920240\""                
\ No newline at end of file
+              log_contains: "id \"920240\""
diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
index da79346f0..ca4ed958f 100644
--- a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
+++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920440.yaml
@@ -75,3 +75,26 @@
           version: HTTP/1.1
         output:
           log_contains: id "920440"
+  -
+    test_title: 920440-4
+    desc: URL file extension is restricted by policy (920440) - GH issue 1296
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+            Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
+            Accept-Encoding: gzip,deflate
+            Accept-Language: en-us,en;q=0.5
+            Host: localhost
+            Keep-Alive: '300'
+            Proxy-Connection: keep-alive
+            User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv
+          method: GET
+          port: 80
+          uri: /foo.bar.sql
+          version: HTTP/1.1
+        output:
+          log_contains: id "920440"
diff --git a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
index c1d9373bf..e1ee95d8b 100644
--- a/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
+++ b/util/regression-tests/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920470.yaml
@@ -112,4 +112,18 @@
                   Content-Type: 'application/json'
                   Content-Length: 0
             output:
-              no_log_contains: "id \"920470\""
\ No newline at end of file
+              no_log_contains: "id \"920470\""
+    - test_title: 920470-9
+      stages:
+        - stage:
+            input:
+              dest_addr: 127.0.0.1
+              port: 80
+              method: POST
+              headers:
+                  User-Agent: "ModSecurity CRS 3 Tests"
+                  Host: "localhost"
+                  Content-Type: 'multipart/form-data; boundary=----formdata-polyfill-0.40616634299_704013'
+                  Content-Length: 0
+            output:
+              no_log_contains: "id \"920470\""
diff --git a/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml b/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
index 76c48478c..59236a65f 100644
--- a/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
+++ b/util/regression-tests/tests/REQUEST-921-PROTOCOL-ATTACK/921110.yaml
@@ -5,11 +5,11 @@
     enabled: true
     name: 921110.yaml
   tests:
-  - 
+  -
     test_title: 921110-1
     desc: "HTTP Response Splitting"
     stages:
-    - 
+    -
       stage:
         input:
           dest_addr: 127.0.0.1
@@ -18,7 +18,24 @@
             Cache-Control: "no-cache, no-store, must-revalidate"
           method: POST
           port: 80
-          data: "var=%0aPOST /"
+          data: "var=%0aPOST / HTTP/1.0"
           version: HTTP/1.0
         output:
           log_contains: id "921110"
+  -
+    test_title: 921110-2
+    desc: "HTTP Response Splitting (is test 921110-5 in v3.2/dev)"
+    stages:
+    -
+      stage:
+        input:
+          dest_addr: 127.0.0.1
+          headers:
+            Host: "localhost"
+            Cache-Control: "no-cache, no-store, must-revalidate"
+          method: POST
+          port: 80
+          data: "var=aaa%0d%0aGet+foo+bar"
+          version: HTTP/1.0
+        output:
+          no_log_contains: id "921110"