Merge pull request #619 from csanders-git/fix_whitespace

Fixing trailing whitespace in various rules

.gitignore

@@ -5,3 +5,11 @@ crs-setup.conf
 # The MaxMind GeoIP database can be downloaded or upgraded by running:
 # util/upgrade.py geoip
 util/geo-location/GeoIP.dat
+
+# Unit test caches
+.cache
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class

CHANGES

@@ -19,6 +19,7 @@
  * Updated list of malicious webscanners
  * Include script in util/join-multiline-rules to work around
    Apache 2.4 < 2.4.11 bug with long lines (Walter Hop)
+ * Add support for Travis CI
 
 
 == Changes from 2.2.9 to 3.0.0-RC1 ==

rules/REQUEST-910-IP-REPUTATION.conf

@@ -23,7 +23,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:910012,nolog,pass,skipAfter:END-RE
 #
 # The first check we do is to see if the client IP address has already
 # been blacklisted by rules from previous requests.
-# 
+#
 # If the rule matches, it will do a skipAfter and pick up processing
 # at the end of the request phase for actual blocking.
 #
@@ -83,8 +83,8 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
 #
 # -=[ IP Reputation Checks ]=-
 #
-# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert 
-# Ref: http://www.modsecurity.org/projects/commercial/rules/ 
+# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert
+# Ref: http://www.modsecurity.org/projects/commercial/rules/
 #
 # This rule checks the client IP address against a list of recent IPs captured
 # from the SpiderLabs web honeypot systems (last 48 hours).
@@ -133,7 +133,7 @@ SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
 # "Project Honey Pot HTTP Blacklist" in crs-setup.conf.
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
-# 
+#
 
 # Skip HttpBL checks if user has not defined one of the TX:block_* variables.
 # This prevents error "Operator error: RBL httpBl called but no key defined: set SecHttpBlKey"

rules/REQUEST-911-METHOD-ENFORCEMENT.conf

@@ -46,7 +46,7 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
   logdata:'%{matched_var}',\
   setvar:'tx.msg=%{rule.msg}',\
   setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-  setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}" 
+  setvar:tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"
 
 
 

rules/REQUEST-912-DOS-PROTECTION.conf

@@ -52,7 +52,7 @@
 #  - TX:DOS_BLOCK_TIMEOUT
 #  - TX:DOS_COUNTER_THRESHOLD
 #  - TX:DOS_BURST_TIME_SLICE
-# 
+#
 # And make sure, that TX:STATIC_RESOURCES as also set.
 #
 

rules/REQUEST-913-SCANNER-DETECTION.conf

@@ -22,7 +22,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:913012,nolog,pass,skipAfter:END-RE
 #
 # -=[ Vulnerability Scanner Checks ]=-
 #
-# These rules inspect the default User-Agent and Header values sent by 
+# These rules inspect the default User-Agent and Header values sent by
 # various commercial and open source vuln scanners.
 #
 # The following rules contain User-Agent lists:

rules/REQUEST-921-PROTOCOL-ATTACK.conf

@@ -25,7 +25,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-RE
 # [ Rule Logic ]
 # This rule looks for a comma character in either the Content-Length or Transfer-Encoding
 # request headers.  This character would indicate that there were more than one request header
-# with this same name.  In these instances, Apache treats the data in a similar manner as 
+# with this same name.  In these instances, Apache treats the data in a similar manner as
 # multiple cookie values.
 #
 # [ References ]
@@ -98,9 +98,9 @@ SecRule ARGS_NAMES|ARGS|XML:/* "(?:\n|\r)+(?:get|post|head|options|connect|put|d
 # [ Rule Logic ]
 # These rules look for Carriage Return (CR) %0d and Linefeed (LF) %0a characters.
 # These characters may cause problems if the data is returned in a respones header and
-# may be interpreted by an intermediary proxy server and treated as two separate 
+# may be interpreted by an intermediary proxy server and treated as two separate
 # responses.
-# 
+#
 # [ References ]
 # http://projects.webappsec.org/HTTP-Response-Splitting
 #

rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf

@@ -49,7 +49,7 @@ SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Ref
 	setvar:tx.lfi_score=+%{tx.critical_anomaly_score},\
 	setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{matched_var_name}=%{matched_var}'"
 
-# 
+#
 # [ Decoded /../ Payloads ]
 #
 SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm ..\ ../" \

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -22,7 +22,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:933012,nolog,pass,skipAfter:END-RE
 #
 # -=[ PHP Injection Attacks ]=-
 #
-# [ References ] 
+# [ References ]
 # http://rips-scanner.sourceforge.net/
 # https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Executionh
 #
@@ -526,7 +526,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 3" "phase:2,id:933016,nolog,pass,skipAfter:END-RE
 # Because this list is not expected to change and it is limited in size we use a
 # regex in this case to look for these values whereas in its sibling rule we use
 # @pmf for flexibility and performance.
-# 
+#
 # To rebuild the regexp:
 #   cd util/regexp-assemble
 #   ./regexp-assemble.pl < regexp-933131.data

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -195,10 +195,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 #
 # -=[ XSS Filters - Category 5 ]=-
 # HTML attribues - src, style and href
-# 
+#
 # These are only checked/enforced if the Admin has set -
 # setvar:tx.allow_html=0
-# 
+#
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?:s(?:tyle|rc)|href)\b[\s\S]*?=" \
 	"msg:'XSS Filter - Category 5: Disallowed HTML Attributes',\
 	id:941150,\
@@ -233,7 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 
 #
 # -=[ NoScript XSS Filters ]=-
-# Ref: http://noscript.net/ 
+# Ref: http://noscript.net/
 #
 # [NoScript InjectionChecker] HTML injection
 #
@@ -302,7 +302,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 
 #
 # [Blacklist Keywords from Node-Validator]
-# https://raw.github.com/chriso/node-validator/master/validator.js 
+# https://raw.github.com/chriso/node-validator/master/validator.js
 #
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
 	"msg:'Node-Validator Blacklist Keywords',\
@@ -338,7 +338,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # -=[ XSS Filters from IE ]=-
 # Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
 # Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
-# 
+#
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
 	"phase:request,\
 	rev:'3',\
@@ -699,7 +699,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 
 #
 # https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
-# US-ASCII encoding bypass listed on XSS filter evasion 
+# US-ASCII encoding bypass listed on XSS filter evasion
 # Reported by Mazin Ahmed
 #
 

rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

@@ -21,7 +21,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:942012,nolog,pass,skipAfter:END-RE
 
 #
 # References:
-# 
+#
 # SQL Injection Knowledgebase (via @LightOS) -
 # http://websec.ca/kb/sql_injection
 #
@@ -103,7 +103,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # -=[ PHPIDS - Converted SQLI Filters ]=-
 #
-# https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml 
+# https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml
 #
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(sleep\((\s*?)(\d*?)(\s*?)\)|benchmark\((.*?)\,(.*?)\)))" \
 	"phase:request,\

rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

@@ -21,7 +21,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:943012,nolog,pass,skipAfter:END-RE
 
 #
 # Session fixation
-# 
+#
 # -=[ References ]=-
 # http://projects.webappsec.org/Session-Fixation
 # http://projects.webappsec.org/w/page/13246960/Session%20Fixation
@@ -78,12 +78,12 @@ SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|p
 	chain"
 		SecRule REQUEST_HEADERS:Referer	"^(?:ht|f)tps?://(.*?)\/" \
 			"capture,\
-			chain" 
+			chain"
         			SecRule TX:1 "!@endsWith %{request_headers.host}" \
 					"setvar:'tx.msg=%{rule.msg}',\
 					setvar:tx.session_fixation_score=+%{tx.critical_anomaly_score},\
 					setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-					setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}" 
+					setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{matched_var_name}=%{tx.0}"
 
 
 SecRule ARGS_NAMES "@rx ^(jsessionid|aspsessionid|asp.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \

rules/REQUEST-949-BLOCKING-EVALUATION.conf

@@ -16,7 +16,7 @@ SecMarker BEGIN_REQUEST_BLOCKING_EVAL
 # These rules use the anomaly score settings specified in the 10 config file.
 # You should also set the desired disruptive action (deny, redirect, etc...).
 #
-# -=[ IP Reputation Checks ]=- 
+# -=[ IP Reputation Checks ]=-
 #
 # Block based on variable IP.REPUT_BLOCK_FLAG and TX.DO_REPUT_BLOCK
 #

rules/RESPONSE-950-DATA-LEAKAGES.conf

@@ -24,7 +24,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:950021,nolog,pass,skipAfter:END-RE
 # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
 #
 
-# 
+#
 # -=[ Directory Listing ]=-
 #
 SecRule RESPONSE_BODY "(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)" \
@@ -62,7 +62,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:4,id:950014,nolog,pass,skipAfter:END-RE
 # -= Paranoia Level 2 =- (apply only when tx.paranoia_level is sufficiently high: 2 or higher)
 #
 
-# 
+#
 # -=[ The application is not available - 5xx level status code ]=-
 #
 SecRule RESPONSE_STATUS "^5\d{2}$" \

rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

@@ -21,7 +21,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:951012,nolog,pass,skipAfter:END-RE
 
 #
 # -=[ SQL Error Leakages ]=-
-# 
+#
 # Ref: https://raw.github.com/sqlmapproject/sqlmap/master/xml/errors.xml
 # Ref: https://github.com/Arachni/arachni/tree/master/modules/audit/sqli/patterns
 #

rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

@@ -19,7 +19,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:4,id:953012,nolog,pass,skipAfter:END-RE
 # -= Paranoia Level 1 (default) =- (apply only when tx.paranoia_level is sufficiently high: 1 or higher)
 #
 
-# 
+#
 # -=[ PHP Error Message Leakage ]=-
 #
 SecRule RESPONSE_BODY "@pmf php-errors.data" \
@@ -48,7 +48,7 @@ SecRule RESPONSE_BODY "@pmf php-errors.data" \
 	setvar:tx.outbound_anomaly_score=+%{tx.error_anomaly_score},\
 	setvar:tx.anomaly_score=+%{tx.error_anomaly_score},setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
 
-# 
+#
 # -=[ PHP source code leakage ]=-
 #
 SecRule RESPONSE_BODY "(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \

rules/RESPONSE-980-CORRELATION.conf

@@ -18,7 +18,7 @@
 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
 #
 
-# 
+#
 # -=[ Correlated Successful Attack ]=-
 #
 SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
@@ -35,7 +35,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
 		SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
 
 
-# 
+#
 # -=[ Correlated Attack Attempt ]=-
 #
 SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \

util/honeypot-sensor/modsecurity_crs_10_honeypot.conf

@@ -1,8 +1,8 @@
 #
-# Add in honeypot ports.  
+# Add in honeypot ports.
 # - These are common proxy ports used by attackers
 # - All traffic accepted on these ports are suspicious.
-# 
+#
 Listen 8000
 Listen 8080
 Listen 8888
@@ -12,15 +12,15 @@ Listen 8888
 # to the official ModSecurity Project honeypot logging host.
 #
 # - You should adjust the Document root location to an empty directory on your server
-# - Also adjust the path to your local ModSecurity mlogc program and for the 
+# - Also adjust the path to your local ModSecurity mlogc program and for the
 #   mlogc-honeypot-sensor.conf file.
 # - Make sure you main SecAuditLogType is set to concurrent mode.
 #
 <VirtualHost *:8000 *:8080 *:8888>
 ServerName www.example1.com
 DocumentRoot "/usr/local/apache/honeypot-htdocs"
 <Directory "/usr/local/apache/honeypot-htdocs">
-    Options none 
+    Options none
     AllowOverride None
     Order allow,deny
     Allow from all