Extending CHANGES file

[dune73]

No description provided.

[csanders-git]

I'm being picky but perhaps just add malicious webscanners

[dune73]

Yes, that's more precise. Thanks.

[csanders-git]

Other than my comment it's good except we didn't talk about the fix for Apache 2.2

[dune73]

But we did fix the Apache 2.2 issue, did not we?

[lifeforms]

@dune73 Yes, that's fixed. Just not the Apache < 2.4.11 issue. But as @emphazer said, my cont.py script from #610 can be used to join multiline rules into one rules, so we could put that in util and mention it in the known bugs.

[dune73]

Good plan @lifeforms. Would you mind describing it for KNOWN_BUGS? Either here or in a separate PR.

[lifeforms]

@dune73 I'm tied up at the moment, but I'll add it to your PR #612 tonight.

[emphazer]

@lifeforms i said: theoretical ;-)

[lifeforms]

@emphazer Ow :( Did you actually try it though? I have no old Apaches here so it would take me a lot of time to set it up, but it would be kind of neat if we could officially publish a workaround.

[dune73]

I've got a 2.4.7 laying around in my lab. I could fire it up tonight.

[emphazer]

@lifeforms no, i didnt test it. it was more like a joke because i know that you guys dont like it if someone modifies the ruleset.

the call is still open https://bugzilla.redhat.com/show_bug.cgi?id=1378946

[dune73]

Yeah. The problem with this bug is you have to modify it - or upgrade apache and if that was an option, they would certainly do so.

[emphazer]

well, found the following working solution

# run 1x this for spaces and tabulators 
sed -i 's@^[\t ]\+@@g' rules/*.conf

# and 2-3x this:
sed -i '{s/[\t ]*$//;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;N;s/,\\\n/,/g;}'  rules/*.conf

it make this rule for example:

SecRule ARGS_NAMES "." \
"phase:request,\
id:921170,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
pass,\
nolog,\
tag:'application-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/3',\
tag:'CAPEC-460',\
setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

looks like that

SecRule ARGS_NAMES "." \
"phase:request,id:921170,rev:'2',ver:'OWASP_CRS/3.0.0',pass,nolog,tag:'application-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/3',tag:'CAPEC-460',setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

i tested it with apache 2.4.6

[dune73]

I see this working, but adding it to the KNOWN_BUGS makes the workaround look quirky. I'd say we leave it as is.

[lifeforms]

Added some more stuffs.

[dune73]

So we're done here as well. I'm merging.