Category:OWASP ModSecurity Core Rule Set Project

= Home =

{| width="100%" ! width="33%" | ! width="33%" | ! width="33%" |
 * - valign="top"

Let's talk here
ModSecurity Communities

Further development of ModSecurity and the Core Rule Set occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, please [mailto:ryan.barnett@owasp.org contact us].


 * CRS mailing list (this is the main list)
 * ModSecurity mailing list



Want to help?
CRS Development

The CRS project is always on the lookout for volunteers who are interested in contributing. We need help in the following areas:


 * Documentation of the CRS
 * New Detection Methods
 * Updates to existing rules



Related resources
OWASP Resources


 * [OWASP Securing WebGoat using ModSecurity Project]
 * [OWASP AppSensor Project]
 * [OWASP Blacklist Regex Repository]


 * }

= Download =

GitHub Repository is here:

https://github.com/SpiderLabs/owasp-modsecurity-crs

Download TAR/GZ Archive: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Download ZIP Archive: https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master

= Bug Tracker =

GitHub Issues:

https://github.com/SpiderLabs/owasp-modsecurity-crs/issues

= Demo =

ModSecurity CRS Demonstration/Smoketest page:

http://www.modsecurity.org/demo/

= Contributors and Users =

Project Leader
Ryan Barnett

Project Contributors
Josh Zlatin Brian Rectanus Roberto Salgado

Project Users
WASC Distributed Web Honeypot Project uses the Core Rule Set - http://projects.webappsec.org/Distributed-Web-Honeypots

Akamai's WAF Service is based on a previous version of the Core Rule Set - http://www.akamai.com/html/about/press/releases/2009/press_121409.html

Varnish Web Cache/Accelerator uses a converted version of the CRS - https://github.com/comotion/security.vcl

= Installation =

Quick Start

Core Rule Set Quick Setup
To activate the rules for your web server installation:

1) The modsecurity_crs_10_config.conf includes management rules and directives    that can control important CRS functions. Pay attention to     the SecRuleEngine setting (On by default) and that the SecDefaultAction     directive is set to "pass".  The 49 inbound blocking and 59 outbound blocking     rules files use the "block" action which     inherits this setting.  The effectively means that you can toggle the     SecDefaultAction setting to decide if you would like to deny on an     anomaly scoring/correlation match.

Update the PARANOID_MODE variable setting if you want to become more aggressive in your detection. Caution - this will cause more false positives.

Should also update the appropriate anomaly scoring levels that will be propagated to the inbound/outbound blocking files.

Update the TX policy settings for allowed Request Methods, File Extensions, etc...

2) Add the following line to your httpd.conf (assuming you've placed the rule files into conf/modsecurity_crs/):

 Include conf/modsecurity_crs/*.conf Include conf/modsecurity_crs/base_rules/*.conf 

3) Restart web server.

4) Make sure your web sites are still running fine.

5) Simulate an attack against the web server. Then check    the attack was correctly logged in the Apache error log,     ModSecurity debug log (if you enabled it) and ModSecurity     audit log (if you enabled it).

= Documentation =

ModSecurity Blog Posts
http://blog.spiderlabs.com/modsecurity/

http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
 * ModSecurity Advanced Topic of the Week: Traditional vs. Anomaly Scoring Detection Modes

http://blog.spiderlabs.com/2011/08/modsecurity-advanced-topic-of-the-week-exception-handling.html
 * ModSecurity Advanced Topic of the Week: Exception Handling

Rule Documentation Template
Each ModSecurity Rule in the CRS has an individual rule description page based on the following template file:

http://www.owasp.org/index.php/ModSecurity_CRS_Rule_Description_Template


 * Project participants are encouraged to copy this template and create landing pages for each CRS rule
 * Use this template and create a new page using the following format - http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-XXXXX (where XXXXX is the CRS ruleID)

Example:

http://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960911

ModSecurity Core Rule Set (CRS)
The ModSecurity Core Rule Set is provided to you under the terms and conditions of GPL version 2

This directory contains the files for Core ModSecurity Rule Set The rules are compatible with ModSecurity 2.5 (as of version 1.4.3)

Overview
Using ModSecurity requires rules. In order to enable users to take full advantage of ModSecurity immediately, Trustwave is providing a free Core rule set. Unlike intrusion detection and prevention systems which rely on signature specific to known vulnerabilities, the Core Rule Set provides generic protection from unknown vulnerabilities often found in web application that are in most cases custom coded. This is what we call "Attack Payload Detection."

Keep in mind that a predefined rule set is only part of the work required to protect your web site. We strongly urge you to consult Ivan Ristic's book, "ModSecurity Handbook" http://store.feistyduck.com/products/modsecurity-handbook and the ModSecurity Reference Manual - http://www.modsecurity.org/documentation/. The CRS is heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity.

For more information refer to the OWASP Core Rule Set Project page at http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Core Rules Mail-list - Suscribe here: https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set Archive: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/

CRS < 2.0 - Self-Contained Rules
Older (<2.0) CRS used individual, “self-contained” actions in rules - If a rule triggered, it would either deny or pass and log - No intelligence was shared between rules Not optimal from a rules management perspective (handling false positives/exceptions) - Editing the regex could blow it up - Typical method was to copy/paste rules into custom rules files and then edit rule logic and disable core rule ID. - Heavily customized rules were less likely to be updated by the user Not optimal from a security perspective - Not every site had the same risk tolerance - Lower severity alerts were largely ignored - Individual low severity alerts are not important but several low severity events in the same transaction are.

Rules - Detection and Management
Rules logic has changed by decoupling the inspection/detection from the blocking functionality - Rules log.pass and set transactional variables (tx) to track anomaly scores and to   store meta-data about the rule match - This TX rule match data can be used by other 3rd party rules (converter Emerging Threats  Snort web attack rules) to more accurately correlate identified attacks with their attack vector locations. - TX data of previous strong rule matches can also be used to conditionally apply weaker signatures that normally would have a high fasle positive rate. - Rules also increase anomaly scores for both the attack category and global score which allows users to set a threshold that is appropriate for them. - This also allows several low severity events to trigger alerts while individual ones are suppressed. - Exceptions may be handled by either increasing the overall anomaly score threshold, or  by adding rules to a local custom exceptions file where TX data of previous rule matches may be inspected and anomaly scores re-adjusted based on the false positive criteria.

User can now globally update which variables to inspect and the anomaly score settings in the modsecurity_crs_10_config.conf file. - PARANOID_MODE setting which will apply rules to locations that have a higher false positive rate - INBOUND_ANOMALY_SCORE setting will be populated in the inbound blocking file and if a transaction score at the end of phase:2 is equal to or greater than this number, it will be denied. - OUTBOUND_ANOMALY_SCORE setting will be populated in the outbound blocking file and it a transaction score at the end of phase:4 is equal to or greater than this number, it will be denied.

Inbound/Outbound Blocking
The CRS rules themselves are configured with the pass action, which allows all the rules to be processed and for the proposed anomaly scoring/collaborative detection concept to work. The inbound/outbound anomaly score levels may be set in the modsecurity_crs_10_config.conf file. These scores will be evaluated in the modsecurity_crs_49_inbound_blocking.conf and modsecurity_crs_59_outbound_blocking.conf files.

Alert Management - Correlated Event Creation
One of the top feedback items we have heard is that the CRS events in the Apache error_log file were very chatty. This was due to each rule triggering its own error_log entry. What most people wanted was for 1 correlated event to be generated that would give the user a higher level determination as to what the event category was.

To that end- each CRS rule will generate an audit log event Message entry but they will not log to the error_log on their own. These rules are now considered basic or reference events and may be reviewed in the audit log if the user wants to see what individual events contributed to the overall anomaly score and event designation.

Inbound/Outbound Correlation
After the transaction has completed (in the logging phase), the rules in the base_rules/modsecurity_crs_60_correlation.conf file will conduct further post-processing by analyzing any inbound events with any outbound events in order to provide a more intelligent/priority correlated event.

- Was there an inbound attack? - Was there an HTTP Status Code Error (4xx/5xx level)? - Was there an application information leak?

If an inbound attack was detected and either an outbound application status code error or infolead was detected, then the overall event severity is raised -

- 0: Emergency - is generated from correlation where there is an inbound attack and an outbound leakage. - 1: Alert - is generated from correlation where there is an inbound attack and an  outbound application level error.

Core Rule Set Content
In order to provide generic web applications protection, the Core Rule Set uses the following techniques:

HTTP Protocol Validation and Protection
Detecting violations of the HTTP protocol and a locally defined usage policy. This first line of protection ensures that all abnormal HTTP requests are detected. This line of defense eliminates a large number of automated and non targeted attacks as well as protects the web server itself.

base_rules/modsecurity_crs_20_protocol_violations.conf
Protocol vulnerabilities such as Response Splitting, Request Smuggling, Premature URL ending - Content length only for non GET/HEAD methods - Non ASCII characters or encoding in headers - Valid use of headers (for example, content length is numerical) - Proxy Access

base_rules/modsecurity_crs_21_protocol_anomalies.conf
Attack requests are different due to automation - Missing headers such as Host, Accept, User-Agent - Host is an IP address (common worm propagation method)

base_rules/modsecurity_crs_23_request_limits.conf
Policy is usually application specific - Some restrictions can usually be applied generically - White lists can be build for specific environments Limitations on Sizes - Request size, Upload size - # of parameters, length of parameter

base_rules/modsecurity_crs_30_http_policy.conf
Items that can be allowed or restricted - Methods - Allow or restrict WebDAV, block abused methods such as CONNECT, TRACE or DEBUG - File extensions – backup files, database files, ini files - Content-Types (and to some extent other headers)

Automation Detection
Automated clients are both a security risk and a commercial risk. Automated crawlers collect information from your site, consume bandwidth and might also search for vulnerabilities on the web site. Automation detection is especially useful for generic detection of comments spam.

Detecting bots, crawlers, scanners and other surface malicious activity. Not aimed against targeted attacks, but against general malicious internet activity - Offloads a lot of cyberspace junk & noise - Effective against comment spam - Reduce event count

base_rules/modsecurity_crs_35_bad_robots.conf
Detection of Malicious Robots - Unique request attributes: User-Agent header, URL, Headers - RBL Check of IP addresses - Detection of security scanners - Blocking can confuse security testing software (WAFW00f)

optional_rules/modsecurity_crs_42_comment_spam.conf
This rules file is only relevant if you are concerned about comment SPAM attacks. The rules file will run an RBL check against the source IP address at SPAMHAUS and will cache the response for 1 day. If the client sends subsequent requests, it will be denied without having to re-run an RBL check.

This file will also look for comment SPAM posting attacks which submit URL links.

Common Web Attacks Protection
Common Web Attacks Protection Rules on the second level address the common web application security attack methods. These are the issues that can appear in any web application. Some of the issues addressed are:

- SQL Injection - Cross-Site Scripting (XSS) - OS Command execution - Remote code inclusion - LDAP Injection - SSI Injection - Information leak - Buffer overflows - File disclosure

base_rules/modsecurity_crs_40_generic_attacks.conf
- OS command injection and remote command access - Remote file inclusion - Session Fixation

optional_rules/modsecurity_crs_40_experimental.conf
The rules in this file are considered BETA quality as they have not been rigorously tested. They attempt to address advanced attacks such as HTTP Parameter Pollution or use new rule features or techniques.

base_rules/modsecurity_crs_42_tight_security.conf
This rules file attempts to identify all directory traversal variations. It is prone to a high level of false positives so set PARANOID_MODE if you want to run these rules.

base_rules/modsecurity_crs_41_sql_injection.conf
- SQL injection and blind SQL injection

base_rules/modsecurity_crs_41_xss.conf
- Cross site scripting (XSS)

Trojan Protection
ModSecurity Core Rule Set detects access to back doors installed on a web server. This feature is very important in a hosting environment when some of this backdoors may be uploaded in a legitimate way and used maliciously. In addition the Core Rule Set includes a hook for adding an Anti-Virus program such as ClamAV for checking file uploads.

base_rules/modsecurity_crs_45_trojans.conf
- Check uploading of http backdoor page - Access detection - Known signatures (x_key header) - Generic file management output (gid, uid, drwx, c:\)

InfoLeakages
If all fails, the Core Rule Set will detect errors sent by the web server. Detecting and blocking errors prevents attackers from collecting reconnaissance information about the web application and also server as a last line of defense in case an attack was not detected eariler.

base_rules/modsecurity_crs_50_outbound.conf
- HTTP Error Response Status Codes - SQL Information Leakage - Stack Dumps - Source Code Leakage

Request Header Tagging
This concept is similar to anti-SPAM SMTP apps that will add additional mime headers to emails providing the SPAM detection analysis information. The CRS is attempting to mimic this concept at the HTTP layer by adding additional request headers that provide insight into any ModSecurity events that may have triggered during processing. The advantage of this approach is that it allows a WAF to be in a detection-only mode while still providing attack data to the destination application server. The recieving app server may then inspect the WAF request headers and make a determination whether or not to process the transaction. This concept is valuable in distributed web environments and hosting architectures where a determination to block may only be appropriate at the destination app server.

optional_rules/modsecurity_crs_49_header_tagging.conf
This rules file will take all of the TX attack variable data and populate Apache ENV variables that Apache can then use to add X-WAF-Event request header data to the request.

Example showing the consolidated X-WAF-Events and X-WAF-Score data -

GET /path/to/foo.php?test=1%27%20or%20%272%27=%272%27;-- HTTP/1.1 Host: www.example.com User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 X-WAF-Events: TX: / 999935-Detects common comment types-WEB_ATTACK/INJECTION-ARGS:test, TX:999923-Detects JavaScript location/document property access and window access obfuscation-WEB_ATTACK/INJECTION-REQUEST_URI_RAW, TX:950001- WEB_ATTACK/SQL_INJECTION-ARGS:test X-WAF-Score: Total=48; sqli=2; xss= Connection: Keep-Alive

= Presentations and Whitepapers =

Current CRS v2 [] presented at AppSec DC 2010.

Ryan Barnett Presenting on the OWASP CRS v2 at AppSec DC 2010 - http://player.vimeo.com/play_redirect?quality=sd&codecs=h264&clip_id=20166971&time=1348856471&sig=6c81604ac26dec6f6e1ae034af18c817&type=html5_desktop_local

= Related Projects =

ModSecurity-Open Source Web Application Firewall OWASP Securing WebGoat using ModSecurity OWASP AppSensor Project

= Release History =

OWASP ModSecurity Core Rule Set (CRS) JIRA CHANGELOG

 * https://www.modsecurity.org/tracker/browse/CORERULES

Version 2.2.6 - 09/14/2012
Improvements:
 * Started rule formatting update for better readability
 * Added maturity and accuracy action data to each rule
 * Updated rule revision (rev) action
 * Added rule version (ver) action
 * Added more regression tests (util/regression_tests/)
 * Modified Rule ID 960342 to block large file attachments in phase:1
 * Removed all PARANOID rule checks
 * Added new Session Fixation rules

Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-79 https://www.modsecurity.org/tracker/browse/CORERULES-78
 * Fixed missing ending double-quotes in XSS rules file
 * Moved SecDefaultAction setting from phase:2 to phase:1
 * Fixed Session Hijacking SessionID Regex
 * Changed the variable listing for many generic attack rules to exclude REQUEST_FILENAME

Version 2.2.5 - 06/14/2012
Improvements: OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
 * Renamed main config file to modsecurity_crs_10_setup.conf
 * Updated the rule IDs to start from CRS reserved range: 900000
 * Updated rule formatting for readibility
 * Updated the CSRF rules to use UNIQUE_ID as the token source
 * Added the zap2modsec.pl script to the /util directory which converts
 * Updated the Directory Traversal Signatures to include more obfuscated data
 * Added Arachni Scanner Integration Lua script/rules files

Bug Fixes: (Identified by Qualys Vulnerability & Malware Research Labs (VMRL)) (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
 * Added forceRequestBodyVariable action to rule ID 960904
 * Updated the anomaly scoring value for rule ID 960000 to critical
 * Updated Content-Type check to fix possible evasion with @within

Version 2.2.4 - 03/14/2012
Improvements:
 * Added Location and Set-Cookie checks to Response Splitting rule ID 950910
 * Added a README file to the activated_rules directory
 * Consolidate a number of SQL Injection rules into optimized regexs
 * Removed multiMatch and replaceComments from SQL Injection rules
 * Updated the SQLi regexs for greediness
 * Updated the SQLi setvar anomaly score values to use macro expansion
 * Removed PARANOID mode rules

Bug Fixes:
 * Fixed missing comma before severity action in rules 958291, 958230 and 958231
 * Fixed duplidate rule IDs

Version 2.2.3 - 12/19/2011
Improvements: http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies http://websecuritytool.codeplex.com/wikipage?title=Checks#charset http://websecuritytool.codeplex.com/wikipage?title=Checks#header
 * Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
 * Added Watcher Charset Checks to optional_rules/modsecurity_crs_55_application_defects.conf file
 * Added Watcher Header Checks to optional_rules/modsecurity_crs_55_application_defects.conf file

Bug Fixes: rule ID 960010. (Identified by Andrew Wilson of Trustwave SpiderLabs).
 * Fixed Content-Type evasion issue by adding ctl:forceRequestBodyVariable action to
 * Updated the regex and added tags for RFI rules.

Version 2.2.2 - 09/28/2011
Improvements: XML data into ModSecurity virtual patching rules.
 * Updated the AppSensor Profiling (to use Lua scripts) for Request Exceptions Detection Points
 * Added new Range header detection checks to prevent Apache DoS
 * Added new Security Scanner User-Agent strings
 * Added example script to the /util directory to convert Arachni DAST scanner
 * Updated the SQLi Character Anomaly Detection Rules
 * Added Host header info to the RESOURCE collection key for AppSensor profiling rules

Bug Fixes:
 * Fixed action list for XSS rules (replaced pass,nolog,auditlog with block)
 * Fixed Request Limit rules by removing & from variables
 * Fixed Session Hijacking IP/UA hash captures
 * Updated the SQLi regex for rule ID 981242

Version 2.2.1 - 07/20/2011
Improvements: http://www.modsecurity.org/demo/challenge.html
 * Extensive SQL Injection signature updates as a result of the SQLi Challenge
 * Updated the SQL Error message detection in reponse bodies
 * Updated SQL Injection signatures to include more DB functions
 * Updated the WEAK SQL Injection signatures
 * Added tag AppSensor/RE8 to rule ID 960018

Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-70
 * Fixed Bad Robot logic for rule ID 990012 to further qualify User-Agent matches
 * Fixed Session Hijacking rules to properly capture IP address network hashes.
 * Added the multiMatch action to the SQLi rules
 * Fixed a false negative logic flaw within the advanced_filter_converter.lua script
 * Fixed missing : in id action in DoS ruleset.
 * Updated rule ID 971150 signature to remove ;

Version 2.2.0 - 05/26/2011
Improvements: http://www.apache.org/licenses/LICENSE-2.0.txt to files they want to run. This allows for easier Apache Include wild-carding http://websecuritytool.codeplex.com/wikipage?title=Checks#charset https://www.owasp.org/index.php/AppSensor_DetectionPoints http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html This allows for per-site global collections. This includes both converted web rules from Emerging Threats (ET) and from SLR Team. http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html https://www.modsecurity.org/tracker/browse/CORERULES-64
 * Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)
 * Created new INSTALL file outlining quick config setup
 * Added a new rule regression testing framework to the /util directory
 * Added new activated_rules directory which will allow users to place symlinks pointing
 * Adding in new RULE_MATURITY and RULE_ACCURACY tags
 * Adding in a check for X-Forwarded-For source IP when creating IP collection
 * Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)
 * Added new AppSensor rules to experimental_dir
 * Added new Generic Malicious JS checks in outbound content
 * Added experimental IP Forensic rules to gather Client hostname/whois info
 * Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules
 * Global collection in the 10 file now uses the Host Request Header as the collection key.
 * Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilties.
 * Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB
 * Added experimental rules for detecting Open Proxy Abuse
 * Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API
 * Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)
 * Added new SQLi detection rules (959070, 959071 and 959072)
 * Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data

Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-68 They will now inherit the settings from the SecDefaultAction
 * Assigned IDs to all active SecRules/SecActions
 * Removed rule inversion (!) from rule ID 960902
 * Fixed false negative issue in Response Splitting Rule
 * Fixed false negative issue with @validateByteRange check
 * Updated the TARGETS lising for rule ID 950908
 * Updated TX data for REQBODY processing
 * Changed the pass action to block in the RFI rules in the 40 generic file
 * Updated RFI regex to catch IP address usage in hostname
 * Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.
 * Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions.

Version 2.1.2 - 02/17/2011
Improvements: which will help to identify successful XSS attacks and planting of malware links. quickly (need to use the Ignore Static Content rules).
 * Added experimental real-time application profiling ruleset.
 * Added experimental Lua script for profiling the # of page scripts, iframes, etc..
 * Added new CSRF detection rule which will trigger if a subsequent request comes too

Bug Fixes:
 * Added missing " in the skipAfter SecAction in the CC Detection rule set

Version 2.1.1 - 12/30/2010
Bug Fixes: csrf token was created by the session hijacking conf file Cookie was submitted
 * Updated the 10 config conf file to add in pass action to User-Agent rule
 * Updated the CSRF ruleset to conditionally do content injection - if the
 * Updated the session hijacking conf file to only enforce rules if a SessionID
 * Fixed macro expansion setvar bug in the restricted file extension rule
 * Moved the comment spam data file into the optional_rules directory

Version 2.1.0 - 12/29/2010
Improvements: PHPIDS Converter code and it used with the advanced filters conf file. it has a ".example" extension to prevent overwriting customized versions when upgrading the experimental_rules directory help to make collections a bit more unique
 * Added Experimental Lua Converter script to normalize payloads. Based on
 * Changed the name of PHPIDS converted rules to Advanced Filters
 * Added Ignore Static Content (Performance enhancement) rule set
 * Added XML Enabler (Web Services) rule set which will parse XML data
 * Added Authorized Vulnerability Scanning (AVS) Whitelist rule set
 * Added Denial of Service (DoS) Protection rule set
 * Added Slow HTTP DoS (Connection Consumption) Protection rule set
 * Added Brute Force Attack Protection rule set
 * Added Session Hijacking Detection rule set
 * Added Username Tracking rule set
 * Added Authentication Tracking rule set
 * Added Anti-Virus Scanning of File Attachments rule set
 * Added AV Scanning program to /util directory
 * Added Credit Card Usage Tracking/Leakage Prevention rule set
 * Added experimental CC Track/PAN Leakage Prevention rule set
 * Added an experimental_rules directory to hold new BETA rules
 * Moved the local exceptions conf file back into base_rules dirctory however
 * Separated out HTTP Parameter Pollution and Restricted Character Anomaly Detection rules to
 * Adding the REQUEST_HEADERS:User-Agent macro data to the initcol in 10 config file, which will

Version 2.0.10 - 11/29/2010
Improvements: is running in traditional mode.
 * Commented out the Anomaly Scoring Blocking Mode TX variable since, by default, the CRS

Bug Fixes: https://www.modsecurity.org/tracker/browse/MODSEC-159
 * Moved all skipAfter actions in chained rules to chain starter SecRules
 * Changed phases on several rules in the 20 protocol anomaly rules file to phase:1 to avoid FNs

Version 2.0.9 - 11/17/2010
Improvements: it will not overwrite existing config settings. Users should rename this file to activate it. by editing the modsecurity_crs_10_config.conf file is to allow for the toggling between traditional vs. anomaly scoring modes. setting in the modsecurity_crs_10_config.conf file what is used in the PHPIDS rules. These still have the same factor of severity even though the numbers themselves are smaller. Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-63 https://www.modsecurity.org/tracker/browse/MODSEC-159 https://www.modsecurity.org/tracker/browse/CORERULES-60 it matches what is being set in the sql injection conf file https://www.modsecurity.org/tracker/browse/CORERULES-62
 * Changed the name of the main config file to modsecurity_crs_10_config.conf.example so that
 * Traditional detection mode is now the current default
 * Users can now more easily toggle between traditional/standard mode vs. anomaly scoring mode
 * Updated the disruptive actions in most rules to use "block" action instead of "pass". This
 * Removed logging actions from most rules so that it can be controlled from the SecDefaultAction
 * Updated the anomaly scores in the modsecurity_crs_10_config.conf file to more closely match
 * Updated the 49 and 59 blocking rules to include the matched logdata
 * Updated the TAG data to further classify attack/vuln categories.
 * Updated the SQL Injection filters to detect more boolean logic attacks
 * Moved some files to optional_rules directory (phpids, Emerging Threats rules)
 * Fixed Rule ID 960023 in optional_rules/modsecurity_crs_40_experimental.conf is missing 1 single quote
 * Moved all skipAfter actions in chained rules to the rule starter line (must have ModSec v2.5.13 or higher)
 * Fixed restricted file extension bug with macro expansion
 * Updated the SQLI TX variable macro expansion data in the 49 and 60 files so that
 * Fixed typo in SQL Injection regexs - missing backslash for word boundary (b)

Version 2.0.8 - 08/27/2010
Improvements:
 * Updated the PHPIDS filters
 * Updated the SQL Injection filters to detect boolean attacks (1<2, foo == bar, etc..)
 * Updated the SQL Injection fitlers to account for different quotes
 * Added UTF-8 encoding validation support to the modsecurity_crs_10_config.conf file
 * Added Rule ID 950109 to detect multiple URL encodings
 * Added two experimental rules to detect anomalous use of special characters

Bug Fixes: https://www.modsecurity.org/tracker/browse/MODSEC-167 https://www.modsecurity.org/tracker/browse/CORERULES-55 https://www.modsecurity.org/tracker/browse/CORERULES-54 https://www.modsecurity.org/tracker/browse/CORERULES-29
 * Fixed Encoding Detection RegEx (950107 and 950108)
 * Fixed rules-updater.pl script to better handle whitespace
 * Fixed missing pass action bug in modsecurity_crs_21_protocol_anomalies.conf
 * Fixed the anomaly scoring in the modsecurity_crs_41_phpids_filters.conf file
 * Updated XSS rule id 958001 to improve the .cookie regex to reduce false postives

Version 2.0.7 - 06/4/2010
Improvements: specific outbound data and then validate the csrf token on subsequent requests. flags data being echoed back to user unchanged. download CRS rules from the CRS rules repository.
 * Added CSRF Protection Ruleset which will use Content Injection to add javascript to
 * Added new Application Defect Ruleset which will identify/fix missing HTTPOnly cookie
 * Added Experimental XSS/Missing Output Escaping Ruleset which looks for user supplied
 * Added rules-updater.pl script and configuration file to allow users to automatically
 * Added new SQLi keyword for ciel and reverse functions.
 * Updated the PHPIDS filters

Bug Fixes: adding boundary characters. https://www.modsecurity.org/tracker/browse/CORERULES-41 https://www.modsecurity.org/tracker/browse/CORERULES-45
 * Fixed false positives for Request Header Name matching in the 30 file by
 * Added missing pass actions to @pmFromFile prequalifier rules
 * Added backslash to SQLi regex
 * Fixed hard coded anomaly score in PHPIDS filter file
 * Fixed restricted_extension false positive by adding boundary characters

Version 2.0.6 - 02/26/2010
Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-32 https://www.modsecurity.org/tracker/browse/CORERULES-33 https://www.modsecurity.org/tracker/browse/CORERULES-34 https://www.modsecurity.org/tracker/browse/CORERULES-35 https://www.modsecurity.org/tracker/browse/CORERULES-36 https://www.modsecurity.org/tracker/browse/CORERULES-37
 * Added missing transformation functions to SQLi rules.
 * Fixed duplicate rule IDs.
 * Fixed typo in @pmFromFile in the Comment SPAM rules
 * Added macro expansion to Restricted Headers rule
 * Fixed misspelled SecMarker
 * Fixed missing chain action in Content-Type header check
 * Update phpids filters to use pass action instead of block

Version 2.0.5 - 02/01/2010
Improvements: PARANOID_MODE inspection, set anomaly score levels and http policies. Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators. https://www.modsecurity.org/tracker/browse/MODSEC-120 variables to the PARANOID list (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|TX:HPP_DATA) request headers. Identified by SOGETI ESEC R&D Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-28 and blocking
 * Removed previous 10 config files as they may conflict with local customized Mod configs.
 * Added a new 10 config file that allows the user to globally set TX variables to turn on/off
 * Added Rule Logic and Reference links to rules descriptions.
 * Added Rule IDs to all rules.
 * Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat Classification
 * Removed Apache limit directives from the 23 file
 * Added macro expansion to 23 file checks.
 * Added @pmFromFile check to 35 bad robots file
 * Added malicious UA strings to 35 bad robots check
 * Created an experimental rules file
 * Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for inspection
 * Removed TX inspections for generic attacks and reverted to standard ARGS inspection
 * Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved the other
 * Moved converted ET Snort rules to the /optional_rules directory
 * Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to the
 * Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
 * Added separate anomaly scores for inbound, outbound and total to be evaluated for blocking.
 * Updated the regex logic in the (1=1) rule to factor in quotes and other logical operators.
 * Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
 * Added new outbound malware link detection rules.
 * Added PHP "call_user_func" to blacklist
 * Removed Non-numeric Rule IDs
 * Updated the variable list on SQLi rules.
 * Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly scoring

Version 2.0.4 - 11/30/2009
Improvements: then search more generically in request_body|request_uri_raw exceptions in the 48 file which can then expire/delete false positive TX matches and adjust the anomaly scores. These rules will then inspect for any TX variables in phase:5 and create appropriate alerts for any variable matches that exist.
 * Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
 * Updated PHPIDS rules logic to first search for payloads in ARGS and then if there is no match found
 * Updated PHPIDS rules logic to only set TX variables and to not log. This allows for more clean

Bug Fixes: phase:4 which would allow for blocking based on information leakage issues.
 * Added Anomaly Score check to the 60 correlation file to recheck the anomaly score at the end of

Version 2.0.3 - 11/05/2009
Improvements:
 * Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
 * Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
 * Added new rules to identify multipart/form-data bypass attempts
 * Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts

Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-17 https://www.modsecurity.org/tracker/browse/CORERULES-19 https://www.modsecurity.org/tracker/browse/CORERULES-20 https://www.modsecurity.org/tracker/browse/CORERULES-21 https://www.modsecurity.org/tracker/browse/CORERULES-22 https://www.modsecurity.org/tracker/browse/CORERULES-23
 * Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
 * Added new variable locations to the phpids filters
 * Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
 * Fixed multipart parsing evasion issues by adding strict parsing rules
 * Fixed typo in xss rules (missing |)
 * Fixed regex text in IE8 XSS filters (changed to lowercase)

Version 2.0.2 - 09/11/2009
Improvements: https://www.modsecurity.org/tracker/browse/CORERULES-13
 * Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)

Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-15
 * Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.

Version 2.0.1 - 08/07/2009
Improvements: https://www.modsecurity.org/tracker/browse/CORERULES-10
 * Updated the transformation functions used in the XSS/SQLi rules to improve performance

https://www.modsecurity.org/tracker/browse/CORERULES-11
 * Updated the variable/target list in the XSS rules

https://www.modsecurity.org/tracker/browse/CORERULES-12 Bug Fixes: https://www.modsecurity.org/tracker/browse/CORERULES-9
 * Added XSS Filters from IE8
 * Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.

Version 2.0.0 - 07/29/2009
New Rules & Features: The rules have been split to having one signature per rule instead of having all signatures combined into one optimized regular expression. This should allow you to modify/disable events based on specific patterns instead of having to deal with the whole rule. Emerging Threat web attack rules have been converted. http://www.emergingthreats.net/ The rules have been updated to include anomaly scoring variables which allow you to evaluate the score at the end of phase:2 and phase:5 and decide on what logging and disruptive actions to take based on the score. There are rules in phase:5 that will provide some correlation between inbound events and outbound events and will provide a result of successful atttack or   attempted attack. The severity ratings in the rules have been updated to the following: - 0: Emergency - is generated from correlation where there is an inbound attack and an outbound leakage. - 1: Alert - is generated from correlation where there is an inbound attack and an        outbound application level error. - 2: Critical - is the highest severity level possible without correlation. It is        normally generated by the web attack rules (40 level files). - 3: Error - is generated mostly from outbound leakabe rules (50 level files). - 4: Warning - is generated by malicious client rules (35 level files). - 5: Notice - is generated by the Protocol policy and anomaly files. - 6: Info - is generated by the search engine clients (55 marketing file). Updated rules to include RBL lookups and client fingerprinting concepts from Bad Behavior (www.bad-behavior.ioerror.us) Automatically create a Global collection in the *10* config file. Other rules can then access it. Updated the rules to use the "block" action. This allows the Admin to globally set the desired block action once with SecDefaultAction in the *10* config file rather than having to edit the disruptive actions in all of the rules or for the need to have multiple versions of the rules (blocking vs. non-blocking). http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html Planting invisible iframes in a site can be used by attackers to point users from the victim site to their malicious site. This is actually as if the user was visiting the attacker's site himself, causing the user's browser to   process the content in the attacker's site. New Events: as it is reserved for use as a fragment identifier within the html page.
 * Fine Grained Policy
 * Converted Snort Rules
 * Anomaly Scoring Mode Option
 * Correlated Events
 * Updated Severity Ratings
 * Updated Comment SPAM Protections
 * Creation of Global Collection
 * Use of Block Action
 * "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
 * Added new generic RFI detection rules.
 * "Possibly malicious iframe tag in output" (Rules 981001,981002)
 * Rule 960019 - Expect Header Not Allowed.
 * Rule 960020 - Pragma Header Requires Cache-Control Header
 * Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
 * Rule 958291 - Range: field exists and begins with 0.
 * Rule 958292 - Invalid Request Header Found.
 * Rule 958293 - Lowercase Via Request Header Found.
 * Rule 958294 - Common SPAM Proxies found in Via Request Header.
 * Rule 958295 - Multiple/Conflicting Connection Header Data Found.
 * Rule 958296 - Request Indicates a SPAM client accessed the Site.
 * Rule 958297 - Common SPAM/Email Harvester crawler.
 * Rule 958298 - Common SPAM/Email Harvester crawler

Bug Fixes: Content-Type when inspecting the REQUEST_BODY variable. uses UTF-8 Encoding. allow the IPv6 loopback address and to identify offsite hosts by comparing the ARG URI to the Host header. Due to this rule now being stronger, moved it from optional tight security rule to *40* generic attacks file.
 * Rule 950107 - Split the rule into 2 separate rules to factor in the
 * Rule 960017 - Bug fix for when having port in the host header.
 * Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
 * Rule 950801 - Increased the logic so that the rule will only run if the web site
 * Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
 * Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG

Other Fixes: default setting, however this sets it explicitly. was added so that when running the SecRuleEngine in DetectionOnly mode, it will not deny response bodies that go over the size restrictions. BEGIN and END SecMarkers for rule groups to more accurately allow moving to  proper locations. This removes the need for some SecAction/SkipAfter rules. rules and chained rules).
 * Added more HTTP Protocol violations to *20* file.
 * Set the SecDefaultAction in the *10* config file to log/pass (This was the
 * Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
 * Changed SecServerSignature to "Apache/1.3.28"
 * Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
 * Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
 * Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier

Version 1.6.1 - 2008/04/22
in rules. The issue affected a significant number of rules, and we strongly recommend to upgrade.
 * Fixed a bug where phases and transformations where not specified explicitly

Version 1.6.0 - 2008/02/19
New Rulesets & Features: This ruleset contains currently 2 rules which are considered highly prone to FPs. They take care of Path Traversal attacks, and RFI attacks. This ruleset is included in the optional_rulesets dir Comment Spam is used by the spammers to increase their rating in search engines by posting links to their site in other sites that allow posting of comments and messages. The rules in this ruleset will work against that. (Requires ModSecurity 2.5) A single type of attack is often detected by multiple rules. The new alert classification tags solve this issue by providing an alternative alert type indication and can serve for filtering and analysis of audit logs. The classification tags are hierarchical with slashes separating levels. Usually there are two levels with the top level describing the alert group and the lower level denoting the alert type itself, for example: WEB_ATTACK/SQL_INJECTION.
 * 42 - Tight Security
 * 42 - Comment Spam
 * Tags

False Positives Fixes: automatically url decoded
 * Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
 * Rule 950107 - Will look for invalid url decoding in variables that are not

Additional rules logic: performance (Requires ModSecurity 2.5) only 1=1. (Thanks to Marc Stern for the idea)
 * Using the new "logdata" action for logging the matched signature in rules
 * When logging an event once, init the collection only if the alert needs to log
 * Using the new operator @pm as a qualifier before large rules to enhance
 * SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
 * New XSS signatures - iframe & flash XSS

Version 1.5.1 - 2007/12/6
False Positives Fixes:
 * Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)

New Events: HTTP/0.9 request are not common these days. This rule will log by default, and block in the blocking version of file 21 Other Fixes: url decoding problem
 * 960019 - Detect HTTP/0.9 Requests
 * File 40, Rules 950004,950005 - Repaired the correction for the double
 * File 55 contained empty regular expressions. Fixed.

Version 1.5 - 2007/11/23
New Rulesets: "Judging by appearances". This rulesets contains rules blocking based on   the size of the request, for example, a request with too many arguments will be denied.
 * 23 - Request Limits

Default policy changes:
 * XML protection off by default
 * BLOCKING dir renamed to optional_rules
 * Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
 * Ruleset 21 - The exception for apache internal monitor will not log anymore

New Events: Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules.
 * 960912 - Invalid request body
 * 960913 - Invalid Request

Additional rules logic:
 * 950001 - New signature: delete from
 * 950007 - New signature: waitfor delay

False Positives Fixes: url-decoded by apache. This caused FPs when the rule performed another url-decoding transformation. The rules have been split so that parameters already decoded by apache will not be decoded by the rules anymore. then you should uncomment this rule (in file 20)
 * 950006 - Will not be looking for /cc pattern in User-Agent header
 * 950002 - "Internet Explorer" signature removed
 * Double decoding bug used to cause FPs. Some of the parameters are already
 * 960911 - Expression is much more permissive now
 * 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,

version 1.4.3 - 2007/07/21

New Events: For more info on this attack: http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules.
 * 950012 - HTTP Request Smuggling
 * 960912 - Invalid request body
 * 960913 - Invalid Request

False Positives Fixes: http://www.ietf.org/rfc/rfc2396.txt
 * 950107 - Will allow a % sign in the middle of a string as well
 * 960911 - A more accurate expression based on the rfc:
 * 950015 - Will not look for http/ pattern in the request headers

Additional rules logic: this directives cannot be used to exclude phase 1 rules. Therefore we moved all inspection rules to phase 2.
 * Since Apache applies scope directives only after ModSecurity phase 1

version 1.4 build 2 - 2007/05/17

New Feature: XML Content will be parsed and ispected for signatures
 * Search for signatures in XML content

New Events: Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden http://www.kb.cert.org/vuls/id/739224 Enforce request line to be valid, i.e.:   When a request contains content, the content-type must be specified. If not, the content will not be inspected Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)   Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
 * 950116 - Unicode Full/Half Width Abuse Attack Attempt
 * 960911 - Invalid HTTP request line
 * 960904 - Request Missing Content-Type (when there is content)
 * 970018 - IIS installed in default location (any drive)
 * 950019 - Email Injection

Regular expressions fixes: The non-greediness operator, <?>, prevents excessive backtracking
 * Further optimization of some regular expressions (using the non-greediness operator)

FP fixes:
 * Rule 950107 - Will allow a parameter to end in a % sign from now on

version 1.4 - 2007/05/02

New Events: Matching of " JSP compile error " in the response body, will trigger this rule, with severity 4 (Warning) Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper: http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf ModSecurity does not support compressed content at the moment. Thus, the following rules have been added: Any incoming compressed request will be denied An outgoing compressed response will be logged to alert, but ONLY ONCE.
 * 970021 - WebLogic information disclosure
 * 950015,950910,950911 - HTTP Response Splitting
 * 960902 - Content-Encoding in request not supported
 * 960903 - Content-Encoding in response not suppoted

False Positives Fixes: REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
 * Removed <.exe>,<.shtml> from restricted extensions
 * Will not be looking for SQL Injection signatures , in the Via request header
 * Excluded Referer header from SQL injection, XSS and command injection rules
 * Excluded X-OS-Prefs header from command injection rule
 * Will be looking for command injection signatures in
 * Allowing charset specification in the  Content-Type

Additional rules logic: This will enable viewing content if such a rule triggers as well as setting exceptions using Apache scope tags.
 * Corrected match of OPTIONS method in event 960015
 * Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
 * Moved all rules apart from method inspection from phase 1 to phase 2 -
 * Added match for double quote in addition to single quote for signature (SQL Injection)
 * Added 1=1 signature (SQL Injection)

version 1.3.2 build 4 2007/01/17

Fixed apache 2.4 dummy requests exclusion Added persistent PDF UXSS detection rule

Version 1.3.2 build 3 2007/01/10
Fixed regular expression in rule 960010 (file #30) to allow multipart form data content

Version 1.3.2 - 2006/12/27
New events:
 * 960037 Directory is restricted by policy
 * 960038 HTTP header is restricted by policy

Regular expressions fixes: + More accurate regular expressions + high bit characters not accpeted between signature tokens.
 * Regular expressions with @ at end of beginning (for example "@import)
 * Regular expressions with un-escaped "."
 * Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
 * The command injection wget is not searched in the UA header as it has different meaning there.
 * LDAP Fixed to reduce FPs:
 * Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
 * Removed Java from automation UA
 * When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"

Additional rules logic:
 * Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
 * OPTIONS method does not require an accept header.
 * Apache keep alive request exception.
 * PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
 * Validate byte range checks by default only that no NULL char exists.
 * Added CSS to allowed extensions in strict rule sets.
 * Changed default action in file #50 to pass instead of deny.
 * Moved IP host header from protocol violations to protocol anomalies.

Modified descriptions:
 * 950107: URL Encoding Abuse Attack Attempt
 * 950801: UTF8 Encoding Abuse Attack Attempt
 * Added matched pattern in many events using capture and %{TX.0}
 * Added ctl:auditLogParts=+E for outbound events and attacks to collect response.

Version 1.2 - 2006/11/19
Changes: + Move all events to the range of events allocated to Thinking Stone, now Breach by prefixing all event IDs with "9". + Reverse severities to follow the Syslog format used by ModSecurity, now 1 is the highest and 5 the lowest.

Bug fixes: + Removed quotes from list of mime types inspected on exit (directive SecResponseBodyMimeType) + Corrected "cd .." signature. Now the periods are escaped. + Too many FPs with events 950903 & 950905. Commented them out until fixed.

Version 1.1 - 2006/10/18
Initial version

= Roadmap =

Roadmap Items
The OWASP ModSecurity Core Rule Set (CRS) Project provides a base set of attack detection rules for the popular open source web application firewall (http://www.modsecurity.org/).

Create "Sniffer-Mode" ModSecurity
Brief explanation:

The ModSecurity code includes a "standalone" version that wraps a light weight Apache/APR around the ModSecurity code. This is used as the basis for the ports to the IIS/Nginx web server platforms. The goal for this project task is to extend this standalone version so that it can accept a data feed of network traffic (e.g. libpcap) data as input and apply the ModSecurity CRS rules. One possible solution would be create a ModSecurity "plugin" for the Snort IDS.

Expected results:

This new sniffer mode would allow organizations to run ModSecurity/OWASP ModSecurity CRS in an out of line mode as they do IDS systems.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

ModSecurity for Java
Brief explanation:

The goal is to have a ModSecurity version that can be used within Java servers (e.g. Tomcat). There may be methods to use JNI to call the standalone code from a filter in Tomcat.

Expected results:

This new version allow organizations to run ModSecurity/OWASP ModSecurity CRS in Java web servers.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Implement libinjection Code
Brief explanation: https://www.modsecurity.org/tracker/browse/MODSEC-327

libinjection (https://github.com/client9/libinjection) is a C library that detects SQLi attacks in user input. It is designed to be embedded in existing or new applications:


 * Fast > 100k inspections per second
 * No memory allocation
 * No threads
 * Stable memory usage (approximately 500 bytes on stack)
 * 500 lines of C code (plus a few kiobytes of data)

It is based on lexical analysis of SQL and SQLi attempts and does not use regular expressions.

Expected results:

The new C code in ModSecurity will allow us to add new SQL Injection detection methods to the OWASP ModSecurity CRS.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Implement DoS Prevention Code
Brief explanation: https://www.modsecurity.org/tracker/browse/MODSEC-265

Implement a request velocity learning engine to identify dynamic DoS thresholds for both the site and for the particular URL.

Expected results:

The new C code in ModSecurity will allow us to add new DoS Protection methods to the OWASP ModSecurity CRS.

Knowledge Prerequisite:

C programming and ModSecurity Development Guidelines - http://www.modsecurity.org/developers/.

Update the Lua port of the PHPIDS Converter Module
Brief explanation:

PHPIDS has an advanced normalization code section called Converter.php which applies counter-evasion methods to obscured attack payloads. We have an initial Lua script that mimics this functionality. We need to have it updated and tested.

Expected results:

The new Lua script will normalize all payloads in the same manner as the PHPIDS Converter.php code does. It will also employ the Centrifuge generic attack detection logic.

Knowledge Prerequisite:

Lua scripting (http://www.lua.org/) and PHP.

Update the Lua Implementation of AppSensor Detection Points
Brief explanation:

We want to update the existing Lua scripts that implement the various AppSensor Detection Points - http://blog.spiderlabs.com/2011/08/implementing-appsensor-detection-points-in-modsecurity.html.

Expected results:

The new Lua script will implement more detection points to detect abnormal request attributes.

Knowledge Prerequisite:

Lua scripting (http://www.lua.org/).

Lua Script to Detect Application Flow Anomalies
Brief explanation:

Need a Lua script that can track normal application flow paths (click-flows) for business logic transactions - such as transferring money from accounts. After profiling normal application path flows, we want to then be able to alert to anomalies. This type of logic can help to prevent Banking Trojan attacks.

Expected results:

The new Lua script will be able to alert on anomalous application flows.

Knowledge Prerequisite:

Lua scripting (http://www.lua.org/).

Lua Script(s) to Identify User/System Trend Anomalies
Brief explanation:

Need Lua scripts to be able to track normal request velocities of user for resources and identify when they are abnormal. The goal of these scripts will be to identify brute force, DoS and CSRF worm propagations.

Expected results:

The new Lua scripts will monitor normal request usage ranges and alert on anomlies.

Knowledge Prerequisite:

Lua scripting (http://www.lua.org/).

Mentor: Ryan Barnett - OWASP ModSecurity CRS Project Leader

v3.0
This page documents the goals/ideas for the next major version of the CRS.

Goals
These are not listed in any particular order.
 * 1) Add New Detection Logic
 * 2) Fraud Detection (Session Hijacking/CSRF/Banking Trojans)
 * 3) User Profiling (GeoIP/Browser Fingerprinting)
 * 4) HoneyTraps
 * 5) Increase Rule Accuracy
 * 6) Reduce False Positives - many users complain about the number of false positives and the negative impacts (breaking functionality) when in blocking mode
 * 7) Reduce False Negatives - we need to constantly improve detection so that we don't miss attacks (http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html)
 * 8) Increase Performance/Reduce Latency
 * 9) Utilize set-based pattern matching (@pm/@pmf) for pre-qualification of regular expression checks
 * 10) Optimize individual @rx SecRules into less optimized versions
 * 11) Review all regular expression rules for performance (non-capturing/greediness).
 * 12) Improve Rule Management
 * 13) Make it easier for user to enable/disable the desired rules for their platform
 * 14) Update rule formatting for easier readability
 * 15) Reorder/Regroup rule into new file names

Detection Logic/Flow Concepts
This section outlines the processing flow and associated points of detection and actions taken.
 * 1) IP Reputation
 * 2) Data inspected: REMOTE_ADDR
 * 3) Use @rbl to check against remote RBLs
 * 4) Use @pmf to check a local file if bad IPs
 * 5) Use GeoIP Data to assign fraud scores
 * 6) Actions
 * 7) Deny
 * 8) Increase TX anomaly score
 * 9) Tag client as "suspicious" in IP collection
 * 10) Request Method Analysis
 * 11) Data inspected: REQUEST_METHOD
 * 12) Compare the REQUEST_METHOD specified against:
 * 13) Allowed global methods set by the admin in the modsecurity_crs_10_setup.conf file
 * 14) Request methods allowed per-resource (GET vs. POST)
 * 15) Actions
 * 16) Deny
 * 17) Increase TX anomaly score
 * 18) Tag client as "suspicious" in IP collection
 * 19) Request Header Analysis
 * 20) Data inspected: REQUESTE_HEADERS
 * 21) Check for existence of malicious headers (User-Agent of scanners, etc..)
 * 22) Check for the absence of required headers (Host, User-Agent, Accept)
 * 23) Request Header Ordering Anomalies detects non-browsers/bots
 * 24) Actions
 * 25) Deny
 * 26) Increase TX anomaly score
 * 27) Tag client as "suspicious" in IP collection

Project About
''The CRS is an open source rule set licensed under ASLv2. ModSecurity Core Rule Set works with ModSecurity 2.5 and above.''