Merge pull request SpiderLabs#7 from SpiderLabs/v3.3/dev

Syncing to upstream

INSTALL

@@ -29,25 +29,21 @@ Installing From a Package Manager
 
     modsecurity-crs  - Debian
     mod_security_crs - Fedora
-    modsecurity-crs  - Gentoo 
+    modsecurity-crs  - Gentoo
 
     Packages of CRS 2.x are incompatible with CRS 3.x.
 
-Installing From Git
-===================
+Installing
+==========
 
-    Github is the preferred way to download and install CRS. Doing so
-    insures that you have the most recent version of the rules. We
-    encourage you to create scripts that will automatically download
-    updates at regular intervals so that you may be protected against
-    the latest threats that CRS adds protection for.
+    You can download a copy of the CRS from the following URL:
+    https://coreruleset.org/installation/
 
-    The script util/upgrade.py is an example for script. You can use
-    it as follows:
+    Our release zip/tar.gz files are the preferred way to install CRS.
 
-    ```
-    ./util/upgrade.py --crs
-    ```
+    However, if you want to follow rule development closely and get
+    the newest protections quickly, you can also clone our GitHub
+    repository to get the current work-in-progress for the next release.
 
 Prerequisites
 -------------
@@ -85,20 +81,19 @@ Installing on Apache
     to create a new folder underneath the Apache directory (typically
     /usr/local/apache/, /etc/httpd/, or /etc/apache2). Often this folder
     is called 'modsecurity.d'. Create this folder and cd into it.
-    4. Clone the repository into the modsecurity.d folder using:
-    ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs .```
-    This will create a new owasp-modsecurity-crs folder.
+    4. Download our release from https://coreruleset.org/installation/
+    and unpack it into a new owasp-modsecurity-crs folder.
     5. Move the crs-setup.conf.example file to crs-setup.conf.
     Please take the time to go through this file and customize the settings
-    for your local environment. Failure to do so may result in false 
-    negatives and false positives. See the section entitled OWASP CRS 
+    for your local environment. Failure to do so may result in false
+    negatives and false positives. See the section entitled OWASP CRS
     Configuration for more detail.
     6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
     rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
     '.example' extension. This will allow you to add exclusions without updates
     overwriting them in the future.
-    7. Add the following line to your httpd.conf/apache2.conf (the following 
-    assumes you've cloned CRS into modsecurity.d/owasp-modsecurity-crs). You 
+    7. Add the following line to your httpd.conf/apache2.conf (the following
+    assumes you've put CRS into modsecurity.d/owasp-modsecurity-crs). You
     can alternatively place these in any config file included by Apache:
     ```
 	<IfModule security2_module>
@@ -121,8 +116,8 @@ Installing on Nginx
     to create a new folder underneath the Nginx directory (typically
     /usr/local/nginx/conf/). Often this folder
     is called 'owasp-modsecurity-crs'. Create this folder and cd into it.
-    4. Clone the repository into the current folder using:
-    ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs .```
+    4. Download our release from https://coreruleset.org/installation/
+    and unpack it into a new owasp-modsecurity-crs folder.
     5. Move the crs-setup.conf.example file to crs-setup.conf.
     Please take this time to go through this
     file and customize the settings for your local environment. Failure to
@@ -147,6 +142,12 @@ Installing on Nginx
     include owasp-modsecurity-crs/crs-setup.conf
     include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
     include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
     include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
     include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
     include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -158,9 +159,11 @@ Installing on Nginx
     include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
     include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
     include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+    include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
     include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
     include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
     include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+    include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-JAVA.conf
     include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
     include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
     include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -181,8 +184,8 @@ Installing on IIS
     To upgrade or install this after the fact follow the following
     steps.
     1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\"
-    2. Clone the repository into the current folder using:
-    ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs```
+    2. Download our release from https://coreruleset.org/installation/
+    and unpack it into the current folder.
     3. Move the crs-setup.conf.example file to crs-setup.conf.
     Please take this time to go through this
     file and customize the settings for your local environment. Failure to
@@ -290,16 +293,7 @@ OWASP CRS Configuration
     Make sure your GeoIP and Project Honeypot settings are specified
     if you are using them.
     The GeoIP database is no longer included with the CRS. Instead
-    you are advised to download it regularly. The script
-    util/upgrade.py brings this functionality.  You can use it as
-    follows in cron:
-
-    ```
-    0 2 * * *  util/upgrade.py --geoip --cron
-
-    ```
-    The use of the option --cron guarantees that the GeoIP
-    download server is not hammered.
+    you are advised to download it regularly.
 
     The use of Project Honeypot requires a
     free API key. These require an account but can be obtained at

README.md

@@ -1,4 +1,6 @@
-![Travis build v3.2/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.2/dev&label=CRS%20v3.2/dev)![Travis build v3.1/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.1/dev&label=CRS%20v3.1/dev)![Travis build v3.0/dev](https://badges.herokuapp.com/travis/SpiderLabs/owasp-modsecurity-crs?branch=v3.0/dev&label=CRS%20v3.0/dev)
+![Travis build v3.3/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.3/dev?label=v3.3%2Fdev)
+![Travis build v3.2/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.2/dev?label=v3.2%2Fdev)
+![Travis build v3.1/dev](https://img.shields.io/travis/spiderlabs/owasp-modsecurity-crs/v3.1/dev?label=v3.1%2Fdev)
 [![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-38a047.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1390/badge)](https://bestpractices.coreinfrastructure.org/projects/1390)
 

rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf

@@ -189,7 +189,6 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
     t:none,\
     nolog,\
     ctl:ruleRemoveById=200003,\
-    ctl:ruleRemoveById=920150,\
     ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\
     ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
     ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -487,7 +487,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:replaceComments,t:compressWhiteSpace,\
+    t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
     msg:'PHP Injection Attack: Variable Function Call Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf

@@ -64,7 +64,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     multiMatch,\
-    setvar:'tx.rce_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -883,7 +883,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -911,7 +911,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -964,7 +964,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 

rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

@@ -1379,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@@ -1646,7 +1646,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

util/docker/docker-compose.yaml

@@ -74,7 +74,7 @@ services:
       - ./RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 
     #######################################################
-    # Add TLS server certificate and key 
+    # Add TLS server certificate and key
     # (only available if SETPROXY was enabled during the
     # parent ModSecurity image)
     #######################################################

util/regression-tests/tests/REQUEST-911-METHOD-ENFORCEMENT/911100.yaml

@@ -1,56 +1,56 @@
 ---
-  meta: 
+  meta:
     author: "csanders-git"
     enabled: true
     name: "911100.yaml"
     description: "Description"
-  tests: 
-    - 
+  tests:
+    -
       test_title: 911100-1
-      stages: 
-        - 
-          stage: 
+      stages:
+        -
+          stage:
             input:
               dest_addr: "127.0.0.1"
               port: 80
               headers:
                   User-Agent: "ModSecurity CRS 3 Tests"
                   Host: "localhost"
-            output: 
+            output:
               no_log_contains: "id \"911100\""
-    - 
+    -
       test_title: 911100-2
-      stages: 
-        - 
-          stage: 
+      stages:
+        -
+          stage:
             input:
               dest_addr: "127.0.0.1"
               port: 80
               method: "OPTIONS"
               headers:
                   User-Agent: "ModSecurity CRS 3 Tests"
                   Host: "localhost"
-            output: 
+            output:
               no_log_contains: "id \"911100\""
-    - 
+    -
       test_title: 911100-3
-      stages: 
-        - 
-          stage: 
+      stages:
+        -
+          stage:
             input:
               dest_addr: "127.0.0.1"
               method: "HEAD"
               port: 80
               headers:
                   User-Agent: "ModSecurity CRS 3 Tests"
                   Host: "localhost"
-            output: 
-              no_log_contains: "id \"911100\""                                          
-    - 
+            output:
+              no_log_contains: "id \"911100\""
+    -
       test_title: 911100-4
-      stages: 
-        - 
-          stage: 
+      stages:
+        -
+          stage:
             input:
               dest_addr: "127.0.0.1"
               method: "POST"
@@ -60,27 +60,27 @@
                   Host: "localhost"
                   Content-Type: "application/x-www-form-urlencoded"
               data: "test=value"
-            output: 
-              no_log_contains: "id \"911100\""  
-    - 
+            output:
+              no_log_contains: "id \"911100\""
+    -
       test_title: 911100-5
-      stages: 
-        - 
-          stage: 
+      stages:
+        -
+          stage:
             input:
               dest_addr: "127.0.0.1"
               method: "TEST"
               port: 80
               headers:
                   User-Agent: "ModSecurity CRS 3 Tests"
                   Host: "localhost"
-            output: 
-              log_contains: "id \"911100\""                
-    - 
+            output:
+              log_contains: "id \"911100\""
+    -
       test_title: 911100-6
       desc: Method is not allowed by policy (911100) from old modsec regressions
       stages:
-      - 
+      -
         stage:
           input:
             dest_addr: 127.0.0.1
@@ -100,11 +100,11 @@
           output:
             log_contains: id "911100"
 
-    - 
+    -
       test_title: 911100-7
       desc: Method is not allowed by policy (911100) from old modsec regressions
       stages:
-      - 
+      -
         stage:
           input:
             dest_addr: 127.0.0.1
@@ -124,11 +124,11 @@
           output:
             log_contains: id "911100"
 
-    - 
+    -
       test_title: 911100-8
       desc: Method is not allowed by policy (911100) from old modsec regressions
       stages:
-      - 
+      -
         stage:
           input:
             dest_addr: 127.0.0.1
@@ -146,4 +146,4 @@
             uri: /
             version: HTTP/1.0
           output:
-            log_contains: id "911100"              
+            log_contains: id "911100"