-------------------------- ModSecurity JIRA CHANGELOG -------------------------- https://www.modsecurity.org/tracker/browse/CORERULES?report=com.atlassian.jira.plugin.system.project:changelog-panel -------------------------- Version 2.0.3 - 11/05/2009 -------------------------- Improvements: - Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml) - Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php) - Added new rules to identify multipart/form-data bypass attempts - Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts Bug Fixes: - Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives https://www.modsecurity.org/tracker/browse/CORERULES-17 - Added new variable locations to the phpids filters https://www.modsecurity.org/tracker/browse/CORERULES-19 - Use of transformation functions can cause false negatives - added multiMatch action to phpids rules https://www.modsecurity.org/tracker/browse/CORERULES-20 - Fixed multipart parsing evasion issues by adding strict parsing rules https://www.modsecurity.org/tracker/browse/CORERULES-21 - Fixed typo in xss rules (missing |) https://www.modsecurity.org/tracker/browse/CORERULES-22 - Fixed regex text in IE8 XSS filters (changed to lowercase) https://www.modsecurity.org/tracker/browse/CORERULES-23 -------------------------- Version 2.0.2 - 09/11/2009 -------------------------- Improvements: - Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml) https://www.modsecurity.org/tracker/browse/CORERULES-13 Bug Fixes: - Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla. https://www.modsecurity.org/tracker/browse/CORERULES-15 -------------------------- Version 2.0.1 - 08/07/2009 -------------------------- Improvements: - Updated the transformation functions used in the XSS/SQLi rules to improve performance https://www.modsecurity.org/tracker/browse/CORERULES-10 - Updated the variable/target list in the XSS rules https://www.modsecurity.org/tracker/browse/CORERULES-11 - Added XSS Filters from IE8 https://www.modsecurity.org/tracker/browse/CORERULES-12 Bug Fixes: - Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule. https://www.modsecurity.org/tracker/browse/CORERULES-9 -------------------------- Version 2.0.0 - 07/29/2009 -------------------------- New Rules & Features: - Fine Grained Policy The rules have been split to having one signature per rule instead of having all signatures combined into one optimized regular expression. This should allow you to modify/disable events based on specific patterns instead of having to deal with the whole rule. - Converted Snort Rules Emerging Threat web attack rules have been converted. http://www.emergingthreats.net/ - Anomaly Scoring Mode Option The rules have been updated to include anomaly scoring variables which allow you to evaluate the score at the end of phase:2 and phase:5 and decide on what logging and disruptive actions to take based on the score. - Correlated Events There are rules in phase:5 that will provide some correlation between inbound events and outbound events and will provide a result of successful atttack or attempted attack. - Updated Severity Ratings The severity ratings in the rules have been updated to the following: - 0: Emergency - is generated from correlation where there is an inbound attack and an outbound leakage. - 1: Alert - is generated from correlation where there is an inbound attack and an outbound application level error. - 2: Critical - is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files). - 3: Error - is generated mostly from outbound leakabe rules (50 level files). - 4: Warning - is generated by malicious client rules (35 level files). - 5: Notice - is generated by the Protocol policy and anomaly files. - 6: Info - is generated by the search engine clients (55 marketing file). - Updated Comment SPAM Protections Updated rules to include RBL lookups and client fingerprinting concepts from Bad Behavior (www.bad-behavior.ioerror.us) - Creation of Global Collection Automatically create a Global collection in the *10* config file. Other rules can then access it. - Use of Block Action Updated the rules to use the "block" action. This allows the Admin to globally set the desired block action once with SecDefaultAction in the *10* config file rather than having to edit the disruptive actions in all of the rules or for the need to have multiple versions of the rules (blocking vs. non-blocking). - "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name." http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html - Added new generic RFI detection rules. http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html - "Possibly malicious iframe tag in output" (Rules 981001,981002) Planting invisible iframes in a site can be used by attackers to point users from the victim site to their malicious site. This is actually as if the user was visiting the attacker's site himself, causing the user's browser to process the content in the attacker's site. New Events: - Rule 960019 - Expect Header Not Allowed. - Rule 960020 - Pragma Header Requires Cache-Control Header - Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character as it is reserved for use as a fragment identifier within the html page. - Rule 958291 - Range: field exists and begins with 0. - Rule 958292 - Invalid Request Header Found. - Rule 958293 - Lowercase Via Request Header Found. - Rule 958294 - Common SPAM Proxies found in Via Request Header. - Rule 958295 - Multiple/Conflicting Connection Header Data Found. - Rule 958296 - Request Indicates a SPAM client accessed the Site. - Rule 958297 - Common SPAM/Email Harvester crawler. - Rule 958298 - Common SPAM/Email Harvester crawler Bug Fixes: - Rule 950107 - Split the rule into 2 separate rules to factor in the Content-Type when inspecting the REQUEST_BODY variable. - Rule 960017 - Bug fix for when having port in the host header. - Rule 960014 - Bug fix to correlate the SERVER_NAME variable. - Rule 950801 - Increased the logic so that the rule will only run if the web site uses UTF-8 Encoding. - Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and allow the IPv6 loopback address - Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG and to identify offsite hosts by comparing the ARG URI to the Host header. Due to this rule now being stronger, moved it from optional tight security rule to *40* generic attacks file. Other Fixes: - Added more HTTP Protocol violations to *20* file. - Set the SecDefaultAction in the *10* config file to log/pass (This was the default setting, however this sets it explicitly. - Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This was added so that when running the SecRuleEngine in DetectionOnly mode, it will not deny response bodies that go over the size restrictions. - Changed SecServerSignature to "Apache/1.3.28" - Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have BEGIN and END SecMarkers for rule groups to more accurately allow moving to proper locations. - Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion. This removes the need for some SecAction/SkipAfter rules. - Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier rules and chained rules). -------------------------- Version 1.6.1 - 2008/04/22 -------------------------- - Fixed a bug where phases and transformations where not specified explicitly in rules. The issue affected a significant number of rules, and we strongly recommend to upgrade. -------------------------- Version 1.6.0 - 2008/02/19 -------------------------- New Rulesets & Features: - 42 - Tight Security This ruleset contains currently 2 rules which are considered highly prone to FPs. They take care of Path Traversal attacks, and RFI attacks. This ruleset is included in the optional_rulesets dir - 42 - Comment Spam Comment Spam is used by the spammers to increase their rating in search engines by posting links to their site in other sites that allow posting of comments and messages. The rules in this ruleset will work against that. (Requires ModSecurity 2.5) - Tags A single type of attack is often detected by multiple rules. The new alert classification tags solve this issue by providing an alternative alert type indication and can serve for filtering and analysis of audit logs. The classification tags are hierarchical with slashes separating levels. Usually there are two levels with the top level describing the alert group and the lower level denoting the alert type itself, for example: WEB_ATTACK/SQL_INJECTION. False Positives Fixes: - Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs - Rule 950107 - Will look for invalid url decoding in variables that are not automatically url decoded Additional rules logic: - Using the new "logdata" action for logging the matched signature in rules - When logging an event once, init the collection only if the alert needs to log - Using the new operator @pm as a qualifier before large rules to enhance performance (Requires ModSecurity 2.5) - SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not only 1=1. (Thanks to Marc Stern for the idea) - New XSS signatures - iframe & flash XSS ------------------------- Version 1.5.1 - 2007/12/6 ------------------------- False Positives Fixes: - Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /) New Events: - 960019 - Detect HTTP/0.9 Requests HTTP/0.9 request are not common these days. This rule will log by default, and block in the blocking version of file 21 Other Fixes: - File 40, Rules 950004,950005 - Repaired the correction for the double url decoding problem - File 55 contained empty regular expressions. Fixed. ------------------------ Version 1.5 - 2007/11/23 ------------------------ New Rulesets: - 23 - Request Limits "Judging by appearances". This rulesets contains rules blocking based on the size of the request, for example, a request with too many arguments will be denied. Default policy changes: - XML protection off by default - BLOCKING dir renamed to optional_rules - Ruleset 55 (marketing) is now optional (added to the optional_rules dir) - Ruleset 21 - The exception for apache internal monitor will not log anymore New Events: - 960912 - Invalid request body Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. - 960913 - Invalid Request Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules. Additional rules logic: - 950001 - New signature: delete from - 950007 - New signature: waitfor delay False Positives Fixes: - 950006 - Will not be looking for /cc pattern in User-Agent header - 950002 - "Internet Explorer" signature removed - Double decoding bug used to cause FPs. Some of the parameters are already url-decoded by apache. This caused FPs when the rule performed another url-decoding transformation. The rules have been split so that parameters already decoded by apache will not be decoded by the rules anymore. - 960911 - Expression is much more permissive now - 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding, then you should uncomment this rule (in file 20) -------------------------- version 1.4.3 - 2007/07/21 -------------------------- New Events: - 950012 - HTTP Request Smuggling For more info on this attack: http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf - 960912 - Invalid request body Malformed content will not be parsed by modsecurity, but still there might be applications that will parse it, ignoring the errors. - 960913 - Invalid Request Will trigger a security event when request was rejected by apache with code 400, without going through ModSecurity rules. False Positives Fixes: - 950107 - Will allow a % sign in the middle of a string as well - 960911 - A more accurate expression based on the rfc: http://www.ietf.org/rfc/rfc2396.txt - 950015 - Will not look for http/ pattern in the request headers Additional rules logic: - Since Apache applies scope directives only after ModSecurity phase 1 this directives cannot be used to exclude phase 1 rules. Therefore we moved all inspection rules to phase 2. -------------------------------- version 1.4 build 2 - 2007/05/17 -------------------------------- New Feature: - Search for signatures in XML content XML Content will be parsed and ispected for signatures New Events: - 950116 - Unicode Full/Half Width Abuse Attack Attempt Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden http://www.kb.cert.org/vuls/id/739224 - 960911 - Invalid HTTP request line Enforce request line to be valid, i.e.: - 960904 - Request Missing Content-Type (when there is content) When a request contains content, the content-type must be specified. If not, the content will not be inspected - 970018 - IIS installed in default location (any drive) Log once if IIS in installed in the /Inetpub directory (on any drive, not only C) - 950019 - Email Injection Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails Regular expressions fixes: - Further optimization of some regular expressions (using the non-greediness operator) The non-greediness operator, , prevents excessive backtracking FP fixes: - Rule 950107 - Will allow a parameter to end in a % sign from now on ------------------------ version 1.4 - 2007/05/02 ------------------------ New Events: - 970021 - WebLogic information disclosure Matching of "JSP compile error" in the response body, will trigger this rule, with severity 4 (Warning) - 950015,950910,950911 - HTTP Response Splitting Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper: http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf ModSecurity does not support compressed content at the moment. Thus, the following rules have been added: - 960902 - Content-Encoding in request not supported Any incoming compressed request will be denied - 960903 - Content-Encoding in response not suppoted An outgoing compressed response will be logged to alert, but ONLY ONCE. False Positives Fixes: - Removed <.exe>,<.shtml> from restricted extensions - Will not be looking for SQL Injection signatures , in the Via request header - Excluded Referer header from SQL injection, XSS and command injection rules - Excluded X-OS-Prefs header from command injection rule - Will be looking for command injection signatures in REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie. - Allowing charset specification in the Content-Type Additional rules logic: - Corrected match of OPTIONS method in event 960015 - Changed location for event 960014 (proxy access) to REQUEST_URI_RAW - Moved all rules apart from method inspection from phase 1 to phase 2 - This will enable viewing content if such a rule triggers as well as setting exceptions using Apache scope tags. - Added match for double quote in addition to single quote for signature (SQL Injection) - Added 1=1 signature (SQL Injection) -------------------------------- version 1.3.2 build 4 2007/01/17 -------------------------------- Fixed apache 2.4 dummy requests exclusion Added persistent PDF UXSS detection rule -------------------------------- Version 1.3.2 build 3 2007/01/10 -------------------------------- Fixed regular expression in rule 960010 (file #30) to allow multipart form data content -------------------------- Version 1.3.2 - 2006/12/27 -------------------------- New events: - 960037 Directory is restricted by policy - 960038 HTTP header is restricted by policy Regular expressions fixes: - Regular expressions with @ at end of beginning (for example "@import) - Regular expressions with un-escaped "." - Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail) - The command injection wget is not searched in the UA header as it has different meaning there. - LDAP Fixed to reduce FPs: + More accurate regular expressions + high bit characters not accpeted between signature tokens. - Do not detect