1 --------------------------
2 ModSecurity JIRA CHANGELOG
3 --------------------------
4 https://www.modsecurity.org/tracker/browse/CORERULES?report=com.atlassian.jira.plugin.system.project:changelog-panel
6 --------------------------
7 Version 2.0.3 - 11/05/2009
8 --------------------------
11 - Updated converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
12 - Create a new PHPIDS Converter rules file (https://svn.php-ids.org/svn/trunk/lib/IDS/Converter.php)
13 - Added new rules to identify multipart/form-data bypass attempts
14 - Increased anomaly scoring (+100) for REQBODY_PROCESSOR_ERROR alerts
17 - Added t:urlDecodeUni transformation function to phpids rules to fix both false positives/negatives
18 https://www.modsecurity.org/tracker/browse/CORERULES-17
19 - Added new variable locations to the phpids filters
20 https://www.modsecurity.org/tracker/browse/CORERULES-19
21 - Use of transformation functions can cause false negatives - added multiMatch action to phpids rules
22 https://www.modsecurity.org/tracker/browse/CORERULES-20
23 - Fixed multipart parsing evasion issues by adding strict parsing rules
24 https://www.modsecurity.org/tracker/browse/CORERULES-21
25 - Fixed typo in xss rules (missing |)
26 https://www.modsecurity.org/tracker/browse/CORERULES-22
27 - Fixed regex text in IE8 XSS filters (changed to lowercase)
28 https://www.modsecurity.org/tracker/browse/CORERULES-23
30 --------------------------
31 Version 2.0.2 - 09/11/2009
32 --------------------------
35 - Added converted PHPIDS signatures (https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml)
36 https://www.modsecurity.org/tracker/browse/CORERULES-13
39 - Rule 958297 - Fixed Comment SPAM UA false positive that triggered only on mozilla.
40 https://www.modsecurity.org/tracker/browse/CORERULES-15
42 --------------------------
43 Version 2.0.1 - 08/07/2009
44 --------------------------
47 - Updated the transformation functions used in the XSS/SQLi rules to improve performance
48 https://www.modsecurity.org/tracker/browse/CORERULES-10
50 - Updated the variable/target list in the XSS rules
51 https://www.modsecurity.org/tracker/browse/CORERULES-11
53 - Added XSS Filters from IE8
54 https://www.modsecurity.org/tracker/browse/CORERULES-12
57 - Rule 958297 - Fixed unescaped double-quote issue in Comment SPAM UA rule.
58 https://www.modsecurity.org/tracker/browse/CORERULES-9
60 --------------------------
61 Version 2.0.0 - 07/29/2009
62 --------------------------
66 The rules have been split to having one signature per rule instead of having
67 all signatures combined into one optimized regular expression.
68 This should allow you to modify/disable events based on specific patterns
69 instead of having to deal with the whole rule.
70 - Converted Snort Rules
71 Emerging Threat web attack rules have been converted.
72 http://www.emergingthreats.net/
73 - Anomaly Scoring Mode Option
74 The rules have been updated to include anomaly scoring variables which allow
75 you to evaluate the score at the end of phase:2 and phase:5 and decide on what
76 logging and disruptive actions to take based on the score.
78 There are rules in phase:5 that will provide some correlation between inbound
79 events and outbound events and will provide a result of successful atttack or
81 - Updated Severity Ratings
82 The severity ratings in the rules have been updated to the following:
83 - 0: Emergency - is generated from correlation where there is an inbound attack and
85 - 1: Alert - is generated from correlation where there is an inbound attack and an
86 outbound application level error.
87 - 2: Critical - is the highest severity level possible without correlation. It is
88 normally generated by the web attack rules (40 level files).
89 - 3: Error - is generated mostly from outbound leakabe rules (50 level files).
90 - 4: Warning - is generated by malicious client rules (35 level files).
91 - 5: Notice - is generated by the Protocol policy and anomaly files.
92 - 6: Info - is generated by the search engine clients (55 marketing file).
93 - Updated Comment SPAM Protections
94 Updated rules to include RBL lookups and client fingerprinting concepts from
95 Bad Behavior (www.bad-behavior.ioerror.us)
96 - Creation of Global Collection
97 Automatically create a Global collection in the *10* config file. Other rules
100 Updated the rules to use the "block" action. This allows the Admin to globally
101 set the desired block action once with SecDefaultAction in the *10* config file
102 rather than having to edit the disruptive actions in all of the rules or for
103 the need to have multiple versions of the rules (blocking vs. non-blocking).
104 - "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."
105 http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
106 - Added new generic RFI detection rules.
107 http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
108 - "Possibly malicious iframe tag in output" (Rules 981001,981002)
109 Planting invisible iframes in a site can be used by attackers to point users
110 from the victim site to their malicious site. This is actually as if the
111 user was visiting the attacker's site himself, causing the user's browser to
112 process the content in the attacker's site.
115 - Rule 960019 - Expect Header Not Allowed.
116 - Rule 960020 - Pragma Header Requires Cache-Control Header
117 - Rule 958290 - Invalid Character in Request - Browsers should not send the (#) character
118 as it is reserved for use as a fragment identifier within the html page.
119 - Rule 958291 - Range: field exists and begins with 0.
120 - Rule 958292 - Invalid Request Header Found.
121 - Rule 958293 - Lowercase Via Request Header Found.
122 - Rule 958294 - Common SPAM Proxies found in Via Request Header.
123 - Rule 958295 - Multiple/Conflicting Connection Header Data Found.
124 - Rule 958296 - Request Indicates a SPAM client accessed the Site.
125 - Rule 958297 - Common SPAM/Email Harvester crawler.
126 - Rule 958298 - Common SPAM/Email Harvester crawler
129 - Rule 950107 - Split the rule into 2 separate rules to factor in the
130 Content-Type when inspecting the REQUEST_BODY variable.
131 - Rule 960017 - Bug fix for when having port in the host header.
132 - Rule 960014 - Bug fix to correlate the SERVER_NAME variable.
133 - Rule 950801 - Increased the logic so that the rule will only run if the web site
135 - Rules 999210,999211 - Bug fix to move ctl actions to last rule, add OPTIONS and
136 allow the IPv6 loopback address
137 - Rule 950117 - Updated the RFI logic to factor in both a trailing "?" in the ARG
138 and to identify offsite hosts by comparing the ARG URI to the Host
139 header. Due to this rule now being stronger, moved it from optional
140 tight security rule to *40* generic attacks file.
143 - Added more HTTP Protocol violations to *20* file.
144 - Set the SecDefaultAction in the *10* config file to log/pass (This was the
145 default setting, however this sets it explicitly.
146 - Added SecResponseBodyLimitAction ProcessPartial to the *10* config file. This
147 was added so that when running the SecRuleEngine in DetectionOnly mode, it will
148 not deny response bodies that go over the size restrictions.
149 - Changed SecServerSignature to "Apache/1.3.28"
150 - Fixed the use of SkipAfter and SecMarkers to make it consistent. Now have
151 BEGIN and END SecMarkers for rule groups to more accurately allow moving to
153 - Fixed the @pm/@pmFromFile pre-qualifier logic to allow for operator inversion.
154 This removes the need for some SecAction/SkipAfter rules.
155 - Updated rule formatting to easily show rule containers (SecMarkers, pre-qualifier
156 rules and chained rules).
158 --------------------------
159 Version 1.6.1 - 2008/04/22
160 --------------------------
162 - Fixed a bug where phases and transformations where not specified explicitly
163 in rules. The issue affected a significant number of rules, and we strongly
164 recommend to upgrade.
166 --------------------------
167 Version 1.6.0 - 2008/02/19
168 --------------------------
170 New Rulesets & Features:
171 - 42 - Tight Security
172 This ruleset contains currently 2 rules which are considered highly prone
173 to FPs. They take care of Path Traversal attacks, and RFI attacks. This
174 ruleset is included in the optional_rulesets dir
176 Comment Spam is used by the spammers to increase their rating in search
177 engines by posting links to their site in other sites that allow posting
178 of comments and messages. The rules in this ruleset will work against that.
179 (Requires ModSecurity 2.5)
181 A single type of attack is often detected by multiple rules. The new alert
182 classification tags solve this issue by providing an alternative alert type
183 indication and can serve for filtering and analysis of audit logs.
184 The classification tags are hierarchical with slashes separating levels.
185 Usually there are two levels with the top level describing the alert group
186 and the lower level denoting the alert type itself, for example:
187 WEB_ATTACK/SQL_INJECTION.
189 False Positives Fixes:
190 - Rule 960903 - Moved to phase 4 instead of 5 to avoid FPs
191 - Rule 950107 - Will look for invalid url decoding in variables that are not
192 automatically url decoded
194 Additional rules logic:
195 - Using the new "logdata" action for logging the matched signature in rules
196 - When logging an event once, init the collection only if the alert needs to log
197 - Using the new operator @pm as a qualifier before large rules to enhance
198 performance (Requires ModSecurity 2.5)
199 - SQL injection - A smarter regexp is used to detect 1=1,2=2,etc.. and not
200 only 1=1. (Thanks to Marc Stern for the idea)
201 - New XSS signatures - iframe & flash XSS
204 -------------------------
205 Version 1.5.1 - 2007/12/6
206 -------------------------
208 False Positives Fixes:
209 - Protocol Anomalies (file 21) - exception for Apache SSL pinger (Request: GET /)
212 - 960019 - Detect HTTP/0.9 Requests
213 HTTP/0.9 request are not common these days. This rule will log by default,
214 and block in the blocking version of file 21
217 - File 40, Rules 950004,950005 - Repaired the correction for the double
219 - File 55 contained empty regular expressions. Fixed.
221 ------------------------
222 Version 1.5 - 2007/11/23
223 ------------------------
226 - 23 - Request Limits
227 "Judging by appearances". This rulesets contains rules blocking based on
228 the size of the request, for example, a request with too many arguments
231 Default policy changes:
232 - XML protection off by default
233 - BLOCKING dir renamed to optional_rules
234 - Ruleset 55 (marketing) is now optional (added to the optional_rules dir)
235 - Ruleset 21 - The exception for apache internal monitor will not log anymore
238 - 960912 - Invalid request body
239 Malformed content will not be parsed by modsecurity, but still there might
240 be applications that will parse it, ignoring the errors.
241 - 960913 - Invalid Request
242 Will trigger a security event when request was rejected by apache with
243 code 400, without going through ModSecurity rules.
245 Additional rules logic:
246 - 950001 - New signature: delete from
247 - 950007 - New signature: waitfor delay
249 False Positives Fixes:
250 - 950006 - Will not be looking for /cc pattern in User-Agent header
251 - 950002 - "Internet Explorer" signature removed
252 - Double decoding bug used to cause FPs. Some of the parameters are already
253 url-decoded by apache. This caused FPs when the rule performed another
254 url-decoding transformation. The rules have been split so that parameters
255 already decoded by apache will not be decoded by the rules anymore.
256 - 960911 - Expression is much more permissive now
257 - 950801 - Commented out entirely. NOTE: If your system uses UTF8 encoding,
258 then you should uncomment this rule (in file 20)
260 --------------------------
261 version 1.4.3 - 2007/07/21
262 --------------------------
265 - 950012 - HTTP Request Smuggling
266 For more info on this attack:
267 http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
268 - 960912 - Invalid request body
269 Malformed content will not be parsed by modsecurity, but still there might
270 be applications that will parse it, ignoring the errors.
271 - 960913 - Invalid Request
272 Will trigger a security event when request was rejected by apache with
273 code 400, without going through ModSecurity rules.
275 False Positives Fixes:
276 - 950107 - Will allow a % sign in the middle of a string as well
277 - 960911 - A more accurate expression based on the rfc:
278 http://www.ietf.org/rfc/rfc2396.txt
279 - 950015 - Will not look for http/ pattern in the request headers
281 Additional rules logic:
282 - Since Apache applies scope directives only after ModSecurity phase 1
283 this directives cannot be used to exclude phase 1 rules. Therefore
284 we moved all inspection rules to phase 2.
287 --------------------------------
288 version 1.4 build 2 - 2007/05/17
289 --------------------------------
292 - Search for signatures in XML content
293 XML Content will be parsed and ispected for signatures
296 - 950116 - Unicode Full/Half Width Abuse Attack Attempt
297 Full-width unicode can by used to bypass content inspection. Such encoding will be forbidden
298 http://www.kb.cert.org/vuls/id/739224
299 - 960911 - Invalid HTTP request line
300 Enforce request line to be valid, i.e.: <METHOD> <path> <HTTP version>
301 - 960904 - Request Missing Content-Type (when there is content)
302 When a request contains content, the content-type must be specified. If not, the content will not be inspected
303 - 970018 - IIS installed in default location (any drive)
304 Log once if IIS in installed in the /Inetpub directory (on any drive, not only C)
305 - 950019 - Email Injection
306 Web forms used for sending mail (such as "tell a friend") are often manipulated by spammers for sending anonymous emails
308 Regular expressions fixes:
309 - Further optimization of some regular expressions (using the non-greediness operator)
310 The non-greediness operator, <?>, prevents excessive backtracking
313 - Rule 950107 - Will allow a parameter to end in a % sign from now on
315 ------------------------
316 version 1.4 - 2007/05/02
317 ------------------------
320 - 970021 - WebLogic information disclosure
321 Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
322 - 950015,950910,950911 - HTTP Response Splitting
323 Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent white paper:
324 http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
325 ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
326 - 960902 - Content-Encoding in request not supported
327 Any incoming compressed request will be denied
328 - 960903 - Content-Encoding in response not suppoted
329 An outgoing compressed response will be logged to alert, but ONLY ONCE.
331 False Positives Fixes:
332 - Removed <.exe>,<.shtml> from restricted extensions
333 - Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
334 - Excluded Referer header from SQL injection, XSS and command injection rules
335 - Excluded X-OS-Prefs header from command injection rule
336 - Will be looking for command injection signatures in
337 REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
338 - Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type
340 Additional rules logic:
341 - Corrected match of OPTIONS method in event 960015
342 - Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
343 - Moved all rules apart from method inspection from phase 1 to phase 2 -
344 This will enable viewing content if such a rule triggers as well as setting
345 exceptions using Apache scope tags.
346 - Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
347 - Added 1=1 signature (SQL Injection)
349 --------------------------------
350 version 1.3.2 build 4 2007/01/17
351 --------------------------------
353 Fixed apache 2.4 dummy requests exclusion
354 Added persistent PDF UXSS detection rule
356 --------------------------------
357 Version 1.3.2 build 3 2007/01/10
358 --------------------------------
360 Fixed regular expression in rule 960010 (file #30) to allow multipart form data
363 --------------------------
364 Version 1.3.2 - 2006/12/27
365 --------------------------
368 - 960037 Directory is restricted by policy
369 - 960038 HTTP header is restricted by policy
371 Regular expressions fixes:
372 - Regular expressions with @ at end of beginning (for example "@import)
373 - Regular expressions with un-escaped "."
374 - Command Injections now always require certain characters both before and after the command. Important since many are common English words (finger, mail)
375 - The command injection wget is not searched in the UA header as it has different meaning there.
376 - LDAP Fixed to reduce FPs:
377 + More accurate regular expressions
378 + high bit characters not accpeted between signature tokens.
379 - Do not detect <?xml as a PHP tag in both PHP injection and PHP source leakage
380 - Removed Java from automation UA
381 - When validating encoding, added regexp based chained rule that accepts both %xx and %uxxxxx encoding bypassing a limitation of "@validateUrlEncoding"
383 Additional rules logic:
384 - Checks for empty headers in addition to missing ones (Host, Accept and User-Agent)
385 - OPTIONS method does not require an accept header.
386 - Apache keep alive request exception.
387 - PROPFIND and OPTIONS can be used without content-encoding (like HEAD and GET)
388 - Validate byte range checks by default only that no NULL char exists.
389 - Added CSS to allowed extensions in strict rule sets.
390 - Changed default action in file #50 to pass instead of deny.
391 - Moved IP host header from protocol violations to protocol anomalies.
393 Modified descriptions:
394 - 950107: URL Encoding Abuse Attack Attempt
395 - 950801: UTF8 Encoding Abuse Attack Attempt
396 - Added matched pattern in many events using capture and %{TX.0}
397 - Added ctl:auditLogParts=+E for outbound events and attacks to collect response.
399 ------------------------
400 Version 1.2 - 2006/11/19
401 ------------------------
404 + Move all events to the range of events allocated to Thinking Stone, now Breach
405 by prefixing all event IDs with "9".
406 + Reverse severities to follow the Syslog format used by ModSecurity, now 1 is
407 the highest and 5 the lowest.
410 + Removed quotes from list of mime types inspected on exit (directive
411 SecResponseBodyMimeType)
412 + Corrected "cd .." signature. Now the periods are escaped.
413 + Too many FPs with events 950903 & 950905. Commented them out until fixed.
415 ------------------------
416 Version 1.1 - 2006/10/18
417 ------------------------