Merge pull request #41 from SpiderLabs/master

Moving v3.0.0 updates to TRUNK branch

CHANGELOG → CHANGES

@@ -1,9 +1,25 @@
-== OWASP ModSecurity Core Rule Set (CRS) JIRA CHANGELOG ==
-* https://www.modsecurity.org/tracker/browse/CORERULES
+== OWASP ModSecurity Core Rule Set (CRS) CHANGES ==
+
+== Report Bugs/Issues to GitHub Issues Tracker ==
+* https://github.com/SpiderLabs/owasp-modsecurity-crs/issues
+
+
+== Version 3.0.0 - 06/03/2013 ==
+
+Security Fixes:
+
+Improvements:
+* Added new IP Reputation Checks.
+* Updated "phase" actions to use request/response/logging aliases.
+* Updated "severity" action to use words (CRITICAL, WARNING, etc...) vs. numbers (5, 4, etc..) 
+
+Bug Fixes:
 
 
 == Version 2.2.7 - 12/19/2012 ==
 
+Security Fixes:
+
 Improvements:
 * Added JS Overrides file to identify successfull XSS probes 
 * Added new XSS Detection Rules from Ashar Javed (http://twitter.com/soaj1664ashar)
@@ -19,6 +35,8 @@ Bug Fixes:
 
 == Version 2.2.6 - 09/14/2012 ==
 
+Security Fixes:
+
 Improvements:
 * Started rule formatting update for better readability
 * Added maturity and accuracy action data to each rule
@@ -40,6 +58,14 @@ Bug Fixes:
 
 == Version 2.2.5 - 06/14/2012 ==
 
+Security Fixes:
+* Updated the anomaly scoring value for rule ID 960000 to critical
+  (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
+  (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses)
+* Updated Content-Type check to fix possible evasion with @within
+  (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
+  (https://community.qualys.com/blogs/securitylabs/2012/06/15/modsecurity-and-modsecurity-core-rule-set-multipart-bypasses)
+
 Improvements:
 * Renamed main config file to modsecurity_crs_10_setup.conf
 * Updated the rule IDs to start from CRS reserved range: 900000
@@ -52,15 +78,10 @@ Improvements:
 
 Bug Fixes:
 * Added forceRequestBodyVariable action to rule ID 960904
-* Updated the anomaly scoring value for rule ID 960000 to critical
-  (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
-* Updated Content-Type check to fix possible evasion with @within
-  (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))
 
 
 == Version 2.2.4 - 03/14/2012 ==
 
-
 Improvements:
 * Added Location and Set-Cookie checks to Response Splitting rule ID 950910
 * Added a README file to the activated_rules directory
@@ -77,7 +98,6 @@ Bug Fixes:
 
 == Version 2.2.3 - 12/19/2011 ==
 
-
 Improvements:
 * Added Watcher Cookie Checks to optional_rules/modsecurity_crs_55_appication_defects.conf file
   http://websecuritytool.codeplex.com/wikipage?title=Checks#cookies 

README.md

@@ -3,7 +3,7 @@
 ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is sponsoring and maintaining a free certified rule set for the community. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the OWASP ModSecurity Core Rule Set provides generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity™.
 
 ## Licensing
-(c) 2006-2012 Trustwave 
+(c) 2006-2013 Trustwave 
 
 The ModSecurity Core Rule Set is provided to you under the terms and 
 conditions of Apache Software License Version 2 (ASLv2)

base_rules/10-REQUEST-IP-REPUTATION.conf

@@ -0,0 +1,115 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.3.0.0
+# Copyright (C) 2006-2013 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+#
+# -=[ GeoIP Checks ]=-
+#
+# This rule requires that have activated the SecGeoLookupDb directive
+# in the modsecurity_crs_10_setup.conf file and specified HIGH Risk
+# country codes.
+#
+# This rule does a GeoIP resolution o
+SecRule REMOTE_ADDR "@geoLookup" \
+ "msg:'Client IP is from a HIGH Risk Country Location.',\
+  severity:'WARNING',\
+  id:'900050',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS'\
+  chain"
+  SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}" \
+   "setvar:'tx.msg=%{rule.msg}',\
+    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+    setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+#
+# -=[ IP Reputation Checks ]=-
+#
+# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert 
+# Ref: https://www.trustwave.com/modsecurity-rules-support.php
+#
+# This rule checks the client IP address against a list of recent IPs captured
+# from the SpiderLabs web honeypot systems (last 48 hours).
+#
+#SecRule REMOTE_ADDR "@ipMatchFromFile ip_blacklist.txt" \
+  "msg:'Client IP in Trustwave SpiderLabs Blacklist.',\
+  severity:'CRITICAL',\
+  id:'900051',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# First check if we have already run an @rbl check for this IP by checking in IP collection.
+# If we have, then skip doing another check.
+#
+SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
+  "id:'900051',\
+  phase:request,\
+  nolog,\
+  pass,\
+  t:none,\ 
+  skipAfter:END_RBL_LOOKUP"
+
+#
+# Check Client IP against ProjectHoneypot's HTTP Blacklist
+# Ref: http://www.projecthoneypot.org/httpbl_api.php
+#
+# Must register for an HttpBL API Key and configure SecHttpBlKey directive
+# in the modsecurity_crs_10_setup.conf file.
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
+# 
+#SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
+  "msg:'HTTP Blacklist match for client IP.',\
+  severity:'CRITICAL',\
+  id:'981138',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
+  setvar:ip.malicious_client=1,\
+  expirevar:ip.malicious_client=86400,\
+  setvar:ip.previous_rbl_check=1,\
+  expirevar:ip.previous_rbl_check=86400,\
+  skipAfter:END_RBL_CHECK"
+
+SecAction \
+  "id:'981139',\
+  phase:request,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:ip.previous_rbl_check=1,\
+  expirevar:ip.previous_rbl_check=86400"
+
+SecMarker END_RBL_LOOKUP
+
+SecRule IP:MALICIOUS_CLIENT "@eq 1" \
+  "msg:'Request from Known Malicious Client (Previous RBL Match).',\
+  severity:'CRITICAL',\
+  id:'981140',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_RBL_CHECK
+

base_rules/modsecurity_crs_41_sql_injection_attacks.conf

@@ -220,7 +220,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:merge.*?using\s*?\()|(execute\s*?immediate\s*?[\"'`´’‘])|(?:\W+\d*?\s*?having\s*?[^\s\-])|(?:match\s*?[\w(),+-]+\s*?against\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects MATCH AGAINST, MERGE, EXECUTE IMMEDIATE and HAVING injections',id:'981256',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s*?[\[\]()\s\w\.,\"'`´’‘-]+from)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:union\s*?(?:all|distinct|[(!@]*?)?\s*?[([]*?\s*?select\s+)|(?:\w+\s+like\s+[\"'`´’‘])|(?:like\s*?[\"'`´’‘]\%)|(?:[\"'`´’‘]\s*?like\W*?[\"'`´’‘\d])|(?:[\"'`´’‘]\s*?(?:n?and|x?x?or|div|like|between|and|not |\|\||\&\&)\s+[\s\w]+=\s*?\w+\s*?having\s+)|(?:[\"'`´’‘]\s*?\*\s*?\w+\W+[\"'`´’‘])|(?:[\"'`´’‘]\s*?[^?\w\s=.,;)(]+\s*?[(@\"'`´’‘]*?\s*?\w+\W+\w)|(?:select\s+?[\[\]()\s\w\.,\"'`´’‘-]+from\s+)|(?:find_in_set\s*?\())" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Detects basic SQL authentication bypass attempts 2/3',id:'981245',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:(union(.*?)select(.*?)from)))" "phase:2,capture,t:none,t:urlDecodeUni,block,msg:'Looking for basic sql injection. Common attack string for mysql, oracle and others.',id:'981276',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',severity:'2',setvar:'tx.msg=%{rule.id}-%{rule.msg}',setvar:tx.sql_injection_score=+1,setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:'tx.%{tx.msg}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
 

experimental_rules/modsecurity_crs_16_scanner_integration.conf

@@ -20,14 +20,14 @@
 #
 # Update the remote IP address for your Arachni RPC host
 #
-SecRule REMOTE_ADDR "@ipMatch 192.168.168.128" "chain,phase:1,t:none,nolog,pass"
-       SecRule REQUEST_HEADERS:User-Agent "@beginsWith Arachni/" "ctl:ruleEngine=Off"
+#SecRule REMOTE_ADDR "@ipMatch 192.168.168.128" "chain,id:'900030',phase:1,t:none,nolog,pass"
+#       SecRule REQUEST_HEADERS:User-Agent "@beginsWith Arachni/" "ctl:ruleEngine=Off"
 
 #
 # -=[ Initiate Arachni Scan on 1st URL Access ]=-
 # 
 # Update the path to the arachni_integration.lua script
 #
-SecRule &RESOURCE:ARACHNI_SCAN_COMPLETED "@eq 0" "chain,phase:5,t:none,log,pass"
-       SecRule &ARGS "@gt 0" "exec:/etc/apache2/modsecurity-crs/lua/arachni_integration.lua"
+#SecRule &RESOURCE:ARACHNI_SCAN_COMPLETED "@eq 0" "chain,id:'900031',phase:5,t:none,log,pass"
+#       SecRule &ARGS "@gt 0" "exec:/etc/apache2/modsecurity-crs/lua/arachni_integration.lua"
 

experimental_rules/modsecurity_crs_40_http_parameter_pollution.conf

@@ -33,10 +33,10 @@
 # http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html
 #  
 
-SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'960022',rev:'2.2.7',setvar:tx.%{matched_var_name}=+1"
-        SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none"
-                SecRule MATCHED_VAR_NAME "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}"
-			SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'"
-        			SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}"
-                			SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"
+SecRule ARGS "^" "chain,phase:2,t:none,nolog,pass,capture,id:'900032',rev:'2.2.7',setvar:tx.%{matched_var_name}=+1"
+  SecRule TX:/^ARGS:/ "@gt 1" "chain,t:none"
+    SecRule MATCHED_VARS_NAMES "TX:(ARGS:.*)" "chain,capture,t:none,setvar:tx.hpp_names=%{tx.1}"
+      SecRule ARGS ".*" "chain,t:none,capture,setvar:tx.arg_counter=+1,setvar:'tx.hppnamedata_%{tx.arg_counter}=%{matched_var_name}=%{tx.0}'"
+        SecRule TX:/HPPNAMEDATA_/ "@contains %{tx.hpp_names}" "chain,setvar:tx.hpp_counter=+1,setvar:tx.hpp_counter_%{tx.hpp_counter}=%{matched_var}"
+          SecRule TX:/HPP_COUNTER_/ "ARGS:(.*)?=(.*)" "capture,setvar:'tx.hpp_data=%{tx.hpp_data},%{tx.2}'"