Updates for CRS v3.0.0

CHANGES

@@ -3,6 +3,19 @@
 == Report Bugs/Issues to GitHub Issues Tracker ==
 * https://github.com/SpiderLabs/owasp-modsecurity-crs/issues
 
+
+== Version 3.0.0 - 06/03/2013 ==
+
+Security Fixes:
+
+Improvements:
+* Added new IP Reputation Checks.
+* Updated "phase" actions to use request/response/logging aliases.
+* Updated "severity" action to use words (CRITICAL, WARNING, etc...) vs. numbers (5, 4, etc..) 
+
+Bug Fixes:
+
+
 == Version 2.2.7 - 12/19/2012 ==
 
 Security Fixes:

README.md

@@ -3,7 +3,7 @@
 ModSecurity™ is a web application firewall engine that provides very little protection on its own. In order to become useful, ModSecurity™ must be configured with rules. In order to enable users to take full advantage of ModSecurity™ out of the box, Trustwave's SpiderLabs is sponsoring and maintaining a free certified rule set for the community. Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the OWASP ModSecurity Core Rule Set provides generic protection from unknown vulnerabilities often found in web applications, which are in most cases custom coded. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity™.
 
 ## Licensing
-(c) 2006-2012 Trustwave 
+(c) 2006-2013 Trustwave 
 
 The ModSecurity Core Rule Set is provided to you under the terms and 
 conditions of Apache Software License Version 2 (ASLv2)

base_rules/10-REQUEST-IP-REPUTATION.conf

@@ -0,0 +1,115 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.3.0.0
+# Copyright (C) 2006-2013 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under 
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+#
+# -=[ GeoIP Checks ]=-
+#
+# This rule requires that have activated the SecGeoLookupDb directive
+# in the modsecurity_crs_10_setup.conf file and specified HIGH Risk
+# country codes.
+#
+# This rule does a GeoIP resolution o
+SecRule REMOTE_ADDR "@geoLookup" \
+ "msg:'Client IP is from a HIGH Risk Country Location.',\
+  severity:'WARNING',\
+  id:'900050',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS'\
+  chain"
+  SecRule GEO:COUNTRY_CODE "@pm %{tx.high_risk_country_codes}" \
+   "setvar:'tx.msg=%{rule.msg}',\
+    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+    setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+#
+# -=[ IP Reputation Checks ]=-
+#
+# ModSecurity Rules from Trustwave SpiderLabs: IP Blacklist Alert 
+# Ref: https://www.trustwave.com/modsecurity-rules-support.php
+#
+# This rule checks the client IP address against a list of recent IPs captured
+# from the SpiderLabs web honeypot systems (last 48 hours).
+#
+#SecRule REMOTE_ADDR "@ipMatchFromFile ip_blacklist.txt" \
+  "msg:'Client IP in Trustwave SpiderLabs Blacklist.',\
+  severity:'CRITICAL',\
+  id:'900051',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+
+#
+# First check if we have already run an @rbl check for this IP by checking in IP collection.
+# If we have, then skip doing another check.
+#
+SecRule IP:PREVIOUS_RBL_CHECK "@eq 1" \
+  "id:'900051',\
+  phase:request,\
+  nolog,\
+  pass,\
+  t:none,\ 
+  skipAfter:END_RBL_LOOKUP"
+
+#
+# Check Client IP against ProjectHoneypot's HTTP Blacklist
+# Ref: http://www.projecthoneypot.org/httpbl_api.php
+#
+# Must register for an HttpBL API Key and configure SecHttpBlKey directive
+# in the modsecurity_crs_10_setup.conf file.
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
+# 
+#SecRule REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
+  "msg:'HTTP Blacklist match for client IP.',\
+  severity:'CRITICAL',\
+  id:'981138',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
+  setvar:ip.malicious_client=1,\
+  expirevar:ip.malicious_client=86400,\
+  setvar:ip.previous_rbl_check=1,\
+  expirevar:ip.previous_rbl_check=86400,\
+  skipAfter:END_RBL_CHECK"
+
+SecAction \
+  "id:'981139',\
+  phase:request,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:ip.previous_rbl_check=1,\
+  expirevar:ip.previous_rbl_check=86400"
+
+SecMarker END_RBL_LOOKUP
+
+SecRule IP:MALICIOUS_CLIENT "@eq 1" \
+  "msg:'Request from Known Malicious Client (Previous RBL Match).',\
+  severity:'CRITICAL',\
+  id:'981140',\
+  phase:request,\
+  block,\
+  t:none,\
+  tag:'AUTOMATION/MALICIOUS',\
+  setvar:'tx.msg=%{rule.msg}',\
+  setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
+  setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+
+SecMarker END_RBL_CHECK
+