custom http/server confs and better modsec customization

Dockerfile

@@ -15,7 +15,7 @@ RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl &
     mkdir /www && \
     adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
 
-VOLUME /www /confs
+VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs
 
 EXPOSE 80/tcp 443/tcp
 

confs/modsecurity-rules.conf

@@ -54,6 +54,10 @@ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 SecAuditLogType Serial
 SecAuditLog /var/log/modsec_audit.log
 
+# include custom rules
+%MODSECURITY_INCLUDE_CUSTOM_RULES%
+
 # include OWASP CRS rules
-include /etc/nginx/owasp-crs.conf
-include /etc/nginx/owasp-crs/*.conf
+%MODSECURITY_INCLUDE_CRS%
+%MODSECURITY_INCLUDE_CUSTOM_CRS%
+%MODSECURITY_INCLUDE_CRS_RULES%

confs/nginx.conf

@@ -75,4 +75,7 @@ http {
 
 	# enable/disable ModSecurity
 	%USE_MODSECURITY%
+
+	# custom http confs
+	include /http-confs/*.conf;
 }

confs/owasp-crs.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -354,11 +354,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  nolog,\
 #  pass,\
 #  t:none,\
+#  setvar:tx.crs_exclusions_cpanel=1,\
 #  setvar:tx.crs_exclusions_drupal=1,\
-#  setvar:tx.crs_exclusions_wordpress=1,\
-#  setvar:tx.crs_exclusions_nextcloud=1,\
 #  setvar:tx.crs_exclusions_dokuwiki=1,\
-#  setvar:tx.crs_exclusions_cpanel=1"
+#  setvar:tx.crs_exclusions_nextcloud=1,\
+#  setvar:tx.crs_exclusions_wordpress=1,\
+#  setvar:tx.crs_exclusions_xenforo=1"
 
 #
 # -- [[ HTTP Policy Settings ]] ------------------------------------------------
@@ -389,7 +390,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Content-Types that a client is allowed to send in a request.
 # Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
 # application/xml|application/soap+xml|application/x-amf|application/json|\
-# application/octet-stream|text/plain
+# application/octet-stream|application/csp-report|\
+# application/xss-auditor-report|text/plain
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900220,\
@@ -397,20 +399,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
-
-# Content-Types charsets that a client is allowed to send in a request.
-# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
-# Uncomment this rule to change the default.
-# Use "|" to separate multiple charsets like in the rule defining
-# tx.allowed_request_content_type.
-#SecAction \
-# "id:900270,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
+#  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
 
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@@ -428,8 +417,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
+# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900240,\
@@ -437,7 +426,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 
 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
@@ -465,6 +454,18 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  t:none,\
 #  setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
 
+# Content-Types charsets that a client is allowed to send in a request.
+# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
+# Uncomment this rule to change the default.
+# Use "|" to separate multiple charsets like in the rule defining
+# tx.allowed_request_content_type.
+#SecAction \
+# "id:900280,\
+#  phase:1,\
+#  nolog,\
+#  pass,\
+#  t:none,\
+#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
 
 #
 # -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
@@ -779,52 +780,6 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 SecCollectionTimeout 600
 
 
-#
-# -- [[ Debug Mode ]] ----------------------------------------------------------
-#
-# To enable rule development and debugging, CRS has an optional debug mode
-# that does not block a request, but instead sends detection information
-# back to the HTTP client.
-#
-# This functionality is currently only supported with the Apache web server.
-# The Apache mod_headers module is required.
-#
-# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
-# response headers whenever a debug client makes a request. Example:
-#
-#   # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
-#   X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
-#                TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
-#                TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
-#   X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
-#
-# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
-# This file resides in a separate folder, as it is not compatible with
-# nginx and IIS.
-#
-# You must specify the source IP address/network where you will be running the
-# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
-# response headers as specified above. Be careful to only list your private
-# IP addresses/networks here.
-#
-# Tip: for regression testing of CRS or your own ModSecurity rules, you may
-# be interested in using the OWASP CRS regression testing suite instead.
-# View the file util/regression-tests/README for more information.
-#
-# Uncomment these rules, filling in your CRS path and the source IP address,
-# to enable debug mode:
-#
-#Include /path/to/crs/util/debug/RESPONSE-981-DEBUG.conf
-#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-# "id:900980,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  ctl:ruleEngine=DetectionOnly,\
-#  setvar:tx.crs_debug_mode=1"
-
-
 #
 # -- [[ End of setup ]] --------------------------------------------------------
 #
@@ -842,4 +797,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:tx.crs_setup_version=311"
+  setvar:tx.crs_setup_version=320"

confs/owasp-crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -141,7 +141,7 @@
 #     phase:2,\
 #     pass,\
 #     nolog,\
-#     ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
+#     ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
 
 #
 # Example Exclusion Rule: Removing a range of rules

confs/owasp-crs/REQUEST-901-INITIALIZATION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -21,11 +21,11 @@
 #
 # Rule version data is added to the "Producer" line of Section H of the Audit log:
 #
-# - Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.1.1.
+# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
 #
 # Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
 #
-SecComponentSignature "OWASP_CRS/3.1.1"
+SecComponentSignature "OWASP_CRS/3.2.0"
 
 #
 # -=[ Default setup values ]=-
@@ -168,7 +168,7 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
     phase:1,\
     pass,\
     nolog,\
-    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
+    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain'"
 
 # Default HTTP policy: allowed_request_content_type_charset (rule 900270)
 SecRule &TX:allowed_request_content_type_charset "@eq 0" \
@@ -192,7 +192,7 @@ SecRule &TX:restricted_extensions "@eq 0" \
     phase:1,\
     pass,\
     nolog,\
-    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
 
 # Default HTTP policy: restricted_headers (rule 900250)
 SecRule &TX:restricted_headers "@eq 0" \
@@ -218,7 +218,6 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
     nolog,\
     setvar:'tx.enforce_bodyproc_urlencoded=0'"
 
-
 #
 # -=[ Initialize internal variables ]=-
 #
@@ -298,7 +297,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     msg:'Enabling body inspection',\
     tag:'paranoia-level/1',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/3.1.1'"
+    ver:'OWASP_CRS/3.2.0'"
 
 # Force body processor URLENCODED
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -309,7 +308,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     nolog,\
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"

confs/owasp-crs/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -117,8 +117,8 @@ SecRule REQUEST_FILENAME "@endsWith /core/install.php" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass1],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:account[pass][pass2]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass1],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:account[pass][pass2]"
 
 SecRule REQUEST_FILENAME "@endsWith /user/login" \
     "id:9001112,\
@@ -126,24 +126,24 @@ SecRule REQUEST_FILENAME "@endsWith /user/login" \
     pass,\
     t:none,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:pass"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass"
 
 SecRule REQUEST_FILENAME "@endsWith /admin/people/create" \
     "id:9001114,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2]"
 
 SecRule REQUEST_FILENAME "@rx /user/[0-9]+/edit$" \
     "id:9001116,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:current_pass,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass1],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:pass[pass2]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:current_pass,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass1],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass[pass2]"
 
 
 #
@@ -171,14 +171,14 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/people/accounts" \
     nolog,\
     ctl:ruleRemoveById=920271,\
     ctl:ruleRemoveById=942440,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_cancel_confirm_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_password_reset_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_admin_created_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_no_approval_required_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_register_pending_approval_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_activated_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_blocked_body,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:user_mail_status_canceled_body"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_cancel_confirm_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_password_reset_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_admin_created_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_no_approval_required_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_register_pending_approval_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_activated_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_blocked_body,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:user_mail_status_canceled_body"
 
 SecRule REQUEST_FILENAME "@endsWith /admin/config/development/configuration/single/import" \
     "id:9001126,\
@@ -242,8 +242,8 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:editor[settings][toolbar][button_groups],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:filters[filter_html][settings][allowed_html]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:editor[settings][toolbar][button_groups],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filters[filter_html][settings][allowed_html]"
 
 
 #
@@ -296,7 +296,7 @@ SecRule REQUEST_METHOD "@streq POST" \
         "chain"
         SecRule REQUEST_HEADERS:Content-Length "@gt 31486341" \
             "chain"
-	    SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
+            SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
                 "chain"
                 SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                     "ctl:requestBodyAccess=Off"
@@ -316,7 +316,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/article" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
     ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
 
 SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
@@ -324,7 +324,7 @@ SecRule REQUEST_FILENAME "@endsWith /node/add/page" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
     ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id]"
 
 SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
@@ -332,7 +332,7 @@ SecRule REQUEST_FILENAME "@rx /node/[0-9]+/edit$" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value],\
     ctl:ruleRemoveTargetById=942410;ARGS:uid[0][target_id],\
     ctl:ruleRemoveTargetById=932110;ARGS:destination"
 
@@ -341,42 +341,42 @@ SecRule REQUEST_FILENAME "@endsWith /block/add" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:body[0][value]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:body[0][value]"
 
 SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/basic" \
     "id:9001208,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:description"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:description"
 
 SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
     "id:9001210,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:value"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:value"
 
 SecRule REQUEST_FILENAME "@rx /user/[0-9]+/contact$" \
     "id:9001212,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:message[0][value]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message[0][value]"
 
 SecRule REQUEST_FILENAME "@endsWith /admin/config/development/maintenance" \
     "id:9001214,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:maintenance_mode_message"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:maintenance_mode_message"
 
 SecRule REQUEST_FILENAME "@endsWith /admin/config/services/rss-publishing" \
     "id:9001216,\
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:feed_description"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:feed_description"
 
 
 SecMarker "END-DRUPAL-RULE-EXCLUSIONS"

confs/owasp-crs/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -49,7 +49,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
     pass,\
     t:none,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
 
 # Reset password
 SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
@@ -64,9 +64,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
         chain"
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 
 #
@@ -83,6 +83,38 @@ SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
     ctl:ruleRemoveTargetById=931130;ARGS:url"
 
 
+#
+# [ Gutenberg Editor ]
+# Used when a user (auto)saves a post/page with Gutenberg.
+#
+
+# Gutenberg
+SecRule REQUEST_FILENAME "@rx ^/wp\-json/wp/v[0-9]+/(?:posts|pages)" \
+    "id:9002140,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"
+
+# Gutenberg via rest_route for sites without pretty permalinks
+SecRule REQUEST_FILENAME "@endsWith /index.php" \
+    "id:9002141,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule &ARGS:rest_route "@eq 1" \
+        "t:none,\
+        nolog,\
+        chain"
+        SecRule ARGS:rest_route "@rx ^/wp/v[0-9]+/(?:posts|pages)" \
+            "t:none,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:json.content"
+
 #
 # [ Live preview ]
 # Used when an administrator customizes the site and previews the result
@@ -221,7 +253,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/setup-config.php" \
         chain"
         SecRule &ARGS:step "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pwd"
 
 # WordPress installation: exclude admin password
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
@@ -236,9 +268,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/install.php" \
         chain"
         SecRule &ARGS:step "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:admin_password2,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:admin_password2,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text"
 
 
 #
@@ -261,9 +293,11 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/profile.php" \
             ctl:ruleRemoveTargetById=931130;ARGS:url,\
             ctl:ruleRemoveTargetById=931130;ARGS:facebook,\
             ctl:ruleRemoveTargetById=931130;ARGS:googleplus,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
+            ctl:ruleRemoveTargetById=931130;ARGS:instagram,\
+            ctl:ruleRemoveTargetById=931130;ARGS:linkedin,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 # Edit user
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
@@ -279,9 +313,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-edit.php" \
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
             ctl:ruleRemoveTargetById=931130;ARGS:url,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 # Create user
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
@@ -297,9 +331,9 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/user-new.php" \
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
             ctl:ruleRemoveTargetById=931130;ARGS:url,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 
 #
@@ -321,6 +355,7 @@ SecAction \
     ctl:ruleRemoveTargetById=942200;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=942260;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=942431;ARGS:_wp_http_referer,\
+    ctl:ruleRemoveTargetById=942440;ARGS:_wp_http_referer,\
     ctl:ruleRemoveTargetById=920230;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=931130;ARGS:wp_http_referer,\
     ctl:ruleRemoveTargetById=932150;ARGS:wp_http_referer,\
@@ -352,7 +387,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/post.php" \
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
             ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:post_title,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:content,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:content,\
             ctl:ruleRemoveById=920272,\
             ctl:ruleRemoveById=921180"
 
@@ -371,7 +406,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
             ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:data[wp_autosave][post_title],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:data[wp_autosave][content],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:data[wp_autosave][content],\
             ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][post_id],\
             ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-refresh-post-lock][lock],\
             ctl:ruleRemoveTargetById=942431;ARGS_NAMES:data[wp-check-locked-posts][],\
@@ -415,46 +450,46 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
         chain"
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[0][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[1][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[2][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[3][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[4][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[5][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[6][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[7][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[8][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[9][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[10][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[11][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[12][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[13][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[14][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[15][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[16][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[17][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[18][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[19][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[20][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[21][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[22][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[23][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[24][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[25][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[26][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[27][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[28][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[29][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[30][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[31][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[32][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[33][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[34][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[35][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[36][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[37][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[38][text],\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-text[39][text]"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[0][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[1][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[2][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[3][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[4][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[5][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[6][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[7][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[8][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[9][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[10][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[11][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[12][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[13][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[14][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[15][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[16][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[17][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[18][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[19][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[20][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[21][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[22][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[23][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[24][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[25][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[26][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[27][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[28][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[29][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[30][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[31][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[32][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[33][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[34][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[35][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[36][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[37][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[38][text],\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-text[39][text]"
 
 # Reorder widgets
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
@@ -527,7 +562,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
         chain"
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:html"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html"
 
 
 #
@@ -591,8 +626,17 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
                 chain"
                 SecRule &ARGS:action "@eq 1" \
                     "t:none,\
-                    ctl:ruleRemoveTargetByTag=CRS;ARGS:blacklist_keys,\
-                    ctl:ruleRemoveTargetByTag=CRS;ARGS:moderation_keys"
+                    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:blacklist_keys,\
+                    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:moderation_keys"
+
+# Posts/pages overview search
+SecRule REQUEST_FILENAME "@endsWith /wp-admin/edit.php" \
+    "id:9002830,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:s"
 
 
 #

confs/owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -123,7 +123,7 @@ SecRule REQUEST_METHOD "@streq PUT" \
     chain"
     SecRule REQUEST_FILENAME "@rx (?:/public\.php/webdav/|/remote\.php/dav/uploads/)" \
         "ctl:ruleRemoveById=920340,\
-         ctl:ruleRemoveById=920420"
+        ctl:ruleRemoveById=920420"
 
 
 # Allow characters like /../ in files.
@@ -243,7 +243,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/apps/files_texteditor/" \
     pass,\
     t:none,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:filecontents,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:filecontents,\
     ctl:ruleRemoveTargetById=921110-921160;ARGS:filecontents,\
     ctl:ruleRemoveTargetById=932150;ARGS:filename,\
     ctl:ruleRemoveTargetById=920370-920390;ARGS:filecontents,\
@@ -318,7 +318,7 @@ SecRule REQUEST_FILENAME "@contains /index.php/login" \
     t:none,\
     nolog,\
     ctl:ruleRemoveTargetById=941100;ARGS:requesttoken,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
 
 # Reset password.
 
@@ -334,9 +334,9 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/login" \
         chain"
         SecRule &ARGS:action "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 # Change Password and Setting up a new user/password
 
@@ -346,8 +346,8 @@ SecRule REQUEST_FILENAME "@endsWith /index.php/settings/users" \
     pass,\
     t:none,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:newuserpassword,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:password"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newuserpassword,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
 
 
 SecMarker "END-NEXTCLOUD-ADMIN"

confs/owasp-crs/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -85,17 +85,17 @@ SecRule REQUEST_FILENAME "@rx (?:/doku.php|/lib/exe/ajax.php)$" \
         SecRule REQUEST_COOKIES:/S?DW[a-f0-9]+/ "@rx ^[%a-zA-Z0-9_-]+" \
             "t:none,\
             ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:wikitext,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:wikitext,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:wikitext,\
             ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:suffix,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:suffix,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:suffix,\
             ctl:ruleRemoveTargetByTag=attack-protocol;ARGS:prefix,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:prefix,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:prefix,\
             ctl:ruleRemoveTargetById=930100-930110;REQUEST_BODY"
 
 
 # Allow it to upload files. But check for cookies just to make sure.
 
-SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
+SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php" \
     "id:9004110,\
     phase:2,\
     pass,\
@@ -113,7 +113,7 @@ SecRule REQUEST_FILENAME "@endsWith /lib/exe/ajax.php"\
 
 # Show the index, even if things like "postgresql" or other things show up.
 
-SecRule REQUEST_FILENAME "@endsWith /doku.php"\
+SecRule REQUEST_FILENAME "@endsWith /doku.php" \
     "id:9004130,\
     phase:2,\
     pass,\
@@ -137,7 +137,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php"\
 # Turn off checks for password.
 
 SecRule REQUEST_FILENAME "@endsWith /doku.php" \
-   "id:9004200,\
+    "id:9004200,\
     phase:2,\
     pass,\
     t:none,\
@@ -149,7 +149,7 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
         chain"
         SecRule &ARGS:do "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:p"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:p"
 
 
 #
@@ -188,12 +188,12 @@ SecRule REQUEST_FILENAME "@endsWith /doku.php" \
     chain"
     SecRule ARGS:do "@streq login" \
         "t:none,\
-	chain"
+        chain"
         SecRule &ARGS:do "@eq 1" \
             "t:none,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass1-text,\
-            ctl:ruleRemoveTargetByTag=CRS;ARGS:pass2"
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass1-text,\
+            ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:pass2"
 
 
 # [ Save config ]

confs/owasp-crs/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under

confs/owasp-crs/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf

@@ -0,0 +1,509 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# These exclusions remedy false positives in a default XenForo install.
+# The exclusions are only active if crs_exclusions_xenforo=1 is set.
+# See rule 900130 in crs-setup.conf.example for instructions.
+
+SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
+    "id:9006000,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    skipAfter:END-XENFORO"
+
+SecRule &TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo "@eq 0" \
+    "id:9006001,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    skipAfter:END-XENFORO"
+
+
+#
+# -=[ XenForo Front-End ]=-
+#
+
+# Proxy for images and remote content embedded in forum posts
+# GET /xf/proxy.php?image=https://example.com/some.jpg&hash=foo
+# GET /xf/proxy.php?link=https://example.com&hash=foo
+# POST /xf/proxy.php, body: referrer=...
+SecRule REQUEST_FILENAME "@endsWith /proxy.php" \
+    "id:9006100,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:image,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:link,\
+    ctl:ruleRemoveTargetById=931130;ARGS:referrer,\
+    ctl:ruleRemoveTargetById=942230;ARGS:referrer"
+
+# Store drafts for private message, forum post, thread reply
+# POST /xf/conversations/draft
+# POST /xf/conversations/convo-title.12345/draft
+# POST /xf/forums/forum-title.12345/draft
+# POST /xf/threads/thread-title-%E2%98%85.12345/draft
+#
+# attachment_hash_combined example:
+# {"type":"post","context":{"post_id":12345},"hash":"0123456789abcdef..."}
+SecRule REQUEST_FILENAME "@rx /(?:conversations|(?:conversations|forums|threads)/.*\.\d+)/draft$" \
+    "id:9006110,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=931130;ARGS:href,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
+    ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined"
+
+# Send PM, edit post, create thread, reply to thread
+# POST /xf/conversations/add
+# POST /xf/conversations/add-preview
+# POST /xf/conversations/messages/1463947/edit
+# POST /xf/posts/12345/edit
+# POST /xf/posts/12345/preview
+# POST /xf/conversations/convo-title.12345/add-reply
+# POST /xf/threads/thread-title.12345/add-reply
+# POST /xf/threads/thread-title.12345/reply-preview
+# POST /xf/forums/forum-title.12345/post-thread
+# POST /xf/forums/forum-title.12345/thread-preview
+SecRule REQUEST_FILENAME "@rx /(?:conversations/add(?:-preview)?|conversations/messages/\d+/edit|posts/\d+/(?:edit|preview)|(?:conversations|threads)/.*\.\d+/(?:add-reply|reply-preview)|forums/.*\.\d+/(?:post-thread|thread-preview))$" \
+    "id:9006120,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message_html,\
+    ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined"
+
+# Quote
+# POST /xf/posts/12345/quote
+SecRule REQUEST_FILENAME "@rx /posts/\d+/quote$" \
+    "id:9006130,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quoteHtml"
+
+# Multi quote
+# POST /xf/conversations/convo-title.12345/multi-quote
+# POST /xf/threads/thread-title.12345/multi-quote
+# quotes={"12345":["quote-html"]}
+SecRule REQUEST_FILENAME "@rx /(?:conversations|threads)/.*\.\d+/multi-quote$" \
+    "id:9006140,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:quotes,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[0][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[1][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[2][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[3][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[4][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[5][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[6][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[7][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[8][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:insert[9][value]"
+
+# Delete thread
+SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/delete$" \
+    "id:9006150,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=942130;ARGS:starter_alert_reason"
+
+# Inline moderate thread
+# POST /xf/inline-mod/
+SecRule REQUEST_FILENAME "@streq /inline-mod/" \
+    "id:9006160,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message"
+
+# Warn member
+# POST /xf/members/name.12345/warn
+SecRule REQUEST_FILENAME "@rx /members/\*\.\d+/warn$" \
+    "id:9006170,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:conversation_message,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:notes"
+
+# Editor
+SecRule REQUEST_URI "@endsWith /index.php?editor/to-html" \
+    "id:9006200,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:bb_code,\
+    ctl:ruleRemoveTargetById=942200;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942260;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942340;ARGS:attachment_hash_combined,\
+    ctl:ruleRemoveTargetById=942370;ARGS:attachment_hash_combined"
+
+# Editor
+SecRule REQUEST_URI "@endsWith /index.php?editor/to-bb-code" \
+    "id:9006210,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:html"
+
+# Post attachment
+# POST /xf/account/avatar
+# POST /xf/attachments/upload?type=post&context[thread_id]=12345&hash=foo
+SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
+    "id:9006220,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveById=200003,\
+    ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\
+    ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
+    ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\
+    ctl:ruleRemoveTargetById=942440;ARGS:flowRelativePath"
+
+# Media
+# POST /xf/index.php?editor/media
+SecRule REQUEST_URI "@endsWith /index.php?editor/media" \
+    "id:9006230,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=931130;ARGS:url,\
+    ctl:ruleRemoveTargetById=942130;ARGS:url"
+
+# Emoji
+# GET /xf/index.php?misc/find-emoji&q=(%0A%0A
+SecRule REQUEST_URI "@rx /index\.php\?misc/find-emoji&q=" \
+    "id:9006240,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=921151;ARGS:q"
+
+# Login
+# POST /xf/login/login
+SecRule REQUEST_FILENAME "@endsWith /login/login" \
+    "id:9006300,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:password"
+
+# Register account
+# POST /xf/register/register
+# The password is passed in a variable-name form parameter. We don't
+# want to exclude all parameters completely as this would cause an
+# unacceptable bypass. So, we exclude only commonly hit rules.
+SecRule REQUEST_FILENAME "@endsWith /register/register" \
+    "id:9006310,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=942130;ARGS,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:reg_key"
+
+# Edit account
+# POST /xf/account/account-details
+SecRule REQUEST_FILENAME "@endsWith /account/account-details" \
+    "id:9006320,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:about_html"
+
+# Lost password
+# POST /xf/lost-password/user-name.12345/confirm?c=foo
+SecRule REQUEST_FILENAME "@rx /lost-password/.*\.\d+/confirm$" \
+    "id:9006330,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:c"
+
+# Set forum signature
+# POST /xf/account/signature
+SecRule REQUEST_FILENAME "@endsWith /account/signature" \
+    "id:9006340,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:signature_html"
+
+# Search
+# POST /xf/search/search
+SecRule REQUEST_FILENAME "@endsWith /search/search" \
+    "id:9006400,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:keywords,\
+    ctl:ruleRemoveTargetById=942200;ARGS:constraints,\
+    ctl:ruleRemoveTargetById=942260;ARGS:constraints,\
+    ctl:ruleRemoveTargetById=942340;ARGS:constraints,\
+    ctl:ruleRemoveTargetById=942370;ARGS:constraints"
+
+# Search within thread
+# GET /xf/threads/foo.12345/page12?highlight=foo
+SecRule REQUEST_FILENAME "@rx /threads/.*\.\d+/(?:page\d+)?$" \
+    "id:9006410,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:highlight"
+
+# Search within search result
+# GET /xf/search/12345/?q=foo
+SecRule REQUEST_FILENAME "@rx /search/\d+/$" \
+    "id:9006420,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:q"
+
+# Contact form
+# POST /xf/misc/contact
+SecRule REQUEST_FILENAME "@endsWith /misc/contact" \
+    "id:9006500,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:subject"
+
+# Report post
+# POST /xf/posts/12345/report
+SecRule REQUEST_FILENAME "@rx /posts/\d+/report$" \
+    "id:9006510,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message"
+
+# Alternate thread view route
+# /xf/index.php?threads/title-having-some-sql.12345/
+#
+# Especially threads with the HAVING sql keyword are FP prone.
+# This rule has some chains to narrow down the exclusion,
+# making it harder for an attacker to abuse the ARGS_NAMES
+# exclusion on other endpoints.
+SecRule REQUEST_FILENAME "@endsWith /index.php" \
+    "id:9006600,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule REQUEST_METHOD "@streq GET" \
+        "t:none,\
+        chain"
+        SecRule &ARGS "@eq 1" \
+            "t:none,\
+            chain"
+            SecRule REQUEST_URI "@rx /index\.php\?threads/.*\.\d+/$" \
+                "t:none,\
+                ctl:ruleRemoveTargetById=942100;ARGS_NAMES,\
+                ctl:ruleRemoveTargetById=942230;ARGS_NAMES"
+
+# Browser fingerprint (DBTech security extension)
+# May Contain various javascript/XSS false positives
+SecRule REQUEST_URI "@endsWith /index.php?dbtech-security/fingerprint" \
+    "id:9006700,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[14][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[15][value],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:components[16][value]"
+
+# Get location info
+SecRule REQUEST_FILENAME "@endsWith /misc/location-info" \
+    "id:9006710,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:location"
+
+#
+# -=[ XenForo Global Exclusions ]=-
+#
+
+# _xfRedirect, _xfRequestUri can appear on various endpoints.
+# Cookies can appear on all endpoints.
+
+SecAction \
+    "id:9006800,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ctl:ruleRemoveTargetById=931120;ARGS:_xfRedirect,\
+    ctl:ruleRemoveTargetById=941150;ARGS:_xfRedirect,\
+    ctl:ruleRemoveTargetById=931120;ARGS:_xfRequestUri,\
+    ctl:ruleRemoveTargetById=941150;ARGS:_xfRequestUri,\
+    ctl:ruleRemoveTargetById=942130;ARGS:_xfRequestUri,\
+    ctl:ruleRemoveTargetById=942230;ARGS:_xfRequestUri,\
+    ctl:ruleRemoveTargetById=942260;ARGS:_xfRequestUri,\
+    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_csrf,\
+    ctl:ruleRemoveTargetById=942210;REQUEST_COOKIES:xf_csrf,\
+    ctl:ruleRemoveTargetById=942440;REQUEST_COOKIES:xf_csrf,\
+    ctl:ruleRemoveTargetById=942150;REQUEST_COOKIES:xf_emoji_usage,\
+    ctl:ruleRemoveTargetById=942410;REQUEST_COOKIES:xf_emoji_usage,\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;REQUEST_COOKIES:xf_ls,\
+    ctl:ruleRemoveTargetById=942100;REQUEST_COOKIES:xf_user"
+
+#
+# -=[ XenForo Administration Back-End ]=-
+#
+
+# Skip this section for performance unless requested file is admin.php
+
+SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
+    "id:9006900,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    skipAfter:END-XENFORO-ADMIN"
+
+SecRule REQUEST_FILENAME "!@endsWith /admin.php" \
+    "id:9006901,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    skipAfter:END-XENFORO-ADMIN"
+
+# Admin edit user
+# POST /xf/admin.php?users/the-user-name.12345/edit
+SecRule REQUEST_FILENAME "@endsWith /admin.php" \
+    "id:9006910,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/edit$" \
+        "t:none,\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
+        ctl:ruleRemoveTargetById=931130;ARGS:profile[website]"
+
+# Admin save user
+# POST /xf/admin.php?users/the-user-name.12345/save
+SecRule REQUEST_FILENAME "@endsWith /admin.php" \
+    "id:9006920,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule REQUEST_URI "@rx /admin\.php\?users/.*\.\d+/save$" \
+        "t:none,\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[occupation],\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[personal_quote],\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[about],\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:profile[signature],\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:custom_fields[sexuality],\
+        ctl:ruleRemoveTargetById=931130;ARGS:custom_fields[picture],\
+        ctl:ruleRemoveTargetById=931130;ARGS:profile[website]"
+
+
+# Admin edit forum notice
+# POST /xf/admin.php?notices/0/save
+# POST /xf/admin.php?notices/forum-name.12345/save
+SecRule REQUEST_FILENAME "@endsWith /admin.php" \
+    "id:9006930,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule REQUEST_URI "@rx /admin\.php\?notices/(?:.*\.)?\d+/save$" \
+        "t:none,\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:message,\
+        ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:title"
+
+# Admin batch thread update
+# POST /xf/admin.php?threads/batch-update/action
+SecRule REQUEST_FILENAME "@endsWith /admin.php" \
+    "id:9006940,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule REQUEST_URI "@rx /admin\.php\?threads/batch-update/action$" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=942200;ARGS:criteria,\
+        ctl:ruleRemoveTargetById=942260;ARGS:criteria,\
+        ctl:ruleRemoveTargetById=942330;ARGS:criteria,\
+        ctl:ruleRemoveTargetById=942340;ARGS:criteria,\
+        ctl:ruleRemoveTargetById=942370;ARGS:criteria"
+
+# Edit forum theme
+# POST /xf/admin.php?styles/title.1234/style-properties/group&group=basic
+SecRule REQUEST_FILENAME "@endsWith /admin.php" \
+    "id:9006950,\
+    phase:2,\
+    pass,\
+    t:none,\
+    nolog,\
+    chain"
+    SecRule REQUEST_URI "@rx /admin\.php\?styles/" \
+        "t:none,\
+        ctl:ruleRemoveTargetById=942200;ARGS:json,\
+        ctl:ruleRemoveTargetById=942260;ARGS:json,\
+        ctl:ruleRemoveTargetById=942330;ARGS:json,\
+        ctl:ruleRemoveTargetById=942340;ARGS:json,\
+        ctl:ruleRemoveTargetById=942370;ARGS:json"
+
+SecMarker "END-XENFORO-ADMIN"
+
+SecMarker "END-XENFORO"

confs/owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under

confs/owasp-crs/REQUEST-910-IP-REPUTATION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -39,13 +39,11 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
     tag:'IP_REPUTATION/MALICIOUS_CLIENT',\
-    setvar:'tx.msg=%{rule.msg}',\
     severity:'CRITICAL',\
     chain,\
     skipAfter:BEGIN-REQUEST-BLOCKING-EVAL"
     SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
-        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -73,9 +71,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
     SecRule TX:REAL_IP "@geoLookup" \
         "chain"
         SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
-            "setvar:'tx.msg=%{rule.msg}',\
-            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-            setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+            "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
             setvar:'ip.reput_block_flag=1',\
             setvar:'ip.reput_block_reason=%{rule.msg}',\
             expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -101,9 +97,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
 #    tag:'platform-multi',\
 #    tag:'attack-reputation-ip',\
 #    severity:'CRITICAL',\
-#    setvar:'tx.msg=%{rule.msg}',\
 #    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-#    setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
 #    setvar:'ip.reput_block_flag=1',\
 #    setvar:'ip.reput_block_reason=%{rule.msg}',\
 #    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -185,9 +179,7 @@ SecRule TX:block_search_ip "@eq 1" \
     chain,\
     skipAfter:END-RBL-CHECK"
     SecRule TX:httpbl_msg "@rx Search Engine" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\
@@ -208,9 +200,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
     chain,\
     skipAfter:END-RBL-CHECK"
     SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\
@@ -231,9 +221,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
     chain,\
     skipAfter:END-RBL-CHECK"
     SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\
@@ -254,9 +242,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
     chain,\
     skipAfter:END-RBL-CHECK"
     SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
+        "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
         setvar:'ip.previous_rbl_check=1',\

confs/owasp-crs/REQUEST-911-METHOD-ENFORCEMENT.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -34,16 +34,15 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-generic',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/POLICY/METHOD_NOT_ALLOWED',\
     tag:'WASCTC/WASC-15',\
     tag:'OWASP_TOP_10/A6',\
     tag:'OWASP_AppSensor/RE1',\
     tag:'PCI/12.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    ver:'OWASP_CRS/3.1.1',\
-    setvar:'tx.msg=%{rule.msg}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/POLICY/METHOD_NOT_ALLOWED-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/REQUEST-912-DOS-PROTECTION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -105,11 +105,11 @@ SecRule IP:DOS_BLOCK "@eq 1" \
     "id:912120,\
     phase:1,\
     drop,\
+    msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-dos',\
-    msg:'Denial of Service (DoS) attack identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)',\
     chain"
     SecRule &IP:DOS_BLOCK_FLAG "@eq 0" \
         "setvar:'ip.dos_block_counter=+1',\

confs/owasp-crs/REQUEST-913-SCANNER-DETECTION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -42,20 +42,19 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scanner',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
 
-SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
     "id:913110,\
     phase:2,\
     block,\
@@ -67,22 +66,21 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scanner',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
 
 
 
-SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
+SecRule REQUEST_FILENAME|ARGS "@pmFromFile scanners-urls.data" \
     "id:913120,\
     phase:2,\
     block,\
@@ -94,15 +92,14 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scanner',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',\
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -136,16 +133,15 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scripting-user-agents.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-scripting',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/SCRIPTING',\
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/SCRIPTING-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
@@ -173,16 +169,15 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crawlers-user-agents.data" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-crawler',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/AUTOMATION/CRAWLER',\
     tag:'WASCTC/WASC-21',\
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/AUTOMATION/CRAWLER-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
     setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
     expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"

confs/owasp-crs/REQUEST-921-PROTOCOL-ATTACK.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -42,13 +42,13 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx [\n\r]+(?:get|post|head|options|connect|put|
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/REQUEST-SMUGGLING-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
 # -=[ HTTP Response Splitting ]=-
@@ -68,19 +68,19 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     block,\
     capture,\
     t:none,t:urlDecodeUni,t:lowercase,\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     msg:'HTTP Response Splitting Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
@@ -89,19 +89,19 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     block,\
     capture,\
     t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     msg:'HTTP Response Splitting Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESPONSE_SPLITTING-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
 # -=[ HTTP Header Injection ]=-
@@ -129,19 +129,22 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # Detect newlines in argument names.
 # Checking for GET arguments has been moved to paranoia level 2 (921151)
 # in order to mitigate possible false positives.
 #
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
 SecRule ARGS_NAMES "@rx [\n\r]" \
     "id:921150,\
     phase:2,\
@@ -154,13 +157,13 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
@@ -175,13 +178,13 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx (?:\n|\r)+(?:\s|location|refresh|(?:set-)?c
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
@@ -211,13 +214,13 @@ SecRule ARGS_GET "@rx [\n\r]" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/HEADER_INJECTION',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
@@ -256,7 +259,7 @@ SecRule ARGS_NAMES "@rx ." \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'CAPEC-460',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 
 SecRule TX:/paramcounter_.*/ "@gt 1" \
@@ -269,17 +272,17 @@ SecRule TX:/paramcounter_.*/ "@gt 1" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION',\
     tag:'paranoia-level/3',\
     tag:'CAPEC-460',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HTTP_PARAMETER_POLLUTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -38,18 +38,17 @@ SecRule REQUEST_URI_RAW|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XM
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-lfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
 
 #
 # [ Decoded /../ Payloads ]
 #
-SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@pm ..\ ../" \
+SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/* "@rx (?:^|[\\/])\.\.(?:[\\/]|$)" \
     "id:930110,\
     phase:2,\
     block,\
@@ -61,21 +60,20 @@ SecRule REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|XML:/*
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-lfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     multiMatch,\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
 
 #
 # -=[ OS File Access ]=-
 #
 # Ref: https://github.com/lightos/Panoptic/blob/master/cases.xml
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf lfi-os-files.data" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile lfi-os-files.data" \
     "id:930120,\
     phase:2,\
     block,\
@@ -87,16 +85,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-lfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
     tag:'WASCTC/WASC-33',\
     tag:'OWASP_TOP_10/A4',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
 # -=[ Restricted File Access ]=-
@@ -104,28 +101,27 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Detects attempts to retrieve application source code, metadata,
 # credentials and version control history possibly reachable in a web root.
 #
-SecRule REQUEST_FILENAME "@pmf restricted-files.data" \
+SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
     "id:930130,\
     phase:2,\
     block,\
     capture,\
     t:none,t:utf8toUnicode,t:urlDecodeUni,t:normalizePathWin,t:lowercase,\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     msg:'Restricted File Access Attempt',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-lfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/FILE_INJECTION',\
     tag:'WASCTC/WASC-33',\
     tag:'OWASP_TOP_10/A4',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -45,14 +45,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-rfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/" \
     "id:931110,\
@@ -66,14 +65,13 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-rfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
     "id:931120,\
@@ -87,14 +85,13 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-rfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
@@ -116,18 +113,17 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(.*)$" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-rfi',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/RFI',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=%{tx.1}',\
     chain"
     SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{MATCHED_VAR_NAME}=%{tx.1}'"
+        "setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -31,6 +31,9 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,skipAf
 # The vulnerability exists when an application executes a shell command
 # without proper input escaping/validation.
 #
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
 # To prevent false positives, we look for a 'starting sequence' that
 # precedes a command in shell syntax, such as: ; | & $( ` <( >(
 # Anatomy of the regexp with examples of patterns caught:
@@ -108,17 +111,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Apache 2.2 requires configuration file lines to be under 8kB.
 # Therefore, some remaining commands have been split off to a separate rule.
@@ -146,17 +148,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Windows command injection ]
@@ -245,22 +246,24 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-windows',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Apache 2.2 requires configuration file lines to be under 8kB.
 # Therefore, some remaining commands have been split off to a separate rule.
 # For explanation of this rule, see rule 932110.
 #
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
 # To rebuild the word list regexp:
 #   cd util/regexp-assemble
 #   cat regexp-932115.txt | ./regexp-cmdline.py windows | ./regexp-assemble.pl
@@ -283,17 +286,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-windows',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Windows PowerShell, cmdlets and options ]
@@ -307,7 +309,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # https://technet.microsoft.com/en-us/magazine/ff714569.aspx
 # https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf windows-powershell-commands.data" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile windows-powershell-commands.data" \
     "id:932120,\
     phase:2,\
     block,\
@@ -320,17 +322,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-powershell',\
     tag:'platform-windows',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Unix shell expressions ]
@@ -345,7 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # $((foo))  Arithmetic expansion
 #
 # Regexp generated from util/regexp-assemble/regexp-932130.data using Regexp::Assemble.
-# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
 #
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:\$(?:\((?:\(.*\)|.*)\)|\{.*\})|[<>]\(.*\))" \
     "id:932130,\
@@ -359,17 +360,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Windows FOR, IF commands ]
@@ -393,9 +393,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # http://ss64.com/nt/for.html
 #
 # Regexp generated from util/regexp-assemble/regexp-932140.data using Regexp::Assemble.
-# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(/[dflr].*)* %+[^ ]+ in\(.*\)\s?do)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \b(?:if(?:/i)?(?: not)?(?: exist\b| defined\b| errorlevel\b| cmdextversion\b|(?: |\().*(?:\bgeq\b|\bequ\b|\bneq\b|\bleq\b|\bgtr\b|\blss\b|==))|for(?:/[dflr].*)? %+[^ ]+ in\(.*\)\s?do)" \
     "id:932140,\
     phase:2,\
     block,\
@@ -407,17 +407,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-windows',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Unix direct remote command execution ]
@@ -429,6 +428,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # command string is appended (injected) to a regular parameter, and then
 # passed to a shell unescaped.
 #
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
 # Due to a higher risk of false positives, the following changes have been
 # made relative to rule 932100:
 # 1) the set of commands is smaller
@@ -457,17 +459,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Unix shell snippets ]
@@ -478,7 +479,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # have been added here with their full path, in order to catch some
 # cases where the full path is sent.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf unix-shell.data" \
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile unix-shell.data" \
     "id:932160,\
     phase:2,\
     block,\
@@ -490,17 +497,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 # [ Shellshock vulnerability (CVE-2014-6271 and CVE-2014-7169) ]
@@ -524,17 +530,16 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     "id:932171,\
@@ -548,17 +553,16 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -574,28 +578,27 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
 # code execution.
 #
 SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name \
-        "@pmf restricted-upload.data" \
+    "@pmFromFile restricted-upload.data" \
     "id:932180,\
     phase:2,\
     block,\
     capture,\
     t:none,t:lowercase,\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     msg:'Restricted File Upload Attempt',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
@@ -642,18 +645,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 #
 # -=[ Bypass Rule 930120 (wildcard) ]=-
@@ -677,6 +679,7 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
     tag:'language-shell',\
     tag:'platform-unix',\
     tag:'attack-rce',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
@@ -684,10 +687,8 @@ SecRule ARGS "@rx (?:/|\\\\)(?:[\?\*]+[a-z/\\\\]+|[a-z/\\\\]+[\?\*]+)" \
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"

confs/owasp-crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -43,6 +43,8 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,skipAf
 # Therefore, that pattern is now checked by rule 933190 in paranoia levels
 # 3 or higher.
 #
+# Not supported by re2 (?!re).
+#
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:<\?(?!xml\s)|<\?php|\[(?:/|\\\\)?php\])" \
     "id:933100,\
     phase:2,\
@@ -55,15 +57,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
 # [ PHP Script Uploads ]
@@ -86,7 +87,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # X_Filename, or X-File-Name to transmit the file name to the server;
 # scan these request headers as well as multipart/form-data file names.
 #
-SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\.*$" \
     "id:933110,\
     phase:2,\
     block,\
@@ -98,21 +99,20 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
 # [ PHP Configuration Directives ]
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-config-directives.data" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-config-directives.data" \
     "id:933120,\
     phase:2,\
     block,\
@@ -124,24 +124,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@pm =" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
 # [ PHP Variables ]
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmf php-variables.data" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-variables.data" \
     "id:933130,\
     phase:2,\
     block,\
@@ -153,15 +152,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -191,15 +189,43 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+#
+# [ PHP Wrappers ]
+#
+# PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem
+# functions such as fopen(), copy(), file_exists() and filesize(). Abusing of PHP wrappers like phar://
+# could lead to RCE as describled by Sam Thomas at BlackHat USA 2018 (https://bit.ly/2yaKV5X), even
+# wrappers like zlib://, glob://, rar://, zip://, etc... could lead to LFI and expect:// to RCE.
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:zlib|glob|phar|ssh2|rar|ogg|expect|zip)://" \
+    "id:933200,\
+    phase:2,\
+    block,\
+    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,t:cmdLine,\
+    msg:'PHP Injection Attack: Wrapper scheme detected',\
+    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
+    tag:'OWASP_TOP_10/A1',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -215,7 +241,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # - Rule 933150: ~40 words highly common to PHP injection payloads and extremely rare in
 #		natural language or other contexts.
 #		Examples: 'base64_decode', 'file_get_contents'.
-#		These words are detected as a match directly using @pmf.
+#		These words are detected as a match directly using @pmFromFile.
 #		Function names are defined in php-function-names-933150.data
 #
 # - Rule 933160: ~220 words which are common in PHP code, but have a higher chance to cause
@@ -226,7 +252,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # - Rule 933151: ~1300 words of lesser importance. This includes most PHP functions and keywords.
 #		Examples: 'addslashes', 'array_diff'.
-#		For performance reasons, the @pmf operator is used, and many functions from lesser
+#		For performance reasons, the @pmFromFile operator is used, and many functions from lesser
 #		used PHP extensions are removed.
 #		To mitigate false positives, we only match when the '(' character is also found.
 #		This rule only runs in paranoia level 2 or higher.
@@ -248,7 +274,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # We block these function names outright, without using a complex regexp or chain.
 # This could make the detection a bit more robust against possible bypasses.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933150.data" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933150.data" \
     "id:933150,\
     phase:2,\
     block,\
@@ -260,15 +286,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -292,8 +317,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #   system //comment \n (...)
 #   system #comment \n (...)
 #
+# This rule is also triggered by the following exploit(s):
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
 # Regexp generated from util/regexp-assemble/regexp-933160.data using Regexp::Assemble.
-# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+#
 # Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
 # output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
 #
@@ -309,15 +340,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -366,15 +396,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
@@ -423,16 +452,56 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
+# [ PHP Functions: Variable Function Prevent Bypass ]
+#
+# Referring to https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/
+# the rule 933180 could be bypassed by using the following payloads:
+#
+# - (system)('uname')
+# - (sy.(st).em)('uname')
+# - (string)"system"('uname')
+# - define('x', 'sys' . 'tem');(x)/* comment */('uname')
+# - $y = 'sys'.'tem';($y)('uname')
+# - define('z', [['sys' .'tem']]);(z)[0][0]('uname');
+# - (system)(ls)
+# - (/**/system)(ls/**/);
+# - (['system'])[0]('uname');
+# - (++[++system++][++0++])++{/*dsasd*/0}++(++ls++);
+#
+# This rule blocks all payloads above and avoids to block values like:
+#
+# - [ACME] this is a test (just a test)
+# - Test (with two) rounded (brackets)
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:\(|\[)[a-zA-Z0-9_.$\"'\[\](){}/*\s]+(?:\)|\])[0-9_.$\"'\[\](){}/*\s]*\([a-zA-Z0-9_.$\"'\[\](){}/*\s].*\)|\([\s]*string[\s]*\)[\s]*(?:\"|'))" \
+    "id:933210,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
+    msg:'PHP Injection Attack: Variable Function Call Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
+    tag:'OWASP_TOP_10/A1',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
@@ -448,7 +517,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAf
 # The size of the PHP function list is considerable.
 # Even after excluding the more obscure PHP extensions, 1300+ functions remain.
 # For performance and maintenance reasons, this rule does not use a regexp,
-# but uses a phrase file (@pmf), and additionally looks for an '(' character
+# but uses a phrase file (@pmFromFile), and additionally looks for an '(' character
 # in the matched variable.
 #
 # This approach carries some risk for false positives. Therefore, the function list
@@ -457,7 +526,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,skipAf
 #
 # This rule is a stricter sibling of rule 933150.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmf php-function-names-933151.data" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@pmFromFile php-function-names-933151.data" \
     "id:933151,\
     phase:2,\
     block,\
@@ -469,19 +538,18 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@pm (" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
@@ -506,7 +574,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,skipAf
 # parameter names or values and this will lead to false positives.
 # Because this list is not expected to change and it is limited in size we use a
 # regex in this case to look for these values whereas in its sibling rule we use
-# @pmf for flexibility and performance.
+# @pmFromFile for flexibility and performance.
 #
 # To rebuild the regexp:
 #   cd util/regexp-assemble
@@ -525,16 +593,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -551,8 +618,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 #
 # This rule is a stricter sibling of rule 933160.
 #
+# This rule is also triggered by the following exploit(s):
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
 # Regexp generated from util/regexp-assemble/regexp-933161.data using Regexp::Assemble.
-# See http://blog.modsecurity.org/2007/06/optimizing-regu.html for usage.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+#
 # Note that after assemble, PHP function syntax pre/postfix is added to the Regexp::Assemble
 # output. Example: "@rx (?i)\bASSEMBLE_OUTPUT_HERE(?:\s|/\*.*\*/|//.*|#.*)*\(.*\)"
 #
@@ -568,16 +640,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -601,7 +672,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 #
 # This rule is a stricter sibling of rule 933110.
 #
-SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
+SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEADERS:X.Filename|REQUEST_HEADERS:X-File-Name "@rx .*\.(?:php\d*|phtml)\..*$" \
     "id:933111,\
     phase:2,\
     block,\
@@ -613,16 +684,15 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 # [ PHP Closing Tag Found ]
@@ -634,27 +704,26 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
 # See issue #654 for discussion.
 #
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm ?>" \
-    "msg:'PHP Injection Attack: PHP Closing Tag Found',\
+    "id:933190,\
     phase:2,\
-    ver:'OWASP_CRS/3.1.1',\
-    t:none,t:urlDecodeUni,\
-    ctl:auditLogParts=+E,\
     block,\
     capture,\
+    t:none,t:urlDecodeUni,\
+    msg:'PHP Injection Attack: PHP Closing Tag Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
-    id:933190,\
-    severity:'CRITICAL',\
     tag:'application-multi',\
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-injection-php',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/PHP_INJECTION',\
     tag:'OWASP_TOP_10/A1',\
     tag:'paranoia-level/3',\
-    setvar:'tx.msg=%{rule.msg}',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/PHP_INJECTION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"

confs/owasp-crs/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf

@@ -0,0 +1,94 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.2.0
+# Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
+#
+
+
+# [ Insecure unserialization / generic RCE signatures ]
+#
+# Libraries performing insecure unserialization:
+# - node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941)
+# - funcster: __js_function
+#
+# See:
+# https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
+# https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
+#
+# Some generic snippets used:
+# - function() {
+# - new Function(
+# - eval(
+# - String.fromCharCode(
+#
+# Last two are used by nodejsshell.py,
+# https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py
+#
+# As base64 is sometimes (but not always) used to encode serialized values,
+# use multiMatch and t:base64decode.
+#
+# Regexp generated from util/regexp-assemble/regexp-934100.data using Regexp::Assemble.
+# See https://coreruleset.org/20190826/optimizing-regular-expressions/ for usage.
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:(?:_(?:\$\$ND_FUNC\$\$_|_js_function)|(?:new\s+Function|\beval)\s*\(|String\s*\.\s*fromCharCode|function\s*\(\s*\)\s*{|this\.constructor)|module\.exports\s*=)" \
+    "id:934100,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:urlDecodeUni,t:base64Decode,\
+    msg:'Node.js Injection Attack',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-javascript',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'attack-injection-nodejs',\
+    tag:'OWASP_CRS/WEB_ATTACK/NODEJS_INJECTION',\
+    tag:'OWASP_TOP_10/A1',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    multiMatch,\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
+#
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
+#
+
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
+#
+# -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-REQUEST-934-APPLICATION-ATTACK-NODEJS"

confs/owasp-crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -45,6 +45,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -52,12 +53,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -65,7 +64,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # http://xssplayground.net23.net/xssfilter.html
 # script tag based XSS vectors, e.g., <script> alert(1)</script>
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[<＜]script[^>＞]*[>＞][\s\S]*?" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<script[^>]*>[\s\S]*?" \
     "id:941110,\
     phase:2,\
     block,\
@@ -77,6 +76,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -84,12 +84,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -108,6 +106,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -115,18 +114,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
 # -=[ XSS Filters - Category 3 ]=-
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S](?:x(?:link:href|html|mlns)|!ENTITY.*?SYSTEM|data:text\/html|pattern(?=.*?=)|formaction|\@import|base64)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\S]((?:x(?:link:href|html|mlns)|!ENTITY.*?(?:SYSTEM|PUBLIC)|data:text\/html|formaction|\@import|base64)\b|pattern\b.*?=)" \
     "id:941130,\
     phase:2,\
     block,\
@@ -138,6 +135,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -145,12 +143,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -169,6 +165,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -176,12 +173,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -190,7 +185,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 #
 # [NoScript InjectionChecker] HTML injection
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*(?:\W*?s\W*?c\W*?r\W*?i\W*?p\W*?t|\W*?f\W*?o\W*?r\W*?m|\W*?s\W*?t\W*?y\W*?l\W*?e|\W*?s\W*?v\W*?g|\W*?m\W*?a\W*?r\W*?q\W*?u\W*?e\W*?e|(?:\W*?l\W*?i\W*?n\W*?k|\W*?o\W*?b\W*?j\W*?e\W*?c\W*?t|\W*?e\W*?m\W*?b\W*?e\W*?d|\W*?a\W*?p\W*?p\W*?l\W*?e\W*?t|\W*?p\W*?a\W*?r\W*?a\W*?m|\W*?i?\W*?f\W*?r\W*?a\W*?m\W*?e|\W*?b\W*?a\W*?s\W*?e|\W*?b\W*?o\W*?d\W*?y|\W*?m\W*?e\W*?t\W*?a|\W*?i\W*?m\W*?a?\W*?g\W*?e?|\W*?v\W*?i\W*?d\W*?e\W*?o|\W*?a\W*?u\W*?d\W*?i\W*?o|\W*?b\W*?i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|\W*?s\W*?e\W*?t|\W*?a\W*?n\W*?i\W*?m\W*?a\W*?t\W*?e)[^>\w])|(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\x08]*?=" \
+# Regexp generated from util/regexp-assemble/regexp-941160.data using Regexp::Assemble.
+# To rebuild the regexp:
+#   cd util/regexp-assemble
+#   ./regexp-assemble.pl regexp-941160.data
+# Note that after assemble an ignore case flag (i) is added to the to the Regexp::Assemble output:
+#   Add ignore case flag between '?' and ':': "(?i:...)"
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:<\w[\s\S]*[\s\/]|['\"](?:[\s\S]*[\s\/])?)(?:on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|(?:peech|ound)(?:start|end)|u(?:ccess|spend|bmit)|croll|how)|m(?:o(?:z(?:(?:pointerlock|fullscreen)(?:change|error)|(?:orientation|time)change|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom)|s(?:tyle|rc)|background|formaction|lowsrc|ping)[\s\x08]*?=|<[^\w<>]*(?:[^<>\"'\s]*:)?[^\w<>]*\W*?(?:(?:a\W*?(?:n\W*?i\W*?m\W*?a\W*?t\W*?e|p\W*?p\W*?l\W*?e\W*?t|u\W*?d\W*?i\W*?o)|b\W*?(?:i\W*?n\W*?d\W*?i\W*?n\W*?g\W*?s|a\W*?s\W*?e|o\W*?d\W*?y)|i?\W*?f\W*?r\W*?a\W*?m\W*?e|o\W*?b\W*?j\W*?e\W*?c\W*?t|i\W*?m\W*?a?\W*?g\W*?e?|e\W*?m\W*?b\W*?e\W*?d|p\W*?a\W*?r\W*?a\W*?m|v\W*?i\W*?d\W*?e\W*?o|l\W*?i\W*?n\W*?k)[^>\w]|s\W*?(?:c\W*?r\W*?i\W*?p\W*?t|t\W*?y\W*?l\W*?e|e\W*?t[^>\w]|v\W*?g)|m\W*?(?:a\W*?r\W*?q\W*?u\W*?e\W*?e|e\W*?t\W*?a[^>\w])|f\W*?o\W*?r\W*?m))" \
     "id:941160,\
     phase:2,\
     block,\
@@ -202,6 +204,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -209,12 +212,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -232,6 +233,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -239,19 +241,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
 # [Blacklist Keywords from Node-Validator]
 # https://raw.github.com/chriso/node-validator/master/validator.js
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write document[ self[ .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@pm document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[" \
     "id:941180,\
     phase:2,\
     block,\
@@ -263,6 +263,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -270,12 +271,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -283,7 +282,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # Ref: http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx
 # Ref: http://xss.cx/examples/ie/internet-exploror-ie9-xss-filter-rules-example-regexp-mshtmldll.txt
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?((@[i\\\\])|(([:=]|(&#x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&#x?0*((40)|(28)|(92)|(5C));?)))))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<style.*?>.*?(?:@[i\\\\]|(?:[:=]|&#x?0*(?:58|3A|61|3D);?).*?(?:[(\\\\]|&#x?0*(?:40|28|92|5C);?)))" \
     "id:941190,\
     phase:2,\
     block,\
@@ -295,6 +294,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -302,12 +302,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<.*[:]?vmlframe.*?[\s/+]*?src[\s/+]*=)" \
@@ -322,6 +320,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -329,15 +328,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(j|(&#x?0*((74)|(4A)|(106)|(6A));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&#x?0*((65)|(41)|(97)|(61));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:j|&#x?0*(?:74|4A|106|6A);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:a|&#x?0*(?:65|41|97|61);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
     "id:941210,\
     phase:2,\
     block,\
@@ -349,6 +346,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -356,15 +354,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|(&#x?0*((66)|(42)|(98)|(62));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(c|(&#x?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(:|(&((#x?0*((58)|(3A));?)|(colon;)))).)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:(?:v|&#x?0*(?:86|56|118|76);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:b|&#x?0*(?:66|42|98|62);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:s|&#x?0*(?:83|53|115|73);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:c|&#x?0*(?:67|43|99|63);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:r|&#x?0*(?:82|52|114|72);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:i|&#x?0*(?:73|49|105|69);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:p|&#x?0*(?:80|50|112|70);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?:t|&#x?0*(?:84|54|116|74);?)(?:\t|&(?:#x?0*(?:9|13|10|A|D);?|tab;|newline;))*(?::|&(?:#x?0*(?:58|3A);?|colon;)).)" \
     "id:941220,\
     phase:2,\
     block,\
@@ -376,6 +372,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -383,12 +380,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<EMBED[\s/+].*?(?:src|type).*?=" \
@@ -403,6 +398,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -410,12 +406,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <[?]?import[\s\/+\S]*?implementation[\s\/+]*?=" \
@@ -430,6 +424,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -437,15 +432,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"\'`]?(((c|(&#x?0*((67)|(43)|(99)|(63));?)))|((r|(&#x?0*((82)|(52)|(114)|(72));?)))|((s|(&#x?0*((83)|(53)|(115)|(73));?)))))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?http-equiv[\s/+]*=[\s/+]*[\"'`]?(?:(?:c|&#x?0*(?:67|43|99|63);?)|(?:r|&#x?0*(?:82|52|114|72);?)|(?:s|&#x?0*(?:83|53|115|73);?)))" \
     "id:941250,\
     phase:2,\
     block,\
@@ -457,6 +450,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -464,12 +458,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:<META[\s/+].*?charset[\s/+]*=)" \
@@ -484,6 +476,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -491,12 +484,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<LINK[\s/+].*?href[\s/+]*=" \
@@ -511,6 +502,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -518,12 +510,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<BASE[\s/+].*?href[\s/+]*=" \
@@ -538,6 +528,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -545,12 +536,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<APPLET[\s/+>]" \
@@ -565,6 +554,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -572,12 +562,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)<OBJECT[\s/+].*?(?:type|codetype|classid|code|data)[\s/+]*=" \
@@ -592,6 +580,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -599,12 +588,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
 # https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
@@ -624,6 +611,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-tomcat',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -631,12 +619,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 #
 # UTF-7 encoding XSS filter evasion for IE.
@@ -648,13 +634,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
+    t:none,t:urlDecodeUni,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
     msg:'UTF-7 Encoding IE XSS - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-internet-explorer',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -662,12 +649,80 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'OWASP_AppSensor/IE1',\
     tag:'CAPEC-242',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Defend against JSFuck and Hieroglyphy obfuscation of Javascript code
+#
+# https://en.wikipedia.org/wiki/JSFuck
+# https://github.com/alcuadrado/hieroglyphy
+#
+# These JS obfuscations mostly aim for client side XSS exploits, hence the
+# integration of this rule into the XSS rule group. But serverside JS could
+# also be attacked via these techniques.
+#
+# Detection pattern / Core elements of JSFuck and Hieroglyphy are the
+# following two items:
+# !![]
+# !+[]
+#
+# ModSecurity always transforms "+" into " " with query strings and the
+# URLENCODE body processor (but not for JSON). So we need to check for
+# the following patterns:
+# !![]
+# !+[]
+# ! []
+
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ![!+ ]\[\]" \
+    "id:941360,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'JSFuck / Hieroglyphy obfuscation detected',\
+    logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'attack-xss',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'CAPEC-63',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+#
+# Prevent 941180 bypass by using JavaScript global variables
+# Examples:
+#    - /?search=/?a=";+alert(self["document"]["cookie"]);//
+#    - /?search=/?a=";+document+/*foo*/+.+/*bar*/+cookie;//
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:/* "@rx (?:self|document|this|top|window)\s*\)*(?:\[[^\]]+\]|\.\s*document|\.\s*cookie)" \
+    "id:941370,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:removeComments,t:urlDecodeUni,\
+    msg:'JavaScript global variable found',\
+    logdata:'Matched Data: Suspicious JS global variable found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'attack-xss',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'CAPEC-63',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
@@ -691,6 +746,7 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -699,12 +755,10 @@ SecRule REQUEST_HEADERS:Referer "@detectXSS" \
     tag:'CAPEC-242',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 #
@@ -723,6 +777,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -731,12 +786,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'CAPEC-242',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 # Detect tags that are the most common direct HTML injection points.
@@ -797,6 +850,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 #  - Links do not have to be fully qualified. For example, the following works:
 #    <script src="//ha.ckers.org/.j">
 #
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx <(?:a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)\W" \
     "id:941320,\
     phase:2,\
@@ -809,6 +865,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -816,25 +873,24 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/IE1',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"\'][ ]*(([^a-z0-9~_:\' ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))|((o|(\\\\u006F))(n|(\\\\u006E))(e|(\\\\u0065))(r|(\\\\u0072))(r|(\\\\u0072))(o|(\\\\u006F))(r|(\\\\u0072)))|((v|(\\\\u0076))(a|(\\\\u0061))(l|(\\\\u006C))(u|(\\\\u0075))(e|(\\\\u0065))(O|(\\\\u004F))(f|(\\\\u0066)))).*?=)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:[\"'][ ]*(?:[^a-z0-9~_:' ]|in).*?(?:(?:l|\\\\u006C)(?:o|\\\\u006F)(?:c|\\\\u0063)(?:a|\\\\u0061)(?:t|\\\\u0074)(?:i|\\\\u0069)(?:o|\\\\u006F)(?:n|\\\\u006E)|(?:n|\\\\u006E)(?:a|\\\\u0061)(?:m|\\\\u006D)(?:e|\\\\u0065)|(?:o|\\\\u006F)(?:n|\\\\u006E)(?:e|\\\\u0065)(?:r|\\\\u0072)(?:r|\\\\u0072)(?:o|\\\\u006F)(?:r|\\\\u0072)|(?:v|\\\\u0076)(?:a|\\\\u0061)(?:l|\\\\u006C)(?:u|\\\\u0075)(?:e|\\\\u0065)(?:O|\\\\u004F)(?:f|\\\\u0066)).*?=)" \
     "id:941330,\
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -842,25 +898,27 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/IE1',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"\'][ ]*(?:[^a-z0-9~_:\' ]|in).+?[.].+?=" \
     "id:941340,\
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-xss',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/XSS',\
     tag:'WASCTC/WASC-8',\
     tag:'WASCTC/WASC-22',\
@@ -868,13 +926,45 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'OWASP_AppSensor/IE1',\
     tag:'PCI/6.5.1',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
+#
+# Defend against AngularJS client side template injection
+#
+# Of course, pure client-side AngularJS commands can not be intercepted.
+# But once a command is sent to the server, the CRS will trigger.
+#
+# https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
+#
+# Example payload:
+# http://localhost/login?user=%20x%20%7B%7Bconstructor.constructor(%27alert(1)%27)()%7D%7D%20.%20ff
+# Decoded argument:
+# {{constructor.constructor('alert(1)')()}}
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx {{.*?}}" \
+    "id:941380,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'AngularJS client side template injection detected',\
+    logdata:'Matched Data: Suspicious payload found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'attack-xss',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
+    tag:'OWASP_TOP_10/A7',\
+    tag:'CAPEC-63',\
+    tag:'paranoia-level/2',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -39,16 +39,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-fixation',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
     tag:'WASCTC/WASC-37',\
     tag:'CAPEC-61',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
@@ -63,21 +62,20 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-fixation',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
     tag:'WASCTC/WASC-37',\
     tag:'CAPEC-61',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Referer "@rx ^(?:ht|f)tps?://(.*?)\/" \
         "capture,\
         chain"
         SecRule TX:1 "!@endsWith %{request_headers.host}" \
-            "setvar:'tx.msg=%{rule.msg}',\
-            setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
-            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-            setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+            "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
+            setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
@@ -92,18 +90,17 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-fixation',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/WEB_ATTACK/SESSION_FIXATION',\
     tag:'WASCTC/WASC-37',\
     tag:'CAPEC-61',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Referer "@eq 0" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SESSION_FIXATION-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        "setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -12,38 +12,54 @@
 #
 # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
 
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:1,id:944011,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "phase:2,id:944012,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.executing_paranoia_level is sufficiently high: 1 or higher)
 #
+# This rule is also triggered by an Apache Struts exploit:
+# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
+#
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+#
+# This rule is also triggered by an Apache Struts Remote Code Execution exploit:
+# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
+#
+# This rule is also triggered by an Oracle WebLogic Remote Command Execution exploit:
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+#
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx java\.lang\.(?:runtime|processbuilder)" \
     "id:944100,\
     phase:2,\
     block,\
+    t:none,t:lowercase,\
     log,\
     msg:'Remote Command Execution: Suspicious Java class detected',\
     logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
-    t:none,t:lowercase,\
     tag:'application-multi',\
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
+# This rule is also triggered by the following exploit(s):
+# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
 # [ Java deserialization vulnerability/Apache Struts (CVE-2017-9805) ]
 # [ Java deserialization vulnerability/Oracle Weblogic (CVE-2017-10271) ]
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
 # Generic rule to detect processbuilder or runtime calls, if any of thos is found and the same target contains
 # java. unmarshaller or base64data to trigger a potential payload execution
@@ -62,19 +78,18 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
-        "setvar:'tx.msg=%{rule.msg}',\
-        setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+        "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # Magic bytes detected and payload included possibly RCE vulnerable classess detected and process execution methods detected
 # anomaly score set to critical as all conditions indicate the request try to perform RCE.
@@ -91,49 +106,56 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
         "t:none,t:lowercase,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
-    "@pmf java-classes.data" \
+# This rule is also triggered by the following exploit(s):
+# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/mazen160/struts-pwn ]
+# [ Apache Struts vulnerability CVE-2017-5638 - Exploit tested: https://github.com/xsscx/cve-2017-5638 ]
+# [ Apache Struts vulnerability CVE-2017-9791 - Exploit tested: https://www.exploit-db.com/exploits/42324 ]
+# [ Apache Struts vulnerability CVE-2017-9805 - Exploit tested: https://www.exploit-db.com/exploits/42627 ]
+# [ Oracle WebLogic vulnerability CVE-2017-10271 - Exploit tested: https://www.exploit-db.com/exploits/43458 ]
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45262 ]
+# [ Apache Struts vulnerability CVE-2018-11776 - Exploit tested: https://www.exploit-db.com/exploits/45260 ]
+#
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_FILENAME|REQUEST_HEADERS|XML:/*|XML://@* \
+    "@pmFromFile java-classes.data" \
     "id:944130,\
     phase:2,\
     block,\
+    t:none,t:lowercase,\
     log,\
     msg:'Suspicious Java class detected',\
     logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
-    t:none,t:lowercase,\
     tag:'application-multi',\
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/1',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:1,id:944013,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "phase:2,id:944014,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 2 =- (apply only when tx.executing_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -161,17 +183,16 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 # Detecting possibe base64 text to match encoded magic bytes \xac\xed\x00\x05 with padding encoded in base64 strings are rO0ABQ KztAAU Cs7QAF
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
@@ -186,17 +207,16 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx (?:clonetransformer|forclosure|instantiatefactory|instantiatetransformer|invokertransformer|prototypeclonefactory|prototypeserializationfactory|whileclosure|getproperty|filewriter|xmldecoder)" \
@@ -211,47 +231,48 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
+# This rule is also triggered by the following exploit(s):
+# [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
+#
 SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
     "@rx java\b.+(?:runtime|processbuilder)" \
     "id:944250,\
     phase:2,\
     block,\
+    t:lowercase,\
     log,\
     msg:'Remote Command Execution: Suspicious Java method detected',\
     logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
-    t:lowercase,\
     tag:'application-multi',\
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/2',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:1,id:944015,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "phase:2,id:944016,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 3 =- (apply only when tx.executing_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -275,21 +296,20 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-rce',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
     tag:'paranoia-level/3',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RCE-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:1,id:944017,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "phase:2,id:944018,nolog,pass,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 4 =- (apply only when tx.executing_paranoia_level is sufficiently high: 4 or higher)
 #

confs/owasp-crs/REQUEST-949-BLOCKING-EVALUATION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -71,8 +71,7 @@ SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
     severity:'CRITICAL',\
     chain"
     SecRule TX:DO_REPUT_BLOCK "@eq 1" \
-        "setvar:'tx.inbound_tx_msg=%{tx.msg}',\
-        setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
+        "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
 
 #
 # -=[ Anomaly Mode: Overall Transaction Anomaly Score ]=-
@@ -89,7 +88,6 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
     tag:'platform-multi',\
     tag:'attack-generic',\
     severity:'CRITICAL',\
-    setvar:'tx.inbound_tx_msg=%{tx.msg}',\
     setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
 
 

confs/owasp-crs/RESPONSE-950-DATA-LEAKAGES.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -39,18 +39,51 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/INFO-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
+#
+# -=[ CGI Source Code Leakage ]=-
+#
+# A CGI script begins normally with #! and the interpreter,
+# for example:
+#
+# #!/usr/bin/perl
+# #!/usr/bin/python
+# #!/usr/bin/ruby
+#
+# If the CGI script processors or MIME type handlers are misconfigured,
+# the script's source code could be erroneously returned to the client.
+SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
+    "id:950140,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'CGI source code leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_CGI',\
+    tag:'WASCTC/WASC-13',\
+    tag:'OWASP_TOP_10/A6',\
+    tag:'PCI/6.5.6',\
+    ctl:auditLogParts=+E,\
+    ver:'OWASP_CRS/3.2.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
@@ -79,12 +112,10 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
     tag:'PCI/6.5.6',\
     tag:'paranoia-level/2',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 
 
 

confs/owasp-crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -29,13 +29,13 @@ SecRule RESPONSE_BODY "@pmFromFile sql-errors.data" \
     "id:951100,\
     phase:4,\
     pass,\
-    nolog,\
     t:none,\
+    nolog,\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     setvar:'tx.sql_error_match=1'"
 
 SecRule TX:sql_error_match "@eq 1" \
@@ -50,19 +50,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-msaccess',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951120,\
@@ -76,19 +75,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-oracle',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:ORA-[0-9][0-9][0-9][0-9]|java\.sql\.SQLException|Oracle error|Oracle.*Driver|Warning.*oci_.*|Warning.*ora_.*)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951130,\
@@ -102,19 +100,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-db2',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951140,\
@@ -128,19 +125,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-emc',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951150,\
@@ -154,19 +150,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-firebird',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:sql_error_match "@eq 1" \
@@ -181,19 +176,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-frontbase',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951170,\
@@ -207,19 +201,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-hsqldb',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951180,\
@@ -233,19 +226,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-informix',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:sql_error_match "@eq 1" \
@@ -260,19 +252,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-ingres',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:sql_error_match "@eq 1" \
@@ -287,19 +278,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-interbase',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951210,\
@@ -313,19 +303,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-maxdb',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951220,\
@@ -339,19 +328,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-mssql',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[\-\_\ ]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951230,\
@@ -365,19 +353,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-mysql',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951240,\
@@ -391,19 +378,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-pgsql',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
-    SecRule RESPONSE_BODY "@rx (?i)(?:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::([a-zA-Z]*)Error|Supplied argument is not a valid PostgreSQL (?:.*?) resource|Unable to connect to PostgreSQL server)" \
+    SecRule RESPONSE_BODY "@rx (?i:PostgreSQL query failed:|pg_query\(\) \[:|pg_exec\(\) \[:|PostgreSQL.*ERROR|Warning.*pg_.*|valid PostgreSQL result|Npgsql\.|PG::[a-zA-Z]*Error|Supplied argument is not a valid PostgreSQL .*? resource|Unable to connect to PostgreSQL server)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951250,\
@@ -417,19 +403,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-sqlite',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:sql_error_match "@eq 1" \
     "id:951260,\
@@ -443,19 +428,18 @@ SecRule TX:sql_error_match "@eq 1" \
     tag:'language-multi',\
     tag:'platform-sybase',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_SQL',\
     tag:'CWE-209',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     chain"
     SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.*sybase.*|Sybase.*Server message.*)" \
         "capture,\
-        setvar:'tx.msg=%{rule.msg}',\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
         setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 

confs/owasp-crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -34,17 +34,16 @@ SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_JAVA',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 #
 # -=[ Java Errors ]=-
@@ -63,17 +62,16 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
     tag:'language-java',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_JAVA',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 

confs/owasp-crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -22,7 +22,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,skipAf
 #
 # -=[ PHP Error Message Leakage ]=-
 #
-SecRule RESPONSE_BODY "@pmf php-errors.data" \
+SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
     "id:953100,\
     phase:4,\
     block,\
@@ -34,17 +34,16 @@ SecRule RESPONSE_BODY "@pmf php-errors.data" \
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_PHP',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 #
 # -=[ PHP source code leakage ]=-
@@ -63,17 +62,16 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 # Detect the presence of the PHP open tag "<?" or "<?php" in output.
 #
@@ -82,6 +80,8 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
 # some common binary file format headers, such as gzip (\x1f\x8b\x08),
 # png (IHDR), mp3 (ID3), movie formats et cetera.
 #
+# Not supported by re2 (?!re).
+#
 SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
     "id:953120,\
     phase:4,\
@@ -94,21 +94,20 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
     chain"
-    SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
-        "t:none,\
-        capture,\
-        setvar:'tx.msg=%{rule.msg}',\
+    SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF(?:F|2))" \
+        "capture,\
+        t:none,\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/SOURCE_CODE-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"

confs/owasp-crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -34,9 +34,8 @@ SecRule RESPONSE_BODY "@rx [a-z]:\\\\inetpub\b" \
     tag:'platform-windows',\
     tag:'attack-disclosure',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -57,12 +56,10 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:<\/font
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-AVAILABILITY/APP_NOT_AVAIL-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 #
 # IIS Errors leakage
@@ -80,17 +77,16 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:A(?:DODB\.Command\b.{0,100}?\b(?:Application
     tag:'platform-iis',\
     tag:'platform-windows',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
-    setvar:'tx.msg=%{rule.msg}',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-    setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+    setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 SecRule RESPONSE_STATUS "!@rx ^404$" \
@@ -106,21 +102,20 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
     tag:'platform-iis',\
     tag:'platform-windows',\
     tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
     tag:'OWASP_CRS/LEAKAGE/ERRORS_IIS',\
     tag:'WASCTC/WASC-13',\
     tag:'OWASP_TOP_10/A6',\
     tag:'PCI/6.5.6',\
     ctl:auditLogParts=+E,\
-    ver:'OWASP_CRS/3.1.1',\
+    ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
     chain"
     SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
-        "t:none,\
-        capture,\
-        setvar:'tx.msg=%{rule.msg}',\
+        "capture,\
+        t:none,\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-        setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}',\
-        setvar:'tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{MATCHED_VAR_NAME}=%{tx.0}'"
+        setvar:'tx.anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 

confs/owasp-crs/RESPONSE-959-BLOCKING-EVALUATION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -60,13 +60,19 @@ SecRule TX:PARANOIA_LEVEL "@ge 4" \
 
 # Alert and Block on High Anomaly Scores - this would block outbound data leakages
 #
+# Note: This rule also sets the 'tx.anomaly_score' variable.
+# That variable name was formerly used in CRS, but not any longer.
+# However, Jwall AuditConsole depends on this exact variable name.
+# Without setting it, the 'Outbound Score' in the AuditConsole GUI would always be 0.
+
 SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
     "id:959100,\
     phase:4,\
     deny,\
     t:none,\
     msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
-    tag:'anomaly-evaluation'"
+    tag:'anomaly-evaluation',\
+    setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
 
 
 

confs/owasp-crs/RESPONSE-980-CORRELATION.conf

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
@@ -27,7 +27,7 @@ SecRule &TX:'/LEAKAGE\\\/ERRORS/' "@ge 1" \
     pass,\
     t:none,\
     log,\
-    msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} - Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
+    msg:'Correlated Successful Attack Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Data Leakage (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
     tag:'event-correlation',\
     severity:'EMERGENCY',\
     chain,\
@@ -43,9 +43,9 @@ SecRule &TX:'/AVAILABILITY\\\/APP_NOT_AVAIL/' "@ge 1" \
     pass,\
     t:none,\
     log,\
-    msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (%{tx.inbound_tx_msg} Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (%{tx.msg} - Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
-    severity:'ALERT',\
+    msg:'Correlated Attack Attempt Identified: (Total Score: %{tx.anomaly_score}) Inbound Attack (Inbound Anomaly Score: %{TX.INBOUND_ANOMALY_SCORE}) + Outbound Application Error (Outbound Anomaly Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
     tag:'event-correlation',\
+    severity:'ALERT',\
     chain,\
     skipAfter:END-CORRELATION"
     SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none"
@@ -70,7 +70,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_threshold}" \
     t:none,\
     log,\
     noauditlog,\
-    msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
+    msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
     tag:'event-correlation',\
     chain"
     SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"
@@ -82,7 +82,7 @@ SecRule TX:INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
     t:none,\
     log,\
     noauditlog,\
-    msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): %{tx.inbound_tx_msg}; individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
+    msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',\
     tag:'event-correlation'"
 
 SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
@@ -92,7 +92,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
     t:none,\
     log,\
     noauditlog,\
-    msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
+    msg:'Outbound Anomaly Score Exceeded (score %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
     tag:'event-correlation'"
 
 # Creating a total sum of all triggered outbound rules, including the ones only being monitored
@@ -115,7 +115,7 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@lt %{tx.outbound_anomaly_score_threshold}" \
     t:none,\
     log,\
     noauditlog,\
-    msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): %{tx.msg}; individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
+    msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',\
     tag:'event-correlation',\
     chain"
     SecRule TX:MONITOR_ANOMALY_SCORE "@gt 1"

confs/owasp-crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example

@@ -1,5 +1,5 @@
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.1
+# OWASP ModSecurity Core Rule Set ver.3.2.0
 # Copyright (c) 2006-2019 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under

confs/owasp-crs/crawlers-user-agents.data

@@ -1,5 +1,7 @@
 # Search engine crawlers and other bots
-
+# crawler
+# https://80legs.com/
+80legs
 # site ripper
 # http://www.softbytelabs.com/en/BlackWidow/
 black widow
@@ -32,3 +34,5 @@ MJ12bot
 Owlin bot
 # misbehaving spider
 Lingewoud-550-Spyder
+# https://www.wappalyzer.com/
+Wappalyzer

confs/owasp-crs/java-classes.data

@@ -8,6 +8,8 @@ java.io.CharArrayReader
 java.io.DataInputStream
 java.io.File
 java.io.FileOutputStream
+java.io.FilePermission
+java.io.FileWriter
 java.io.FilterInputStream
 java.io.FilterOutputStream
 java.io.FilterReader
@@ -35,4 +37,7 @@ java.lang.StringBuilder
 java.lang.System
 javax.script.ScriptEngineManager
 org.apache.commons
+org.apache.struts
+org.apache.struts2
 org.omg.CORBA
+java.beans.XMLDecode

confs/owasp-crs/php-errors.data

@@ -1,4 +1,3 @@
-<b>Warning</b>:
 No row with the given identifier
 open_basedir restriction in effect
 eval()'d code</b> on line <b>

confs/owasp-crs/php-function-names-933150.data

@@ -10,6 +10,11 @@ convert_uudecode
 file_get_contents
 file_put_contents
 fsockopen
+get_class_methods
+get_class_vars
+get_defined_constants
+get_defined_functions
+get_defined_vars
 gzdecode
 gzinflate
 gzuncompress

confs/owasp-crs/php-function-names-933151.data

@@ -218,14 +218,9 @@ gd_info
 get_browser
 get_called_class
 get_class
-get_class_methods
-get_class_vars
 get_declared_classes
 get_declared_interfaces
 get_declared_traits
-get_defined_constants
-get_defined_functions
-get_defined_vars
 get_extension_funcs
 get_headers
 get_html_translation_table

confs/owasp-crs/restricted-files.data

@@ -3,7 +3,7 @@
 .htaccess
 .htdigest
 .htpasswd
-# dotfiles (keep in sync with lfi-os-files.data)
+# home level dotfiles (keep in sync with lfi-os-files.data)
 .aptitude/config
 .bash_config
 .bash_history
@@ -107,10 +107,39 @@ wp-config.txt
 /packages.json
 # dotenv
 /.env
-/.env
 # OSX
 /.DS_Store
 # WS FTP
 /.ws_ftp.ini
 # common, old network config file
 .netrc
+# New Top Level dotfiles
+.thunderbird/
+.vmware/
+.kube/
+.java/
+.anydesk/
+.docker/
+.npm/
+.nvm/
+.minikube/
+.atom/
+.aws/config
+.aws/credentials
+.cups/
+.dbus/
+.boto
+.gem/
+.gnonme/
+.gsutil/
+# New Per-Project Files
+.idea
+nbproject/
+bower.json
+.bowerrc
+.eslintrc
+.jshintrc
+.gitlab-ci.yml
+.travis.yml
+database.yml
+Dockerfile

confs/owasp-crs/scanners-user-agents.data

@@ -61,6 +61,9 @@ floodgate
 # "F-Secure Radar is a turnkey vulnerability scanning and management platform."
 F-Secure Radar
 get-minimal
+# Scanner that looks for existing or hidden web objects
+# https://github.com/OJ/gobuster
+gobuster
 # vuln scanner
 gootkit auto-rooter scanner
 grabber
@@ -77,6 +80,8 @@ internet ninja
 jaascois
 # vuln scanner
 zmeu
+# "Mozilla/5.0 Jorgee", vuln scanner
+Jorgee
 # port scanner
 # https://github.com/robertdavidgraham/masscan
 masscan
@@ -137,6 +142,8 @@ sqlmap
 # sql injection
 # http://sqlninja.sourceforge.net/
 sqlninja
+# https://www.cyber.nj.gov/threat-profiles/trojan-variants/sysscan
+sysscan
 # password cracker
 # http://foofus.net/goons/jmk/medusa/medusa.html
 teh forest lobster
@@ -193,3 +200,6 @@ struts-pwn
 # Detectify website vulnerability scanner
 # https://detectify.com/
 Detectify
+# ZGrab scanner (Mozilla/5.0 zgrab/0.x)
+# https://zmap.io
+zgrab

confs/owasp-crs/sql-function-names.data

@@ -1,236 +0,0 @@
-abs
-acos
-adddate
-addtime
-aes_decrypt
-aes_encrypt
-ascii
-asciistr
-asin
-atan
-atan2
-avg
-benchmark
-bin
-bin_to_num
-bit_and
-bit_count
-bit_length
-bit_or
-bit_xor
-cast
-ciel
-cieling
-char_length
-char
-character_length
-charset
-chr
-coalesce
-coercibility
-collation
-compress
-concat_ws
-concat
-connection_id
-conv
-convert_tz
-convert
-cos
-cot
-count
-dcount
-cr32
-curdate
-current_date
-current_time
-current_timestamp
-current_user
-curtime
-database
-date
-date_add
-date_format
-date_sub
-datediff
-day
-dayname
-dayofmonth
-dayofweek
-dayofyear
-decode
-default
-degrees
-des_decrypt
-des_encrypt
-dump
-elt
-encode
-encrypt
-exp
-export_set
-extract
-extractvalue
-field
-field_in_set
-find_in_set
-floor
-format
-found_rows
-from_base64
-from_days
-from_unixtime
-get_format
-get_lock
-greatest
-group_concat
-hex
-hextoraw
-rawtohex
-hour
-if
-ifnull
-in
-inet6_aton
-inet6_ntoa
-inet_aton
-inet_ntoa
-insert
-instr
-interval
-isnull
-is_free_lock
-is_ipv4_compat
-is_ipv4_mapped
-is_ipv4
-is_ipv6
-is_not_null
-is_not
-is_null
-is_used_lock
-last
-last_day
-last_inser_id
-lcase
-least
-left
-length
-ln
-load_file
-local
-localtimestamp
-locate
-log
-log2
-log10
-lower
-lpad
-ltrim
-make_set
-makedate
-master_pos_wait
-max
-md5
-microsecond
-mid
-min
-minute
-mod
-month
-monthname
-name_const
-not_in
-now
-nullif
-oct
-octet_length
-old_password
-ord
-password
-period_add
-period_diff
-pi
-position
-pow
-power
-procedure_analyse
-quarter
-quote
-radians
-rand
-release_lock
-repeat
-replace
-reverse
-right
-round
-row_count
-rpad
-rtrim
-schema
-sec_to_time
-second
-session_user
-sha
-sha1
-sha2
-sign
-sin
-pg_sleep
-sleep
-soundex
-space
-sqrt
-std
-stddev_pop
-stddev_samp
-str_to_date
-strcmp
-subdate
-substring
-substring_index
-substr
-subtime
-sum
-sysdate
-system_user
-tan
-time
-timestamp
-timestampadd
-timestampdiff
-timediff
-time_format
-time_to_sec
-to_base64
-todays
-toseconds
-tochar
-tonchar
-trim
-truncate
-ucase
-uncompress
-uncompressed_length
-unhex
-unix_timestamp
-updatexml
-upper
-user
-utc_date
-utc_time
-utc_timestamp
-uuid
-uuid_short
-values
-var_pop
-var_samp
-variance
-version
-week
-weekday
-weekofyear
-weight_string
-year
-yearweek
-xmltype

confs/owasp-crs/unix-shell.data

@@ -1,3 +1,21 @@
+${CDPATH}
+${DIRSTACK}
+${HOME}
+${HOSTNAME}
+${IFS}
+${OLDPWD}
+${OSTYPE}
+${PATH}
+${PWD}
+$CDPATH
+$DIRSTACK
+$HOME
+$HOSTNAME
+$IFS
+$OLDPWD
+$OSTYPE
+$PATH
+$PWD
 bin/bash
 bin/cat
 bin/csh
@@ -7,6 +25,7 @@ bin/echo
 bin/grep
 bin/less
 bin/ls
+bin/mknod
 bin/more
 bin/nc
 bin/ps
@@ -32,6 +51,9 @@ etc/shadow
 etc/shells
 etc/spwd.db
 proc/self/
+usr/bin/awk
+usr/bin/base64
+usr/bin/cat
 usr/bin/cc
 usr/bin/clang
 usr/bin/clang++
@@ -42,31 +64,46 @@ usr/bin/fetch
 usr/bin/file
 usr/bin/find
 usr/bin/ftp
+usr/bin/gawk
 usr/bin/gcc
 usr/bin/head
+usr/bin/hexdump
 usr/bin/id
 usr/bin/less
+usr/bin/ln
+usr/bin/mkfifo
 usr/bin/more
 usr/bin/nc
+usr/bin/ncat
 usr/bin/nice
 usr/bin/nmap
 usr/bin/perl
 usr/bin/php
 usr/bin/php5
 usr/bin/php7
+usr/bin/php-cgi
+usr/bin/printf
+usr/bin/psed
 usr/bin/python
 usr/bin/python2
 usr/bin/python3
 usr/bin/ruby
+usr/bin/sed
+usr/bin/socat
 usr/bin/tail
+usr/bin/tee
+usr/bin/telnet
 usr/bin/top
 usr/bin/uname
 usr/bin/wget
 usr/bin/who
 usr/bin/whoami
 usr/bin/xargs
+usr/bin/xxd
+usr/bin/yes
 usr/local/bin/bash
 usr/local/bin/curl
+usr/local/bin/ncat
 usr/local/bin/nmap
 usr/local/bin/perl
 usr/local/bin/php

confs/server.conf

@@ -22,5 +22,5 @@ server {
 	%BLOCK_TOR_EXIT_NODE%
 	%COOKIE_FLAGS%
 	%ERRORS%
-	include /confs/*.conf;
+	include /server-confs/*.conf;
 }

entrypoint.sh

@@ -55,8 +55,9 @@ PHP_ALLOW_URL_FOPEN="${PHP_ALLOW_URL_FOPEN-no}"
 PHP_ALLOW_URL_INCLUDE="${PHP_ALLOW_URL_INCLUDE-no}"
 PHP_FILE_UPLOADS="${PHP_FILE_UPLOADS-yes}"
 PHP_UPLOAD_MAX_FILESIZE="${PHP_UPLOAD_MAX_FILESIZE-10M}"
-PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
+PHP_DISABLE_FUNCTIONS="${PHP_DISABLE_FUNCTIONS-system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
+USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-default-src 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts; reflected-xss block; base-uri 'self'; referrer no-referrer}"
 COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly}"
 SERVE_FILES="${SERVE_FILES-yes}"
@@ -224,6 +225,24 @@ fi
 
 if [ "$USE_MODSECURITY" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" "include /etc/nginx/modsecurity.conf;"
+	if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" "include /modsec-confs/*.conf"
+	else
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_RULES%" ""
+	fi
+	if [ "$USE_MODSECURITY_CRS" = "yes" ] ; then
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" "include /etc/nginx/owasp-crs.conf"
+		if ls /modsec-crs-confs/*.conf > /dev/null 2>&1 ; then
+			replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" "include /modsec-crs-confs/*.conf"
+		else
+			replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
+		fi
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" "include /etc/nginx/owasp-crs/*.conf"
+	else
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS%" ""
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CUSTOM_CRS%" ""
+		replace_in_file "/etc/nginx/modsecurity-rules.conf" "%MODSECURITY_INCLUDE_CRS_RULES%" ""
+	fi
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_MODSECURITY%" ""
 fi