SpiderLabs Blog

Announcing Release of OWASP ModSecurity Core Rule Set v2.2.0

--------------------------

The ModSecurity Development Team is pleased to announce the release of the OWASP ModSecurity Core Rule Set v2.2.0. There are many significant improvements, listed below from the CHANGES file.

--------------------------

Version 2.2.0 - 05/26/2011

--------------------------

Improvements:

- Changed Licensing from GPLv2 to Apache Software License v2 (ASLv2)

http://www.apache.org/licenses/LICENSE-2.0.txt

- Created new INSTALL file outlining quick config setup

- Added a new rule regression testing framework to the /util directory

- Added new activated_rules directory which will allow users to place symlinks pointing to files they want to run. This allows for easier Apache Include wild-carding

- Adding in new RULE_MATURITY and RULE_ACCURACY tags

- Adding in a check for X-Forwarded-For source IP when creating IP collection

- Added new Application Defect checks (55 app defect file) from Watcher tool (Check Charset)

http://websecuritytool.codeplex.com/wikipage?title=Checks#charset

- Added new AppSensor rules to experimental_dir

https://www.owasp.org/index.php/AppSensor_DetectionPoints

- Added new Generic Malicious JS checks in outbound content

- Added experimental IP Forensic rules to gather Client hostname/whois info http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html

- Added support for Mozilla's Content Security Policy (CSP) to the experimental_rules

http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html

- Global collection in the 10 file now uses the Host Request Header as the collection key. This allows for per-site global collections.

- Added new SpiderLabs Research (SLR) rules directory (slr_rules) for known vulnerabilities. This includes both converted web rules from Emerging Threats (ET) and from SLR Team.

- Added new SLR rule packs for known application vulns for WordPress, Joomla and phpBB

- Added experimental rules for detecting Open Proxy Abuse

http://blog.spiderlabs.com/2011/03/detecting-malice-with-modsecurity-open-proxy-abuse.html

- Added experimental Passive Vulnerability Scanning ruleset using OSVDB and Lua API

http://blog.spiderlabs.com/2011/02/modsecurity-advanced-topic-of-the-week-passive-vulnerability-scanning-part-1-osvdb-checks.html

- Added additional URI Request Validation rule to the 20 protocol violations file (Rule ID - 981227)

- Added new SQLi detection rules (959070, 959071 and 959072)

- Added "Toata dragostea mea pentru diavola" to the malicious User-Agent data

https://www.modsecurity.org/tracker/browse/CORERULES-64
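
The activated_rules item above works by symlinking only the rule files you want into one directory and pointing a single wildcard Include at it. The script below is an added example, not part of the CRS distribution or the original post: the helper names, the rule file names and the Include path are assumptions, and it also reports links left dangling after an upgrade.

```shell
#!/bin/sh
# Added example. Rule file names below are constructed; slr_rules and
# experimental_rules are the directory names used in the announcement.
# Apache then needs a single line (path is an assumption):
#   Include /path/to/crs/activated_rules/*.conf

# activate_rules CRS_DIR REL_PATH...
# Symlink each rule file into CRS_DIR/activated_rules. Prints the number of
# links made; returns 1 if any argument was skipped.
activate_rules() {
    crs_dir=$1; shift
    mkdir -p "$crs_dir/activated_rules" || return 2
    linked=0; skipped=0
    for rel in "$@"; do
        case $rel in
            /*|*..*) skipped=$((skipped + 1)); continue ;;  # must stay inside CRS_DIR
            *.conf)  ;;                                     # only what the wildcard loads
            *)       skipped=$((skipped + 1)); continue ;;
        esac
        if [ ! -f "$crs_dir/$rel" ]; then skipped=$((skipped + 1)); continue; fi
        ln -sf "../$rel" "$crs_dir/activated_rules/$(basename "$rel")" &&
            linked=$((linked + 1))
    done
    echo "$linked"
    [ "$skipped" -eq 0 ]
}

# dangling_links CRS_DIR
# Print activated links whose target is gone, e.g. after an upgrade renamed it.
dangling_links() {
    for link in "$1"/activated_rules/*.conf; do
        [ -L "$link" ] && [ ! -e "$link" ] && basename "$link"
    done
    return 0
}

demo() {
    crs=$(mktemp -d) || return 1
    mkdir -p "$crs/slr_rules" "$crs/experimental_rules"
    : > "$crs/slr_rules/example_app.conf"
    : > "$crs/experimental_rules/example_csp.conf"
    activate_rules "$crs" slr_rules/example_app.conf \
        experimental_rules/example_csp.conf ../outside.conf README ||
        echo "some arguments were skipped"
    rm "$crs/experimental_rules/example_csp.conf"   # simulate an upgrade
    dangling_links "$crs"
    rm -rf "$crs"
}
demo
```

Two rule files with the same base name in different directories map to the same link, so the later argument wins.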

Bug Fixes:

- Assigned IDs to all active SecRules/SecActions

- Removed rule inversion (!) from rule ID 960902

- Fixed false negative issue in Response Splitting Rule

- Fixed false negative issue with @validateByteRange check

- Updated the TARGETS listing for rule ID 950908

- Updated TX data for REQBODY processing

- Changed the pass action to block in the RFI rules in the 40 generic file

- Updated RFI regex to catch IP address usage in hostname

https://www.modsecurity.org/tracker/browse/CORERULES-68

- Changed REQUEST_URI_RAW variable to REQUEST_LINE in SLR rules to allow matches on request methods.

- Updated the RFI rules in the 40 generic attacks conf file to remove explicit logging actions. They will now inherit the settings from the SecDefaultAction

--------------------------

DOWNLOADING

--------------------------

Manual Downloading:

You can always download the latest CRS version here -

https://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/

Automated Downloading:

Use the rules-updater.pl script in the CRS /util directory

# Get a list of what the repository contains:

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -l

Repository: http://www.modsecurity.org/autoupdate/repository

modsecurity-crs {

2.0.0: modsecurity-crs_2.0.0.zip

2.0.1: modsecurity-crs_2.0.1.zip

2.0.2: modsecurity-crs_2.0.2.zip

2.0.3: modsecurity-crs_2.0.3.zip

2.0.4: modsecurity-crs_2.0.4.zip

2.0.5: modsecurity-crs_2.0.5.zip

2.0.6: modsecurity-crs_2.0.6.zip

2.0.7: modsecurity-crs_2.0.7.zip

2.0.8: modsecurity-crs_2.0.8.zip

2.0.9: modsecurity-crs_2.0.9.zip

2.0.9: modsecurity-crs_2.0.10.zip

2.1.0: modsecurity-crs_2.1.0.zip

2.1.1: modsecurity-crs_2.1.1.zip

2.1.2: modsecurity-crs_2.1.2.zip

2.2.0: modsecurity-crs_2.2.0.zip

}

# Get the latest stable version of "modsecurity-crs":

$ ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs

Fetching: modsecurity-crs/modsecurity-crs_2.2.0.zip ...

$ ls -R rules

modsecurity-crs

rules/modsecurity-crs:

modsecurity-crs_2.2.0.zip modsecurity-crs_2.2.0.zip.sig

--

Ryan Barnett

OWASP ModSecurity CRS Project Leader