[Owasp-modsecurity-core-rule-set] New CRS Release - v2.0.5
Ryan Barnett
rcbarnett at gmail.com
Fri Feb 5 16:03:13 EST 2010
--------------------------
Version 2.0.5 - 02/01/2100
--------------------------
Improvements:
- Removed previous 10 config files as they may conflict with local customized Mod configs.
- Added a new 10 config file that allows the user to globally set TX variables to turn on/off
  PARANOID_MODE inspection, set anomaly score levels and http policies.
  Must have ModSecurity 2.5.12 to use the macro expansion in numeric operators.
- Added Rule Logic and Reference links to rules descriptions.
- Added Rule IDs to all rules.
- Added tag data mapping to new OWASP Top 10 and AppSensor Projects, WASC Threat
  Classification
- Removed Apache limit directives from the 23 file
- Added macro expansion to 23 file checks.
- Added @pmFromFile check to 35 bad robots file
- Added malicious UA strings to 35 bad robots check
- Created an experimental rules file
- Updated HTTP Parameter Pollution (HPP) rule logic to concat data into a TX variable for
  inspection
- Removed TX inspections for generic attacks and reverted to standard ARGS inspection
  https://www.modsecurity.org/tracker/browse/MODSEC-120
- Updated the variable list for standard inspections (ARGS|ARGS_NAMES|XML:/*) and moved
  the other variables to the PARANOID list
  (REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|HX:HPP_DATA)
- Moved converted ET Snort rules to the /optional_rules directory
- Created a new Header Tagging ruleset (optional_rules) that will add matched rule data to
  the request headers.
- Updated Inbound blocking conf file to use macro expansion from the 10 config file settings
- Added separate anomaly scores for inbound, outbound and total to be evaluated for
  blocking.
- Updated the regex logic in the (1=1) rule to factor in quotes and other logical
  operators.
- Updated the SPAMMER RBL check rules logic to only check once per IP/Day.
- Added new outbound malware link detection rules.
- Added PHP "call_user_func" to blacklist
  Identified by SOGETI ESEC R&D
Bug Fixes:
- Removed Non-numeric Rule IDs
  https://www.modsecurity.org/tracker/browse/CORERULES-28
- Updated the variable list on SQLi rules.
- Fixed outbound @pmFromFile action from allow to skipAfter to allow for outbound anomaly
  scoring and blocking
--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com