Merge pull request #940 from fgsch/fgsch/rule-cleanup-contd

Tidy up single quotes and other polishing

Author: fzipi

rules/REQUEST-901-INITIALIZATION.conf

@@ -57,7 +57,7 @@ SecRule &TX:crs_setup_version "@eq 0" \
     status:500,\
     auditlog,\
     log,\
-    severity:CRITICAL,\
+    severity:'CRITICAL',\
     msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'"
 
 
@@ -75,76 +75,76 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.inbound_anomaly_score_threshold=5"
+    setvar:'tx.inbound_anomaly_score_threshold=5'"
 
 # Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
 SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
     "id:901110,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.outbound_anomaly_score_threshold=4"
+    setvar:'tx.outbound_anomaly_score_threshold=4'"
 
 # Default Paranoia Level (rule 900000 in setup.conf)
 SecRule &TX:paranoia_level "@eq 0" \
     "id:901120,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.paranoia_level=1"
+    setvar:'tx.paranoia_level=1'"
 
 # Default Sampling Percentage (rule 900400 in setup.conf)
 SecRule &TX:sampling_percentage "@eq 0" \
     "id:901130,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.sampling_percentage=100"
+    setvar:'tx.sampling_percentage=100'"
 
 # Default Anomaly Scores (rule 900100 in setup.conf)
 SecRule &TX:critical_anomaly_score "@eq 0" \
     "id:901140,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.critical_anomaly_score=5"
+    setvar:'tx.critical_anomaly_score=5'"
 
 SecRule &TX:error_anomaly_score "@eq 0" \
     "id:901141,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.error_anomaly_score=4"
+    setvar:'tx.error_anomaly_score=4'"
 
 SecRule &TX:warning_anomaly_score "@eq 0" \
     "id:901142,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.warning_anomaly_score=3"
+    setvar:'tx.warning_anomaly_score=3'"
 
 SecRule &TX:notice_anomaly_score "@eq 0" \
     "id:901143,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.notice_anomaly_score=2"
+    setvar:'tx.notice_anomaly_score=2'"
 
 # Default do_reput_block
 SecRule &TX:do_reput_block "@eq 0" \
     "id:901150,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.do_reput_block=0"
+    setvar:'tx.do_reput_block=0'"
 
 # Default block duration
 SecRule &TX:reput_block_duration "@eq 0" \
     "id:901152,\
     phase:1,\
     pass,\
     nolog,\
-    setvar:tx.reput_block_duration=300"
+    setvar:'tx.reput_block_duration=300'"
 
 # Default HTTP policy: allowed_methods (rule 900200)
 SecRule &TX:allowed_methods "@eq 0" \
@@ -210,18 +210,18 @@ SecAction \
     pass,\
     t:none,\
     nolog,\
-    setvar:tx.anomaly_score=0,\
-    setvar:tx.sql_injection_score=0,\
-    setvar:tx.xss_score=0,\
-    setvar:tx.rfi_score=0,\
-    setvar:tx.lfi_score=0,\
-    setvar:tx.rce_score=0,\
-    setvar:tx.php_injection_score=0,\
-    setvar:tx.http_violation_score=0,\
-    setvar:tx.session_fixation_score=0,\
-    setvar:tx.inbound_anomaly_score=0,\
-    setvar:tx.outbound_anomaly_score=0,\
-    setvar:tx.sql_error_match=0"
+    setvar:'tx.anomaly_score=0',\
+    setvar:'tx.sql_injection_score=0',\
+    setvar:'tx.xss_score=0',\
+    setvar:'tx.rfi_score=0',\
+    setvar:'tx.lfi_score=0',\
+    setvar:'tx.rce_score=0',\
+    setvar:'tx.php_injection_score=0',\
+    setvar:'tx.http_violation_score=0',\
+    setvar:'tx.session_fixation_score=0',\
+    setvar:'tx.inbound_anomaly_score=0',\
+    setvar:'tx.outbound_anomaly_score=0',\
+    setvar:'tx.sql_error_match=0'"
 
 
 #
@@ -233,22 +233,22 @@ SecAction \
 #
 
 SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
-    "id:901318, \
-    phase:1, \
-    pass, \
-    t:none,t:sha1,t:hexEncode, \
-    nolog, \
-    setvar:tx.ua_hash=%{matched_var}"
+    "id:901318,\
+    phase:1,\
+    pass,\
+    t:none,t:sha1,t:hexEncode,\
+    nolog,\
+    setvar:'tx.ua_hash=%{matched_var}'"
 
 SecAction \
-    "id:901321, \
-    phase:1, \
-    pass, \
-    t:none, \
-    nolog, \
-    initcol:global=global, \
-    initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
-    setvar:tx.real_ip=%{remote_addr}"
+    "id:901321,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    initcol:global=global,\
+    initcol:ip=%{remote_addr}_%{tx.ua_hash},\
+    setvar:'tx.real_ip=%{remote_addr}'"
 
 
 #
@@ -290,34 +290,33 @@ SecRule UNIQUE_ID "@rx ^." \
     "id:901410,\
     phase:1,\
     pass,\
-    t:sha1,\
-    t:hexEncode,\
+    t:sha1,t:hexEncode,\
     nolog,\
-    setvar:TX.sampling_rnd100=%{MATCHED_VAR}"
+    setvar:'TX.sampling_rnd100=%{MATCHED_VAR}'"
 
 SecRule DURATION "@rx (..)$" \
     "id:901420,\
     phase:1,\
     pass,\
     capture,\
     nolog,\
-    setvar:TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}"
+    setvar:'TX.sampling_rnd100=%{TX.sampling_rnd100}%{TX.1}'"
 
 SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
     "id:901430,\
     phase:1,\
     pass,\
     capture,\
     nolog,\
-    setvar:TX.sampling_rnd100=%{TX.1}%{TX.2}"
+    setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
 
 SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
     "id:901440,\
     phase:1,\
     pass,\
     capture,\
     nolog,\
-    setvar:TX.sampling_rnd100=%{TX.1}"
+    setvar:'TX.sampling_rnd100=%{TX.1}'"
 
 
 #
@@ -340,7 +339,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
     log,\
     noauditlog,\
     msg:'Sampling: Disable the rule engine based on sampling_percentage \
-%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.', \
+%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.',\
     ctl:ruleEngine=off"
 
 SecMarker "END-SAMPLING"

rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

@@ -255,7 +255,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/config/content/formats/manage/full_ht
 # Extensive checks make sure these uploads are really legitimate.
 #
 SecRule REQUEST_METHOD "@streq POST" \
-    "id:'9001180',\
+    "id:9001180,\
     phase:1,\
     pass,\
     t:none,\
@@ -268,7 +268,7 @@ SecRule REQUEST_METHOD "@streq POST" \
             "ctl:requestBodyAccess=Off"
 
 SecRule REQUEST_METHOD "@streq POST" \
-    "id:'9001182',\
+    "id:9001182,\
     phase:1,\
     pass,\
     t:none,\
@@ -285,7 +285,7 @@ SecRule REQUEST_METHOD "@streq POST" \
                     "ctl:requestBodyAccess=Off"
 
 SecRule REQUEST_METHOD "@streq POST" \
-    "id:'9001184',\
+    "id:9001184,\
     phase:1,\
     pass,\
     t:none,\

rules/REQUEST-910-IP-REPUTATION.conf

@@ -44,8 +44,8 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
     chain,\
     skipAfter:BEGIN_REQUEST_BLOCKING_EVAL"
     SecRule IP:REPUT_BLOCK_FLAG "@eq 1" \
-        "setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-        setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
+        "setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}'"
 
 
 #
@@ -73,11 +73,11 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
         "chain"
         SecRule GEO:COUNTRY_CODE "@within %{tx.high_risk_country_codes}" \
             "setvar:'tx.msg=%{rule.msg}',\
-            setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-            setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
-            setvar:ip.reput_block_flag=1,\
+            setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+            setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+            setvar:'ip.reput_block_flag=1',\
             setvar:'ip.reput_block_reason=%{rule.msg}'\
-            expirevar:ip.reput_block_flag=%{tx.reput_block_duration}"
+            expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
 
 
 #
@@ -100,11 +100,11 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
     tag:'attack-reputation-ip',\
     msg:'Client IP in Trustwave SpiderLabs IP Reputation Blacklist.',\
     setvar:'tx.msg=%{rule.msg}',\
-    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-    setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
-    setvar:ip.reput_block_flag=1,\
+    setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+    setvar:'ip.reput_block_flag=1',\
     setvar:'ip.reput_block_reason=%{rule.msg}',\
-    expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
+    expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
     severity:'CRITICAL'"
 
 
@@ -162,12 +162,12 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
-    setvar:tx.httpbl_msg=%{tx.0},\
+    setvar:'tx.httpbl_msg=%{tx.0}',\
     chain"
     SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
         "capture,\
         t:none,\
-        setvar:tx.httpbl_msg=%{tx.1}"
+        setvar:'tx.httpbl_msg=%{tx.1}'"
 
 # The following regexs are generated based off re_operators.c
 SecRule TX:block_search_ip "@eq 1" \
@@ -185,13 +185,13 @@ SecRule TX:block_search_ip "@eq 1" \
     skipAfter:END_RBL_CHECK"
     SecRule TX:httpbl_msg "@rx Search Engine" \
         "setvar:'tx.msg=%{rule.msg}',\
-        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-        setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
-        setvar:ip.reput_block_flag=1,\
+        setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
-        setvar:ip.previous_rbl_check=1,\
-        expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
-        expirevar:ip.previous_rbl_check=86400"
+        setvar:'ip.previous_rbl_check=1',\
+        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+        expirevar:'ip.previous_rbl_check=86400'"
 
 SecRule TX:block_spammer_ip "@eq 1" \
     "id:910160,\
@@ -208,13 +208,13 @@ SecRule TX:block_spammer_ip "@eq 1" \
     skipAfter:END_RBL_CHECK"
     SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
-        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-        setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
-        setvar:ip.reput_block_flag=1,\
+        setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
-        setvar:ip.previous_rbl_check=1,\
-        expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
-        expirevar:ip.previous_rbl_check=86400"
+        setvar:'ip.previous_rbl_check=1',\
+        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+        expirevar:'ip.previous_rbl_check=86400'"
 
 SecRule TX:block_suspicious_ip "@eq 1" \
     "id:910170,\
@@ -231,13 +231,13 @@ SecRule TX:block_suspicious_ip "@eq 1" \
     skipAfter:END_RBL_CHECK"
     SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
-        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-        setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
-        setvar:ip.reput_block_flag=1,\
+        setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
-        setvar:ip.previous_rbl_check=1,\
-        expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
-        expirevar:ip.previous_rbl_check=86400"
+        setvar:'ip.previous_rbl_check=1',\
+        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+        expirevar:'ip.previous_rbl_check=86400'"
 
 SecRule TX:block_harvester_ip "@eq 1" \
     "id:910180,\
@@ -254,13 +254,13 @@ SecRule TX:block_harvester_ip "@eq 1" \
     skipAfter:END_RBL_CHECK"
     SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
-        setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
-        setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
-        setvar:ip.reput_block_flag=1,\
+        setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}',\
+        setvar:'tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}',\
+        setvar:'ip.reput_block_flag=1',\
         setvar:'ip.reput_block_reason=%{rule.msg}',\
-        setvar:ip.previous_rbl_check=1,\
-        expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
-        expirevar:ip.previous_rbl_check=86400"
+        setvar:'ip.previous_rbl_check=1',\
+        expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}',\
+        expirevar:'ip.previous_rbl_check=86400'"
 
 SecAction \
     "id:910190,\
@@ -272,8 +272,8 @@ SecAction \
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-reputation-ip',\
-    setvar:ip.previous_rbl_check=1,\
-    expirevar:ip.previous_rbl_check=86400"
+    setvar:'ip.previous_rbl_check=1',\
+    expirevar:'ip.previous_rbl_check=86400'"
 
 SecMarker END_RBL_LOOKUP