Merge pull request #900 from fgsch/fgsch/update-examples

Update examples to match the current cleanup

Author: dune73

rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

@@ -88,7 +88,11 @@
 #
 # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
 # SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-#     "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off"
+#     "id:1000,\
+#     phase:1,\
+#     pass,\
+#     nolog,\
+#     ctl:ruleEngine=Off"
 #
 #
 # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
@@ -99,7 +103,10 @@
 # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
 #
 # SecRule REQUEST_URI "@beginsWith /index.php" \
-#    "id:1001,phase:1,pass,nolog, \
+#     "id:1001,\
+#     phase:1,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveTargetById=942100;ARGS:password"
 #
 #
@@ -112,7 +119,10 @@
 # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
 #                             for all rules tagged attack-sqli
 # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
-#     "id:1002,phase:request,pass,nolog,\
+#     "id:1002,\
+#     phase:2,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
 #
 
@@ -127,7 +137,10 @@
 # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
 #                             for all CRS rules
 # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
-#     "id:1003,phase:request,pass,nolog,\
+#     "id:1003,\
+#     phase:2,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
 
 #
@@ -139,7 +152,10 @@
 #
 # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
 # SecRule REQUEST_FILENAME "@beginsWith /admin" \
-#     "id:1004,phase:request,pass,nolog,\
+#     "id:1004,\
+#     phase:2,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveById=941000-942999"
 #
 #

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -422,9 +422,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded
     SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
         "chain"
         SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" \
-           "setvar:'tx.msg=%{rule.msg}',\
-           setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
-           setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
+            "setvar:'tx.msg=%{rule.msg}',\
+            setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
+            setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
 
 
 #
@@ -642,10 +642,10 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
         "chain"
         SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
-           "t:none,\
-           setvar:'tx.msg=%{rule.msg}',\
-           setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
-           setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+            "t:none,\
+            setvar:'tx.msg=%{rule.msg}',\
+            setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},\
+            setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
 
 #
 # This rule is a sibling of rule 920310.

rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

@@ -174,7 +174,7 @@ SecRule TX:sql_error_match "@eq 1" \
         setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
 
-	
+
 SecRule TX:sql_error_match "@eq 1" \
     "id:951160,\
     phase:4,\