Merge remote-tracking branch 'upstream/v3.1/dev' into v3.1/dev-contributing

Author: fzipi

.travis.yml

@@ -9,3 +9,4 @@ branches:
   only:
   - v3.0/dev
   - v3.0/master
+  - v3.1/dev

rules/REQUEST-901-INITIALIZATION.conf

@@ -232,7 +232,7 @@ SecAction \
 # have already been initiated.
 #
 
-SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
+SecRule REQUEST_HEADERS:User-Agent "@rx ^(.*)$" \
     "id:901318, \
     phase:1, \
     t:none,t:sha1,t:hexEncode, \

rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

@@ -264,7 +264,7 @@ SecRule REQUEST_METHOD "@streq POST" \
     chain"
     SecRule REQUEST_FILENAME "@rx /admin/content/assets/add/[a-z]+$" \
         "chain"
-        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "^[a-zA-Z0-9_-]+" \
+        SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
             "ctl:requestBodyAccess=Off"
 
 SecRule REQUEST_METHOD "@streq POST" \
@@ -299,7 +299,7 @@ SecRule REQUEST_METHOD "@streq POST" \
             "chain"
             SecRule REQUEST_HEADERS:Content-Type "@streq multipart/form-data" \
                 "chain"
-                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "^@rx [a-zA-Z0-9_-]+" \
+                SecRule REQUEST_COOKIES:/S?SESS[a-f0-9]+/ "@rx ^[a-zA-Z0-9_-]+" \
                     "ctl:requestBodyAccess=Off"
 
 

rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

@@ -410,7 +410,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
     nolog,\
     pass,\
     chain"
-    SecRule ARGS:action "^(save-widget|update-widget)$" \
+    SecRule ARGS:action "@rx ^(save-widget|update-widget)$" \
         "t:none,\
         chain"
         SecRule &ARGS:action "@eq 1" \

rules/REQUEST-905-COMMON-EXCEPTIONS.conf

@@ -32,7 +32,7 @@ SecRule REQUEST_LINE "@streq GET /" \
 #
 # Exception for Apache internal dummy connection
 #
-SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
+SecRule REQUEST_LINE "@rx ^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
     "phase:1,\
     id:905110,\
     t:none,\
@@ -46,7 +46,7 @@ SecRule REQUEST_LINE "^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
     SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
         "t:none,\
         chain"
-        SecRule REQUEST_HEADERS:User-Agent "^.*\(internal dummy connection\)$" \
+        SecRule REQUEST_HEADERS:User-Agent "@rx ^.*\(internal dummy connection\)$" \
             "t:none,\
             ctl:ruleEngine=Off,\
             ctl:auditEngine=Off"

rules/REQUEST-910-IP-REPUTATION.conf

@@ -57,7 +57,7 @@ SecRule TX:DO_REPUT_BLOCK "@eq 1" \
 #
 # This rule does a GeoIP resolution on the client IP address.
 #
-SecRule TX:HIGH_RISK_COUNTRY_CODES "!^$" \
+SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
     "msg:'Client IP is from a HIGH Risk Country Location.',\
     severity:'CRITICAL',\
     id:910100,\
@@ -162,7 +162,7 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
     tag:'attack-reputation-ip',\
     chain,\
     setvar:tx.httpbl_msg=%{tx.0}"
-    SecRule TX:httpbl_msg "RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
+    SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
         "t:none,\
         capture,\
         setvar:tx.httpbl_msg=%{tx.1}"
@@ -181,7 +181,7 @@ SecRule TX:block_search_ip "@eq 1" \
     tag:'attack-reputation-ip',\
     chain,\
     skipAfter:END_RBL_CHECK"
-    SecRule TX:httpbl_msg "Search Engine" \
+    SecRule TX:httpbl_msg "@rx Search Engine" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
         setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
@@ -204,7 +204,7 @@ SecRule TX:block_spammer_ip "@eq 1" \
     tag:'attack-reputation-ip',\
     chain,\
     skipAfter:END_RBL_CHECK"
-    SecRule TX:httpbl_msg "(?i)^.*? spammer .*?$" \
+    SecRule TX:httpbl_msg "@rx (?i)^.*? spammer .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
         setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
@@ -227,7 +227,7 @@ SecRule TX:block_suspicious_ip "@eq 1" \
     tag:'attack-reputation-ip',\
     chain,\
     skipAfter:END_RBL_CHECK"
-    SecRule TX:httpbl_msg "(?i)^.*? suspicious .*?$" \
+    SecRule TX:httpbl_msg "@rx (?i)^.*? suspicious .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
         setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
@@ -250,7 +250,7 @@ SecRule TX:block_harvester_ip "@eq 1" \
     tag:'attack-reputation-ip',\
     chain,\
     skipAfter:END_RBL_CHECK"
-    SecRule TX:httpbl_msg "(?i)^.*? harvester .*?$" \
+    SecRule TX:httpbl_msg "@rx (?i)^.*? harvester .*?$" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
         setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\

rules/REQUEST-912-DOS-PROTECTION.conf

@@ -158,7 +158,7 @@ SecRule IP:DOS_BLOCK "@eq 1" \
 #
 # DOS Counter: Count the number of requests to non-static resources
 #
-SecRule REQUEST_BASENAME ".*?(\.[a-z0-9]{1,10})?$" \
+SecRule REQUEST_BASENAME "@rx .*?(\.[a-z0-9]{1,10})?$" \
     "phase:5,\
     id:912150,\
     t:none,\

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -44,7 +44,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:920012,nolog,pass,skipAfter:END-RE
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1
 # http://capec.mitre.org/data/definitions/272.html
 #
-SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
+SecRule REQUEST_LINE "!@rx ^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$" \
     "msg:'Invalid HTTP Request Line',\
     severity:'WARNING',\
     id:920100,\
@@ -95,7 +95,7 @@ SecRule REQUEST_LINE "!^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?
 # https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960000
 # http://www.ietf.org/rfc/rfc2183.txt
 #
-SecRule FILES_NAMES|FILES "(?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" \
+SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" \
     "msg:'Attempted multipart/form-data bypass',\
     severity:'CRITICAL',\
     id:920120,\
@@ -204,7 +204,7 @@ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
 # -=[ References ]=-
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.13
 #
-SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
     "msg:'Content-Length HTTP header is not numeric.',\
     severity:'CRITICAL',\
     id:920160,\
@@ -240,7 +240,7 @@ SecRule REQUEST_HEADERS:Content-Length "!^\d+$" \
 # -=[ References ]=-
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.3
 #
-SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
+SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     "msg:'GET or HEAD Request with Body Content.',\
     severity:'CRITICAL',\
     id:920170,\
@@ -257,7 +257,7 @@ SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'CAPEC-272',\
     chain"
-    SecRule REQUEST_HEADERS:Content-Length "!^0?$" \
+    SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
         "t:none,\
         setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
@@ -274,7 +274,7 @@ SecRule REQUEST_METHOD "^(?:GET|HEAD)$" \
 # -=[ References ]=-
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
 #
-SecRule REQUEST_METHOD "^POST$" \
+SecRule REQUEST_METHOD "@rx ^POST$" \
     "msg:'POST request missing Content-Length Header.',\
     severity:'WARNING',\
     id:920180,\
@@ -320,7 +320,7 @@ SecRule REQUEST_METHOD "^POST$" \
 # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
 # http://seclists.org/fulldisclosure/2011/Aug/175
 #
-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," \
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)\-(\d+)\," \
     "capture,\
     phase:2,\
     rev:'2',\
@@ -354,7 +354,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "(\d+)\-(\d+)\," \
 # -=[ References ]=-
 # http://www.bad-behavior.ioerror.us/documentation/how-it-works/
 #
-SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b" \
+SecRule REQUEST_HEADERS:Connection "@rx \b(keep-alive|close),\s?(keep-alive|close)\b" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\
@@ -384,7 +384,7 @@ SecRule REQUEST_HEADERS:Connection "\b(keep-alive|close),\s?(keep-alive|close)\b
 # -=[ References ]=-
 # http://www.ietf.org/rfc/rfc1738.txt
 #
-SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+SecRule REQUEST_URI "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\
@@ -404,7 +404,7 @@ SecRule REQUEST_URI "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
         setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
 
-SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+SecRule REQUEST_HEADERS:Content-Type "@rx ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\
@@ -419,7 +419,8 @@ SecRule REQUEST_HEADERS:Content-Type "^(application\/x-www-form-urlencoded|text\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/EVASION',\
     severity:'WARNING',\
     chain"
-    SecRule REQUEST_BODY|XML:/* "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" "chain"
+    SecRule REQUEST_BODY|XML:/* "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+        "chain"
         SecRule REQUEST_BODY|XML:/* "@validateUrlEncoding" \
            "setvar:'tx.msg=%{rule.msg}',\
            setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
@@ -473,7 +474,7 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
 # https://www.checkpoint.com/defense/advisories/public/2007/cpai-2007-201.html
 # https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/719
 #
-SecRule REQUEST_URI|REQUEST_BODY "\%u[fF]{2}[0-9a-fA-F]{2}" \
+SecRule REQUEST_URI|REQUEST_BODY "@rx \%u[fF]{2}[0-9a-fA-F]{2}" \
     "msg:'Unicode Full/Half Width Abuse Attack Attempt',\
     id:920260,\
     severity:'WARNING',\
@@ -582,7 +583,7 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
     skipAfter:END_HOST_CHECK"
 
 
-SecRule REQUEST_HEADERS:Host "^$" \
+SecRule REQUEST_HEADERS:Host "@rx ^$" \
     "msg:'Empty Host Header',\
     severity:'WARNING',\
     phase:2,\
@@ -623,7 +624,7 @@ SecMarker END_HOST_CHECK
 # https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/366
 #
 
-SecRule REQUEST_HEADERS:Accept "^$" \
+SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     "msg:'Request Has an Empty Accept Header',\
     chain,\
     phase:2,\
@@ -638,7 +639,7 @@ SecRule REQUEST_HEADERS:Accept "^$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
-    SecRule REQUEST_METHOD "!^OPTIONS$" \
+    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
         "chain"
         SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android Business Enterprise Entreprise" \
            "t:none,\
@@ -649,7 +650,7 @@ SecRule REQUEST_HEADERS:Accept "^$" \
 #
 # This rule is a sibling of rule 920310.
 #
-SecRule REQUEST_HEADERS:Accept "^$" \
+SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     "msg:'Request Has an Empty Accept Header',\
     chain,\
     phase:2,\
@@ -664,7 +665,7 @@ SecRule REQUEST_HEADERS:Accept "^$" \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT'"
-    SecRule REQUEST_METHOD "!^OPTIONS$" \
+    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
         "chain"
         SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
             "t:none,\
@@ -683,7 +684,7 @@ SecRule REQUEST_HEADERS:Accept "^$" \
 # the existence of the User-Agent header.
 #
 
-SecRule REQUEST_HEADERS:User-Agent "^$" \
+SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
     "msg:'Empty User Agent Header',\
     severity:'NOTICE',\
     phase:2,\
@@ -714,7 +715,7 @@ SecRule REQUEST_HEADERS:User-Agent "^$" \
 # -=[ References ]=-
 # http://httpwg.org/specs/rfc7231.html#header.content-type
 
-SecRule REQUEST_HEADERS:Content-Length "!^0$" \
+SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     "msg:'Request Containing Content, but Missing Content-Type header',\
     chain,\
     phase:2,\
@@ -745,7 +746,7 @@ SecRule REQUEST_HEADERS:Content-Length "!^0$" \
 # http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
 #
 
-SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
+SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
     "msg:'Host header is a numeric IP address',\
     phase:2,\
     rev:'2',\
@@ -934,7 +935,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
 #
 # Restrict which content-types we accept.
 #
-SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
+SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
     "phase:2,\
     chain,\
     t:none,\
@@ -954,10 +955,10 @@ SecRule REQUEST_METHOD "!^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
     tag:'OWASP_TOP_10/A1',\
     tag:'OWASP_AppSensor/EE2',\
     tag:'PCI/12.1'"
-    SecRule REQUEST_HEADERS:Content-Type "^([^;\s]+)" \
+    SecRule REQUEST_HEADERS:Content-Type "@rx ^([^;\s]+)" \
         "chain,\
         capture"
-        SecRule TX:0 "!^%{tx.allowed_request_content_type}$" \
+        SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \
             "t:none,\
             ctl:forceRequestBodyVariable=On,\
             setvar:'tx.msg=%{rule.msg}',\
@@ -992,7 +993,7 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
 #
 # Restrict file extension
 #
-SecRule REQUEST_BASENAME "\.(.*)$" \
+SecRule REQUEST_BASENAME "@rx \.(.*)$" \
     "chain,\
     capture,\
     phase:2,\
@@ -1100,7 +1101,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:920014,nolog,pass,skipAfter:END-RE
 # -=[ References ]=-
 # https://httpd.apache.org/security/CVE-2011-3192.txt
 
-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
     "phase:2,\
     capture,\
     rev:'2',\
@@ -1145,13 +1146,13 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'paranoia-level/2',\
     chain"
-    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){63}" \
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=((\d+)?\-(\d+)?\s*,?\s*){63}" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
 
 
-SecRule ARGS "\%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+SecRule ARGS "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     "phase:2,\
     rev:'2',\
     ver:'OWASP_CRS/3.0.0',\
@@ -1196,7 +1197,7 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
     tag:'OWASP_TOP_10/A7',\
     tag:'PCI/6.5.10',\
     tag:'paranoia-level/2'"
-    SecRule REQUEST_METHOD "!^OPTIONS$" \
+    SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
         "chain"
         SecRule REQUEST_HEADERS:User-Agent "!@pm AppleWebKit Android" \
             "t:none,\
@@ -1260,7 +1261,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
 #
 # PL2: This is a stricter sibling of 920120.
 #
-SecRule FILES_NAMES|FILES "['\";=]" \
+SecRule FILES_NAMES|FILES "@rx ['\";=]" \
     "msg:'Attempted multipart/form-data bypass',\
     severity:'CRITICAL',\
     id:920121,\
@@ -1339,7 +1340,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',\
     tag:'paranoia-level/4',\
     chain"
-    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
@@ -1417,7 +1418,7 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
 # negative look-behind construct. If that is the case, the backslash character
 # is allowed.
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "(?<!\Q\\\E)\Q\\\E[cdeghijklmpqwxyz123456789]" \
+SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?<!\Q\\\E)\Q\\\E[cdeghijklmpqwxyz123456789]" \
     "phase:2,\
     id:920460,\
     rev:'1',\