Merge remote-tracking branch 'upstream/v3.1/dev' into v3.1/dev-contributing

Author: fzipi

.travis.yml

@@ -9,3 +9,4 @@ branches:
   only:
   - v3.0/dev
   - v3.0/master
+  - v3.1/dev

KNOWN_BUGS

@@ -20,7 +20,8 @@ or the CRS mailinglist at
   with an error such as:
     Error parsing actions: Unknown action: \\
     Action 'configtest' failed.
-  This bug is known to plague RHEL 7 and Ubuntu 14.04 LTS users.
+  This bug is known to plague RHEL/Centos 7 below v7.4 or
+  httpd v2.4.6 release 67 and Ubuntu 14.04 LTS users.
   https://bz.apache.org/bugzilla/show_bug.cgi?id=55910
   We advise to upgrade your Apache version. If upgrading is not possible,
   we have provided a script in the util/join-multiline-rules directory

rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

@@ -88,7 +88,11 @@
 #
 # ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
 # SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-#     "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off"
+#     "id:1000,\
+#     phase:1,\
+#     pass,\
+#     nolog,\
+#     ctl:ruleEngine=Off"
 #
 #
 # Example Exclusion Rule: Removing a specific ARGS parameter from inspection
@@ -99,7 +103,10 @@
 # ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
 #
 # SecRule REQUEST_URI "@beginsWith /index.php" \
-#    "id:1001,phase:1,pass,nolog, \
+#     "id:1001,\
+#     phase:1,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveTargetById=942100;ARGS:password"
 #
 #
@@ -112,7 +119,10 @@
 # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
 #                             for all rules tagged attack-sqli
 # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
-#     "id:1002,phase:request,pass,nolog,\
+#     "id:1002,\
+#     phase:2,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
 #
 
@@ -127,7 +137,10 @@
 # ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
 #                             for all CRS rules
 # SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
-#     "id:1003,phase:request,pass,nolog,\
+#     "id:1003,\
+#     phase:2,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
 
 #
@@ -139,7 +152,10 @@
 #
 # ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
 # SecRule REQUEST_FILENAME "@beginsWith /admin" \
-#     "id:1004,phase:request,pass,nolog,\
+#     "id:1004,\
+#     phase:2,\
+#     pass,\
+#     nolog,\
 #     ctl:ruleRemoveById=941000-942999"
 #
 #

rules/REQUEST-901-INITIALIZATION.conf

@@ -53,10 +53,10 @@ SecComponentSignature "OWASP_CRS/3.0.2"
 SecRule &TX:crs_setup_version "@eq 0" \
     "id:901001,\
     phase:1,\
-    auditlog,\
-    log,\
     deny,\
     status:500,\
+    auditlog,\
+    log,\
     severity:CRITICAL,\
     msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'"
 
@@ -207,9 +207,9 @@ SecRule &TX:static_extensions "@eq 0" \
 SecAction \
     "id:901200,\
     phase:1,\
-    nolog,\
     pass,\
     t:none,\
+    nolog,\
     setvar:tx.anomaly_score=0,\
     setvar:tx.sql_injection_score=0,\
     setvar:tx.xss_score=0,\
@@ -232,23 +232,23 @@ SecAction \
 # have already been initiated.
 #
 
-SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
+SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
     "id:901318, \
     phase:1, \
+    pass, \
     t:none,t:sha1,t:hexEncode, \
-    setvar:tx.ua_hash=%{matched_var}, \
     nolog, \
-    pass"
+    setvar:tx.ua_hash=%{matched_var}"
 
 SecAction \
     "id:901321, \
     phase:1, \
+    pass, \
     t:none, \
+    nolog, \
     initcol:global=global, \
     initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
-    setvar:tx.real_ip=%{remote_addr}, \
-    nolog, \
-    pass"
+    setvar:tx.real_ip=%{remote_addr}"
 
 
 #
@@ -290,9 +290,9 @@ SecRule UNIQUE_ID "@rx ^." \
     "id:901410,\
     phase:1,\
     pass,\
-    nolog,\
     t:sha1,\
     t:hexEncode,\
+    nolog,\
     setvar:TX.sampling_rnd100=%{MATCHED_VAR}"
 
 SecRule DURATION "@rx (..)$" \
@@ -307,8 +307,8 @@ SecRule TX:sampling_rnd100 "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
     "id:901430,\
     phase:1,\
     pass,\
-    nolog,\
     capture,\
+    nolog,\
     setvar:TX.sampling_rnd100=%{TX.1}%{TX.2}"
 
 SecRule TX:sampling_rnd100 "@rx ^0([0-9])" \
@@ -339,8 +339,8 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
     pass,\
     log,\
     noauditlog,\
-    ctl:ruleEngine=off,\
     msg:'Sampling: Disable the rule engine based on sampling_percentage \
-%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.'"
+%{TX.sampling_percentage} and random number %{TX.sampling_rnd100}.', \
+    ctl:ruleEngine=off"
 
 SecMarker "END-SAMPLING"