Solved conflicts from #838 merge and fixed indentation.

Author: fzipi

rules/REQUEST-901-INITIALIZATION.conf

@@ -232,7 +232,7 @@ SecAction \
 # have already been initiated.
 #
 
-SecRule REQUEST_HEADERS:User-Agent "@rx ^(.*)$" \
+SecRule REQUEST_HEADERS:User-Agent "@rx ^.*$" \
     "id:901318, \
     phase:1, \
     pass, \

rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf

@@ -351,7 +351,7 @@ SecRule REQUEST_FILENAME "@endsWith /admin/structure/block/block-content/manage/
     nolog,\
     ctl:ruleRemoveTargetByTag=CRS;ARGS:description"
 
-SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(full|basic)_html$" \
+SecRule REQUEST_FILENAME "@rx /editor/filter_xss/(?:full|basic)_html$" \
     "id:9001210,\
     phase:2,\
     pass,\

rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf

@@ -410,7 +410,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
     t:none,\
     nolog,\
     chain"
-    SecRule ARGS:action "@rx ^(save-widget|update-widget)$" \
+    SecRule ARGS:action "@rx ^(?:save-widget|update-widget)$" \
         "t:none,\
         chain"
         SecRule &ARGS:action "@eq 1" \
@@ -603,7 +603,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/options.php" \
 # customize-base,customize&load%5B%5D=-loader,thickbox,plugin-install,
 # wp-util,wp-a11y,updates,shortcode,media-upload,svg-painter,
 # jquery-ui-accordion&ver=3f9999390861a0133beda3ee8acf152e
-SecRule REQUEST_FILENAME "@rx /wp-admin/load-(scripts|styles)\.php$" \
+SecRule REQUEST_FILENAME "@rx /wp-admin/load-(?:scripts|styles)\.php$" \
     "id:9002900,\
     phase:2,\
     pass,\

rules/REQUEST-905-COMMON-EXCEPTIONS.conf

@@ -32,7 +32,7 @@ SecRule REQUEST_LINE "@streq GET /" \
 #
 # Exception for Apache internal dummy connection
 #
-SecRule REQUEST_LINE "@rx ^(GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
+SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
     "phase:1,\
     id:905110,\
     pass,\

rules/REQUEST-910-IP-REPUTATION.conf

@@ -77,7 +77,7 @@ SecRule TX:HIGH_RISK_COUNTRY_CODES "!@rx ^$" \
             setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var},\
             setvar:ip.reput_block_flag=1,\
             setvar:'ip.reput_block_reason=%{rule.msg}'\
-	    expirevar:ip.reput_block_flag=%{tx.reput_block_duration}"
+            expirevar:ip.reput_block_flag=%{tx.reput_block_duration}"
 
 
 #
@@ -166,7 +166,7 @@ SecRule TX:REAL_IP "@rbl dnsbl.httpbl.org" \
     chain"
     SecRule TX:httpbl_msg "@rx RBL lookup of .*?.dnsbl.httpbl.org succeeded at TX:checkip. (.*?): .*" \
         "capture,\
-	t:none,\
+        t:none,\
         setvar:tx.httpbl_msg=%{tx.1}"
 
 # The following regexs are generated based off re_operators.c

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -354,7 +354,7 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)\-(\d+)\,"
 # -=[ References ]=-
 # http://www.bad-behavior.ioerror.us/documentation/how-it-works/
 #
-SecRule REQUEST_HEADERS:Connection "@rx \b(keep-alive|close),\s?(keep-alive|close)\b" \
+SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|close)\b" \
     "id:920210,\
     phase:2,\
     block,\
@@ -384,7 +384,7 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(keep-alive|close),\s?(keep-alive|clos
 # -=[ References ]=-
 # http://www.ietf.org/rfc/rfc1738.txt
 #
-SecRule REQUEST_URI "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
+SecRule REQUEST_URI "@rx \%(?:(?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
     "id:920220,\
     phase:2,\
     block,\
@@ -404,7 +404,7 @@ SecRule REQUEST_URI "@rx \%((?!$|\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" \
         setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/EVASION-%{matched_var_name}=%{matched_var}"
 
-SecRule REQUEST_HEADERS:Content-Type "@rx ^(application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
+SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application\/x-www-form-urlencoded|text\/xml)(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$" \
     "id:920240,\
     phase:2,\
     block,\
@@ -955,7 +955,7 @@ SecRule REQUEST_METHOD "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" \
     ver:'OWASP_CRS/3.0.0',\
     severity:'CRITICAL',\
     chain"
-    SecRule REQUEST_HEADERS:Content-Type "@rx ^([^;\s]+)" \
+    SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
         "capture,\
 	chain"
         SecRule TX:0 "!@rx ^%{tx.allowed_request_content_type}$" \
@@ -1045,7 +1045,7 @@ SecRule REQUEST_BASENAME "@rx \.(.*)$" \
 # -=[ References ]=-
 # https://access.redhat.com/security/vulnerabilities/httpoxy (Header Proxy)
 #
-SecRule REQUEST_HEADERS_NAMES "@rx ^(.*)$" \
+SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     "id:920450,\
     phase:2,\
     block,\
@@ -1100,7 +1100,8 @@ SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:920014,nolog,pass,skipAfter:END-RE
 # -=[ References ]=-
 # https://httpd.apache.org/security/CVE-2011-3192.txt
 
-SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
+
+SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
     "id:920200,\
     phase:2,\
     block,\
@@ -1145,7 +1146,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     ver:'OWASP_CRS/3.0.0',\
     severity:'WARNING',\
     chain"
-    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=((\d+)?\-(\d+)?\s*,?\s*){63}" \
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){63}" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"
@@ -1262,22 +1263,22 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
 # PL2: This is a stricter sibling of 920120.
 #
 SecRule FILES_NAMES|FILES "@rx ['\";=]" \
-    "msg:'Attempted multipart/form-data bypass',\
-    severity:'CRITICAL',\
-    id:920121,\
-    ver:'OWASP_CRS/3.0.0',\
-    rev:'1',\
-    logdata:'%{matched_var}',\
+    "id:920121,\
     phase:2,\
     block,\
     t:none,t:urlDecodeUni,\
+    msg:'Attempted multipart/form-data bypass',\
+    logdata:'%{matched_var}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ',\
     tag:'CAPEC-272',\
     tag:'paranoia-level/2',\
+    ver:'OWASP_CRS/3.0.0',\
+    rev:'1',\
+    severity:'CRITICAL',\
     setvar:'tx.msg=%{rule.msg}',\
     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
     setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ-%{matched_var_name}=%{matched_var}'"
@@ -1340,7 +1341,7 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     ver:'OWASP_CRS/3.0.0',\
     severity:'WARNING',\
     chain"
-    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=((\d+)?\-(\d+)?\s*,?\s*){6}" \
+    SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?\-(?:\d+)?\s*,?\s*){6}" \
         "setvar:'tx.msg=%{rule.msg}',\
         setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
         setvar:tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}"

rules/REQUEST-921-PROTOCOL-ATTACK.conf

@@ -32,7 +32,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:921012,nolog,pass,skipAfter:END-RE
 # http://projects.webappsec.org/HTTP-Request-Smuggling
 # http://article.gmane.org/gmane.comp.apache.mod-security.user/3299
 #
-SecRule REQUEST_HEADERS:'/(Content-Length|Transfer-Encoding)/' "@rx ," \
+SecRule REQUEST_HEADERS:'/(?:Content-Length|Transfer-Encoding)/' "@rx ," \
     "id:921100,\
     phase:2,\
     block,\
@@ -100,7 +100,7 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:get|post|head|options|connect|p
 # [ References ]
 # http://projects.webappsec.org/HTTP-Response-Splitting
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(type|length)|set-cookie|location):" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx [\r\n]\W*?(?:content-(?:type|length)|set-cookie|location):" \
     "id:921120,\
     phase:2,\
     block,\
@@ -157,7 +157,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # [ References ]
 # https://en.wikipedia.org/wiki/HTTP_header_injection
 #
-SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx (\n|\r)" \
+SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     "id:921140,\
     phase:2,\
     block,\
@@ -183,7 +183,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx (\n|\r)" \
 # Checking for GET arguments has been moved to paranoia level 2 (921151)
 # in order to mitigate possible false positives.
 #
-SecRule ARGS_NAMES "@rx (\n|\r)" \
+SecRule ARGS_NAMES "@rx [\n\r]" \
     "id:921150,\
     phase:2,\
     block,\
@@ -205,7 +205,7 @@ SecRule ARGS_NAMES "@rx (\n|\r)" \
     setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/HEADER_INJECTION-%{matched_var_name}=%{tx.0}"
 
 
-SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
+SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?:\n|\r)+(?:\s+|location|refresh|(?:set-)?cookie|(?:X-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))\s*:" \
     "id:921160,\
     phase:2,\
     block,\
@@ -241,7 +241,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 2" "phase:2,id:921014,nolog,pass,skipAfter:END-RE
 #
 # See also: rule 921140, 921150
 #
-SecRule ARGS_GET "@rx (\n|\r)" \
+SecRule ARGS_GET "@rx [\n\r]" \
     "id:921151,\
     phase:2,\
     block,\

rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf

@@ -33,7 +33,7 @@ SecRule TX:PARANOIA_LEVEL "@lt 1" "phase:2,id:931012,nolog,pass,skipAfter:END-RE
 # http://projects.webappsec.org/Remote-File-Inclusion
 # http://tacticalwebappsec.blogspot.com/2009/06/generic-remote-file-inclusion-attack.html
 #
-SecRule ARGS "@rx ^(?i)(?:file|ftps?|https?):\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
+SecRule ARGS "@rx ^(?i)(?:file|ftps?|https?):\/\/(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
     "id:931100, \
     phase:2,\
     block,\
@@ -55,7 +55,7 @@ SecRule ARGS "@rx ^(?i)(?:file|ftps?|https?):\/\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{
     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
     setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
 
-SecRule QUERY_STRING|REQUEST_BODY "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(file|ftps?|https?):\/\/)" \
+SecRule QUERY_STRING|REQUEST_BODY "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolute_path|_CONF\[path\]|_SERVER\[DOCUMENT_ROOT\]|GALLERY_BASEDIR|path\[docroot\]|appserv_root|config\[root_dir\])=(?:file|ftps?|https?):\/\/)" \
     "id:931110,\
     phase:2,\
     block,\
@@ -77,7 +77,7 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i:(\binclude\s*\([^)]*|mosConfig_absolu
     setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
     setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RFI-%{matched_var_name}=%{tx.0}"
 
-SecRule ARGS "@rx ^(?i)(?:file|ftps?|https?)(.*?)\?+$" \
+SecRule ARGS "@rx ^(?i)(?:file|ftps?|https?).*?\?+$" \
     "id:931120,\
     phase:2,\
     block,\