Merge branch 'v3.2/dev' into v3.3/dev

Author: lifeforms

INSTALL

@@ -29,25 +29,21 @@ Installing From a Package Manager
 
     modsecurity-crs  - Debian
     mod_security_crs - Fedora
-    modsecurity-crs  - Gentoo 
+    modsecurity-crs  - Gentoo
 
     Packages of CRS 2.x are incompatible with CRS 3.x.
 
-Installing From Git
-===================
+Installing
+==========
 
-    Github is the preferred way to download and install CRS. Doing so
-    insures that you have the most recent version of the rules. We
-    encourage you to create scripts that will automatically download
-    updates at regular intervals so that you may be protected against
-    the latest threats that CRS adds protection for.
+    You can download a copy of the CRS from the following URL:
+    https://coreruleset.org/installation/
 
-    The script util/upgrade.py is an example for script. You can use
-    it as follows:
+    Our release zip/tar.gz files are the preferred way to install CRS.
 
-    ```
-    ./util/upgrade.py --crs
-    ```
+    However, if you want to follow rule development closely and get
+    the newest protections quickly, you can also clone our GitHub
+    repository to get the current work-in-progress for the next release.
 
 Prerequisites
 -------------
@@ -85,20 +81,19 @@ Installing on Apache
     to create a new folder underneath the Apache directory (typically
     /usr/local/apache/, /etc/httpd/, or /etc/apache2). Often this folder
     is called 'modsecurity.d'. Create this folder and cd into it.
-    4. Clone the repository into the modsecurity.d folder using:
-    ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs .```
-    This will create a new owasp-modsecurity-crs folder.
+    4. Download our release from https://coreruleset.org/installation/
+    and unpack it into a new owasp-modsecurity-crs folder.
     5. Move the crs-setup.conf.example file to crs-setup.conf.
     Please take the time to go through this file and customize the settings
-    for your local environment. Failure to do so may result in false 
-    negatives and false positives. See the section entitled OWASP CRS 
+    for your local environment. Failure to do so may result in false
+    negatives and false positives. See the section entitled OWASP CRS
     Configuration for more detail.
     6. Rename rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
     rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the
     '.example' extension. This will allow you to add exclusions without updates
     overwriting them in the future.
-    7. Add the following line to your httpd.conf/apache2.conf (the following 
-    assumes you've cloned CRS into modsecurity.d/owasp-modsecurity-crs). You 
+    7. Add the following line to your httpd.conf/apache2.conf (the following
+    assumes you've put CRS into modsecurity.d/owasp-modsecurity-crs). You
     can alternatively place these in any config file included by Apache:
     ```
 	<IfModule security2_module>
@@ -121,8 +116,8 @@ Installing on Nginx
     to create a new folder underneath the Nginx directory (typically
     /usr/local/nginx/conf/). Often this folder
     is called 'owasp-modsecurity-crs'. Create this folder and cd into it.
-    4. Clone the repository into the current folder using:
-    ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs .```
+    4. Download our release from https://coreruleset.org/installation/
+    and unpack it into a new owasp-modsecurity-crs folder.
     5. Move the crs-setup.conf.example file to crs-setup.conf.
     Please take this time to go through this
     file and customize the settings for your local environment. Failure to
@@ -147,6 +142,12 @@ Installing on Nginx
     include owasp-modsecurity-crs/crs-setup.conf
     include owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
     include owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
+    include owasp-modsecurity-crs/rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
     include owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
     include owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
     include owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -158,9 +159,11 @@ Installing on Nginx
     include owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
     include owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
     include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+    include owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
     include owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
     include owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
     include owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+    include owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-JAVA.conf
     include owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
     include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
     include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -181,8 +184,8 @@ Installing on IIS
     To upgrade or install this after the fact follow the following
     steps.
     1. Navigate to "[drive_letters]:\Program Files\ModSecurity IIS\"
-    2. Clone the repository into the current folder using:
-    ```git clone https://github.com/SpiderLabs/owasp-modsecurity-crs```
+    2. Download our release from https://coreruleset.org/installation/
+    and unpack it into the current folder.
     3. Move the crs-setup.conf.example file to crs-setup.conf.
     Please take this time to go through this
     file and customize the settings for your local environment. Failure to
@@ -290,16 +293,7 @@ OWASP CRS Configuration
     Make sure your GeoIP and Project Honeypot settings are specified
     if you are using them.
     The GeoIP database is no longer included with the CRS. Instead
-    you are advised to download it regularly. The script
-    util/upgrade.py brings this functionality.  You can use it as
-    follows in cron:
-
-    ```
-    0 2 * * *  util/upgrade.py --geoip --cron
-
-    ```
-    The use of the option --cron guarantees that the GeoIP
-    download server is not hammered.
+    you are advised to download it regularly.
 
     The use of Project Honeypot requires a
     free API key. These require an account but can be obtained at

rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf

@@ -189,7 +189,6 @@ SecRule REQUEST_FILENAME "@rx /(?:account/avatar|attachments/upload)$" \
     t:none,\
     nolog,\
     ctl:ruleRemoveById=200003,\
-    ctl:ruleRemoveById=920150,\
     ctl:ruleRemoveTargetById=942220;ARGS:flowChunkSize,\
     ctl:ruleRemoveTargetById=942440;ARGS:flowIdentifier,\
     ctl:ruleRemoveTargetById=942440;ARGS:flowFilename,\

rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf

@@ -487,7 +487,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecode,t:replaceComments,t:compressWhiteSpace,\
+    t:none,t:urlDecode,t:replaceComments,t:compressWhitespace,\
     msg:'PHP Injection Attack: Variable Function Call Found',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\

rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf

@@ -64,7 +64,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     multiMatch,\
-    setvar:'tx.rce_injection_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -883,7 +883,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -911,7 +911,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,\
+    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,\
     msg:'IE XSS Filters - Attack Detected.',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -964,7 +964,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 

rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf

@@ -1379,7 +1379,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
@@ -1646,7 +1646,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     ver:'OWASP_CRS/3.2.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
-    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"

rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf

@@ -43,7 +43,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -79,7 +79,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -107,7 +107,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -143,7 +143,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -184,7 +184,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -208,7 +208,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -232,7 +232,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -259,7 +259,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\
@@ -297,7 +297,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'OWASP_CRS',\
-    tag:'OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION',\
+    tag:'OWASP_CRS/WEB_ATTACK/JAVA_INJECTION',\
     tag:'WASCTC/WASC-31',\
     tag:'OWASP_TOP_10/A1',\
     tag:'PCI/6.5.2',\

rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

@@ -103,7 +103,7 @@ SecRule RESPONSE_BODY "@rx <\?(?!xml)" \
     ver:'OWASP_CRS/3.2.0',\
     severity:'ERROR',\
     chain"
-    SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b)" \
+    SecRule RESPONSE_BODY "!@rx (?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF(?:F|2))" \
         "capture,\
         t:none,\
         setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}',\