diff --git a/ftw/Dockerfile b/ftw/Dockerfile
index ea08c78..3b21b4b 100644
--- a/ftw/Dockerfile
+++ b/ftw/Dockerfile
@@ -8,8 +8,10 @@ RUN apk update && apk add curl
 WORKDIR /workspace
 
 # Keep this CRS version aligned with the one embedded in wasmplugin/rules
-ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.5.0.tar.gz /workspace/coreruleset/
-RUN cd coreruleset && tar -xf v4.5.0.tar.gz --strip-components 1
+ARG CRS_VERSION=v4.14.0
+
+ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/${CRS_VERSION}.tar.gz /workspace/coreruleset/
+RUN cd coreruleset && tar -xf ${CRS_VERSION}.tar.gz --strip-components 1
 
 COPY ftw.yml /workspace/ftw.yml
 COPY tests.sh /workspace/tests.sh
diff --git a/ftw/docker-compose.yml b/ftw/docker-compose.yml
index 9ab5abf..1642391 100644
--- a/ftw/docker-compose.yml
+++ b/ftw/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
   albedo:
-    image: ghcr.io/coreruleset/albedo:0.1.0
+    image: ghcr.io/coreruleset/albedo:0.2.0
   chown:
     image: alpine:3.16
     command:
diff --git a/ftw/ftw.yml b/ftw/ftw.yml
index a09b9d6..a00b88c 100644
--- a/ftw/ftw.yml
+++ b/ftw/ftw.yml
@@ -57,9 +57,15 @@ testoverride:
     '934120-26': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '934120-39': 'Rule 934120 partially detected. With HTTP/1.1 Envoy return 400. With HTTP/2 Enclosed alphanumerics not detected. Coraza Side'
     '932200-13': 'Unfortunate match inside logs against a different rule log. wip'
-    '930110-7': 'Coraza/CRS side: See https://github.com/corazawaf/coraza/pull/1081'
 
     '920274-1': 'Host validation. Apache expects status 400, investigate Coraza-proxy-wasm behavior'
     '920430-5': 'To be investigated Coraza side'
     '932300-10': 'To be investigated Coraza side, failing only with multiphase evaluation'
     '933120-2': 'To be investigated Coraza side, failing only with multiphase evaluation'
+
+    '921140-1': 'Expected 400. To be investigated'
+    '921250-1': 'Expected to match $Version in cookies, To be investigated Coraza side'
+    '921250-2': 'Expected to match $Version in cookies, To be investigated Coraza side'
+    '922130-1': 'match_regex, likely different error message. To be investigated'
+    '922130-2': 'match_regex, likely different error message. To be investigated'
+    '922130-7': 'match_regex, likely different error message. To be investigated'
diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf
index dd810b3..64786d1 100644
--- a/wasmplugin/rules/coraza-demo.conf
+++ b/wasmplugin/rules/coraza-demo.conf
@@ -28,32 +28,32 @@ SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
 SecRule REQUEST_HEADERS:Content-Type "^application/json" \
      "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
-# Sample rule to enable JSON request body parser for more subtypes.
-# Uncomment or adapt this rule if you want to engage the JSON
-# Processor for "+json" subtypes
+# Enable JSON request body parser for more subtypes.
+# Adapt this rule if you want to engage the JSON Processor for "+json" subtypes
 #
-#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
-#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
 # Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
-
+# file uploads, this value must has to be as large as the largest file
+# you are willing to accept.
 SecRequestBodyLimit 131072
 
+# Maximum request body size that Coraza will store in memory. If the body
+# size exceeds this value, it will be saved to a temporary file on disk.
 SecRequestBodyInMemoryLimit 131072
 
-# SecRequestBodyNoFilesLimit is currently not supported by Coraza
+# Maximum request body size we will accept for buffering, with files excluded.
+# You want to keep that value as low as practical.
+# Note: SecRequestBodyNoFilesLimit is currently NOT supported by Coraza
 # SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial
 # when SecRuleEngine is set to DetectionOnly mode in order to minimize
 # disruptions when initially deploying Coraza.
+# Warning: Setting this directive to ProcessPartial introduces a potential bypass
+# risk, as attackers could prepend junk data equal to or greater than the inspected body size.
 #
 SecRequestBodyLimitAction ProcessPartial
 
@@ -67,87 +67,18 @@ SecRule REQBODY_ERROR "!@eq 0" \
 
 # By default be strict with what we accept in the multipart/form-data
 # request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
+# environment consider changing it to detection-only.
+# Do NOT remove it, as it will catch many evasion attempts.
 #
 SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-# Here is a short description about the Coraza Multipart parser: the
-# parser returns with value 0, if all "boundary-like" line matches with
-# the boundary string which given in MIME header. In any other cases it returns
-# with different value, eg. 1 or 2.
-#
-# The RFC 1341 descript the multipart content-type and its syntax must contains
-# only three mandatory lines (above the content):
-# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
-# * --BOUNDARY_STRING
-# * --BOUNDARY_STRING--
-#
-# First line indicates, that this is a multipart content, second shows that
-# here starts a part of the multipart content, third shows the end of content.
-#
-# If there are any other lines, which starts with "--", then it should be
-# another boundary id - or not.
-#
-# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
-#
-# If multipart content contains the three necessary lines with correct order, but
-# there are one or more lines with "--", then parser returns with value 2 (non-zero).
-#
-# If some of the necessary lines (usually the start or end) misses, or the order
-# is wrong, then parser returns with value 1 (also a non-zero).
-#
-# You can choose, which one is what you need. The example below contains the
-# 'strict' mode, which means if there are any lines with start of "--", then
-# Coraza blocked the content. But the next, commented example contains
-# the 'permissive' mode, then you check only if the necessary lines exists in
-# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
-# or other text files, which contains eg. HTTP headers.
-#
-# The difference is only the operator - in strict mode (first) the content blocked
-# in case of any non-zero value. In permissive mode (second, commented) the
-# content blocked only if the value is explicit 1. If it 0 or 2, the content will
-# allowed.
-#
-
-#
-# See #1747 and #1924 for further information on the possible values for
-# MULTIPART_UNMATCHED_BOUNDARY.
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
-    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_".  The following flags currently exist:
-#
-# COR_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^COR_/ "!@streq 0" \
-        "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
-
+"id:'200003',phase:2,t:none,log,deny,status:400, msg:'Multipart request body failed strict validation.'"
 
 # -- Response body handling --------------------------------------------------
 
-# Allow Coraza to access response bodies.
+# Allow Coraza to access response bodies. 
 # You should have this directive enabled in order to identify errors
 # and data leakage issues.
-#
+# 
 # Do keep in mind that enabling this directive does increases both
 # memory consumption and response latency.
 #
@@ -171,7 +102,7 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza will keep its persistent data.  This default setting
+# The location where Coraza will keep its persistent data. This default setting 
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
@@ -186,15 +117,16 @@ SecResponseBodyLimitAction ProcessPartial
 #
 #SecUploadDir /opt/coraza/var/upload/
 
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
+# If On, the WAF will store the uploaded files in the SecUploadDir
+# directory.
+# Note: SecUploadKeepFiles is currently NOT supported by Coraza
 #
-#SecUploadKeepFiles RelevantOnly
+#SecUploadKeepFiles Off
 
 # Uploaded files are by default created with permissions that do not allow
 # any other user to access them. You may need to relax that if you want to
 # interface Coraza to an external program (e.g., an anti-virus).
+# Note: SecUploadFileMode is currently NOT supported by Coraza
 #
 #SecUploadFileMode 0600
 
@@ -209,8 +141,7 @@ SecResponseBodyLimitAction ProcessPartial
 # 3:   Info
 # 4-8: Debug
 # 9:   Trace (most verbose)
-# Most logging has not been implemented because it will be replaced with
-# advanced rule profiling options
+# 
 #SecDebugLog /opt/coraza/var/log/debug.log
 SecDebugLogLevel 3
 
@@ -218,13 +149,13 @@ SecDebugLogLevel 3
 # -- Audit log configuration -------------------------------------------------
 
 # Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
 # level response status codes).
 #
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"
 
-# Log everything we know about a transaction.
+# Define which parts of the transaction are going to be recorded in the audit log
 SecAuditLogParts ABIJDEFHZ
 
 # Use a single file for logging. This is much easier to look at, but
@@ -234,18 +165,15 @@ SecAuditLogParts ABIJDEFHZ
 # which end up in the proxy logs.
 SecAuditLogType Serial
 SecAuditLog /dev/stdout
-SecAuditLogFormat JSON
-
-# -- Miscellaneous -----------------------------------------------------------
 
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
+# The format used to write the audit log.
+# Can be one of JSON|JsonLegacy|Native|OCSF
+SecAuditLogFormat JSON
 
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
+# The following settings are not supported by Coraza
+# SecCookieFormat 0
+# SecArgumentSeparator &
+# SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+#    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+# SecRule TX:/^COR_/ "!@streq 0" \
+#       "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf
index c8bcd0d..5643f51 100644
--- a/wasmplugin/rules/coraza.conf-recommended.conf
+++ b/wasmplugin/rules/coraza.conf-recommended.conf
@@ -28,31 +28,32 @@ SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
 SecRule REQUEST_HEADERS:Content-Type "^application/json" \
      "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
-# Sample rule to enable JSON request body parser for more subtypes.
-# Uncomment or adapt this rule if you want to engage the JSON
-# Processor for "+json" subtypes
+# Enable JSON request body parser for more subtypes.
+# Adapt this rule if you want to engage the JSON Processor for "+json" subtypes
 #
-#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
-#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
 
 # Maximum request body size we will accept for buffering. If you support
-# file uploads then the value given on the first line has to be as large
-# as the largest file you are willing to accept. The second value refers
-# to the size of data, with files excluded. You want to keep that value as
-# low as practical.
-#
-# Running as a Wasm plugin, we expect Limit equal to MemoryLimit: it would be prevented buffering request body to files anyways.
-
+# file uploads, this value must has to be as large as the largest file
+# you are willing to accept.
 SecRequestBodyLimit 131072
 
+# Maximum request body size that Coraza will store in memory. If the body
+# size exceeds this value, it will be saved to a temporary file on disk.
 SecRequestBodyInMemoryLimit 131072
 
+# Maximum request body size we will accept for buffering, with files excluded.
+# You want to keep that value as low as practical.
+# Note: SecRequestBodyNoFilesLimit is currently NOT supported by Coraza
 # SecRequestBodyNoFilesLimit 131072
 
 # What to do if the request body size is above our configured limit.
 # Keep in mind that this setting will automatically be set to ProcessPartial
 # when SecRuleEngine is set to DetectionOnly mode in order to minimize
 # disruptions when initially deploying Coraza.
+# Warning: Setting this directive to ProcessPartial introduces a potential bypass
+# risk, as attackers could prepend junk data equal to or greater than the inspected body size.
 #
 SecRequestBodyLimitAction Reject
 
@@ -66,87 +67,18 @@ SecRule REQBODY_ERROR "!@eq 0" \
 
 # By default be strict with what we accept in the multipart/form-data
 # request body. If the rule below proves to be too strict for your
-# environment consider changing it to detection-only. You are encouraged
-# _not_ to remove it altogether.
+# environment consider changing it to detection-only.
+# Do NOT remove it, as it will catch many evasion attempts.
 #
 SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-"id:'200003',phase:2,t:none,log,deny,status:400, \
-msg:'Multipart request body failed strict validation: \
-PE %{REQBODY_PROCESSOR_ERROR}, \
-BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-DB %{MULTIPART_DATA_BEFORE}, \
-DA %{MULTIPART_DATA_AFTER}, \
-HF %{MULTIPART_HEADER_FOLDING}, \
-LF %{MULTIPART_LF_LINE}, \
-SM %{MULTIPART_MISSING_SEMICOLON}, \
-IQ %{MULTIPART_INVALID_QUOTING}, \
-IP %{MULTIPART_INVALID_PART}, \
-IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
-# Did we see anything that might be a boundary?
-#
-# Here is a short description about the Coraza Multipart parser: the
-# parser returns with value 0, if all "boundary-like" line matches with
-# the boundary string which given in MIME header. In any other cases it returns
-# with different value, eg. 1 or 2.
-#
-# The RFC 1341 descript the multipart content-type and its syntax must contains
-# only three mandatory lines (above the content):
-# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
-# * --BOUNDARY_STRING
-# * --BOUNDARY_STRING--
-#
-# First line indicates, that this is a multipart content, second shows that
-# here starts a part of the multipart content, third shows the end of content.
-#
-# If there are any other lines, which starts with "--", then it should be
-# another boundary id - or not.
-#
-# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
-#
-# If multipart content contains the three necessary lines with correct order, but
-# there are one or more lines with "--", then parser returns with value 2 (non-zero).
-#
-# If some of the necessary lines (usually the start or end) misses, or the order
-# is wrong, then parser returns with value 1 (also a non-zero).
-#
-# You can choose, which one is what you need. The example below contains the
-# 'strict' mode, which means if there are any lines with start of "--", then
-# Coraza blocked the content. But the next, commented example contains
-# the 'permissive' mode, then you check only if the necessary lines exists in
-# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
-# or other text files, which contains eg. HTTP headers.
-#
-# The difference is only the operator - in strict mode (first) the content blocked
-# in case of any non-zero value. In permissive mode (second, commented) the
-# content blocked only if the value is explicit 1. If it 0 or 2, the content will
-# allowed.
-#
-
-#
-# See #1747 and #1924 for further information on the possible values for
-# MULTIPART_UNMATCHED_BOUNDARY.
-#
-SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
-    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
-# Some internal errors will set flags in TX and we will need to look for these.
-# All of these are prefixed with "MSC_".  The following flags currently exist:
-#
-# COR_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-#
-SecRule TX:/^COR_/ "!@streq 0" \
-        "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
-
+"id:'200003',phase:2,t:none,log,deny,status:400, msg:'Multipart request body failed strict validation.'"
 
 # -- Response body handling --------------------------------------------------
 
-# Allow Coraza to access response bodies.
+# Allow Coraza to access response bodies. 
 # You should have this directive enabled in order to identify errors
 # and data leakage issues.
-#
+# 
 # Do keep in mind that enabling this directive does increases both
 # memory consumption and response latency.
 #
@@ -170,7 +102,7 @@ SecResponseBodyLimitAction ProcessPartial
 
 # -- Filesystem configuration ------------------------------------------------
 
-# The location where Coraza will keep its persistent data.  This default setting 
+# The location where Coraza will keep its persistent data. This default setting 
 # is chosen due to all systems have /tmp available however, it
 # too should be updated to a place that other users can't access.
 #
@@ -185,15 +117,16 @@ SecResponseBodyLimitAction ProcessPartial
 #
 #SecUploadDir /opt/coraza/var/upload/
 
-# By default, only keep the files that were determined to be unusual
-# in some way (by an external inspection script). For this to work you
-# will also need at least one file inspection rule.
+# If On, the WAF will store the uploaded files in the SecUploadDir
+# directory.
+# Note: SecUploadKeepFiles is currently NOT supported by Coraza
 #
-#SecUploadKeepFiles RelevantOnly
+#SecUploadKeepFiles Off
 
 # Uploaded files are by default created with permissions that do not allow
 # any other user to access them. You may need to relax that if you want to
 # interface Coraza to an external program (e.g., an anti-virus).
+# Note: SecUploadFileMode is currently NOT supported by Coraza
 #
 #SecUploadFileMode 0600
 
@@ -208,8 +141,7 @@ SecResponseBodyLimitAction ProcessPartial
 # 3:   Info
 # 4-8: Debug
 # 9:   Trace (most verbose)
-# Most logging has not been implemented because it will be replaced with
-# advanced rule profiling options
+# 
 #SecDebugLog /opt/coraza/var/log/debug.log
 #SecDebugLogLevel 3
 
@@ -217,34 +149,31 @@ SecResponseBodyLimitAction ProcessPartial
 # -- Audit log configuration -------------------------------------------------
 
 # Log the transactions that are marked by a rule, as well as those that
-# trigger a server error (determined by a 5xx or 4xx, excluding 404,
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
 # level response status codes).
 #
 SecAuditEngine Off
 SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"
 
-# Log everything we know about a transaction.
+# Define which parts of the transaction are going to be recorded in the audit log
 SecAuditLogParts ABIJDEFHZ
 
 # Use a single file for logging. This is much easier to look at, but
 # assumes that you will use the audit log only occasionally.
 #
 # Because of proxy-wasm limitations, audit logs can only be written to stdout
-# which end up in the proxy logs. 
+# which end up in the proxy logs.
 SecAuditLogType Serial
 SecAuditLog /dev/stdout
-SecAuditLogFormat JSON
-
-# -- Miscellaneous -----------------------------------------------------------
 
-# Use the most commonly used application/x-www-form-urlencoded parameter
-# separator. There's probably only one application somewhere that uses
-# something else so don't expect to change this value.
-#
-SecArgumentSeparator &
+# The format used to write the audit log.
+# Can be one of JSON|JsonLegacy|Native|OCSF
+SecAuditLogFormat JSON
 
-# Settle on version 0 (zero) cookies, as that is what most applications
-# use. Using an incorrect cookie version may open your installation to
-# evasion attacks (against the rules that examine named cookies).
-#
-SecCookieFormat 0
+# The following settings are not supported by Coraza
+# SecCookieFormat 0
+# SecArgumentSeparator &
+# SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+#    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+# SecRule TX:/^COR_/ "!@streq 0" \
+#       "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
diff --git a/wasmplugin/rules/crs-setup.conf.example b/wasmplugin/rules/crs-setup.conf.example
index 661f410..7da3d83 100644
--- a/wasmplugin/rules/crs-setup.conf.example
+++ b/wasmplugin/rules/crs-setup.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -37,8 +37,8 @@
 #
 # The CRS assumes that modsecurity.conf has been loaded. It is bundled with
 # ModSecurity. If you don't have it, you can get it from:
-# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended
-# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
+# 2.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v2/master/modsecurity.conf-recommended
+# 3.x: https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended
 #
 # The order of file inclusion in your webserver configuration should always be:
 # 1. modsecurity.conf
@@ -181,7 +181,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.blocking_paranoia_level=1"
 
 
@@ -209,7 +209,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.detection_paranoia_level=1"
 
 
@@ -235,7 +235,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.enforce_bodyproc_urlencoded=1"
 
 
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.critical_anomaly_score=5,\
 #    setvar:tx.error_anomaly_score=4,\
 #    setvar:tx.warning_anomaly_score=3,\
@@ -324,7 +324,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.inbound_anomaly_score_threshold=5,\
 #    setvar:tx.outbound_anomaly_score_threshold=4"
 
@@ -385,7 +385,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.reporting_level=4"
 
 
@@ -417,7 +417,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
      t:none,\
      nolog,\
      tag:'OWASP_CRS',\
-     ver:'OWASP_CRS/4.5.0',\
+     ver:'OWASP_CRS/4.14.0',\
      setvar:tx.early_blocking=1"
 
 
@@ -438,7 +438,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.enable_default_collections=1"
 
 
@@ -459,6 +459,16 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
 #          MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
 # Uncomment this rule to change the default.
+#
+# The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL.
+# If enabled, an attacker may be able to inject arbitrary, and potentially malicious, content into the application or on to the file system of the web server.
+# Depending on the server's configuration, this may lead to compromise of other users (by uploading
+# client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
+# For this reason, the PUT method is disabled by default.
+# GET, HEAD, POST and OPTIONS are seen as the minimal set of HTTP methods
+# from a security perspective. For static sites, removing the POST is
+# recommended. Add other HTTP methods as seen fit (see above).
+#
 #SecAction \
 #    "id:900200,\
 #    phase:1,\
@@ -466,13 +476,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Content-Types that a client is allowed to send in a request.
-# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
-# |text/xml| |application/xml| |application/soap+xml| |application/json|
-# |application/cloudevents+json| |application/cloudevents-batch+json|
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |text/xml|
+# |application/xml| |application/soap+xml| |application/json|
 #
 # Please note, that the rule where CRS uses this variable (920420) evaluates it with operator
 # `@within`, which is case sensitive, but uses t:lowercase. You must add your whole custom
@@ -484,22 +493,38 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # body processor (for example: "text/plain", "application/x-amf", "application/octet-stream", etc..)
 # could lead to a WAF bypass. For example, a malicious JSON payload submitted with a "text/plain"
 # content type may still be interpreted as JSON by a backend application but would not trigger the
-# JSON body parser at the WAF, leading to a bypass.
+# JSON body parser at the WAF, leading to a bypass. To avoid bypasses, you must enable the appropriate
+# body parser based on the expected data in the request bodies (For example JSON for JSON data, XML for XML data, etc).
+#
+# When additional JSON content types are legitimately used in a deployment,
+# e.g. application/cloudevents+json, it is extremely important to ensure that a
+# rule exists to enable the engine's JSON body processor for these additional
+# JSON content types. Failure to do so can lead to a request body bypass. The
+# default JSON rule in modsecurity.conf-recommended (200001) will only activate
+# the JSON body processor for the specific content type application/json. The
+# optional modsecurity.conf-recommended rule 200006 can be used to enable the
+# JSON body processor for a wide variety of JSON content types.
 #
 # To prevent blocking request with not allowed content-type by default, you can create an exclusion
-# rule that removes rule 920420. For example:
-#SecRule REQUEST_HEADERS:Content-Type "@rx ^text/plain" \
+# rule that removes rule 920420. It's important that you enable the correct body parser when allowing
+# an additional content type to prevent bypasses. For example, this rule enables the JSON body processor
+# for the text/plain content type:
+#SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/plain" \
 #    "id:1234,\
 #    phase:1,\
 #    pass,\
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ctl:ruleRemoveById=920420,\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    chain"
 #    SecRule REQUEST_URI "@rx ^/foo/bar" \
-#        "t:none"
+#        "t:none,\
+#        ctl:ruleRemoveById=920420,\
+#        ctl:requestBodyProcessor=JSON"
+#
+# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#ctl
+# See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#ctl
 #
 # Uncomment this rule to change the default.
 #
@@ -510,8 +535,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
-#    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+#    ver:'OWASP_CRS/4.14.0',\
+#    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
 
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0
@@ -526,12 +551,12 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Default: .ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/
 # Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Note that .axd was removed due to false positives (see PR 1925).
 #
@@ -550,8 +575,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
-#    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+#    ver:'OWASP_CRS/4.14.0',\
+#    setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
 
 # Restricted request headers.
 # The HTTP request headers that CRS restricts are split into two categories:
@@ -561,7 +586,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # [ Basic ]
 # Includes deprecated headers and headers with known security risks. Always
 # forbidden.
-# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/
+# Default: /content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/
 #
 # /content-encoding/
 #   Used to list any encodings that have been applied to the original payload.
@@ -587,6 +612,9 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #   Blocking these headers prevents method override attacks, as described here:
 #   https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
 #
+# /x-middleware-subrequest/
+#   CVE-2025-29927 (Next.js)
+#
 # Uncomment this rule to change the default.
 #SecAction \
 #    "id:900250,\
@@ -595,8 +623,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
-#    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+#    ver:'OWASP_CRS/4.14.0',\
+#    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/'"
 #
 # [ Extended ]
 # Includes deprecated headers that are still in use (so false positives are
@@ -621,11 +649,16 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Content-Types charsets that a client is allowed to send in a request.
 # The content-types are enclosed by |pipes| as delimiters to guarantee exact matches.
+#
+# You can add additional character sets if something more exotic is required. One caveat: you will also need to edit 'regex-assembly/include/allowed-charsets.ra' and rebuild all the associated regular expressions using `crs-toolchain regex update --all`. See https://coreruleset.org/docs/6-development/6-2-crs-toolchain/.
+#
+# Warning: If the WAF engine is unable to fully and correctly decode a newly added character encoding then this can lead to a full request body or response body bypass. Additional permitted character encodings should be added with caution and tested to ensure inspection is not affected.
+#
 # Default: |utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|
 # Uncomment this rule to change the default.
 #SecAction \
@@ -635,7 +668,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 #
@@ -661,7 +694,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.max_num_args=255"
 
 # Block request if the length of any argument name is too high
@@ -675,7 +708,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.arg_name_length=100"
 
 # Block request if the length of any argument value is too high
@@ -689,7 +722,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.arg_length=400"
 
 # Block request if the total length of all combined arguments is too high
@@ -703,7 +736,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.total_arg_length=64000"
 
 # Block request if the file size of any individual uploaded file is too high
@@ -717,7 +750,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.max_file_size=1048576"
 
 # Block request if the total size of all combined uploaded files is too high
@@ -731,7 +764,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.combined_file_sizes=1048576"
 
 
@@ -771,7 +804,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    pass,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.sampling_percentage=100"
 
 
@@ -792,9 +825,30 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    t:none,\
 #    nolog,\
 #    tag:'OWASP_CRS',\
-#    ver:'OWASP_CRS/4.5.0',\
+#    ver:'OWASP_CRS/4.14.0',\
 #    setvar:tx.crs_validate_utf8_encoding=1"
 
+# -- [[ Skip Checking Responses ]] ------------------------------------------------
+#
+# CRS will perform analysis of the response contents if this is enabled and you have
+# the directive `SecResponseBodyAccess On`.
+#
+# Warning: this feature is _enabled_ by default, but depending on your applications
+# you might be targeted in a Request Filter Denial of Service (RFDoS) attack.
+#
+# References: https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/
+#
+# Uncomment this rule to _skip checking responses_.
+#
+#SecAction \
+#    "id:900500,\
+#    phase:1,\
+#    pass,\
+#    t:none,\
+#    nolog,\
+#    tag:'OWASP_CRS',\
+#    ver:'OWASP_CRS/4.14.0',\
+#    setvar:tx.crs_skip_response_analysis=1"
 
 #
 # -- [[ End of setup ]] --------------------------------------------------------
@@ -814,5 +868,5 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
-    setvar:tx.crs_setup_version=450"
+    ver:'OWASP_CRS/4.14.0',\
+    setvar:tx.crs_setup_version=4140"
diff --git a/wasmplugin/rules/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example b/wasmplugin/rules/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
index e9fdc1e..a08e4ff 100644
--- a/wasmplugin/rules/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+++ b/wasmplugin/rules/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
diff --git a/wasmplugin/rules/crs/REQUEST-901-INITIALIZATION.conf b/wasmplugin/rules/crs/REQUEST-901-INITIALIZATION.conf
index 0998db8..e2b632c 100644
--- a/wasmplugin/rules/crs/REQUEST-901-INITIALIZATION.conf
+++ b/wasmplugin/rules/crs/REQUEST-901-INITIALIZATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -26,7 +26,7 @@
 #
 # Ref: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#seccomponentsignature
 #
-SecComponentSignature "OWASP_CRS/4.5.0"
+SecComponentSignature "OWASP_CRS/4.14.0"
 
 #
 # -=[ Default setup values ]=-
@@ -58,9 +58,9 @@ SecRule &TX:crs_setup_version "@eq 0" \
     status:500,\
     log,\
     auditlog,\
-    msg:'ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
+    msg:'CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL'"
 
 
@@ -79,7 +79,7 @@ SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.inbound_anomaly_score_threshold=5'"
 
 # Default Outbound Anomaly Threshold Level (rule 900110 in crs-setup.conf)
@@ -89,7 +89,7 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.outbound_anomaly_score_threshold=4'"
 
 # Default Reporting Level (rule 900115 in crs-setup.conf)
@@ -99,7 +99,7 @@ SecRule &TX:reporting_level "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.reporting_level=4'"
 
 # Default Early Blocking (rule 900120 in crs-setup.conf)
@@ -109,7 +109,7 @@ SecRule &TX:early_blocking "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.early_blocking=0'"
 
 # Default Blocking Paranoia Level (rule 900000 in crs-setup.conf)
@@ -119,7 +119,7 @@ SecRule &TX:blocking_paranoia_level "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_paranoia_level=1'"
 
 # Default Detection Paranoia Level (rule 900001 in crs-setup.conf)
@@ -129,7 +129,7 @@ SecRule &TX:detection_paranoia_level "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_paranoia_level=%{TX.blocking_paranoia_level}'"
 
 # Default Sampling Percentage (rule 900400 in crs-setup.conf)
@@ -139,7 +139,7 @@ SecRule &TX:sampling_percentage "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.sampling_percentage=100'"
 
 # Default Anomaly Scores (rule 900100 in crs-setup.conf)
@@ -149,7 +149,7 @@ SecRule &TX:critical_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.critical_anomaly_score=5'"
 
 SecRule &TX:error_anomaly_score "@eq 0" \
@@ -158,7 +158,7 @@ SecRule &TX:error_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.error_anomaly_score=4'"
 
 SecRule &TX:warning_anomaly_score "@eq 0" \
@@ -167,7 +167,7 @@ SecRule &TX:warning_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.warning_anomaly_score=3'"
 
 SecRule &TX:notice_anomaly_score "@eq 0" \
@@ -176,7 +176,7 @@ SecRule &TX:notice_anomaly_score "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.notice_anomaly_score=2'"
 
 # Default HTTP policy: allowed_methods (rule 900200 in crs-setup.conf)
@@ -186,7 +186,7 @@ SecRule &TX:allowed_methods "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
 # Default HTTP policy: allowed_request_content_type (rule 900220 in crs-setup.conf)
@@ -196,8 +196,8 @@ SecRule &TX:allowed_request_content_type "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
-    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+    ver:'OWASP_CRS/4.14.0',\
+    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
 
 # Default HTTP policy: allowed_request_content_type_charset (rule 900280 in crs-setup.conf)
 SecRule &TX:allowed_request_content_type_charset "@eq 0" \
@@ -206,7 +206,7 @@ SecRule &TX:allowed_request_content_type_charset "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.allowed_request_content_type_charset=|utf-8| |iso-8859-1| |iso-8859-15| |windows-1252|'"
 
 # Default HTTP policy: allowed_http_versions (rule 900230 in crs-setup.conf)
@@ -216,7 +216,7 @@ SecRule &TX:allowed_http_versions "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
 
 # Default HTTP policy: restricted_extensions (rule 900240 in crs-setup.conf)
@@ -226,8 +226,8 @@ SecRule &TX:restricted_extensions "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
-    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+    ver:'OWASP_CRS/4.14.0',\
+    setvar:'tx.restricted_extensions=.ani/ .asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .compositefont/ .config/ .conf/ .crt/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dist/ .dll/ .dos/ .dpkg-dist/ .drv/ .gadget/ .hta/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .inf/ .ini/ .jse/ .key/ .licx/ .lnk/ .log/ .mdb/ .msc/ .ocx/ .old/ .pass/ .pdb/ .pfx/ .pif/ .pem/ .pol/ .prf/ .printer/ .pwd/ .rdb/ .rdp/ .reg/ .resources/ .resx/ .scr/ .sct/ .shs/ .sql/ .swp/ .sys/ .tlb/ .tmp/ .url/ .vb/ .vbe/ .vbs/ .vbproj/ .vsdisco/ .vxd/ .webinfo/ .ws/ .wsc/ .wsf/ .wsh/ .xsd/ .xsx/'"
 
 # Default HTTP policy: restricted_headers_basic (rule 900250 in crs-setup.conf)
 SecRule &TX:restricted_headers_basic "@eq 0" \
@@ -236,8 +236,8 @@ SecRule &TX:restricted_headers_basic "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
-    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"
+    ver:'OWASP_CRS/4.14.0',\
+    setvar:'tx.restricted_headers_basic=/content-encoding/ /proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/ /x-middleware-subrequest/'"
 
 # Default HTTP policy: restricted_headers_extended (rule 900255 in crs-setup.conf)
 SecRule &TX:restricted_headers_extended "@eq 0" \
@@ -246,7 +246,7 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
 # Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
@@ -256,7 +256,7 @@ SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.enforce_bodyproc_urlencoded=0'"
 
 # Default check for UTF8 encoding validation (rule 900950 in crs-setup.conf)
@@ -266,9 +266,19 @@ SecRule &TX:crs_validate_utf8_encoding "@eq 0" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.crs_validate_utf8_encoding=0'"
 
+# Default check for skipping response analysis (rule 900500 in crs-setup.conf)
+SecRule &TX:crs_skip_response_analysis "@eq 0" \
+    "id:901170,\
+    phase:1,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.14.0',\
+    setvar:'tx.crs_skip_response_analysis=0'"
+
 #
 # -=[ Initialize internal variables ]=-
 #
@@ -284,7 +294,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=0',\
     setvar:'tx.detection_inbound_anomaly_score=0',\
     setvar:'tx.inbound_anomaly_score_pl1=0',\
@@ -320,19 +330,21 @@ SecAction \
 # The creation of the IP and the GLOBAL collection is not being tested as
 # of this writing due to limits in ftw and our testing setup.
 # Proper testing would involve the checking of a variable in the said collections.
-SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+SecRule &TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
     "id:901320,\
     phase:1,\
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.ua_hash=%{REQUEST_HEADERS.User-Agent}',\
     chain"
-    SecRule TX:ua_hash "@unconditionalMatch" \
-        "t:none,t:sha1,t:hexEncode,\
-        initcol:global=global,\
-        initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
+    SecRule TX:ENABLE_DEFAULT_COLLECTIONS "@eq 1" \
+        "chain"
+        SecRule TX:ua_hash "@unconditionalMatch" \
+            "t:none,t:sha1,t:hexEncode,\
+            initcol:global=global,\
+            initcol:ip=%{remote_addr}_%{MATCHED_VAR}"
 
 #
 # -=[ Initialize Correct Body Processing ]=-
@@ -350,7 +362,7 @@ SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
     msg:'Enabling body inspection',\
     tag:'OWASP_CRS',\
     ctl:forceRequestBodyVariable=On,\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
 # Force body processor URLENCODED
 SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
@@ -362,7 +374,7 @@ SecRule TX:enforce_bodyproc_urlencoded "@eq 1" \
     noauditlog,\
     msg:'Enabling forced body inspection for ASCII content',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     chain"
     SecRule REQBODY_PROCESSOR "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" \
         "ctl:requestBodyProcessor=URLENCODED"
@@ -402,7 +414,7 @@ SecRule TX:sampling_percentage "@eq 100" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-SAMPLING"
 
 SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
@@ -413,7 +425,7 @@ SecRule UNIQUE_ID "@rx ^[a-f]*([0-9])[a-f]*([0-9])" \
     t:sha1,t:hexEncode,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'TX.sampling_rnd100=%{TX.1}%{TX.2}'"
 
 #
@@ -438,7 +450,7 @@ SecRule TX:sampling_rnd100 "!@lt %{tx.sampling_percentage}" \
     msg:'Sampling: Disable the rule engine based on sampling_percentage %{TX.sampling_percentage} and random number %{TX.sampling_rnd100}',\
     tag:'OWASP_CRS',\
     ctl:ruleRemoveByTag=OWASP_CRS,\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
 SecMarker "END-SAMPLING"
 
@@ -457,4 +469,4 @@ SecRule TX:detection_paranoia_level "@lt %{tx.blocking_paranoia_level}" \
     log,\
     msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
diff --git a/wasmplugin/rules/crs/REQUEST-905-COMMON-EXCEPTIONS.conf b/wasmplugin/rules/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
index f43aebd..bb02656 100644
--- a/wasmplugin/rules/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
+++ b/wasmplugin/rules/crs/REQUEST-905-COMMON-EXCEPTIONS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -25,7 +25,7 @@ SecRule REQUEST_LINE "@streq GET /" \
     tag:'platform-apache',\
     tag:'attack-generic',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     chain"
     SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
         "t:none,\
@@ -46,7 +46,7 @@ SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,::1" \
     tag:'platform-apache',\
     tag:'attack-generic',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@endsWith (internal dummy connection)" \
         "t:none,\
diff --git a/wasmplugin/rules/crs/REQUEST-911-METHOD-ENFORCEMENT.conf b/wasmplugin/rules/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
index 1eca78f..888997c 100644
--- a/wasmplugin/rules/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
+++ b/wasmplugin/rules/crs/REQUEST-911-METHOD-ENFORCEMENT.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:911012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -37,33 +37,34 @@ SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}" \
     tag:'attack-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/METHOD-ENFORCEMENT',\
     tag:'capec/1000/210/272/220/274',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:911014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:911016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:911018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-913-SCANNER-DETECTION.conf b/wasmplugin/rules/crs/REQUEST-913-SCANNER-DETECTION.conf
index 1d9a022..b66a77c 100644
--- a/wasmplugin/rules/crs/REQUEST-913-SCANNER-DETECTION.conf
+++ b/wasmplugin/rules/crs/REQUEST-913-SCANNER-DETECTION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -49,31 +49,32 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
     tag:'attack-reputation-scanner',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/SCANNER-DETECTION',\
     tag:'capec/1000/118/224/541/310',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:913014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:913016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:913018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-913-SCANNER-DETECTION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/wasmplugin/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
index 9d7a12a..b28b1b5 100644
--- a/wasmplugin/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
+++ b/wasmplugin/rules/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -23,8 +23,8 @@
 #
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:920012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -63,8 +63,9 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -87,11 +88,11 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
 #
 # -=[ Targets, characters and html entities ]=-
 #
-# 920120 + 920122: PL1 : FILES_NAMES, FILES
-#    Disallow ['\";=], except for frequently used HTML entities (see 920120.data).
+# 920120: PL1 : FILES_NAMES, FILES
+#    Disallow ['\";=\\], except for frequently used HTML entities (see 920120.ra).
 #
 # 920121: PL2 : FILES_NAMES, FILES
-#    Disallow ['\";=]
+#    Disallow ['\";=\\]
 #
 # -=[ References ]=-
 # http://www.ietf.org/rfc/rfc2183.txt
@@ -105,7 +106,7 @@ SecRule REQUEST_LINE "!@rx (?i)^(?:get /[^#\?]*(?:\?[^\s\x0b#]*)?(?:#[^\s\x0b]*)
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 920120
 #
-SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" \
+SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[aino]tild)e|[c-elnr-tz]caron|(?:[cgklnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=\x5c])*$" \
     "id:920120,\
     phase:2,\
     block,\
@@ -118,8 +119,9 @@ SecRule FILES|FILES_NAMES "!@rx (?i)^(?:&(?:(?:[acegilnorsuz]acut|[aeiou]grav|[a
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -147,8 +149,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^\d+$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -181,8 +184,9 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Length "!@rx ^0?$" \
@@ -206,8 +210,9 @@ SecRule REQUEST_METHOD "@rx ^(?:GET|HEAD)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
@@ -246,8 +251,9 @@ SecRule REQUEST_PROTOCOL "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_METHOD "@streq POST" \
@@ -276,8 +282,9 @@ SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Length "!@eq 0" \
@@ -314,8 +321,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx (\d+)-(\d+)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule TX:2 "@lt %{tx.1}" \
@@ -346,89 +354,12 @@ SecRule REQUEST_HEADERS:Connection "@rx \b(?:keep-alive|close),\s?(?:keep-alive|
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
-#
-# Check URL encodings
-#
-# -=[ Rule Logic ]=-
-# There are two different chained rules.    We need to separate them as we are inspecting two
-# different variables - REQUEST_URI_RAW and REQUEST_BODY.   For REQUEST_BODY, we only want to
-# run the @validateUrlEncoding operator if the content-type is application/x-www-form-urlencoding.
-#
-# We exclude the last path segment from validation because it could be a file name, which could
-# easily contain a '%' character that is not part of a URI encoded sequence.
-#
-# -=[ References ]=-
-# http://www.ietf.org/rfc/rfc1738.txt
-#
-# -=[ Example payload ]=-
-# http://localhost/?s=a%20b%20c%'/
-# reason: %'/ is not a valid url encoding
-#
-# Regular expression generated from regex-assembly/920220-chain1.ra.
-# To update the regular expression run the following shell script
-# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
-#   crs-toolchain regex update 920220-chain1
-#
-SecRule REQUEST_URI_RAW "@rx \x25" \
-    "id:920220,\
-    phase:1,\
-    block,\
-    t:none,t:urlDecodeUni,\
-    msg:'URL Encoding Abuse Attack Attempt',\
-    logdata:'%{REQUEST_URI_RAW}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.5.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule REQUEST_URI_RAW "@rx ^(.*)/(?:[^\?]+)?(\?.*)?$" \
-        "capture,\
-        chain"
-        SecRule TX:1|TX:2 "@validateUrlEncoding" \
-            "t:none,t:urlDecodeUni,\
-            setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
-
-# Validate URI encoding of the last path segment, only if it does not look like a file name.
-# A file name could easily contain a '%' character that is not part of a URI encoded sequence.
-#
-# Regular expression generated from regex-assembly/920221.ra.
-# To update the regular expression run the following shell script
-# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
-#   crs-toolchain regex update 920221
-#
-SecRule REQUEST_BASENAME "!@rx ^.*%.*\.[^\s\x0b\.]+$" \
-    "id:920221,\
-    phase:1,\
-    block,\
-    capture,\
-    t:none,t:urlDecodeUni,\
-    msg:'URL Encoding Abuse Attack Attempt',\
-    logdata:'%{REQUEST_BASENAME}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.5.0',\
-    severity:'CRITICAL',\
-    chain"
-    SecRule TX:0 "@validateUrlEncoding" \
-        "t:none,t:urlDecodeUni,\
-        setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
-
 
 #
 # Check UTF encoding
@@ -452,8 +383,9 @@ SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
@@ -496,8 +428,9 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -539,7 +472,7 @@ SecRule REQUEST_URI|REQUEST_BODY "@rx (?i)%uff[0-9a-f]{2}" \
 # 920274 generally has few positives. However, it would detect rare attacks
 # on Accept request headers and friends.
 
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     "id:920270,\
     phase:2,\
     block,\
@@ -552,8 +485,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 1-255" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -583,9 +517,10 @@ SecRule &REQUEST_HEADERS:Host "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}',\
     skipAfter:END-HOST-CHECK"
@@ -603,8 +538,9 @@ SecRule REQUEST_HEADERS:Host "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -643,8 +579,9 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -668,8 +605,9 @@ SecRule REQUEST_HEADERS:Accept "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
@@ -701,8 +639,9 @@ SecRule REQUEST_HEADERS:User-Agent "@rx ^$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.notice_anomaly_score}'"
 
@@ -738,8 +677,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'NOTICE',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -782,9 +722,10 @@ SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
@@ -815,8 +756,9 @@ SecRule &TX:MAX_NUM_ARGS "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &ARGS "@gt %{tx.max_num_args}" \
@@ -840,8 +782,9 @@ SecRule &TX:ARG_NAME_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_NAMES "@gt %{tx.arg_name_length}" \
@@ -867,8 +810,9 @@ SecRule &TX:ARG_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS "@gt %{tx.arg_length}" \
@@ -891,8 +835,9 @@ SecRule &TX:TOTAL_ARG_LENGTH "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule ARGS_COMBINED_SIZE "@gt %{tx.total_arg_length}" \
@@ -916,8 +861,9 @@ SecRule &TX:MAX_FILE_SIZE "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)multipart/form-data" \
@@ -942,8 +888,9 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule FILES_COMBINED_SIZE "@gt %{tx.combined_file_sizes}" \
@@ -968,7 +915,7 @@ SecRule &TX:COMBINED_FILE_SIZES "@eq 1" \
 # - application/soap+xml; charset=utf-8; action="urn:localhost-hwh#getQuestions"
 # - application/*+json
 
-SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
+SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s*(?:action|boundary|charset|component|start(?:-info)?|type|version)\s?=\s?['\"\w.()+,/:=?<>@#*-]+)*$" \
     "id:920470,\
     phase:1,\
     block,\
@@ -981,9 +928,10 @@ SecRule REQUEST_HEADERS:Content-Type "!@rx ^[\w/.+*-]+(?:\s?;\s?(?:action|bounda
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1004,9 +952,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^;\s]+" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.content_type=|%{tx.0}|',\
     chain"
@@ -1032,9 +981,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset\s*=\s*[\"']?([^;\"'\s]+)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.content_type_charset=|%{tx.1}|',\
     chain"
@@ -1059,9 +1009,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx charset.*?charset" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1081,9 +1032,10 @@ SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1104,9 +1056,10 @@ SecRule REQUEST_BASENAME "@rx \.([^.]+)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.extension=.%{tx.1}/',\
     chain"
@@ -1131,9 +1084,10 @@ SecRule REQUEST_FILENAME "@rx \.[^.~]+~(?:/.*|)$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1185,9 +1139,10 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920450_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1219,9 +1174,10 @@ SecRule REQUEST_HEADERS:Accept-Encoding "@gt 100" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1253,7 +1209,8 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1275,8 +1232,9 @@ SecRule REQBODY_PROCESSOR "!@streq JSON" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?i)\x5cu[0-9a-f]{4}" \
@@ -1300,7 +1258,8 @@ SecRule REQUEST_URI_RAW "@contains #" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -1332,13 +1291,14 @@ SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -1376,8 +1336,9 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BASENAME "!@endsWith .pdf" \
@@ -1400,8 +1361,9 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){63}" \
@@ -1421,8 +1383,9 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/120',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
@@ -1430,7 +1393,7 @@ SecRule ARGS "@rx %[0-9a-fA-F]{2}" \
 #
 # PL2: This is a stricter sibling of 920270.
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,32-126,128-255" \
     "id:920271,\
     phase:2,\
     block,\
@@ -1443,8 +1406,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@validateByteRange 9,10,13,
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -1469,9 +1433,10 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'NOTICE',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.notice_anomaly_score}'"
 
@@ -1479,7 +1444,7 @@ SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
 #
 # PL2: This is a stricter sibling of 920120.
 #
-SecRule FILES_NAMES|FILES "@rx ['\";=]" \
+SecRule FILES_NAMES|FILES "@rx ['\";=\x5c]" \
     "id:920121,\
     phase:2,\
     block,\
@@ -1492,8 +1457,9 @@ SecRule FILES_NAMES|FILES "@rx ['\";=]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
@@ -1517,8 +1483,9 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
@@ -1543,9 +1510,10 @@ SecRule REQUEST_HEADERS_NAMES "@rx ^.*$" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.header_name_920451_%{tx.0}=/%{tx.0}/',\
     chain"
@@ -1571,8 +1539,9 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153/267/72',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_BODY "@rx \x25" \
@@ -1580,8 +1549,8 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
         SecRule REQUEST_BODY "@validateUrlEncoding" \
             "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1592,7 +1561,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'O
 # This rule is also triggered by the following exploit(s):
 # [ SAP CRM Java vulnerability CVE-2018-2380 - Exploit tested: https://www.exploit-db.com/exploits/44292 ]
 #
-SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
+SecRule REQUEST_URI_RAW|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 32-36,38-126" \
     "id:920272,\
     phase:2,\
     block,\
@@ -1605,8 +1574,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteR
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
@@ -1638,9 +1608,10 @@ SecRule &REQUEST_HEADERS:Accept "@eq 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
     tag:'PCI/6.5.10',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'NOTICE',\
     chain"
     SecRule REQUEST_METHOD "!@rx ^(?:OPTIONS|CONNECT)$" \
@@ -1672,8 +1643,9 @@ SecRule &REQUEST_HEADERS:x-up-devcap-post-charset "@ge 1" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:User-Agent "@rx ^(?i)up" \
@@ -1725,8 +1697,9 @@ SecRule &REQUEST_HEADERS:Cache-Control "@gt 0" \
     tag:'header-allowlist',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule REQUEST_HEADERS:Cache-Control "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:\s*\,\s*|$)){1,7}$" \
@@ -1755,14 +1728,15 @@ SecRule REQUEST_HEADERS:Accept-Encoding "!@rx br|compress|deflate|(?:pack200-)?g
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:920018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -1784,8 +1758,9 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     chain"
     SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d+)?-(?:\d+)?\s*,?\s*){6}" \
@@ -1811,8 +1786,9 @@ SecRule ARGS|ARGS_NAMES|REQUEST_BODY "@validateByteRange 38,44-46,48-58,61,65-90
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1832,8 +1808,9 @@ SecRule REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent|!REQUEST_HEADERS:Referer|!RE
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1858,8 +1835,9 @@ SecRule REQUEST_HEADERS:Sec-Fetch-User|REQUEST_HEADERS:Sec-CH-UA-Mobile "!@rx ^(
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/210/272',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
 
@@ -1902,8 +1880,9 @@ SecRule REQUEST_URI|REQUEST_HEADERS|ARGS|ARGS_NAMES "@rx (?:^|[^\x5c])\x5c[cdegh
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
     tag:'capec/1000/153/267',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/wasmplugin/rules/crs/REQUEST-921-PROTOCOL-ATTACK.conf b/wasmplugin/rules/crs/REQUEST-921-PROTOCOL-ATTACK.conf
index a60fe28..6bb8c99 100644
--- a/wasmplugin/rules/crs/REQUEST-921-PROTOCOL-ATTACK.conf
+++ b/wasmplugin/rules/crs/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:921012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -45,8 +45,9 @@ SecRule ARGS_NAMES|ARGS|REQUEST_BODY|XML:/* "@rx (?:get|post|head|options|connec
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -77,8 +78,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -98,8 +100,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,7 +126,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     phase:1,\
     block,\
     capture,\
-    t:none,t:htmlEntityDecode,\
+    t:none,t:urlDecodeUni,\
     msg:'HTTP Header Injection Attack via headers',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -132,8 +135,9 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/273',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -151,7 +155,7 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:htmlEntityDecode,\
+    t:none,\
     msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -160,8 +164,9 @@ SecRule ARGS_NAMES "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -172,7 +177,7 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
     phase:1,\
     block,\
     capture,\
-    t:none,t:htmlEntityDecode,t:lowercase,\
+    t:none,t:lowercase,\
     msg:'HTTP Header Injection Attack via payload (CR/LF and header-name detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -181,8 +186,9 @@ SecRule ARGS_GET_NAMES|ARGS_GET "@rx [\n\r]+(?:\s|location|refresh|(?:set-)?cook
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -207,8 +213,9 @@ SecRule REQUEST_FILENAME "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/34',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -240,8 +247,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/248/136',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -272,9 +280,10 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -285,7 +294,7 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?(?:applicati
 # This issue affects Apache HTTP Server 2.4.48 and earlier.
 # GET /?unix:AAAAAAAAAAAAA|http://coreruleset.org/
 #
-SecRule REQUEST_URI "@rx unix:[^|]*\|" \
+SecRule REQUEST_URI_RAW "@rx unix:[^|]*\|" \
     "id:921240,\
     phase:1,\
     block,\
@@ -299,14 +308,43 @@ SecRule REQUEST_URI "@rx unix:[^|]*\|" \
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
+    tag:'capec/1000/210/272/220/33',\
+    ver:'OWASP_CRS/4.14.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# Detection for old V1 cookie format from RFC 2109.
+#
+# This has been abused by the cookie sandwich technique, in diverse issues affecting Apache Tomcat, Python, and maybe others.
+# RFC 6265 deprecated and replaced RFCs 2109 and 2965.
+# It completely removed "$Version", meaning user agents and servers no longer use this attribute.
+# See:
+# - https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique
+# - https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v2.x%29#seccookieformat
+SecRule REQUEST_COOKIES:/\x22?\x24Version/ "@streq 1" \
+    "id:921250,\
+    phase:1,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Old Cookies V1 usage attempt detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:921014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -323,7 +361,7 @@ SecRule ARGS_GET "@rx [\n\r]" \
     phase:1,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:htmlEntityDecode,\
+    t:none,\
     msg:'HTTP Header Injection Attack via payload (CR/LF detected)',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -332,8 +370,9 @@ SecRule ARGS_GET "@rx [\n\r]" \
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220/33',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -367,15 +406,16 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^[^\s\x0b,;]+[\s\x0b,;].*?\b(?:((?:tex
     tag:'attack-protocol',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/255/153',\
     tag:'PCI/12.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:921016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -404,8 +444,9 @@ SecRule &REQUEST_HEADERS:Range "@gt 0" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/210/272/220',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
@@ -438,30 +479,29 @@ SecRule ARGS_NAMES "@rx ." \
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"
 
 SecRule TX:/paramcounter_.*/ "@gt 1" \
     "id:921180,\
     phase:2,\
     pass,\
-    msg:'HTTP Parameter Pollution (%{TX.1})',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    msg:'HTTP Parameter Pollution (%{MATCHED_VAR_NAME})',\
+    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
-    chain"
-    SecRule MATCHED_VARS_NAMES "@rx TX:paramcounter_(.*)" \
-        "capture,\
-        setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
-        setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
+    setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 # -=[ HTTP Parameter Pollution ]=-
@@ -499,16 +539,17 @@ SecRule ARGS_NAMES "@rx (][^\]]+$|][^\]]+\[)" \
     tag:'attack-protocol',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:921018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -547,8 +588,9 @@ SecRule ARGS_NAMES "@rx \[" \
     tag:'attack-protocol',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ATTACK',\
     tag:'capec/1000/152/137/15/460',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.http_violation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/wasmplugin/rules/crs/REQUEST-922-MULTIPART-ATTACK.conf b/wasmplugin/rules/crs/REQUEST-922-MULTIPART-ATTACK.conf
index c65bcbc..2b192b0 100644
--- a/wasmplugin/rules/crs/REQUEST-922-MULTIPART-ATTACK.conf
+++ b/wasmplugin/rules/crs/REQUEST-922-MULTIPART-ATTACK.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -37,8 +37,9 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
     tag:'attack-multipart-header',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/1000/255/153',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.922100_charset=|%{ARGS._charset_}|',\
     chain"
@@ -65,11 +66,13 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'attack-multipart-header',\
     tag:'attack-protocol',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/272/220',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule TX:1 "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
@@ -88,10 +91,36 @@ SecRule MULTIPART_PART_HEADERS "@rx content-transfer-encoding:(.*)" \
     tag:'application-multi',\
     tag:'language-multi',\
     tag:'platform-multi',\
+    tag:'attack-multipart-header',\
     tag:'attack-deprecated-header',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
+    tag:'capec/272/220',\
+    ver:'OWASP_CRS/4.14.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# Multipart header names can't contain any characters outside of range 33 and 126,
+# excluding 58 (':') which is the separator.
+# RFC 2045 refers RFC 822 about the header syntax.
+# Note: this is in phase:2 because these are headers that come in the body
+SecRule MULTIPART_PART_HEADERS "@rx [^\x21-\x7E][\x21-\x39\x3B-\x7E]*:" \
+    "id:922130,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:lowercase,\
+    msg:'Multipart header contains characters outside of valid range',\
+    logdata:'Matched Data: %{TX.0}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-multipart-header',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/MULTIPART-ATTACK',\
     tag:'capec/272/220',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
diff --git a/wasmplugin/rules/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf b/wasmplugin/rules/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
index 6fc437d..5fcaa92 100644
--- a/wasmplugin/rules/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
+++ b/wasmplugin/rules/crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:930012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -46,8 +46,9 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}'"
@@ -64,7 +65,7 @@ SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:
 #
 # Semicolon added to prevent path traversal via reverse proxy mapping '/..;/' (Tomcat)
 #
-SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}(?:[\x5c/;]|$))" \
+SecRule REQUEST_URI_RAW|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "@rx (?:(?:^|[\x5c/;])\.{2,3}[\x5c/;]|[\x5c/;]\.{2,3}[\x5c/;])" \
     "id:930110,\
     phase:2,\
     block,\
@@ -78,8 +79,9 @@ SecRule REQUEST_URI|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer|FILES|XML:/* "
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -108,9 +110,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -135,17 +138,18 @@ SecRule REQUEST_FILENAME "@pmFromFile restricted-files.data" \
     tag:'attack-lfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:930014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -173,24 +177,25 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@pmFromFile lfi-os-f
     tag:'attack-lfi',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-LFI',\
     tag:'capec/1000/255/153/126',\
     tag:'PCI/6.5.4',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.lfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:930016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:930018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/wasmplugin/rules/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index b1780e4..4f5147a 100644
--- a/wasmplugin/rules/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/wasmplugin/rules/crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -17,8 +17,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:931012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -48,8 +48,9 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?)://(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3
     tag:'attack-rfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -68,8 +69,9 @@ SecRule QUERY_STRING|REQUEST_BODY "@rx (?i)(?:\binclude\s*\([^)]*|mosConfig_abso
     tag:'attack-rfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -88,16 +90,17 @@ SecRule ARGS "@rx ^(?i:file|ftps?|https?).*?\?+$" \
     tag:'attack-rfi',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:931014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -127,8 +130,9 @@ SecRule ARGS "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|it
     tag:'attack-rfi',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
     chain"
@@ -157,8 +161,9 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
     tag:'attack-rfi',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RFI',\
     tag:'capec/1000/152/175/253',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rfi_parameter_%{MATCHED_VAR_NAME}=.%{tx.1}',\
     chain"
@@ -167,16 +172,16 @@ SecRule REQUEST_FILENAME "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:931016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:931018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/wasmplugin/rules/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
index b87f0b0..13a1cc7 100644
--- a/wasmplugin/rules/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+++ b/wasmplugin/rules/crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -119,7 +119,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:932012,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932230
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|(?:(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|x)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|[ckz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dg]|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[&,<>\|]|(?:[\-\.0-9A-Z_a-z][\"'\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\*\-0-9\?@_a-\{]*)?\x5c?)+[\s\x0b&,<>\|]).*|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4|[\s\x0b&\),<>\|].*))|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|(?:e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[arx][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?|(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:4[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?)(?:[\s\x0b&\),<>\|]|$).*|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[&\),<>\|]|$){1,10}|(?:[\-\.0-9A-Z_a-z][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?){1,10}(?:[\s\x0b&\),<>\|]|$){1,10})|(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|[hr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*))\b" \
     "id:932230,\
     phase:2,\
     block,\
@@ -133,9 +133,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -179,7 +180,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932235
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[\s\x0b&\)<>\|]|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|nsible|pt(?:-get|itude[\s\x0b&\)<>\|])|r(?:ch[\s\x0b&\)<>\|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm)|b(?:a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[\s\x0b&\)<>\|]|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|p(?:an|io|ulimit)|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab))|s(?:cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:psfilter|rl[\s\x0b&\)<>\|]))|d(?:(?:a(?:sh|te)|i(?:alog|ff))[\s\x0b&\)<>\|]|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:2fsck|(?:asy_instal|va)l|cho[\s\x0b&\)<>\|]|fax|grep|macs|n(?:d(?:if|sw)|v-update)|sac|x(?:ec[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r)))|f(?:acter|(?:etch|lock|unction)[\s\x0b&\)<>\|]|grep|i(?:le(?:[\s\x0b&\)<>\|]|test)|(?:n(?:d|ger)|sh)[\s\x0b&\)<>\|])|o(?:ld[\s\x0b&\)<>\|]|reach)|ping|tp(?:stats|who))|g(?:awk[\s\x0b&\)<>\|]|core|e(?:ni(?:e[\s\x0b&\)<>\|]|soimage)|tfacl[\s\x0b&\)<>\|])|hci|i(?:mp[\s\x0b&\)<>\|]|nsh)|r(?:ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|p(?:6?tables|config)|spell)|j(?:ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|]|sshell)|l(?:a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|dconfig|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|(?:inks|ynx)[\s\x0b&\)<>\|]|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ke[\s\x0b&\)<>\|]|ster\.passwd|wk)|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt[\s\x0b&\)<>\|]|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:a(?:no[\s\x0b&\)<>\|]|sm|wk)|c(?:\.(?:openbsd|traditional)|at)|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|(?:ice|ull)[\s\x0b&\)<>\|]|map|o(?:de[\s\x0b&\)<>\|]|hup)|ping|roff|s(?:enter|lookup|tat))|o(?:ctave[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:f(?:la)?tex|ksh)|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|(?:ft|gre)p|hp(?:-cgi|[57])|i(?:(?:co|ng)[\s\x0b&\)<>\|]|dstat|gz)|k(?:exec|g_?info|ill)|opd|rint(?:env|f[\s\x0b&\)<>\|])|s(?:ed|ftp|ql)|tar(?:diff|grep)?|u(?:ppet[\s\x0b&\)<>\|]|shd)|wd\.db|y(?:thon[^\s\x0b]|3?versions))|r(?:ak(?:e[\s\x0b&\)<>\|]|u)|bash|e(?:a(?:delf|lpath)|(?:dcarpet|name|p(?:eat|lace))[\s\x0b&\)<>\|]|stic)|l(?:ogin|wrap)|m(?:dir[\s\x0b&\)<>\|]|user)|nano|oute[\s\x0b&\)<>\|]|pm(?:db|(?:quer|verif)y)|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|nap)[\s\x0b&\)<>\|]|diff|e(?:(?:lf|rvice)[\s\x0b&\)<>\|]|ndmail|t(?:arch|env|facl[\s\x0b&\)<>\|]|sid))|ftp|h(?:\.distrib|(?:adow|ells)[\s\x0b&\)<>\|]|u(?:f|tdown[\s\x0b&\)<>\|]))|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|udo|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|c(?:l?sh|p(?:dump|ing|traceroute))|elnet|ftp|ime(?:datectl|out[\s\x0b&\)<>\|])|mux|ouch[\s\x0b&\)<>\|]|r(?:aceroute6?|off)|shark)|u(?:limit[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:ew[\s\x0b&\)<>\|]|gr|mdiff|pw|rsh|sudo)|olatility[\s\x0b&\)<>\|])|w(?:a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:args|e(?:la)?tex|mo(?:dmap|re)|pad|term|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|s(?:oelim|td(?:(?:ca|m)t|grep|less)?)|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:HEAD|POST|y(?:arn|elp))(?:[\s\x0b&\),<>\|]|$)|a(?:dd(?:group|user)|getty|(?:l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|nsible|pt(?:-get|itude(?:[\s\x0b&\),<>\|]|$))|r(?:ch(?:[\s\x0b&\),<>\|]|$)|ia2c|j(?:-register|disp))|s(?:cii(?:-xfr|85)|pell))|b(?:a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|a(?:ncel|psh)(?:[\s\x0b&\),<>\|]|$)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|p(?:(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab))|s(?:cli(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:psfilter|rl(?:[\s\x0b&\),<>\|]|$)))|d(?:(?:ash|i(?:alog|ff)|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|asy_install|(?:cho|fax|grep|macs|sac|val)(?:[\s\x0b&\),<>\|]|$)|n(?:d(?:if|sw)(?:[\s\x0b&\),<>\|]|$)|v-update)|x(?:(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool))|f(?:acter|d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|(?:etch|grep|lock|unction)(?:[\s\x0b&\),<>\|]|$)|i(?:le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:awk|core|i(?:mp|nsh)|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage)|tfacl(?:[\s\x0b&\),<>\|]|$))|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|tester|unzip)|h(?:(?:ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:conv|nstall)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|p(?:6?tables|config|p(?:eveprinter|find|tool))|spell)|j(?:(?:ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:in(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$)|sshell)|l(?:a(?:st(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|dconfig|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:cate|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|trace|ua(?:la)?tex|wp-(?:d(?:ownload|ump)|mirror|request)|ynx(?:[\s\x0b&\),<>\|]|$)|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|(?:ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|utt(?:[\s\x0b&\),<>\|]|$)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:no|sm|wk)|ice|map|o(?:de|hup)|ping|roff|ull)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:ofetch|t(?:(?:c|st)at|kit-ftp|plan))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:ctave(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|(?:(?:ft|gre)p|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:(?:co|gz|ng)(?:[\s\x0b&\),<>\|]|$)|dstat)|k(?:exec|g_?info|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:ak[eu]|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:a(?:delf|lpath)|(?:(?:boo|dcarpe)t|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|stic)|l(?:ogin|wrap)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:ash|c(?:hed|r(?:een|ipt))|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:lf|rvice)(?:[\s\x0b&\),<>\|]|$)|ndmail|t(?:arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid))|h(?:\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|mbclient|o(?:(?:ca|r)t(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|sh(?:-key(?:ge|sca)n|pass)|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|udo(?:[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:dump|ing|traceroute))|elnet|(?:ftp|mux|ouch)(?:[\s\x0b&\),<>\|]|$)|ime(?:datectl|out(?:[\s\x0b&\),<>\|]|$))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:limit(?:[\s\x0b&\),<>\|]|$)|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:algrind|i(?:(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|mdiff|sudo)|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:all|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|o(?:ami|is(?:[\s\x0b&\),<>\|]|$)))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:args|pad|term)(?:[\s\x0b&\),<>\|]|$)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$))|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|ypper))" \
     "id:932235,\
     phase:2,\
     block,\
@@ -193,9 +194,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -226,9 +228,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -246,7 +249,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932125
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:a[\"\^]*n|[dipv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[civ]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:(?:a[\"\^]*(?:c|s[\"\^]*n[\"\^]*p)|e[\"\^]*(?:b[\"\^]*p|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|s[\"\^]*n)|[tx][\"\^]*s[\"\^]*n)|f[\"\^]*(?:[cltw]|o[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*c[\"\^]*h)|i[\"\^]*(?:[cr][\"\^]*m|e[\"\^]*x|h[\"\^]*y|i|p[\"\^]*(?:a[\"\^]*l|c[\"\^]*s[\"\^]*v|m[\"\^]*o|s[\"\^]*n)|s[\"\^]*e|w[\"\^]*(?:m[\"\^]*i|r))|m[\"\^]*(?:[dpv]|o[\"\^]*u[\"\^]*n[\"\^]*t)|o[\"\^]*g[\"\^]*v|p[\"\^]*(?:o[\"\^]*p|u[\"\^]*s[\"\^]*h)[\"\^]*d|t[\"\^]*r[\"\^]*c[\"\^]*m|w[\"\^]*j[\"\^]*b)[\"\^]*[\s\x0b,\./;<>].*|c[\"\^]*(?:(?:(?:d|h[\"\^]*d[\"\^]*i[\"\^]*r|v[\"\^]*p[\"\^]*a)[\"\^]*|p[\"\^]*(?:[ip][\"\^]*)?)[\s\x0b,\./;<>].*|l[\"\^]*(?:(?:[cipv]|h[\"\^]*y)[\"\^]*[\s\x0b,\./;<>].*|s)|n[\"\^]*s[\"\^]*n)|d[\"\^]*(?:(?:b[\"\^]*p|e[\"\^]*l|i[\"\^]*(?:f[\"\^]*f|r))[\"\^]*[\s\x0b,\./;<>].*|n[\"\^]*s[\"\^]*n)|g[\"\^]*(?:(?:(?:(?:a[\"\^]*)?l|b[\"\^]*p|d[\"\^]*r|h[\"\^]*y|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|[uv])[\"\^]*|c[\"\^]*(?:[ims][\"\^]*)?|m[\"\^]*(?:o[\"\^]*)?|s[\"\^]*(?:n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*))[\s\x0b,\./;<>].*|e[\"\^]*r[\"\^]*r|p[\"\^]*(?:(?:s[\"\^]*)?[\s\x0b,\./;<>].*|v))|l[\"\^]*s|n[\"\^]*(?:(?:a[\"\^]*l|d[\"\^]*r|[iv]|m[\"\^]*o|s[\"\^]*n)[\"\^]*[\s\x0b,\./;<>].*|p[\"\^]*s[\"\^]*s[\"\^]*c)|r[\"\^]*(?:(?:(?:(?:b[\"\^]*)?p|e[\"\^]*n|(?:w[\"\^]*m[\"\^]*)?i|j[\"\^]*b|n[\"\^]*[ip])[\"\^]*|d[\"\^]*(?:r[\"\^]*)?|m[\"\^]*(?:(?:d[\"\^]*i[\"\^]*r|o)[\"\^]*)?|s[\"\^]*n[\"\^]*(?:p[\"\^]*)?|v[\"\^]*(?:p[\"\^]*a[\"\^]*)?)[\s\x0b,\./;<>].*|c[\"\^]*(?:j[\"\^]*b[\"\^]*[\s\x0b,\./;<>].*|s[\"\^]*n)|u[\"\^]*j[\"\^]*b)|s[\"\^]*(?:(?:(?:a[\"\^]*(?:j[\"\^]*b|l|p[\"\^]*s|s[\"\^]*v)|b[\"\^]*p|[cv]|w[\"\^]*m[\"\^]*i)[\"\^]*|l[\"\^]*(?:s[\"\^]*)?|p[\"\^]*(?:(?:j[\"\^]*b|p[\"\^]*s|s[\"\^]*v)[\"\^]*)?)[\s\x0b,\./;<>].*|h[\"\^]*c[\"\^]*m|u[\"\^]*j[\"\^]*b))(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
     "id:932125,\
     phase:2,\
     block,\
@@ -260,9 +263,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -304,9 +308,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -351,9 +356,50 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
+# [ Unix shell expressions - Bash Tilde expansion ]
+# This rule has a stricter sibling: 932271
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# ~+    $PWD
+# ~-    $OLDPWD
+# ~-2   second directory entry on the stack from the top
+# ~+2   second directory entry on the stack from the bottom
+#
+# Reference - https://linuxsimply.com/bash-scripting-tutorial/expansion/tilde-expansion/
+#
+# Regular expression generated from regex-assembly/932270.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 932270
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[\+\-](?:$|[0-9]+)" \
+    "id:932270,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:cmdLine,\
+    msg:'Remote Command Execution: Unix Shell Expression Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-shell',\
+    tag:'platform-unix',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
+    tag:'capec/1000/152/248/88',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -418,7 +464,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932250
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|(?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|x)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|[ckz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dg]|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)[\s\x0b&\)<>\|]" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?j|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?f|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dg]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|[kz][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:s|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)(?:[\s\x0b&\),<>\|]|$)" \
     "id:932250,\
     phase:2,\
     block,\
@@ -432,9 +478,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -477,7 +524,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932260
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|(?:ron|scli)[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\x0b&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw|sudo)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:a(?:ddgroup|nsible|rj(?:-register|disp)|tobm(?:[\s\x0b&\),<>\|]|$))|b(?:ase(?:32|64|nc)|(?:lkid|yobu)(?:[\s\x0b&\),<>\|]|$)|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more))|c(?:[89]9-gcc|h(?:(?:attr|mod|o(?:om|wn)|sh)(?:[\s\x0b&\),<>\|]|$)|ef-|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$))|pass)|lang\+\+|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|mm(?:[\s\x0b&\),<>\|]|$)|proc)|(?:p(?:an|io)|scli)(?:[\s\x0b&\),<>\|]|$))|d(?:(?:iff|mesg|vips)(?:[\s\x0b&\),<>\|]|$)|o(?:as(?:[\s\x0b&\),<>\|]|$)|cker-)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:2fsck|(?:fax|grep|macs|nd(?:if|sw)|sac|xpr)(?:[\s\x0b&\),<>\|]|$))|f(?:d(?:(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|grep(?:[\s\x0b&\),<>\|]|$)|iletest|ping(?:[\s\x0b&\),6<>\|]|$)|tp(?:stats|who))|g(?:(?:core|insh|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|hc(?:-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:(?:cat|ep)(?:[\s\x0b&\),<>\|]|$)|oupmod)|unzip)|(?:htop|jexec)(?:[\s\x0b&\),<>\|]|$)|i(?:(?:conv|ftop)(?:[\s\x0b&\),<>\|]|$)|pp(?:eveprinter|find|tool))|l(?:ast(?:comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|osetup|s(?:(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|wp-download|z(?:4c(?:[\s\x0b&\),<>\|]|$|at)|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore)))|m(?:a(?:(?:ilq|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|k(?:fifo|nod(?:[\s\x0b&\),<>\|]|$)|temp)|locate|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:(?:a(?:sm|wk)|(?:ma|ohu)p|ping|roff|stat)(?:[\s\x0b&\),<>\|]|$)|c(?:\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|et(?:(?:c|st)at|kit-ftp|plan))|o(?:nintr|pkg(?:[\s\x0b&\),<>\|]|$))|p(?:d(?:b(?:2mb|3(?:[\s\x0b&\),\.<>\|]|$))|ksh(?:[\s\x0b&\),<>\|]|$))|(?:er(?:f|l5?)|(?:ft|gre)p|igz|(?:op|ush)d|s(?:ed|ql))(?:[\s\x0b&\),<>\|]|$)|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|k(?:exec|ill(?:[\s\x0b&\),<>\|]|$))|rint(?:env|f(?:[\s\x0b&\),<>\|]|$))|tar(?:[\s\x0b&\),<>\|]|$|diff|grep)|wd\.db|y(?:3?versions|thon[23]))|r(?:(?:aku|bash|nano|pmdb|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|e(?:boot(?:[\s\x0b&\),<>\|]|$)|alpath)|m(?:dir(?:[\s\x0b&\),<>\|]|$)|user)|sync(?:-ssl|[\s\x0b&\),<>\|]|$))|s(?:(?:diff|ftp|lsh|ocat)(?:[\s\x0b&\),<>\|]|$)|e(?:ndmail|t(?:env|sid))|h(?:\.distrib|uf(?:[\s\x0b&\),<>\|]|$))|pwd\.db|td(?:err|in(?:[\s\x0b&\),<>\|]|$)|out)|udo(?:[\s\x0b&\),<>_\|]|$|edit|replay)|vn(?:a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|ysctl)|t(?:(?:ailf|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:l?sh(?:[\s\x0b&\),<>\|]|$)|p(?:ing|traceroute))|elnet|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$)))|u(?:n(?:(?:iq|rar|xz)(?:[\s\x0b&\),<>\|]|$)|lz(?:4(?:[\s\x0b&\),<>\|]|$)|ma)|pigz|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|w(?:get(?:[\s\x0b&\),<>\|]|$)|hoami)|x(?:(?:args|etex|more|pad|term)(?:[\s\x0b&\),<>\|]|$)|z(?:c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more))|z(?:(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|[ef]grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|std(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less)))" \
     "id:932260,\
     phase:2,\
     block,\
@@ -491,9 +538,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -527,9 +575,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -568,9 +617,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -599,9 +649,10 @@ SecRule REQUEST_HEADERS|REQUEST_LINE "@rx ^\(\s*\)\s+{" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -620,9 +671,10 @@ SecRule ARGS_NAMES|ARGS|FILES_NAMES "@rx ^\(\s*\)\s+{" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -662,9 +714,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -696,9 +749,10 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -790,9 +844,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -813,7 +868,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932380
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r(?:[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)?|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|f|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*(?:o[\"\^]*l|s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*(?:e[\"\^]*r[\"\^]*e|o[\"\^]*a[\"\^]*m[\"\^]*i)|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:[\n\r;`\{]|\|\|?|&&?)[\s\x0b]*[\s\x0b\"'\(,@]*(?:[\"'\.-9A-Z_a-z]+/|(?:[\"'\x5c\^]*[0-9A-Z_a-z][\"'\x5c\^]*:.*|[ \"'\.-9A-Z\x5c\^_a-z]*)\x5c)?[\"\^]*(?:a[\"\^]*(?:s[\"\^]*s[\"\^]*o[\"\^]*c|t[\"\^]*(?:m[\"\^]*a[\"\^]*d[\"\^]*m|t[\"\^]*r[\"\^]*i[\"\^]*b)|u[\"\^]*(?:d[\"\^]*i[\"\^]*t[\"\^]*p[\"\^]*o[\"\^]*l|t[\"\^]*o[\"\^]*(?:c[\"\^]*(?:h[\"\^]*k|o[\"\^]*n[\"\^]*v)|(?:f[\"\^]*m|m[\"\^]*o[\"\^]*u[\"\^]*n)[\"\^]*t)))|b[\"\^]*(?:c[\"\^]*d[\"\^]*(?:b[\"\^]*o[\"\^]*o|e[\"\^]*d[\"\^]*i)[\"\^]*t|(?:d[\"\^]*e[\"\^]*h[\"\^]*d|o[\"\^]*o[\"\^]*t)[\"\^]*c[\"\^]*f[\"\^]*g|i[\"\^]*t[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|c[\"\^]*(?:a[\"\^]*c[\"\^]*l[\"\^]*s|e[\"\^]*r[\"\^]*t[\"\^]*(?:r[\"\^]*e[\"\^]*q|u[\"\^]*t[\"\^]*i[\"\^]*l)|h[\"\^]*(?:c[\"\^]*p|d[\"\^]*i[\"\^]*r|g[\"\^]*(?:l[\"\^]*o[\"\^]*g[\"\^]*o[\"\^]*n|p[\"\^]*o[\"\^]*r[\"\^]*t|u[\"\^]*s[\"\^]*r)|k[\"\^]*(?:d[\"\^]*s[\"\^]*k|n[\"\^]*t[\"\^]*f[\"\^]*s))|l[\"\^]*e[\"\^]*a[\"\^]*n[\"\^]*m[\"\^]*g[\"\^]*r|m[\"\^]*(?:d(?:[\"\^]*k[\"\^]*e[\"\^]*y)?|s[\"\^]*t[\"\^]*p)|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|d[\"\^]*(?:c[\"\^]*(?:d[\"\^]*i[\"\^]*a[\"\^]*g|g[\"\^]*p[\"\^]*o[\"\^]*f[\"\^]*i[\"\^]*x)|e[\"\^]*(?:f[\"\^]*r[\"\^]*a[\"\^]*g|l)|f[\"\^]*s[\"\^]*(?:d[\"\^]*i[\"\^]*a|r[\"\^]*m[\"\^]*i)[\"\^]*g|i[\"\^]*(?:a[\"\^]*n[\"\^]*t[\"\^]*z|r|s[\"\^]*(?:k[\"\^]*(?:c[\"\^]*o[\"\^]*(?:m[\"\^]*p|p[\"\^]*y)|p[\"\^]*(?:a[\"\^]*r[\"\^]*t|e[\"\^]*r[\"\^]*f)|r[\"\^]*a[\"\^]*i[\"\^]*d|s[\"\^]*h[\"\^]*a[\"\^]*d[\"\^]*o[\"\^]*w)|p[\"\^]*d[\"\^]*i[\"\^]*a[\"\^]*g))|n[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*d|(?:o[\"\^]*s[\"\^]*k[\"\^]*e|r[\"\^]*i[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*r)[\"\^]*y)|e[\"\^]*(?:n[\"\^]*d[\"\^]*l[\"\^]*o[\"\^]*c[\"\^]*a[\"\^]*l|v[\"\^]*e[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*r[\"\^]*e[\"\^]*a[\"\^]*t[\"\^]*e)|E[\"\^]*v[\"\^]*n[\"\^]*t[\"\^]*c[\"\^]*m[\"\^]*d|f[\"\^]*(?:c|i[\"\^]*(?:l[\"\^]*e[\"\^]*s[\"\^]*y[\"\^]*s[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*s|n[\"\^]*d[\"\^]*s[\"\^]*t[\"\^]*r)|l[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*m[\"\^]*p|o[\"\^]*r[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s|r[\"\^]*e[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*s[\"\^]*k|s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|(?:t[\"\^]*y[\"\^]*p|v[\"\^]*e[\"\^]*u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t)[\"\^]*e)|g[\"\^]*(?:e[\"\^]*t[\"\^]*(?:m[\"\^]*a[\"\^]*c|t[\"\^]*y[\"\^]*p[\"\^]*e)|o[\"\^]*t[\"\^]*o|p[\"\^]*(?:f[\"\^]*i[\"\^]*x[\"\^]*u[\"\^]*p|(?:r[\"\^]*e[\"\^]*s[\"\^]*u[\"\^]*l[\"\^]*)?t|u[\"\^]*p[\"\^]*d[\"\^]*a[\"\^]*t[\"\^]*e)|r[\"\^]*a[\"\^]*f[\"\^]*t[\"\^]*a[\"\^]*b[\"\^]*l)|h[\"\^]*(?:e[\"\^]*l[\"\^]*p[\"\^]*c[\"\^]*t[\"\^]*r|o[\"\^]*s[\"\^]*t[\"\^]*n[\"\^]*a[\"\^]*m[\"\^]*e)|i[\"\^]*(?:c[\"\^]*a[\"\^]*c[\"\^]*l[\"\^]*s|p[\"\^]*(?:c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*g|x[\"\^]*r[\"\^]*o[\"\^]*u[\"\^]*t[\"\^]*e)|r[\"\^]*f[\"\^]*t[\"\^]*p)|j[\"\^]*e[\"\^]*t[\"\^]*p[\"\^]*a[\"\^]*c[\"\^]*k|k[\"\^]*(?:l[\"\^]*i[\"\^]*s[\"\^]*t|s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|t[\"\^]*(?:m[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|p[\"\^]*a[\"\^]*s[\"\^]*s))|l[\"\^]*(?:o[\"\^]*(?:d[\"\^]*c[\"\^]*t[\"\^]*r|g[\"\^]*(?:m[\"\^]*a[\"\^]*n|o[\"\^]*f[\"\^]*f))|p[\"\^]*[qr])|m[\"\^]*(?:a[\"\^]*(?:c[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e|k[\"\^]*e[\"\^]*c[\"\^]*a[\"\^]*b|p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n)|k[\"\^]*(?:d[\"\^]*i[\"\^]*r|l[\"\^]*i[\"\^]*n[\"\^]*k)|m[\"\^]*c|o[\"\^]*u[\"\^]*n[\"\^]*t[\"\^]*v[\"\^]*o[\"\^]*l|q[\"\^]*(?:b[\"\^]*k[\"\^]*u[\"\^]*p|(?:t[\"\^]*g[\"\^]*)?s[\"\^]*v[\"\^]*c)|s[\"\^]*(?:d[\"\^]*t|i[\"\^]*(?:e[\"\^]*x[\"\^]*e[\"\^]*c|n[\"\^]*f[\"\^]*o[\"\^]*3[\"\^]*2)|t[\"\^]*s[\"\^]*c))|n[\"\^]*(?:b[\"\^]*t[\"\^]*s[\"\^]*t[\"\^]*a[\"\^]*t|e[\"\^]*t[\"\^]*(?:c[\"\^]*f[\"\^]*g|d[\"\^]*o[\"\^]*m|s[\"\^]*(?:h|t[\"\^]*a[\"\^]*t))|f[\"\^]*s[\"\^]*(?:a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|s[\"\^]*(?:h[\"\^]*a[\"\^]*r[\"\^]*e|t[\"\^]*a[\"\^]*t))|l[\"\^]*(?:b[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*s[\"\^]*t)|s[\"\^]*l[\"\^]*o[\"\^]*o[\"\^]*k[\"\^]*u[\"\^]*p|t[\"\^]*(?:b[\"\^]*a[\"\^]*c[\"\^]*k[\"\^]*u[\"\^]*p|c[\"\^]*m[\"\^]*d[\"\^]*p[\"\^]*r[\"\^]*o[\"\^]*m[\"\^]*p[\"\^]*t|f[\"\^]*r[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*l))|o[\"\^]*(?:f[\"\^]*f[\"\^]*l[\"\^]*i[\"\^]*n[\"\^]*e|p[\"\^]*e[\"\^]*n[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*s)|p[\"\^]*(?:a[\"\^]*(?:g[\"\^]*e[\"\^]*f[\"\^]*i[\"\^]*l[\"\^]*e[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*f[\"\^]*i|t[\"\^]*h[\"\^]*p[\"\^]*i[\"\^]*n)[\"\^]*g|(?:b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|k[\"\^]*t[\"\^]*m[\"\^]*o)[\"\^]*n|e[\"\^]*(?:n[\"\^]*t[\"\^]*n[\"\^]*t|r[\"\^]*f[\"\^]*m[\"\^]*o[\"\^]*n)|n[\"\^]*p[\"\^]*u[\"\^]*(?:n[\"\^]*a[\"\^]*t[\"\^]*t[\"\^]*e[\"\^]*n[\"\^]*d|t[\"\^]*i[\"\^]*l)|o[\"\^]*(?:p[\"\^]*d|w[\"\^]*e[\"\^]*r[\"\^]*s[\"\^]*h[\"\^]*e[\"\^]*l[\"\^]*l)|r[\"\^]*n[\"\^]*(?:c[\"\^]*n[\"\^]*f[\"\^]*g|(?:d[\"\^]*r[\"\^]*v|m[\"\^]*n[\"\^]*g)[\"\^]*r|j[\"\^]*o[\"\^]*b[\"\^]*s|p[\"\^]*o[\"\^]*r[\"\^]*t|q[\"\^]*c[\"\^]*t[\"\^]*l)|u[\"\^]*(?:b[\"\^]*p[\"\^]*r[\"\^]*n|s[\"\^]*h[\"\^]*(?:d|p[\"\^]*r[\"\^]*i[\"\^]*n[\"\^]*t[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*o[\"\^]*n[\"\^]*n[\"\^]*e[\"\^]*c[\"\^]*t[\"\^]*i[\"\^]*o[\"\^]*n[\"\^]*s))|w[\"\^]*(?:l[\"\^]*a[\"\^]*u[\"\^]*n[\"\^]*c[\"\^]*h[\"\^]*e[\"\^]*r|s[\"\^]*h))|q[\"\^]*(?:a[\"\^]*p[\"\^]*p[\"\^]*s[\"\^]*r[\"\^]*v|p[\"\^]*r[\"\^]*o[\"\^]*c[\"\^]*e[\"\^]*s[\"\^]*s|u[\"\^]*s[\"\^]*e[\"\^]*r|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|r[\"\^]*(?:d(?:[\"\^]*p[\"\^]*s[\"\^]*i[\"\^]*g[\"\^]*n)?|e[\"\^]*(?:f[\"\^]*s[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|g(?:[\"\^]*(?:i[\"\^]*n[\"\^]*i|s[\"\^]*v[\"\^]*r[\"\^]*3[\"\^]*2))?|l[\"\^]*o[\"\^]*g|(?:(?:p[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i|s[\"\^]*c[\"\^]*a)[\"\^]*)?n|x[\"\^]*e[\"\^]*c)|i[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u[\"\^]*p|m[\"\^]*d[\"\^]*i[\"\^]*r|o[\"\^]*b[\"\^]*o[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y|p[\"\^]*c[\"\^]*(?:i[\"\^]*n[\"\^]*f[\"\^]*o|p[\"\^]*i[\"\^]*n[\"\^]*g)|s[\"\^]*h|u[\"\^]*n[\"\^]*d[\"\^]*l[\"\^]*l[\"\^]*3[\"\^]*2|w[\"\^]*i[\"\^]*n[\"\^]*s[\"\^]*t[\"\^]*a)|s[\"\^]*(?:a[\"\^]*n|c[\"\^]*(?:h[\"\^]*t[\"\^]*a[\"\^]*s[\"\^]*k[\"\^]*s|w[\"\^]*c[\"\^]*m[\"\^]*d)|e[\"\^]*(?:c[\"\^]*e[\"\^]*d[\"\^]*i[\"\^]*t|r[\"\^]*v[\"\^]*e[\"\^]*r[\"\^]*(?:(?:c[\"\^]*e[\"\^]*i[\"\^]*p|w[\"\^]*e[\"\^]*r)[\"\^]*o[\"\^]*p[\"\^]*t[\"\^]*i[\"\^]*n|m[\"\^]*a[\"\^]*n[\"\^]*a[\"\^]*g[\"\^]*e[\"\^]*r[\"\^]*c[\"\^]*m[\"\^]*d)|t[\"\^]*x)|f[\"\^]*c|(?:h[\"\^]*o[\"\^]*w[\"\^]*m[\"\^]*o[\"\^]*u[\"\^]*n|u[\"\^]*b[\"\^]*s)[\"\^]*t|x[\"\^]*s[\"\^]*t[\"\^]*r[\"\^]*a[\"\^]*c[\"\^]*e|y[\"\^]*s[\"\^]*(?:o[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r|t[\"\^]*e[\"\^]*m[\"\^]*i[\"\^]*n[\"\^]*f[\"\^]*o))|t[\"\^]*(?:a[\"\^]*(?:k[\"\^]*e[\"\^]*o[\"\^]*w[\"\^]*n|p[\"\^]*i[\"\^]*c[\"\^]*f[\"\^]*g|s[\"\^]*k[\"\^]*(?:k[\"\^]*i[\"\^]*l[\"\^]*l|l[\"\^]*i[\"\^]*s[\"\^]*t))|(?:c[\"\^]*m[\"\^]*s[\"\^]*e[\"\^]*t[\"\^]*u|f[\"\^]*t)[\"\^]*p|(?:(?:e[\"\^]*l[\"\^]*n[\"\^]*e|i[\"\^]*m[\"\^]*e[\"\^]*o[\"\^]*u)[\"\^]*|r[\"\^]*a[\"\^]*c[\"\^]*e[\"\^]*r[\"\^]*(?:p[\"\^]*)?)t|l[\"\^]*n[\"\^]*t[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*n|p[\"\^]*m[\"\^]*(?:t[\"\^]*o[\"\^]*o[\"\^]*l|v[\"\^]*s[\"\^]*c[\"\^]*m[\"\^]*g[\"\^]*r)|s[\"\^]*(?:(?:d[\"\^]*i[\"\^]*s[\"\^]*)?c[\"\^]*o[\"\^]*n|e[\"\^]*c[\"\^]*i[\"\^]*m[\"\^]*p|k[\"\^]*i[\"\^]*l[\"\^]*l|p[\"\^]*r[\"\^]*o[\"\^]*f)|y[\"\^]*p[\"\^]*e[\"\^]*p[\"\^]*e[\"\^]*r[\"\^]*f|z[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l)|u[\"\^]*n[\"\^]*(?:e[\"\^]*x[\"\^]*p[\"\^]*o[\"\^]*s[\"\^]*e|i[\"\^]*q[\"\^]*u[\"\^]*e[\"\^]*i[\"\^]*d|l[\"\^]*o[\"\^]*d[\"\^]*c[\"\^]*t[\"\^]*r)|v[\"\^]*s[\"\^]*s[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|w[\"\^]*(?:a[\"\^]*i[\"\^]*t[\"\^]*f[\"\^]*o[\"\^]*r|b[\"\^]*a[\"\^]*d[\"\^]*m[\"\^]*i[\"\^]*n|(?:d[\"\^]*s|e[\"\^]*(?:c|v[\"\^]*t))[\"\^]*u[\"\^]*t[\"\^]*i[\"\^]*l|h[\"\^]*o[\"\^]*a[\"\^]*m[\"\^]*i|i[\"\^]*n[\"\^]*(?:n[\"\^]*t(?:[\"\^]*3[\"\^]*2)?|r[\"\^]*s)|m[\"\^]*i[\"\^]*c|s[\"\^]*c[\"\^]*r[\"\^]*i[\"\^]*p[\"\^]*t)|x[\"\^]*c[\"\^]*o[\"\^]*p[\"\^]*y)(?:\.[\"\^]*[0-9A-Z_a-z]+)?\b" \
     "id:932380,\
     phase:2,\
     block,\
@@ -827,16 +882,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -879,7 +935,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:932014,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932231
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*\.[\s\x0b].*\b" \
     "id:932231,\
     phase:2,\
     block,\
@@ -893,9 +949,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -926,9 +983,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx \$(?:\((?:.*|\(.
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -975,16 +1033,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.932200_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule MATCHED_VAR "@rx /" \
+    SecRule MATCHED_VARS "@rx /" \
         "t:none,\
         chain"
-        SecRule MATCHED_VAR "@rx \s" \
+        SecRule MATCHED_VARS "@rx \s" \
             "t:none,\
             setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
             setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1017,9 +1076,10 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^#]+" \
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.932205_matched_var_name=%{matched_var_name}',\
     chain"
@@ -1060,16 +1120,17 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.932206_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule MATCHED_VAR "@rx /" \
+    SecRule MATCHED_VARS "@rx /" \
         "t:none,\
         chain"
-        SecRule MATCHED_VAR "@rx \s" \
+        SecRule MATCHED_VARS "@rx \s" \
             "t:none,\
             setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
             setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1079,7 +1140,7 @@ SecRule REQUEST_HEADERS:Referer "@rx ^[^\.]*?(?:['\*\?\x5c`][^\n/]+/|/[^/]+?['\*
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932220
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|G[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?E[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?T|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[gr])|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[bdx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dp]|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|(?:k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?g|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cp]|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[ghu]|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i).\|(?:[\s\x0b]*|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[arx])?|a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:b|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?t|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[jp])?|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ks])|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[89][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?9|[au][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|c|(?:m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[dfu]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[bx]|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|q[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)?)|f[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cdgi]|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|g[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[chr][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|o|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g)|h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:p|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b)|j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:j[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s|q)|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|l[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d)?|[nps]|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a|z(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?4)?)|m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|v)|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[cl]|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[at][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b|f|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cp]|k[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?g|r(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?z)|r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r|c(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p)?|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dv]|(?:p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?m)|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[dt]|[gu]|(?:s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?)?h|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n)|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[cr]|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l|[co][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[ex]|i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c)|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|l)|(?:v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i|y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:3[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m|c)|x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:x[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|z)|z[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h))" \
     "id:932220,\
     phase:2,\
     block,\
@@ -1093,9 +1154,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1156,13 +1218,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|XML:
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.932240_matched_var_name=%{matched_var_name}',\
     chain"
-    SecRule MATCHED_VAR "!@rx [0-9]\s*\'\s*[0-9]" \
+    SecRule MATCHED_VARS "!@rx [0-9]\s*\'\s*[0-9]" \
         "t:none,\
         setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1198,9 +1261,45 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
+# [ Unix shell expressions - Bash Tilde expansion ]
+# This rule is a sibling of rule 932270
+#
+# Detects the following patterns which are common in Unix shell scripts
+# and one-liners:
+#
+# ~4    fourth directory entry on the stack from the top
+#
+# Reference - https://linuxsimply.com/bash-scripting-tutorial/expansion/tilde-expansion/
+#
+# Regular expression generated from regex-assembly/932271.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 932271
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx ~[0-9]+" \
+    "id:932271,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,t:cmdLine,\
+    msg:'Remote Command Execution: Unix Shell Expression Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-shell',\
+    tag:'platform-unix',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/152/248/88',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1227,7 +1326,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932300
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx \r\n.*?\b(?:E(?:HLO [\-\.A-Za-z\x17f\x212a]{1,255}|XPN .{1,64})|HELO [\-\.A-Za-z\x17f\x212a]{1,255}|MAIL FROM:<.{1,64}@.{1,255}>|R(?:CPT TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY .{1,64}(?: <.{1,64}@.{1,255}>|@.{1,255})|AUTH [\-0-9A-Z_a-z\x17f\x212a]{1,20} (?:(?:[\+/-9A-Z_a-z\x17f\x212a]{4})*(?:[\+/-9A-Z_a-z\x17f\x212a]{2}=|[\+/-9A-Z_a-z\x17f\x212a]{3}))?=|STARTTLS\b|NOOP\b(?: .{1,255})?)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\r\n.*?\b(?:E(?:HLO[\s\x0b][\-\.a-z]{1,255}|XPN[\s\x0b].{1,64})|HELO[\s\x0b][\-\.a-z]{1,255}|MAIL[\s\x0b]FROM:<.{1,64}@.{1,255}>|R(?:CPT[\s\x0b]TO:(?:<.{1,64}@.{1,255}>| )?<.{1,64}>|SET\b)|VRFY[\s\x0b].{1,64}(?:[\s\x0b]<.{1,64}@.{1,255}>|@.{1,255})|AUTH[\s\x0b][\-0-9_a-z]{1,20}[\s\x0b](?:(?:[\+/-9A-Z_a-z]{4})*(?:[\+/-9A-Z_a-z]{2}=|[\+/-9A-Z_a-z]{3}))?=|STARTTLS\b|NOOP\b(?:[\s\x0b].{1,255})?)" \
     "id:932300,\
     phase:2,\
     block,\
@@ -1240,9 +1339,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1272,9 +1372,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1306,9 +1407,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1354,7 +1456,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932236
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|an|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:(?:t|rl)[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|inks|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[^\s\x0b]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash|nap)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:3m|c|a(?:ll|tch)[\s\x0b&\)<>\|]|get|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|(?:an|io)(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:(?:t|rl)(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|inks|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon(?:[23]|[^\s\x0b]{1,10}\b)))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|(?:ft|na)p|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|lf|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid)|ndmail)|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:3m|c|atch|get)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ypper))" \
     "id:932236,\
     phase:2,\
     block,\
@@ -1368,9 +1470,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1416,7 +1519,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932239
 #
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible|tobm)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:squitto|unt[\s\x0b&\)<>\|])|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|s(?:ed|ftp|ql)|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:datectl|out[\s\x0b&\)<>\|]))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\)<>\|]|diff)|ew[\s\x0b&\)<>\|]|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:c|a(?:ll|tch)[\s\x0b&\)<>\|]|h(?:iptail[\s\x0b&\)<>\|]|o(?:ami|is))|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|a(?:(?:b|w[ks]|l(?:ias|pine)|tobm|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get)|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|ontab))|d(?:(?:[dfu]|i(?:(?:alo)?g|ff)|ash|vips)(?:[\s\x0b&\),<>\|]|$)|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:b|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|letest|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|(?:rb|conv)(?:[\s\x0b&\),<>\|]|$)|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|il[qx]|ke|wk)(?:[\s\x0b&\),<>\|]|$)|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:squitto|unt(?:[\s\x0b&\),<>\|]|$))|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|grep|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|hp(?:-cgi|[57](?:[\s\x0b&\),<>\|]|$))|s(?:(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|place)(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|ript)|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|lf|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid)|ndmail)|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|sh(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass)|u(?:[\s\x0b&\),<>\|]|$|do(?:[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:cat(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|skset)|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|medatectl)|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|pdate-alternatives|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:m(?:[\s\x0b&\),<>\|]|$|diff)|(?:gr|pw|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:(?:c|atch)(?:[\s\x0b&\),<>\|]|$)|h(?:iptail(?:[\s\x0b&\),<>\|]|$)|oami)|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|y(?:um|arn|elp)(?:[\s\x0b&\),<>\|]|$)|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ypper))" \
     "id:932239,\
     phase:1,\
     block,\
@@ -1430,9 +1533,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)(?:^|b[\"'\)
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1465,16 +1569,17 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@pmFromFile unix-she
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1517,7 +1622,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:932016,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932232
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|s)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&\),<>\|].*))\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))\b" \
     "id:932232,\
     phase:2,\
     block,\
@@ -1531,9 +1636,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1574,7 +1680,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932237
 #
-SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]?|(?:(?:GE|POS)T|HEAD)[\s\x0b&\)<>\|]|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)[\s\x0b&\)<>\|]|pt(?:(?:itude)?[\s\x0b&\)<>\|]|-get)|r(?:[\s\x0b&\)<>j\|]|(?:p|ch)[\s\x0b&\)<>\|]|ia2c)|s(?:h?[\s\x0b&\)<>\|]|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\)<>\|]|obm)|dd(?:group|user)|getty|nsible)|b(?:z(?:z[\s\x0b&\)<>\|]|c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more)|a(?:s(?:e(?:32|64|n(?:ame[\s\x0b&\)<>\|]|c))|h[\s\x0b&\)<>\|])|tch[\s\x0b&\)<>\|])|lkid|pftrace|r(?:eaksw|idge[\s\x0b&\)<>\|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[\s\x0b&\)<>\|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu))|c(?:[89]9|(?:a(?:t|ncel|psh)|c)[\s\x0b&\)<>\|]|mp|p(?:[\s\x0b&\)<>\|]|io|ulimit)|s(?:h|cli[\s\x0b&\)<>\|]|plit|vtool)|u(?:t[\s\x0b&\)<>\|]|psfilter)|ertbot|h(?:attr|(?:dir|root)[\s\x0b&\)<>\|]|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f[\s\x0b&\)\-<>\|])|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[\s\x0b&\)<>\|]|\+\+)|o(?:(?:b|pro)c|(?:lumn|m(?:m(?:and)?|p(?:oser|ress)))[\s\x0b&\)<>\|]|w(?:say|think))|r(?:ash[\s\x0b&\)<>\|]|on(?:[\s\x0b&\)<>\|]|tab)))|d(?:(?:[du]|i(?:(?:alo)?g|r|ff)|a(?:sh|te))[\s\x0b&\)<>\|]|n?f|hclient|m(?:esg|idecode|setup)|o(?:as|(?:cker|ne)[\s\x0b&\)<>\|]|sbox)|pkg|vips)|e(?:(?:[bd]|cho)[\s\x0b&\)<>\|]|n(?:v(?:[\s\x0b&\)<>\|]|-update)|d(?:if|sw))|qn|s(?:[\s\x0b&\)<>h\|]|ac)|x(?:(?:ec)?[\s\x0b&\)<>\|]|iftool|p(?:(?:and|(?:ec|or)t)[\s\x0b&\)<>\|]|r))|2fsck|(?:asy_instal|va)l|fax|grep|macs)|f(?:(?:c|etch|lock|unction)[\s\x0b&\)<>\|]|d|g(?:rep)?|i(?:(?:n(?:d|ger)|sh)?[\s\x0b&\)<>\|]|le(?:[\s\x0b&\)<>\|]|test))|mt|tp(?:[\s\x0b&\)<>\|]|stats|who)|acter|o(?:ld[\s\x0b&\)<>\|]|reach)|ping)|g(?:c(?:c[^\s\x0b]|ore)|db|e(?:(?:m|tfacl)[\s\x0b&\)<>\|]|ni(?:e[\s\x0b&\)<>\|]|soimage))|hci?|i(?:(?:t|mp)[\s\x0b&\)<>\|]|nsh)|(?:o|awk)[\s\x0b&\)<>\|]|pg|r(?:c|ep[\s\x0b&\)<>\|]|oup(?:[\s\x0b&\)<>\|]|mod))|tester|unzip|z(?:cat|exe|ip))|h(?:(?:d|up|ash|i(?:ghlight|story))[\s\x0b&\)<>\|]|e(?:ad[\s\x0b&\)<>\|]|xdump)|ost(?:id|name)|ping3|t(?:digest|op|passwd))|i(?:d|p(?:6?tables|config)?|rb|conv|f(?:config|top)|nstall[\s\x0b&\)<>\|]|onice|spell)|j(?:js|q|ava[\s\x0b&\)<>\|]|exec|o(?:(?:bs|in)[\s\x0b&\)<>\|]|urnalctl)|runscript)|k(?:s(?:h|shell)|ill(?:[\s\x0b&\)<>\|]|all)|nife[\s\x0b&\)<>\|])|l(?:d(?:d?[\s\x0b&\)<>\|]|config)|(?:[np]|ynx)[\s\x0b&\)<>\|]|s(?:-F|b_release|cpu|hw|mod|of|pci|usb)?|ua(?:[\s\x0b&\)<>\|]|(?:la)?tex)|z(?:[\s\x0b&\)4<>\|]|4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore))|a(?:st(?:[\s\x0b&\)<>\|]|comm|log(?:in)?)|tex[\s\x0b&\)<>\|])|ess(?:[\s\x0b&\)<>\|]|echo|(?:fil|pip)e)|ftp(?:get)?|o(?:(?:ca(?:l|te)|ok)[\s\x0b&\)<>\|]|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke)[\s\x0b&\)<>\|]|il(?:[\s\x0b&\)<>q\|]|x[\s\x0b&\)<>\|])|ster\.passwd|wk)|tr|(?:v|utt)[\s\x0b&\)<>\|]|k(?:dir[\s\x0b&\)<>\|]|fifo|nod|temp)|locate|o(?:(?:re|unt)[\s\x0b&\)<>\|]|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:admin|dump(?:slow)?|hotcopy|show)?)|n(?:c(?:[\s\x0b&\)<>\|]|\.(?:openbsd|traditional)|at)|e(?:t(?:[\s\x0b&\)<>\|]|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|ice)[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|ap)|p(?:m[\s\x0b&\)<>\|]|ing)|a(?:no[\s\x0b&\)<>\|]|sm|wk)|o(?:de[\s\x0b&\)<>\|]|hup)|roff|s(?:enter|lookup|tat))|o(?:(?:d|ctave)[\s\x0b&\)<>\|]|nintr|p(?:en(?:ssl|v(?:pn|t))|kg))|p(?:a(?:(?:x|cman|rted|tch)[\s\x0b&\)<>\|]|s(?:swd|te[\s\x0b&\)<>\|]))|d(?:b|f(?:la)?tex|ksh)|f(?:[\s\x0b&\)<>\|]|tp)|g(?:rep)?|hp(?:[\s\x0b&\)57<>\|]|-cgi)|i(?:(?:co?|ng)[\s\x0b&\)<>\|]|p[^\s\x0b]|dstat|gz)|k(?:g(?:_?info)?|exec|ill)|r(?:y?[\s\x0b&\)<>\|]|int(?:env|f[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|ed|ftp|ql)?|t(?:x|ar(?:diff|grep)?)|wd(?:\.db)?|xz|er(?:(?:f|ms)[\s\x0b&\)<>\|]|l(?:[\s\x0b&\)5<>\|]|sh))|opd|u(?:ppet[\s\x0b&\)<>\|]|shd)|y(?:thon[23]|3?versions))|r(?:a(?:r[\s\x0b&\)<>\|]|k(?:e[\s\x0b&\)<>\|]|u))|c(?:p[\s\x0b&\)<>\|])?|e(?:(?:d(?:carpet)?|v|name|p(?:eat|lace))[\s\x0b&\)<>\|]|a(?:delf|lpath)|stic)|m(?:(?:dir)?[\s\x0b&\)<>\|]|user)|pm(?:[\s\x0b&\)<>\|]|db|(?:quer|verif)y)|bash|l(?:ogin|wrap)|nano|oute[\s\x0b&\)<>\|]|sync|u(?:by[^\s\x0b]|n-(?:mailcap|parts))|vi(?:ew|m))|s(?:c(?:p|(?:hed|r(?:een|ipt))[\s\x0b&\)<>\|])|e(?:(?:d|lf|rvice)[\s\x0b&\)<>\|]|t(?:(?:facl)?[\s\x0b&\)<>\|]|arch|env|sid)|ndmail)|(?:g|ash)[\s\x0b&\)<>\|]|h(?:(?:adow|ells)?[\s\x0b&\)<>\|]|\.distrib|u(?:f|tdown[\s\x0b&\)<>\|]))|s(?:[\s\x0b&\)<>\|]|h(?:[\s\x0b&\)<>\|]|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\)<>\|]|do)|vn|diff|ftp|l(?:eep[\s\x0b&\)<>\|]|sh)|mbclient|o(?:cat|elim|(?:rt|urce)[\s\x0b&\)<>\|])|p(?:lit[\s\x0b&\)<>\|]|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in|out)|r(?:ace|ings[\s\x0b&\)<>\|]))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:c|r[\s\x0b&\)<>\|]|il[\s\x0b&\)<>f\|]|sk(?:[\s\x0b&\)<>\|]|set))|bl|c(?:p(?:[\s\x0b&\)<>\|]|dump|ing|traceroute)|l?sh)|e(?:[ex][\s\x0b&\)<>\|]|lnet)|i(?:c[\s\x0b&\)<>\|]|me(?:(?:out)?[\s\x0b&\)<>\|]|datectl))|o(?:p|uch[\s\x0b&\)<>\|])|ftp|mux|r(?:aceroute6?|off)|shark)|u(?:dp|l(?:imit)?[\s\x0b&\)<>\|]|n(?:ame|(?:compress|s(?:et|hare))[\s\x0b&\)<>\|]|expand|iq|l(?:ink[\s\x0b&\)<>\|]|z(?:4|ma))|(?:pig|x)z|rar|z(?:ip[\s\x0b&\)<>\|]|std))|p(?:2date[\s\x0b&\)<>\|]|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:(?:ew)?[\s\x0b&\)<>\|]|m(?:[\s\x0b&\)<>\|]|diff)|gr|pw|rsh|sudo)|algrind|olatility[\s\x0b&\)<>\|])|w(?:[\s\x0b&\)<>c\|]|h(?:o(?:[\s\x0b&\)<>\|]|ami|is)?|iptail[\s\x0b&\)<>\|])|a(?:ll|tch)[\s\x0b&\)<>\|]|i(?:reshark|sh[\s\x0b&\)<>\|]))|x(?:(?:x|pa)d|z(?:[\s\x0b&\)<>\|]|c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more)|args|e(?:la)?tex|mo(?:dmap|re)|term)|y(?:(?:e(?:s|lp)|arn)[\s\x0b&\)<>\|]|um)|z(?:ip(?:[\s\x0b&\)<>\|]|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h|oelim|td(?:(?:ca|m)t|grep|less)?)|athura|c(?:at|mp)|diff|e(?:grep|ro[\s\x0b&\)<>\|])|f?grep|less|more|run|ypper))(?:\b|[^0-9A-Z_a-z])" \
+SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z(?:[\s\x0b&\),<>\|]|$|[arx](?:[\s\x0b&\),<>\|]|$))|(?:(?:GE|POS)T|y(?:e(?:s|lp)|um|arn)|HEAD)(?:[\s\x0b&\),<>\|]|$)|a(?:(?:b|w[ks]|l(?:ias|pine)|xel)(?:[\s\x0b&\),<>\|]|$)|pt(?:[\s\x0b&\),<>\|]|$|-get|itude(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|j(?:[\s\x0b&\),<>\|]|$|-register|disp)|(?:p|ch)(?:[\s\x0b&\),<>\|]|$)|ia2c)|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$)|cii(?:-xfr|85)|pell)|t(?:[\s\x0b&\),<>\|]|$|obm(?:[\s\x0b&\),<>\|]|$))|dd(?:group|user)|getty|nsible)|b(?:z(?:(?:z|c(?:at|mp))(?:[\s\x0b&\),<>\|]|$)|diff|e(?:grep|xe(?:[\s\x0b&\),<>\|]|$))|f?grep|ip2(?:[\s\x0b&\),<>\|]|$|recover)|less|more)|a(?:s(?:e(?:32|64|n(?:ame(?:[\s\x0b&\),<>\|]|$)|c))|h(?:[\s\x0b&\),<>\|]|$))|tch(?:[\s\x0b&\),<>\|]|$))|lkid(?:[\s\x0b&\),<>\|]|$)|pftrace|r(?:eaksw|idge(?:[\s\x0b&\),<>\|]|$))|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler(?:[\s\x0b&\),<>\|]|$)|zip2)|s(?:ctl|ybox))|y(?:ebug|obu(?:[\s\x0b&\),<>\|]|$)))|c(?:[89]9(?:[\s\x0b&\),<>\|]|$|-gcc)|(?:a(?:t|ncel|psh)|c|mp)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|io(?:[\s\x0b&\),<>\|]|$)|ulimit)|s(?:(?:h|cli)(?:[\s\x0b&\),<>\|]|$)|plit|vtool)|u(?:t(?:[\s\x0b&\),<>\|]|$)|psfilter)|ertbot|h(?:(?:(?:att|di)r|mod|o(?:om|wn)|root|sh)(?:[\s\x0b&\),<>\|]|$)|e(?:ck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|f(?:[\s\x0b&\),\-<>\|]|$))|(?:flag|pas)s|g(?:passwd|rp(?:[\s\x0b&\),<>\|]|$)))|lang(?:[\s\x0b&\),<>\|]|$|\+\+)|o(?:bc(?:[\s\x0b&\),<>\|]|$|run)|lumn(?:[\s\x0b&\),<>\|]|$)|m(?:m(?:[\s\x0b&\),<>\|]|$|and(?:[\s\x0b&\),<>\|]|$))|p(?:oser|ress)(?:[\s\x0b&\),<>\|]|$))|proc|w(?:say|think))|r(?:ash(?:[\s\x0b&\),<>\|]|$)|on(?:[\s\x0b&\),<>\|]|$|tab)))|d(?:(?:[dfu]|i(?:(?:alo)?g|r|ff)|a(?:sh|te)|vips)(?:[\s\x0b&\),<>\|]|$)|nf(?:[\s\x0b&\),<>\|]|$)?|hclient|m(?:esg(?:[\s\x0b&\),<>\|]|$)|idecode|setup)|o(?:(?:as|ne)(?:[\s\x0b&\),<>\|]|$)|cker(?:[\s\x0b&\),\-<>\|]|$)|sbox)|pkg(?:[\s\x0b&\),\-<>\|]|$))|e(?:(?:[bd]|qn|cho|fax|grep|macs|val)(?:[\s\x0b&\),<>\|]|$)|n(?:v(?:[\s\x0b&\),<>\|]|$|-update)|d(?:if|sw)(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|(?:h|ac)(?:[\s\x0b&\),<>\|]|$))|x(?:[\s\x0b&\),<>\|]|$|(?:ec|p(?:and|(?:ec|or)t|r))(?:[\s\x0b&\),<>\|]|$)|iftool)|2fsck|asy_install)|f(?:(?:c|mt|etch|lock|unction)(?:[\s\x0b&\),<>\|]|$)|d(?:[\s\x0b&\),<>\|]|$|(?:find|isk)(?:[\s\x0b&\),<>\|]|$)|u?mount)|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|i(?:[\s\x0b&\),<>\|]|$|le(?:[\s\x0b&\),<>\|]|$|test)|(?:n(?:d|ger)|sh)(?:[\s\x0b&\),<>\|]|$))|tp(?:[\s\x0b&\),<>\|]|$|stats|who)|acter|o(?:ld(?:[\s\x0b&\),<>\|]|$)|reach)|ping(?:[\s\x0b&\),6<>\|]|$))|g(?:c(?:c[^\s\x0b]{1,10}\b|ore(?:[\s\x0b&\),<>\|]|$))|(?:db|i(?:t|mp|nsh)|o|pg|awk|z(?:cat|exe|ip))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:m|tfacl)(?:[\s\x0b&\),<>\|]|$)|ni(?:e(?:[\s\x0b&\),<>\|]|$)|soimage))|hc(?:[\s\x0b&\),<>\|]|$|-(?:[\s\x0b&\),<>\|]|$)|i(?:[\s\x0b&\),\-<>\|]|$))|r(?:c(?:[\s\x0b&\),<>\|]|$|at(?:[\s\x0b&\),<>\|]|$))|ep(?:[\s\x0b&\),<>\|]|$)|oup(?:[\s\x0b&\),<>\|]|$|mod))|tester|unzip)|h(?:(?:d|up|ash|i(?:ghlight|story))(?:[\s\x0b&\),<>\|]|$)|e(?:ad(?:[\s\x0b&\),<>\|]|$)|xdump)|ost(?:id|name)|ping3|t(?:digest|op(?:[\s\x0b&\),<>\|]|$)|passwd))|i(?:(?:d|rb|conv|nstall)(?:[\s\x0b&\),<>\|]|$)|p(?:[\s\x0b&\),<>\|]|$|6?tables|config|p(?:eveprinter|find|tool))|f(?:config|top(?:[\s\x0b&\),<>\|]|$))|onice|spell)|j(?:(?:js|q|ava|exec)(?:[\s\x0b&\),<>\|]|$)|o(?:(?:bs|in)(?:[\s\x0b&\),<>\|]|$)|urnalctl)|runscript)|k(?:s(?:h(?:[\s\x0b&\),<>\|]|$)|shell)|ill(?:[\s\x0b&\),<>\|]|$|all)|nife(?:[\s\x0b&\),<>\|]|$))|l(?:d(?:[\s\x0b&\),<>\|]|$|d(?:[\s\x0b&\),<>\|]|$)|config)|(?:[np]|ynx)(?:[\s\x0b&\),<>\|]|$)|s(?:[\s\x0b&\),<>\|]|$|(?:-F|cpu|hw|mod|of|pci|usb)(?:[\s\x0b&\),<>\|]|$)|b_release)|ua(?:[\s\x0b&\),<>\|]|$|(?:la)?tex)|z(?:4(?:[\s\x0b&\),<>\|]|$|c(?:[\s\x0b&\),<>\|]|$|at))|(?:c(?:at|mp))?(?:[\s\x0b&\),<>\|]|$)|diff|[ef]?grep|less|m(?:a(?:[\s\x0b&\),<>\|]|$|dec|info)|ore))|a(?:st(?:[\s\x0b&\),<>\|]|$|comm(?:[\s\x0b&\),<>\|]|$)|log(?:in)?)|tex(?:[\s\x0b&\),<>\|]|$))|ess(?:[\s\x0b&\),<>\|]|$|echo|(?:fil|pip)e)|ftp(?:[\s\x0b&\),<>\|]|$|get)|o(?:(?:ca(?:l|te)|ok)(?:[\s\x0b&\),<>\|]|$)|g(?:inctl|(?:nam|sav)e)|setup)|trace|wp-(?:d(?:ownload|ump)|mirror|request))|m(?:a(?:(?:n|ke|wk)(?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|[qx](?:[\s\x0b&\),<>\|]|$))|ster\.passwd)|(?:tr|v|utt)(?:[\s\x0b&\),<>\|]|$)|k(?:(?:dir|nod)(?:[\s\x0b&\),<>\|]|$)|fifo|temp)|locate|o(?:(?:re|unt)(?:[\s\x0b&\),<>\|]|$)|squitto)|sg(?:attrib|c(?:at|onv)|filter|merge|uniq)|ysql(?:[\s\x0b&\),<>\|]|$|admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:[\s\x0b&\),<>\|]|$|\.(?:openbsd|traditional)|at(?:[\s\x0b&\),<>\|]|$))|e(?:t(?:[\s\x0b&\),<>\|]|$|(?:c|st)at|kit-ftp|plan)|ofetch)|(?:(?:ul)?l|p(?:m|ing)|a(?:no|sm|wk)|ice|o(?:de|hup)|roff)(?:[\s\x0b&\),<>\|]|$)|m(?:[\s\x0b&\),<>\|]|$|ap(?:[\s\x0b&\),<>\|]|$))|s(?:enter|lookup|tat(?:[\s\x0b&\),<>\|]|$)))|o(?:(?:d|ctave)(?:[\s\x0b&\),<>\|]|$)|nintr|p(?:en(?:ssl|v(?:pn|t))|kg(?:[\s\x0b&\),<>\|]|$)))|p(?:a(?:(?:x|cman|rted|tch)(?:[\s\x0b&\),<>\|]|$)|s(?:swd|te(?:[\s\x0b&\),<>\|]|$)))|d(?:b(?:[\s\x0b&\),<>\|]|$|2mb|3(?:[\s\x0b&\),\.<>\|]|$))|f(?:la)?tex|ksh(?:[\s\x0b&\),<>\|]|$))|f(?:[\s\x0b&\),<>\|]|$|tp(?:[\s\x0b&\),<>\|]|$))|g(?:[\s\x0b&\),<>\|]|$|rep(?:[\s\x0b&\),<>\|]|$))|hp(?:[\s\x0b&\),<>\|]|$|-cgi|[57](?:[\s\x0b&\),<>\|]|$))|i(?:c(?:[\s\x0b&\),<>\|]|$|o(?:[\s\x0b&\),<>\|]|$))|p[^\s\x0b]{1,10}\b|dstat|(?:gz|ng)(?:[\s\x0b&\),<>\|]|$))|k(?:g(?:[\s\x0b&\),<>\|]|$|_?info)|exec|ill(?:[\s\x0b&\),<>\|]|$))|r(?:[\s\x0b&\),<>\|]|$|y(?:[\s\x0b&\),<>\|]|$)|int(?:env|f(?:[\s\x0b&\),<>\|]|$)))|s(?:[\s\x0b&\),<>\|]|$|(?:ed|ql)(?:[\s\x0b&\),<>\|]|$)|ftp)|t(?:x(?:[\s\x0b&\),<>\|]|$)|ar(?:[\s\x0b&\),<>\|]|$|diff|grep))|wd(?:[\s\x0b&\),<>\|]|$|\.db)|(?:xz|opd|u(?:ppet|shd))(?:[\s\x0b&\),<>\|]|$)|er(?:(?:f|ms)(?:[\s\x0b&\),<>\|]|$)|l(?:5?(?:[\s\x0b&\),<>\|]|$)|sh))|y(?:3?versions|thon[23]))|r(?:(?:a(?:r|k[eu])|bash|nano|oute|vi(?:ew|m))(?:[\s\x0b&\),<>\|]|$)|c(?:[\s\x0b&\),<>\|]|$|p(?:[\s\x0b&\),<>\|]|$))|e(?:d(?:[\s\x0b&\),<>\|]|$|carpet(?:[\s\x0b&\),<>\|]|$))|(?:v|boot|name|p(?:eat|lace))(?:[\s\x0b&\),<>\|]|$)|a(?:delf|lpath)|stic)|m(?:[\s\x0b&\),<>\|]|$|dir(?:[\s\x0b&\),<>\|]|$)|user)|pm(?:[\s\x0b&\),<>\|]|$|db(?:[\s\x0b&\),<>\|]|$)|(?:quer|verif)y)|l(?:ogin|wrap)|sync(?:-ssl|[\s\x0b&\),<>\|]|$)|u(?:by[^\s\x0b]{1,10}\b|n-(?:mailcap|parts)))|s(?:(?:c(?:p|hed|r(?:een|ipt))|g|ash|diff|ftp|l(?:eep|sh))(?:[\s\x0b&\),<>\|]|$)|e(?:(?:d|lf|rvice)(?:[\s\x0b&\),<>\|]|$)|t(?:[\s\x0b&\),<>\|]|$|arch|env|facl(?:[\s\x0b&\),<>\|]|$)|sid)|ndmail)|h(?:[\s\x0b&\),<>\|]|$|\.distrib|(?:adow|ells|u(?:f|tdown))(?:[\s\x0b&\),<>\|]|$))|s(?:[\s\x0b&\),<>\|]|$|h(?:[\s\x0b&\),<>\|]|$|-key(?:ge|sca)n|pass))|u(?:[\s\x0b&\),<>\|]|$|do(?:[\s\x0b&\),<>_\|]|$|edit|replay))|vn(?:[\s\x0b&\),<>\|]|$|a(?:dmin|uthz)|bench|dumpfilter|fsfs|look|mucc|rdump|s(?:erve|ync)|version)|mbclient|o(?:(?:(?:ca|r)t|urce)(?:[\s\x0b&\),<>\|]|$)|elim)|p(?:lit(?:[\s\x0b&\),<>\|]|$)|wd\.db)|qlite3|t(?:art-stop-daemon|d(?:buf|err|in(?:[\s\x0b&\),<>\|]|$)|out)|r(?:ace|ings(?:[\s\x0b&\),<>\|]|$)))|ys(?:ctl|tem(?:ctl|d-resolve)))|t(?:a(?:[cr](?:[\s\x0b&\),<>\|]|$)|il(?:[\s\x0b&\),<>\|]|$|f(?:[\s\x0b&\),<>\|]|$))|sk(?:[\s\x0b&\),<>\|]|$|set))|(?:bl|o(?:p|uch)|ftp|mux)(?:[\s\x0b&\),<>\|]|$)|c(?:p(?:[\s\x0b&\),<>\|]|$|dump|ing|traceroute)|l?sh(?:[\s\x0b&\),<>\|]|$))|e(?:[ex](?:[\s\x0b&\),<>\|]|$)|lnet)|i(?:c(?:[\s\x0b&\),<>\|]|$)|me(?:[\s\x0b&\),<>\|]|$|datectl|out(?:[\s\x0b&\),<>\|]|$)))|r(?:aceroute6?|off(?:[\s\x0b&\),<>\|]|$))|shark)|u(?:dp(?:[\s\x0b&\),<>\|]|$)|l(?:[\s\x0b&\),<>\|]|$|imit(?:[\s\x0b&\),<>\|]|$))|n(?:(?:ame|compress|iq|rar|s(?:et|hare)|xz)(?:[\s\x0b&\),<>\|]|$)|expand|l(?:ink(?:[\s\x0b&\),<>\|]|$)|z(?:4(?:[\s\x0b&\),<>\|]|$)|ma))|pigz|z(?:ip(?:[\s\x0b&\),<>\|]|$)|std))|p(?:2date(?:[\s\x0b&\),<>\|]|$)|date-alternatives)|ser(?:(?:ad|mo)d|del)|u(?:de|en)code)|v(?:i(?:[\s\x0b&\),<>\|]|$|m(?:[\s\x0b&\),<>\|]|$|diff)|(?:[ep]w|gr|rsh)(?:[\s\x0b&\),<>\|]|$)|sudo)|algrind|olatility(?:[\s\x0b&\),<>\|]|$))|w(?:[\s\x0b&\),<>\|]|$|(?:c|a(?:ll|tch))(?:[\s\x0b&\),<>\|]|$)|h(?:o(?:[\s\x0b&\),<>\|]|$|ami|is(?:[\s\x0b&\),<>\|]|$))?|iptail(?:[\s\x0b&\),<>\|]|$))|i(?:reshark|sh(?:[\s\x0b&\),<>\|]|$)))|x(?:(?:(?:x|pa)d|args|term)(?:[\s\x0b&\),<>\|]|$)|z(?:[\s\x0b&\),<>\|]|$|c(?:at|mp)(?:[\s\x0b&\),<>\|]|$)|d(?:ec(?:[\s\x0b&\),<>\|]|$)|iff)|[ef]?grep|less|more)|e(?:latex|tex(?:[\s\x0b&\),<>\|]|$))|mo(?:dmap|re(?:[\s\x0b&\),<>\|]|$)))|z(?:ip(?:[\s\x0b&\),<>\|]|$|c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|s(?:h(?:[\s\x0b&\),<>\|]|$)|oelim|td(?:[\s\x0b&\),<>\|]|$|(?:ca|m)t|grep|less))|athura|(?:c(?:at|mp)|diff|grep|less|more|run)(?:[\s\x0b&\),<>\|]|$)|e(?:grep|ro(?:[\s\x0b&\),<>\|]|$))|fgrep|ypper))(?:\b|[^0-9A-Z_a-z])" \
     "id:932237,\
     phase:1,\
     block,\
@@ -1588,9 +1694,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1631,7 +1738,7 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer "@rx (?i)\b(?:7z[arx]
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 932238
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e(?:[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)?|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?[\s\x0b&\),<>\|].*|s)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|[\s\x0b&\),<>\|].*))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*|REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)(?:^|b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?s[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?y[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?b[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?x|(?:c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?v|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?l)|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|[ls][\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?r[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p|t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:(?:[\s\x0b&\),<>\|]|$).*|o[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)|[\n\r;=`\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]*\))[\s\x0b]*(?:[\$\{]|(?:[\s\x0b]*\(|!)[\s\x0b]*|[0-9A-Z_a-z]+=(?:[^\s\x0b]*|\$(?:.*|.*)|[<>].*|'.*'|\".*\")[\s\x0b]+)*[\s\x0b]*[\"']*(?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c]*(?:(?:(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d|u[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?2[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?t)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?e|p[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?c[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?m[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?a[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n|s)|v[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?i)[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:[\s\x0b&\),<>\|]|$).*|d[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?n[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?f|w[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?(?:h[\"'\)\[\x5c]*(?:(?:(?:\|\||&&)[\s\x0b]*)?\$[!#\(\*\-0-9\?@_a-\{]*)?\x5c?o|(?:[\s\x0b&\),<>\|]|$).*))" \
     "id:932238,\
     phase:2,\
     block,\
@@ -1645,9 +1752,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1672,7 +1780,7 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,t:normalizePath,t:cmdLine,\
+    t:none,t:normalizePath,t:cmdLine,\
     msg:'Remote Command Execution: Wildcard bypass technique attempt',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -1681,9 +1789,10 @@ SecRule ARGS "@rx /(?:[?*]+[a-z/]+|[a-z/]+[?*]+)" \
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1715,9 +1824,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1748,9 +1858,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1781,9 +1892,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/137/134',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1814,16 +1926,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-RCE',\
     tag:'capec/1000/152/248/88',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:932018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/wasmplugin/rules/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
index afa95a1..adc36f7 100644
--- a/wasmplugin/rules/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+++ b/wasmplugin/rules/crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:933012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -58,8 +58,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -99,8 +100,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -123,13 +125,14 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.933120_matched_var=%{MATCHED_VAR}',\
     setvar:'tx.933120_matched_var_name=%{MATCHED_VAR_NAME}',\
     chain"
-    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=" \
+    SecRule MATCHED_VARS "@rx \b([^\s]+)\s*=[^=]" \
         "capture,\
         chain"
         SecRule TX:1 "@pmFromFile php-config-directives.data" \
@@ -154,13 +157,46 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+#
+# [ PHP Variables ]
+#
+# Prevent accessing PHP variables using these methods:
+# ${'VARIABLE_NAME'}
+# $ {"VARIABLE_NAME"}
+# $ {'_VAR'.'IABLE_NAME'}
+# $     {   $var}
+# $     {   CONSTANT   }
+#
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx \$\s*\{\s*\S[^\{\}]*\}" \
+    "id:933135,\
+    phase:2,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Injection Attack: Variable Access Found',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-injection-php',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
+    tag:'capec/1000/152/242',\
+    ver:'OWASP_CRS/4.14.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+
 #
 # [ PHP I/O Streams ]
 #
@@ -190,8 +226,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -226,8 +263,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -293,8 +331,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -331,7 +370,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 933160
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|file(?:group)?|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\(.*\)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b\(?[\"']*(?:assert(?:_options)?|c(?:hr|reate_function)|e(?:val|x(?:ec|p))|f(?:ile(?:group)?|open)|glob|i(?:mage(?:gif|(?:jpe|pn)g|wbmp|xbm)|s_a)|md5|o(?:pendir|rd)|p(?:assthru|open|rev)|(?:read|tmp)file|un(?:pac|lin)k|s(?:tat|ubstr|ystem))(?:/(?:\*.*\*/|/.*)|#.*|[\s\x0b\"])*[\"']*\)?[\s\x0b]*\([^\)]*\)" \
     "id:933160,\
     phase:2,\
     block,\
@@ -345,8 +384,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -400,8 +440,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -455,8 +496,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -502,14 +544,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:933014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -545,8 +588,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.933151_matched_var=%{MATCHED_VAR}',\
     setvar:'tx.933151_matched_var_name=%{MATCHED_VAR_NAME}',\
@@ -561,8 +605,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:933016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -603,8 +647,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -647,8 +692,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -689,8 +735,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -718,8 +765,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -753,15 +801,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-injection-php',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-PHP',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.php_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:933018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf b/wasmplugin/rules/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
index 2fa8260..0b56c46 100644
--- a/wasmplugin/rules/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
+++ b/wasmplugin/rules/crs/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:934012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -64,8 +64,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -99,8 +100,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-ssrf',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/225/664',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -117,9 +119,8 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # See also: https://cwe.mitre.org/data/definitions/1321.html
 #
 # Note: only server-based (not DOM-based) attacks are covered here.
-# Stricter sibling: 934131
 
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\[)\s*prototype)" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?:__proto__|constructor\s*(?:\.|\]?\[)\s*prototype)" \
     "id:934130,\
     phase:2,\
     block,\
@@ -134,8 +135,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1/180/77',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -166,8 +168,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -197,8 +200,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-injection-generic',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -227,14 +231,15 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-ssrf',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:934014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -255,8 +260,9 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-injection-generic',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
@@ -293,7 +299,7 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 934120
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)((?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\xe2(?:\x91[\xa0-\xbf]|\x92[\x80-\xbf]|\x93[\x80-\xa9\xab-\xbf])|\xe3\x80\x82)+))" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "@rx (?i)(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:\+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[0-9]{10}|(?:0x[0-9a-f]{2}\.){3}0x[0-9a-f]{2}|0x(?:[0-9a-f]{8}|[0-9a-f]{16})|(?:0{1,4}[0-9]{1,3}\.){3}0{1,4}[0-9]{1,3}|[0-9]{1,3}\.(?:[0-9]{1,3}\.[0-9]{5}|[0-9]{8})|(?:\x5c\x5c[\-0-9a-z]\.?_?)+|\[[0-:a-f]+(?:[\.0-9]+|%[0-9A-Z_a-z]+)?\]|[a-z][\-\.0-9A-Z_a-z]{1,255}:[0-9]{1,5}(?:#?[\s\x0b]*&?@(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}|[a-z][\-\.0-9A-Z_a-z]{1,255}):[0-9]{1,5}/?)+|[\.0-9]{0,11}(?:\x{e2}(?:\x91[\xa0-\x{bf}]|\x92[\x80-\x{bf}]|\x93[\x80-\x{a9}\x{ab}-\x{bf}])|\x{e3}\x80\x82)+)" \
     "id:934120,\
     phase:2,\
     block,\
@@ -307,8 +313,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'attack-ssrf',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/225/664',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -339,21 +346,22 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-injection-generic',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-GENERIC',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:934016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:934018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-934-APPLICATION-ATTACK-GENERIC"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/wasmplugin/rules/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 0401746..3341e6b 100644
--- a/wasmplugin/rules/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/wasmplugin/rules/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:941012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -61,8 +61,9 @@ SecRule REQUEST_FILENAME "!@validateByteRange 20, 45-47, 48-57, 65-90, 95, 97-12
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     ctl:ruleRemoveTargetByTag=xss-perf-disable;REQUEST_FILENAME,\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
 
 #
@@ -93,8 +94,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -120,8 +122,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -135,7 +138,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_F
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 941130
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:x(?:link:href|html|mlns)|data:text/html|formaction|pattern\b.*?=)|!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i).(?:\b(?:(?:x(?:link:href|html|mlns)|data:text/html|formaction)\b|pattern[\s\x0b]*=)|(?:!ENTITY[\s\x0b]+(?:%[\s\x0b]+)?[^\s\x0b]+[\s\x0b]+(?:SYSTEM|PUBLIC)|@import|;base64)\b)" \
     "id:941130,\
     phase:2,\
     block,\
@@ -150,8 +153,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -179,8 +183,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -197,7 +202,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 941160
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|transitionend)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)<[^0-9<>A-Z_a-z]*(?:[^\s\x0b\"'<>]*:)?[^0-9<>A-Z_a-z]*[^0-9A-Z_a-z]*?(?:s[^0-9A-Z_a-z]*?(?:c[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?t|t[^0-9A-Z_a-z]*?y[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e|v[^0-9A-Z_a-z]*?g|e[^0-9A-Z_a-z]*?t[^0-9>A-Z_a-z])|f[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?m|d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?o[^0-9A-Z_a-z]*?g|m[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?q[^0-9A-Z_a-z]*?u[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?e|e[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?a[^0-9>A-Z_a-z])|(?:l[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?k|o[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?j[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?c[^0-9A-Z_a-z]*?t|e[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?b[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?d|a[^0-9A-Z_a-z]*?(?:p[^0-9A-Z_a-z]*?p[^0-9A-Z_a-z]*?l[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?t|u[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?o|n[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?t[^0-9A-Z_a-z]*?e)|p[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m|i?[^0-9A-Z_a-z]*?f[^0-9A-Z_a-z]*?r[^0-9A-Z_a-z]*?a[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?e|b[^0-9A-Z_a-z]*?(?:a[^0-9A-Z_a-z]*?s[^0-9A-Z_a-z]*?e|o[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?y|i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?n[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?s)|i[^0-9A-Z_a-z]*?m[^0-9A-Z_a-z]*?a?[^0-9A-Z_a-z]*?g[^0-9A-Z_a-z]*?e?|v[^0-9A-Z_a-z]*?i[^0-9A-Z_a-z]*?d[^0-9A-Z_a-z]*?e[^0-9A-Z_a-z]*?o)[^0-9>A-Z_a-z])|(?:<[0-9A-Z_a-z].*[\s\x0b/]|[\"'](?:.*[\s\x0b/])?)(?:background|formaction|lowsrc|on(?:a(?:bort|ctivate|d(?:apteradded|dtrack)|fter(?:print|(?:scriptexecu|upda)te)|lerting|n(?:imation(?:cancel|end|iteration|start)|tennastatechange)|ppcommand|u(?:dio(?:end|process|start)|xclick))|b(?:e(?:fore(?:(?:(?:(?:de)?activa|scriptexecu)t|toggl)e|c(?:opy|ut)|editfocus|input|p(?:aste|rint)|u(?:nload|pdate))|gin(?:Event)?)|l(?:ocked|ur)|oun(?:ce|dary)|roadcast|usy)|c(?:a(?:(?:ch|llschang)ed|nplay(?:through)?|rdstatechange)|(?:ell|fstate)change|h(?:a(?:rging(?:time)?cha)?nge|ecking)|l(?:ick|ose)|o(?:m(?:mand(?:update)?|p(?:lete|osition(?:end|start|update)))|n(?:nect(?:ed|ing)|t(?:extmenu|rolselect))|py)|u(?:echange|t))|d(?:ata(?:(?:availabl|chang)e|error|setc(?:hanged|omplete))|blclick|e(?:activate|livery(?:error|success)|vice(?:found|light|(?:mo|orienta)tion|proximity))|i(?:aling|s(?:abled|c(?:hargingtimechange|onnect(?:ed|ing))))|o(?:m(?:a(?:ctivate|ttrmodified)|(?:characterdata|subtree)modified|focus(?:in|out)|mousescroll|node(?:inserted(?:intodocument)?|removed(?:fromdocument)?))|wnloading)|r(?:ag(?:drop|e(?:n(?:d|ter)|xit)|(?:gestur|leav)e|over|start)|op)|urationchange)|e(?:mptied|n(?:abled|d(?:ed|Event)?|ter)|rror(?:update)?|xit)|f(?:ailed|i(?:lterchange|nish)|o(?:cus(?:in|out)?|rm(?:change|input))|ullscreenchange)|g(?:amepad(?:axismove|button(?:down|up)|(?:dis)?connected)|et)|h(?:ashchange|e(?:adphoneschange|l[dp])|olding)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|put|valid))|key(?:down|press|up)|l(?:evelchange|o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|y)|m(?:ark|essage|o(?:use(?:down|enter|(?:lea|mo)ve|o(?:ut|ver)|up|wheel)|ve(?:end|start)?|z(?:a(?:fterpaint|udioavailable)|(?:beforeresiz|orientationchang|t(?:apgestur|imechang))e|(?:edgeui(?:c(?:ancel|omplet)|start)e|network(?:down|up)loa)d|fullscreen(?:change|error)|m(?:agnifygesture(?:start|update)?|ouse(?:hittest|pixelscroll))|p(?:ointerlock(?:change|error)|resstapgesture)|rotategesture(?:start|update)?|s(?:crolledareachanged|wipegesture(?:end|start|update)?))))|no(?:match|update)|o(?:(?:bsolet|(?:ff|n)lin)e|pen|verflow(?:changed)?)|p(?:a(?:ge(?:hide|show)|int|(?:st|us)e)|lay(?:ing)?|o(?:inter(?:down|enter|(?:(?:lea|mo)v|rawupdat)e|o(?:ut|ver)|up)|p(?:state|up(?:hid(?:den|ing)|show(?:ing|n))))|ro(?:gress|pertychange))|r(?:atechange|e(?:adystatechange|ceived|movetrack|peat(?:Event)?|quest|s(?:et|ize|u(?:lt|m(?:e|ing)))|trieving)|ow(?:e(?:nter|xit)|s(?:delete|inserted)))|s(?:croll(?:end)?|e(?:arch|ek(?:complete|ed|ing)|lect(?:ionchange|start)?|n(?:ding|t)|t)|how|(?:ound|peech)(?:end|start)|t(?:a(?:lled|rt|t(?:echange|uschanged))|k(?:comma|sessione)nd|op)|u(?:bmit|ccess|spend)|vg(?:abort|error|(?:un)?load|resize|scroll|zoom))|t(?:ext|ime(?:out|update)|o(?:ggle|uch(?:cancel|en(?:d|ter)|(?:lea|mo)ve|start))|ransition(?:cancel|end|run|start))|u(?:n(?:derflow|handledrejection|load)|p(?:dateready|gradeneeded)|s(?:erproximity|sdreceived))|v(?:ersion|o(?:ic|lum)e)change|w(?:a(?:it|rn)ing|ebkit(?:animation(?:end|iteration|start)|(?:playbacktargetavailabilitychange|transitionen)d)|heel)|zoom)|ping|s(?:rc|tyle))[\x08-\n\f\r ]*?=" \
     "id:941160,\
     phase:2,\
     block,\
@@ -212,8 +217,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -237,8 +243,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -249,7 +256,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
 # https://github.com/validatorjs/validator.js/
 # This rule has a stricter sibling 941181 (PL2) that covers the additional payload "-->"
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@pm document.cookie document.domain document.querySelector document.body.appendChild document.write .parentnode .innerhtml window.location -moz-binding <!-- <![cdata[" \
     "id:941180,\
     phase:2,\
     block,\
@@ -264,8 +271,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -291,8 +299,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -313,20 +322,23 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
+# This rule tries to match all the possible ways to write 'javascript' using
+# html entities, and javascript escape sequences.
 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)(?:j|&#(?:0*(?:74|106)|x0*[46]A);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:v|&#(?:0*(?:86|118)|x0*[57]6);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:a|&#(?:0*(?:65|97)|x0*[46]1);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:s|&#(?:0*(?:115|83)|x0*[57]3);)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:c|&#(?:x0*[46]3|0*(?:99|67));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:r|&#(?:x0*[57]2|0*(?:114|82));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:i|&#(?:x0*[46]9|0*(?:105|73));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:p|&#(?:x0*[57]0|0*(?:112|80));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?:t|&#(?:x0*[57]4|0*(?:116|84));)(?:[\t\n\r]|&(?:#(?:0*(?:9|1[03])|x0*[AD]);?|(?:tab|newline);))*(?::|&(?:#(?:0*58|x0*3A);?|colon;))." \
     "id:941210,\
     phase:2,\
     block,\
     capture,\
     t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
-    msg:'IE XSS Filters - Attack Detected',\
+    msg:'Javascript Word Detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
     tag:'language-multi',\
@@ -335,8 +347,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -357,8 +370,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -379,8 +393,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -401,8 +416,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -423,8 +439,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -445,8 +462,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -467,8 +485,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -489,8 +508,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -511,8 +531,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -533,8 +554,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -593,8 +615,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:\xbc\s*/\s*[^\xbe>]*[\xbe>])|(?:<\s*/\s*[^\xbe]*\xbe)" \
@@ -622,8 +645,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -664,8 +688,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -692,8 +717,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -710,7 +736,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS|REQU
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 941390
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|prompt|confirm)[\s\x0b]*\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)\b(?:eval|set(?:timeout|interval)|new[\s\x0b]+Function|a(?:lert|tob)|btoa|(?:promp|impor)t|con(?:firm|sole\.(?:log|dir))|fetch)[\s\x0b]*[\(\{]" \
     "id:941390,\
     phase:2,\
     block,\
@@ -724,8 +750,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -754,15 +781,16 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:941014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -785,8 +813,9 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -797,14 +826,14 @@ SecRule REQUEST_FILENAME|REQUEST_HEADERS:Referer "@detectXSS" \
 # XSS vectors making use of event handlers like onerror, onload etc, e.g., <body onload="alert(1)">
 #
 # We are not listing all the known event handlers like rule 941160, but we
-# limit the alerts to keywords of 3-25 characters after the prefix ("on").
+# limit the alerts to keywords of 3-50 characters after the prefix ("on").
 #
-# The shortest known event is "onget". The longest known event is "onmozorientationchange"
-# with 23 chars after the prefix. 25 chars adds a little bit of safety.
+# The shortest known event is "onget". The longest known event is "onwebkitplaybacktargetavailabilitychanged"
+# with 39 chars after the prefix. 50 chars adds a little bit of safety.
 #
 # This rule has been moved to PL2 since it has a tendency to trigger on random input.
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,25}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]on[a-zA-Z]{3,50}[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=[^=]" \
     "id:941120,\
     phase:2,\
     block,\
@@ -819,8 +848,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -845,8 +875,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -873,8 +904,9 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -960,9 +992,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
     tag:'PCI/6.5.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -982,9 +1015,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
     tag:'PCI/6.5.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1007,9 +1041,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242',\
     tag:'PCI/6.5.1',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1041,24 +1076,25 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'xss-perf-disable',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-XSS',\
     tag:'capec/1000/152/242/63',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:941016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:941018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf b/wasmplugin/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
index 590f853..3bd4732 100644
--- a/wasmplugin/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
+++ b/wasmplugin/rules/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:942012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -57,9 +57,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
@@ -88,9 +89,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -107,7 +109,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942151
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert(?:_tz)?)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|grees|s_(?:de|en)crypt)|ump)|e(?:lt|n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|object(?:_(?:agg|keys))?|e(?:ac|xtract_pat)h(?:_text)?|insert|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|e(?:as|f)t|i(?:kel(?:ihood|y)|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2)|wer)|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:(?:lyg|siti)on|w)|rocedure_analyse)|qu(?:arter|ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|pace|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp)|likely)|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)\b(?:a(?:dd(?:dat|tim)e|es_(?:de|en)crypt|s(?:cii(?:str)?|in)|tan2?)|b(?:enchmark|i(?:n_to_num|t_(?:and|count|length|x?or)))|c(?:har(?:acter)?_length|iel(?:ing)?|o(?:alesce|ercibility|llation|(?:mpres)?s|n(?:cat(?:_ws)?|nection_id|v(?:ert_tz)?)|t)|r32|ur(?:(?:dat|tim)e|rent_(?:date|setting|time(?:stamp)?|user)))|d(?:a(?:t(?:abase(?:_to_xml)?|e(?:_(?:add|format|sub)|diff))|y(?:name|of(?:month|week|year)))|count|e(?:code|s_(?:de|en)crypt)|ump)|e(?:n(?:c(?:ode|rypt)|ds_?with)|x(?:p(?:ort_set)?|tract(?:value)?))|f(?:i(?:el|n)d_in_set|ound_rows|rom_(?:base64|days|unixtime))|g(?:e(?:ometrycollection|t(?:_(?:format|lock)|pgusername))|(?:r(?:eates|oup_conca)|tid_subse)t)|hex(?:toraw)?|i(?:fnull|n(?:et6?_(?:aton|ntoa)|s(?:ert|tr)|terval)|s(?:_(?:(?:free|used)_lock|ipv(?:4(?:_(?:compat|mapped))?|6)|n(?:ot(?:_null)?|ull)|superuser)|null))|json(?:_(?:a(?:gg|rray(?:_(?:elements(?:_text)?|length))?)|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|object(?:_(?:agg|keys))?|populate_record(?:set)?|strip_nulls|t(?:o_record(?:set)?|ypeof))|b(?:_(?:array(?:_(?:elements(?:_text)?|length))?|build_(?:array|object)|e(?:ac|xtract_pat)h(?:_text)?|insert|object(?:_(?:agg|keys))?|p(?:ath_(?:(?:exists|match)(?:_tz)?|query(?:_(?:(?:array|first)(?:_tz)?|tz))?)|opulate_record(?:set)?|retty)|s(?:et(?:_lax)?|trip_nulls)|t(?:o_record(?:set)?|ypeof)))?|path)?|l(?:ast_(?:day|inser_id)|case|east|i(?:kely|nestring)|o(?:_(?:from_bytea|put)|ad_file|ca(?:ltimestamp|te)|g(?:10|2))|pad|trim)|m(?:a(?:ke(?:_set|date)|ster_pos_wait)|d5|i(?:crosecon)?d|onthname|ulti(?:linestring|po(?:int|lygon)))|n(?:ame_const|ot_in|ullif)|o(?:ct(?:et_length)?|(?:ld_passwo)?rd)|p(?:eriod_(?:add|diff)|g_(?:client_encoding|(?:databas|read_fil)e|l(?:argeobject|s_dir)|sleep|user)|o(?:lygon|w)|rocedure_analyse)|qu(?:ery_to_xml|ote)|r(?:a(?:dians|nd|wtohex)|elease_lock|ow_(?:count|to_json)|pad|trim)|s(?:chema|e(?:c_to_time|ssion_user)|ha[12]?|in|oundex|q(?:lite_(?:compileoption_(?:get|used)|source_id)|rt)|t(?:arts_?with|d(?:dev_(?:po|sam)p)?|r(?:_to_date|cmp))|ub(?:(?:dat|tim)e|str(?:ing(?:_index)?)?)|ys(?:date|tem_user))|t(?:ime(?:_(?:format|to_sec)|diff|stamp(?:add|diff)?)|o(?:_(?:base64|jsonb?)|n?char|(?:day|second)s)|r(?:im|uncate))|u(?:case|n(?:compress(?:ed_length)?|hex|i(?:str|x_timestamp))|(?:pdatexm|se_json_nul)l|tc_(?:date|time(?:stamp)?)|uid(?:_short)?)|var(?:_(?:po|sam)p|iance)|we(?:ek(?:day|ofyear)|ight_string)|xmltype|yearweek)[^0-9A-Z_a-z]*\(" \
     "id:942151,\
     phase:2,\
     block,\
@@ -121,9 +123,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -151,12 +154,13 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # A positive side effect is that it prevents certain DoS attacks via the directives
 # described above.
 #
-SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \
+SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i:sleep\(\s*?\d*?\s*?\)|benchmark\(.*?\,.*?\))" \
     "id:942160,\
     phase:2,\
     block,\
     capture,\
     t:none,t:urlDecodeUni,\
+    t:replaceComments,\
     msg:'Detects blind sqli tests using sleep() or benchmark()',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -165,8 +169,9 @@ SecRule REQUEST_BASENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -190,9 +195,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -216,9 +222,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -240,9 +247,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -266,9 +274,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -292,9 +301,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -313,9 +323,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -334,9 +345,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -360,9 +372,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -386,9 +399,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -415,9 +429,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -441,9 +456,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -480,9 +496,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -521,9 +538,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
@@ -557,10 +575,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'platform-multi',\
     tag:'attack-sqli',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'paranoia-level/1',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -587,9 +606,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -616,16 +636,17 @@ SecRule REQUEST_FILENAME|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIE
     tag:'attack-sqli',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -642,7 +663,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:942014,phase:2,pass,nolog,tag:'O
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942120
 #
-SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|=>?|>(?:[\s\x0b]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\x0b]*\()|r(?:egexp|like)[\s\x0b]+binary|not[\s\x0b]+between[\s\x0b]+(?:0[\s\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\s\x0b]+and[\s\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\s\x0b]+null|like[\s\x0b]+(?:null|[0-9A-Z_a-z]+[\s\x0b]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\x0b\+]*\([\s\x0b\"0-9]+[^\(\)]*\)|[!<->]{1,2}[\s\x0b]*all\b" \
+SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)[!=]=|&&|\|\||->|>[=>]|<(?:[<=]|>(?:[\s\x0b]+binary)?)|\b(?:(?:xor|r(?:egexp|like)|i(?:snull|like)|notnull)\b|collate(?:[^0-9A-Z_a-z]*?(?:U&)?[\"'`]|[^0-9A-Z_a-z]+(?:(?:binary|nocase|rtrim)\b|[0-9A-Z_a-z]*?_))|(?:likel(?:ihood|y)|unlikely)[\s\x0b]*\()|r(?:egexp|like)[\s\x0b]+binary|not[\s\x0b]+between[\s\x0b]+(?:0[\s\x0b]+and|(?:'[^']*'|\"[^\"]*\")[\s\x0b]+and[\s\x0b]+(?:'[^']*'|\"[^\"]*\"))|is[\s\x0b]+null|like[\s\x0b]+(?:null|[0-9A-Z_a-z]+[\s\x0b]+escape\b)|(?:^|[^0-9A-Z_a-z])in[\s\x0b\+]*\([\s\x0b\"0-9]+[^\(\)]*\)|[!<->][\s\x0b]*all\b" \
     "id:942120,\
     phase:2,\
     block,\
@@ -656,9 +677,10 @@ SecRule ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx (?i)!=|&&|\|\||>[=>]|<(?:<|
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -697,9 +719,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.942130_matched_var_name=%{matched_var_name}',\
     chain"
@@ -733,9 +756,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\x0b\"'-\)`]*?\b([0-9A-Z_a-z]+)\b[\s\
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     multiMatch,\
     setvar:'tx.942131_matched_var_name=%{matched_var_name}',\
@@ -770,9 +794,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -813,9 +838,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -842,9 +868,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -871,9 +898,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -897,9 +925,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -923,9 +952,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -949,9 +979,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -983,9 +1014,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1012,9 +1044,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1037,9 +1070,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1067,9 +1101,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1099,9 +1134,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1125,9 +1161,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1151,9 +1188,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1177,9 +1215,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1208,9 +1247,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1237,9 +1277,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1266,9 +1307,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1307,9 +1349,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1323,11 +1366,12 @@ SecRule ARGS_GET:fbclid "@rx [a-zA-Z0-9_-]{61,61}" \
     "id:942441,\
     phase:2,\
     pass,\
-    t:none,t:urlDecodeUni,\
+    t:none,\
     nolog,\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     ctl:ruleRemoveTargetById=942440;ARGS:fbclid,\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
 #
 # -=[ Exclusion rule for 942440 ]=-
@@ -1338,11 +1382,12 @@ SecRule ARGS_GET:gclid "@rx [a-zA-Z0-9_-]{91,91}" \
     "id:942442,\
     phase:2,\
     pass,\
-    t:none,t:urlDecodeUni,\
+    t:none,\
     nolog,\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     ctl:ruleRemoveTargetById=942440;ARGS:gclid,\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
 #
 # -=[ Detect SQL Comment Sequences ]=-
@@ -1394,9 +1439,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "!@rx ^ey[\-0-9A-Z_a-z]+\.ey[\-0-9A-Z_a-z]+\.[\-0-9A-Z_a-z]+$" \
@@ -1425,9 +1471,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1472,9 +1519,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1485,7 +1533,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
 # (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
 #   crs-toolchain regex update 942520
 #
-SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:is[\s\x0b]+not|not[\s\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\x0b]+like)\b|[%&\*\+\-/<->\^\|])" \
+SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\"'`][\s\x0b]*?(?:(?:is[\s\x0b]+not|not[\s\x0b]+(?:like|glob|(?:betwee|i)n|null|regexp|match)|mod|div|sounds[\s\x0b]+like)\b|[%&\*\+\-/<->\^\|]{1,3})" \
     "id:942520,\
     phase:2,\
     block,\
@@ -1499,9 +1547,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1532,9 +1581,10 @@ SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.942521_matched_var_name=%{matched_var_name}',\
     chain"
@@ -1560,9 +1610,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ^.*?\x5c['\"`](?:.*?['\"`])?\s*(?:and|or)\b"
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1598,9 +1649,10 @@ SecRule REQUEST_BASENAME|REQUEST_FILENAME "@detectSQLi" \
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1630,9 +1682,10 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)\b(?:a(?:dd(
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -1660,17 +1713,18 @@ SecRule REQUEST_HEADERS:Referer|REQUEST_HEADERS:User-Agent "@rx (?i)create[\s\x0
     tag:'attack-sqli',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:942016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -1700,9 +1754,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1724,9 +1779,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1764,9 +1820,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1793,9 +1850,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1814,7 +1872,7 @@ SecRule ARGS "@rx \W{4}" \
     phase:2,\
     block,\
     capture,\
-    t:none,t:urlDecodeUni,\
+    t:none,\
     msg:'Meta-Character Anomaly Detection Alert - Repetitive Non-Word Characters',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
     tag:'application-multi',\
@@ -1823,9 +1881,10 @@ SecRule ARGS "@rx \W{4}" \
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.warning_anomaly_score}'"
@@ -1871,9 +1930,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
@@ -1900,16 +1960,17 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-sqli',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:942018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -1934,9 +1995,10 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|REQU
     tag:'attack-sqli',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
@@ -1963,9 +2025,10 @@ SecRule ARGS_NAMES|ARGS|XML:/* "@rx ((?:[~!@#\$%\^&\*\(\)\-\+=\{\}\[\]\|:;\"'´
     tag:'attack-sqli',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SQLI',\
     tag:'capec/1000/152/248/66',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'WARNING',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.warning_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.warning_anomaly_score}'"
diff --git a/wasmplugin/rules/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf b/wasmplugin/rules/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
index 35ad29d..5bf274d 100644
--- a/wasmplugin/rules/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
+++ b/wasmplugin/rules/crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -14,8 +14,8 @@
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:943012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -42,14 +42,15 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
     tag:'attack-fixation',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.session_fixation_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
+SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\.sid|laravel_session)$" \
     "id:943110,\
     phase:2,\
     block,\
@@ -63,8 +64,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'attack-fixation',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.943110_matched_var_name=%{matched_var_name}',\
     chain"
@@ -76,7 +78,7 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
             setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|cfid|cftoken|cfsid|jservsession|jwsession)$" \
+SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsession|phpsessid|weblogicsession|session_id|session-id|sessionid|cfid|cftoken|cfsid|jservsession|jwsession|_flask_session|_session_id|connect\.sid|laravel_session)$" \
     "id:943120,\
     phase:2,\
     block,\
@@ -90,8 +92,9 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
     tag:'attack-fixation',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-SESSION-FIXATION',\
     tag:'capec/1000/225/21/593/61',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.943120_matched_var_name=%{matched_var_name}',\
     chain"
@@ -102,24 +105,24 @@ SecRule ARGS_NAMES "@rx ^(?:jsessionid|aspsessionid|asp\.net_sessionid|phpsessio
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:943014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:943016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:943018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf b/wasmplugin/rules/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
index 62b0f9c..8a0817e 100644
--- a/wasmplugin/rules/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
+++ b/wasmplugin/rules/crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -13,8 +13,8 @@
 #
 # Many rules check request bodies, use "SecRequestBodyAccess On" to enable it on main modsecurity configuration file.
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:944012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -44,9 +44,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -63,8 +64,7 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
 # java. unmarshaller or base64data to trigger a potential payload execution
 # tested with https://www.exploit-db.com/exploits/42627/ and https://www.exploit-db.com/exploits/43458/
 
-SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
-    "@rx (?:runtime|processbuilder)" \
+SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:runtime|processbuilder)" \
     "id:944110,\
     phase:2,\
     block,\
@@ -77,12 +77,13 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
-    SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* "@rx (?:unmarshaller|base64data|java\.)" \
+    SecRule MATCHED_VARS|XML:/*|XML://@* "@rx (?i)(?:unmarshaller|base64data|java\.)" \
         "setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
         setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -102,9 +103,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     chain"
     SecRule MATCHED_VARS "@rx (?:runtime|processbuilder)" \
@@ -134,9 +136,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -173,8 +176,9 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
     tag:'attack-injection-java',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/242',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
@@ -220,16 +224,17 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:944014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -258,9 +263,10 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -290,9 +296,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -311,9 +318,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -332,9 +340,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -356,9 +365,10 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
@@ -381,16 +391,17 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:944016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
@@ -415,16 +426,17 @@ SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES
     tag:'attack-rce',\
     tag:'paranoia-level/3',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/248',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl3=+%{tx.critical_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:944018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
@@ -451,9 +463,10 @@ SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUE
     tag:'attack-rce',\
     tag:'paranoia-level/4',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/ATTACK-JAVA',\
     tag:'capec/1000/152/137/6',\
     tag:'PCI/6.5.2',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
     setvar:'tx.inbound_anomaly_score_pl4=+%{tx.critical_anomaly_score}'"
diff --git a/wasmplugin/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf b/wasmplugin/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf
index 60a6018..0cdf7ec 100644
--- a/wasmplugin/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/wasmplugin/rules/crs/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -24,7 +24,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -34,7 +34,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -44,7 +44,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -54,7 +54,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -64,7 +64,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -74,7 +74,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -84,7 +84,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -94,7 +94,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 # at start of phase 2, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@@ -106,7 +106,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=0'"
 
 SecAction \
@@ -116,7 +116,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=0'"
 
 # Summing up the blocking and detection anomaly scores in phase 2
@@ -128,7 +128,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -138,7 +138,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -148,7 +148,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -158,7 +158,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -168,7 +168,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -178,7 +178,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -188,7 +188,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -198,7 +198,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_inbound_anomaly_score=+%{tx.inbound_anomaly_score_pl4}'"
 
 
@@ -217,7 +217,7 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
     msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     chain"
     SecRule TX:EARLY_BLOCKING "@eq 1"
 
@@ -230,34 +230,34 @@ SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_thresh
     msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:949012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:949014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:949016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:949018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-950-DATA-LEAKAGES.conf b/wasmplugin/rules/crs/RESPONSE-950-DATA-LEAKAGES.conf
index 969bf41..5d27d8a 100644
--- a/wasmplugin/rules/crs/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/wasmplugin/rules/crs/RESPONSE-950-DATA-LEAKAGES.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -21,6 +21,17 @@
 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
 #
 
+# Skip all rules if TX:crs_skip_response_analysis is set.
+SecRule TX:crs_skip_response_analysis "@eq 1" \
+    "id:950021,\
+    phase:3,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
+    ver:'OWASP_CRS/4.14.0',\
+    skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+
 # Skip all rules if RESPONSE_BODY is compressed.
 SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     "id:950010,\
@@ -28,11 +39,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:950012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -54,9 +66,10 @@ SecRule RESPONSE_BODY "@rx (?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Inde
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
     tag:'capec/1000/118/116/54/127',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -86,15 +99,16 @@ SecRule RESPONSE_BODY "@rx ^#\!\s?/" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -116,24 +130,25 @@ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES',\
     tag:'capec/1000/152',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:950016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:950018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf b/wasmplugin/rules/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
index d46b4e8..56a01af 100644
--- a/wasmplugin/rules/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
+++ b/wasmplugin/rules/crs/RESPONSE-951-DATA-LEAKAGES-SQL.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,11 +19,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -45,8 +46,9 @@ SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
     tag:'platform-multi',\
     tag:'attack-disclosure',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-SQL-ERROR-MATCH-PL1"
 
 SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
@@ -63,8 +65,9 @@ SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Micr
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -88,8 +91,9 @@ SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLEx
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -108,8 +112,9 @@ SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -128,8 +133,9 @@ SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinit
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -148,8 +154,9 @@ SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -168,8 +175,9 @@ SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollba
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -188,8 +196,9 @@ SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -208,8 +217,9 @@ SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statem
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -228,8 +238,9 @@ SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -248,8 +259,9 @@ SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -268,13 +280,14 @@ SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
 
-SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
+SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function '.{1,128}' expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
     "id:951220,\
     phase:4,\
     block,\
@@ -288,8 +301,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsof
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -313,8 +327,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -338,8 +353,9 @@ SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -358,8 +374,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/J
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -378,8 +395,9 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-SQL',\
     tag:'capec/1000/118/116/54',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
     setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
@@ -387,24 +405,24 @@ SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*S
 SecMarker "END-SQL-ERROR-MATCH-PL1"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf b/wasmplugin/rules/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
index 6f98b93..1a602b7 100644
--- a/wasmplugin/rules/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
+++ b/wasmplugin/rules/crs/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,38 +19,16 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
-#
-# -=[ Java Source Code Leakages ]=-
-#
-SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
-    "id:952100,\
-    phase:4,\
-    block,\
-    capture,\
-    t:none,\
-    msg:'Java Source Code Leakage',\
-    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
-    tag:'application-multi',\
-    tag:'language-java',\
-    tag:'platform-multi',\
-    tag:'attack-disclosure',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/118/116',\
-    tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
-    severity:'ERROR',\
-    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
-
 #
 # -=[ Java Errors ]=-
 #
@@ -70,32 +48,33 @@ SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-JAVA',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf b/wasmplugin/rules/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
index ce0c3ad..5833d89 100644
--- a/wasmplugin/rules/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
+++ b/wasmplugin/rules/crs/RESPONSE-953-DATA-LEAKAGES-PHP.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,11 +19,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -45,9 +46,10 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -70,9 +72,10 @@ SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scan
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -96,15 +99,16 @@ SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -129,23 +133,24 @@ SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-PHP',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf b/wasmplugin/rules/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
index e27ac3b..0a3b924 100644
--- a/wasmplugin/rules/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+++ b/wasmplugin/rules/crs/RESPONSE-954-DATA-LEAKAGES-IIS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,22 +19,23 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:954012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 # IIS default location
-SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
+SecRule RESPONSE_BODY "@rx (?i)[a-z]:[\x5c/]inetpub\b" \
     "id:954100,\
     phase:4,\
     block,\
     capture,\
-    t:none,t:lowercase,\
+    t:none,\
     msg:'Disclosure of IIS install location',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
     tag:'application-multi',\
@@ -44,8 +45,9 @@ SecRule RESPONSE_BODY "@rx [a-z]:\x5cinetpub\b" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -64,9 +66,10 @@ SecRule RESPONSE_BODY "@rx (?:Microsoft OLE DB Provider for SQL Server(?:</font>
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -88,9 +91,10 @@ SecRule RESPONSE_BODY "@pmFromFile iis-errors.data" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
 
@@ -110,9 +114,10 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
     tag:'attack-disclosure',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/DATA-LEAKAGES-IIS',\
     tag:'capec/1000/118/116',\
     tag:'PCI/6.5.6',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'ERROR',\
     chain"
     SecRule RESPONSE_BODY "@rx \bServer Error in.{0,50}?\bApplication\b" \
@@ -122,24 +127,24 @@ SecRule RESPONSE_STATUS "!@rx ^404$" \
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:954014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:954016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:954018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-955-WEB-SHELLS.conf b/wasmplugin/rules/crs/RESPONSE-955-WEB-SHELLS.conf
index 7da573e..db97e66 100644
--- a/wasmplugin/rules/crs/RESPONSE-955-WEB-SHELLS.conf
+++ b/wasmplugin/rules/crs/RESPONSE-955-WEB-SHELLS.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. (not) All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -19,11 +19,12 @@ SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
     pass,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
+    ver:'OWASP_CRS/4.14.0',\
     skipAfter:END-RESPONSE-955-WEB-SHELLS"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:955012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
@@ -36,20 +37,21 @@ SecRule RESPONSE_BODY "@pmFromFile web-shells-php.data" \
     block,\
     capture,\
     t:none,\
-    msg:'Web shell detected',\
+    msg:'PHP Web shell detected',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
     tag:'language-php',\
     tag:'platform-multi',\
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # r57 web shell
-SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>)" \
+SecRule RESPONSE_BODY "@rx <title>r57 Shell Version [0-9.]+</title>|<title>r57 shell</title>" \
     "id:955110,\
     phase:4,\
     block,\
@@ -62,13 +64,14 @@ SecRule RESPONSE_BODY "@rx (<title>r57 Shell Version [0-9.]+</title>|<title>r57
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 # WSO web shell
-SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=Windows-1251'><title>.*? - WSO [0-9.]+</title>" \
+SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content='text/html; charset=(?:Windows-1251|UTF-8)?'><title>.*?(?: -)? W[Ss][Oo] [0-9.]+</title>" \
     "id:955120,\
     phase:4,\
     block,\
@@ -81,8 +84,9 @@ SecRule RESPONSE_BODY "@rx ^<html><head><meta http-equiv='Content-Type' content=
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -100,8 +104,9 @@ SecRule RESPONSE_BODY "@rx B4TM4N SH3LL</title>.*<meta name='author' content='k4
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -119,8 +124,9 @@ SecRule RESPONSE_BODY "@rx <title>Mini Shell</title>.*Developed By LameHacker" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -138,8 +144,9 @@ SecRule RESPONSE_BODY "@rx <title>\.:: .* ~ Ashiyane V [0-9.]+ ::\.</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -157,8 +164,9 @@ SecRule RESPONSE_BODY "@rx <title>Symlink_Sa [0-9.]+</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -176,8 +184,9 @@ SecRule RESPONSE_BODY "@rx <title>CasuS [0-9.]+ by MafiABoY</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -195,8 +204,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<title>GRP WebShell [0-9.]+ " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -214,8 +224,9 @@ SecRule RESPONSE_BODY "@rx <small>NGHshell [0-9.]+ by Cr4sh</body></html>\n$" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -233,8 +244,9 @@ SecRule RESPONSE_BODY "@rx <title>SimAttacker - (?:Version|Vrsion) : [0-9.]+ - "
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -252,8 +264,9 @@ SecRule RESPONSE_BODY "@rx ^<!DOCTYPE html>\n<html>\n<!-- By Artyum .*<title>Web
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -271,8 +284,9 @@ SecRule RESPONSE_BODY "@rx <title>lama's'hell v. [0-9.]+</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -290,8 +304,9 @@ SecRule RESPONSE_BODY "@rx ^ *<html>\n[ ]+<head>\n[ ]+<title>lostDC - " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -309,8 +324,9 @@ SecRule RESPONSE_BODY "@rx ^<title>PHP Web Shell</title>\r\n<html>\r\n<body>\r\n
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -328,8 +344,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<div align=\"left\"><font size=\"1\"
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -349,8 +366,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<head>\n<title>Ru24PostWebShell " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -368,8 +386,9 @@ SecRule RESPONSE_BODY "@rx <title>s72 Shell v[0-9.]+ Codinf by Cr@zy_King</title
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -387,8 +406,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\r\n<head>\r\n<meta http-equiv=\"Content-Type\
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -406,8 +426,9 @@ SecRule RESPONSE_BODY "@rx ^ <html>\n\n<head>\n\n<title>g00nshell v[0-9.]+ " \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -427,8 +448,9 @@ SecRule RESPONSE_BODY "@contains <title>punkholicshell</title>" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -446,8 +468,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n      <head>\n             <title>azrail [0-
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -465,8 +488,9 @@ SecRule RESPONSE_BODY "@rx >SmEvK_PaThAn Shell v[0-9]+ coded by <a href=" \
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -484,8 +508,9 @@ SecRule RESPONSE_BODY "@rx ^<html>\n<title>.*? ~ Shell I</title>\n<head>\n<style
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
@@ -503,15 +528,36 @@ SecRule RESPONSE_BODY "@rx ^ <html><head><title>:: b374k m1n1 [0-9.]+ ::</title>
     tag:'attack-rce',\
     tag:'paranoia-level/1',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+# This rule is intended for ASP web shells.
+SecRule RESPONSE_BODY "@pmFromFile web-shells-asp.data" \
+    "id:955400,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'ASP Web shell detected',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-rce',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
+    tag:'capec/1000/225/122/17/650',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:955014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
@@ -531,21 +577,24 @@ SecRule RESPONSE_BODY "@contains <h1 style=\"margin-bottom: 0\">webadmin.php</h1
     tag:'attack-rce',\
     tag:'paranoia-level/2',\
     tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/WEB-SHELLS',\
     tag:'capec/1000/225/122/17/650',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     severity:'CRITICAL',\
     setvar:'tx.outbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:955016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:955018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-955-WEB-SHELLS"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-959-BLOCKING-EVALUATION.conf b/wasmplugin/rules/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
index 79ce794..67af1b0 100644
--- a/wasmplugin/rules/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/wasmplugin/rules/crs/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -35,7 +35,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -45,7 +45,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -55,7 +55,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -65,7 +65,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -75,7 +75,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -85,7 +85,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -95,7 +95,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -105,7 +105,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 # at start of phase 4, we reset the aggregate scores to 0 to prevent duplicate counting of per-PL scores
@@ -117,7 +117,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=0'"
 
 SecAction \
@@ -127,7 +127,7 @@ SecAction \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=0'"
 
 SecMarker "EARLY_BLOCKING_ANOMALY_SCORING"
@@ -141,7 +141,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
@@ -151,7 +151,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 1" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
@@ -161,7 +161,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
@@ -171,7 +171,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 2" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
@@ -181,7 +181,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
@@ -191,7 +191,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 3" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl3}'"
 
 SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
@@ -201,7 +201,7 @@ SecRule TX:BLOCKING_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
@@ -211,7 +211,7 @@ SecRule TX:DETECTION_PARANOIA_LEVEL "@ge 4" \
     t:none,\
     nolog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.detection_outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl4}'"
 
 #
@@ -227,7 +227,7 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
     msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{tx.blocking_outbound_anomaly_score})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     chain"
     SecRule TX:EARLY_BLOCKING "@eq 1"
 
@@ -240,34 +240,34 @@ SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_thre
     msg:'Outbound Anomaly Score Exceeded (Total Score: %{tx.blocking_outbound_anomaly_score})',\
     tag:'anomaly-evaluation',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:959012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:959014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:959016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:959018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-980-CORRELATION.conf b/wasmplugin/rules/crs/RESPONSE-980-CORRELATION.conf
index 4af3a32..2368b82 100644
--- a/wasmplugin/rules/crs/RESPONSE-980-CORRELATION.conf
+++ b/wasmplugin/rules/crs/RESPONSE-980-CORRELATION.conf
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
@@ -28,7 +28,7 @@ SecAction \
     nolog,\
     noauditlog,\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0',\
+    ver:'OWASP_CRS/4.14.0',\
     setvar:'tx.blocking_anomaly_score=%{tx.blocking_inbound_anomaly_score}',\
     setvar:'tx.blocking_anomaly_score=+%{tx.blocking_outbound_anomaly_score}',\
     setvar:'tx.detection_anomaly_score=%{tx.detection_inbound_anomaly_score}',\
@@ -41,33 +41,33 @@ SecAction \
 #
 
 # -= Reporting Level 0 =- (Skip over reporting when tx.reporting_level is 0)
-SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@eq 0" "id:980041,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REPORTING"
 
 # -= Reporting Level 5 =- (Jump to reporting rule immediately when tx.reporting_level is 5 or greater)
-SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
+SecRule TX:REPORTING_LEVEL "@ge 5" "id:980042,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:LOG-REPORTING"
 
 # -= Zero detection score =- (Skip over reporting when sum of inbound and outbound detection score is equal to 0)
-SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
+SecRule TX:DETECTION_ANOMALY_SCORE "@eq 0" "id:980043,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REPORTING"
 
 # -= Blocking score exceeds threshold =- (Jump to reporting rule immediately if a blocking score exceeds a threshold)
-SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
-SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980044,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980045,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:LOG-REPORTING"
 
 # -= Reporting Level 2 =- (Skip over reporting when tx.reporting_level is less than 2)
-SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@lt 2" "id:980046,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REPORTING"
 
 # -= Detection score exceeds threshold =- (Jump to reporting rule immediately if a detection score exceeds a threshold)
-SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
-SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
+SecRule TX:DETECTION_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" "id:980047,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:LOG-REPORTING"
+SecRule TX:DETECTION_OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" "id:980048,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:LOG-REPORTING"
 
 # -= Reporting Level 3 =- (Skip over reporting when tx.reporting_level is less than 3)
-SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@lt 3" "id:980049,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REPORTING"
 
 # -= Blocking score greater than zero =- (Jump to reporting rule immediately when sum of inbound and outbound blocking score is greater than zero)
-SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:LOG-REPORTING"
+SecRule TX:BLOCKING_ANOMALY_SCORE "@gt 0" "id:980050,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:LOG-REPORTING"
 
 # -= Reporting Level 4 =- (Skip over reporting when tx.reporting_level is less than 4)
-SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-REPORTING"
+SecRule TX:REPORTING_LEVEL "@lt 4" "id:980051,phase:5,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-REPORTING"
 
 # At this point, the reporting level is 4 and there's a non-zero detection
 # score (already established by rule 980043) so fall through to the reporting
@@ -95,37 +95,37 @@ SecAction \
 (SQLI=%{tx.sql_injection_score}, XSS=%{tx.xss_score}, RFI=%{tx.rfi_score}, LFI=%{tx.lfi_score}, RCE=%{tx.rce_score}, PHPI=%{tx.php_injection_score}, HTTP=%{tx.http_violation_score}, SESS=%{tx.session_fixation_score}, COMBINED_SCORE=%{tx.anomaly_score})',\
     tag:'reporting',\
     tag:'OWASP_CRS',\
-    ver:'OWASP_CRS/4.5.0'"
+    ver:'OWASP_CRS/4.14.0'"
 
 SecMarker "END-REPORTING"
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980011,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:980012,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980013,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:980014,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:980016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
 #
 
 
 
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
-SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.5.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980017,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:980018,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.14.0',skipAfter:END-RESPONSE-980-CORRELATION"
 #
 # -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
 #
diff --git a/wasmplugin/rules/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example b/wasmplugin/rules/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
index 3a06235..496421c 100644
--- a/wasmplugin/rules/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+++ b/wasmplugin/rules/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------
-# OWASP CRS ver.4.5.0
+# OWASP CRS ver.4.14.0
 # Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
-# Copyright (c) 2021-2024 CRS project. All rights reserved.
+# Copyright (c) 2021-2025 CRS project. All rights reserved.
 #
 # The OWASP CRS is distributed under
 # Apache Software License (ASL) version 2
diff --git a/wasmplugin/rules/crs/java-classes.data b/wasmplugin/rules/crs/java-classes.data
index f936a91..4332360 100644
--- a/wasmplugin/rules/crs/java-classes.data
+++ b/wasmplugin/rules/crs/java-classes.data
@@ -1,5 +1,5 @@
 # Java Classes for use with Java RCEs
-# 
+#
 # Used With Rule 944130 in Apache Struts and Oracle Weblogic RCEs Detection:
 #
 # CVE-2017-5638  (2017.01.29) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
diff --git a/wasmplugin/rules/crs/java-code-leakages.data b/wasmplugin/rules/crs/java-code-leakages.data
deleted file mode 100644
index 5ec6205..0000000
--- a/wasmplugin/rules/crs/java-code-leakages.data
+++ /dev/null
@@ -1,17 +0,0 @@
-<jsp:
-javax.servlet
-.addheader
-.createtextfile
-.getfile
-.loadfromfile
-response.binarywrite
-response.write
-scripting.filesystemobject
-server.createobject
-server.execute
-server.htmlencode
-server.mappath
-server.urlencode
-vbscript.encode
-wscript.network
-wscript.shell
diff --git a/wasmplugin/rules/crs/lfi-os-files.data b/wasmplugin/rules/crs/lfi-os-files.data
index 86449c3..ce41e04 100644
--- a/wasmplugin/rules/crs/lfi-os-files.data
+++ b/wasmplugin/rules/crs/lfi-os-files.data
@@ -31,18 +31,28 @@
 .cshrc
 .cups/
 .dbus/
-.docker
+.docker/
 .drush/
-.env
+# .env
+.envrc
 .eslintignore
 .fbcindex
 .forward
 .gem/
+.git/
 .gitattributes
 .gitconfig
-.gnonme/
+.gitignore
+.gitkeep
+.gitmodules
+.gnome/
+.gnome2/
+.gnomerc/
 .gnupg/
+.google_authenticator
 .gsutil/
+.hg/
+.hgignore
 .hplip/hplip.conf
 .htaccess
 .htdigest
@@ -64,6 +74,7 @@
 .netrc
 .node_repl_history
 .npm/
+.npmrc
 .nsconfig
 .nsr
 .nvm/
@@ -82,22 +93,33 @@
 .rediscli_history
 .rhistory
 .rhosts
+.selected_editor
 .sh_history
 .sqlite_history
+.snap/
 .ssh/
 .subversion/
+.svn/
+.svnignore
 .tconn/
 .tcshrc
+.tmux.conf
 .thunderbird/
 .tor/
+.travis.yaml
+.travis.yml
+.vagrant.d/
 .vidalia/
 .vim/
 .viminfo
 .vimrc
+.vscode
 .vmware/
 .www_acl
 .wwwacl
 .xauthority
+.yarnrc
+.zshenv
 .zhistory
 .zsh_history
 .zshrc
@@ -106,6 +128,44 @@
 /php.ini
 /tmp/
 
+# Compressed database dumps
+.sql.001
+.sql.7z
+.sql.bz
+.sql.ace
+.sql.arj
+.sql.cpio
+.sql.gz
+.sql.lha
+.sql.lz
+.sql.pa
+.sql.pea
+.sql.r00
+.sql.r01
+.sql.r02
+.sql.r03
+.sql.r04
+.sql.r05
+.sql.r06
+.sql.r07
+.sql.r08
+.sql.r09
+.sql.rar
+.sql.rev
+.sql.tar
+.sql.taz
+.sql.tbz
+.sql.tgz
+.sql.txz
+.sql.uha
+.sql.xz
+.sql.yz1
+.sql.z
+# AWS cli
+aws.yaml
+aws.yml
+aws-key.yaml
+aws-key.yml
 # Apache httpd entries can be generated with the following command:
 # curl -s https://raw.githubusercontent.com/lightos/Panoptic/master/cases.xml | grep "file value" | cut -d'"' -f2 | awk -F/ '{ { if (length($NF) > 0) {v1 = NF-1; v2 = NF} else {v1 = NF-2; v2 = NF-1} print tolower($v1"/"$v2) }) }' | grep apache | sort | uniq
 apache/access.conf
diff --git a/wasmplugin/rules/crs/php-function-names-933150.data b/wasmplugin/rules/crs/php-function-names-933150.data
index 057a690..d63529b 100644
--- a/wasmplugin/rules/crs/php-function-names-933150.data
+++ b/wasmplugin/rules/crs/php-function-names-933150.data
@@ -41,7 +41,6 @@ fclose
 file_exists
 file_get_contents
 finfo_open
-fopen
 fputs
 fsockopen
 ftp_connect
diff --git a/wasmplugin/rules/crs/restricted-files.data b/wasmplugin/rules/crs/restricted-files.data
index 04919fc..d4b7d15 100644
--- a/wasmplugin/rules/crs/restricted-files.data
+++ b/wasmplugin/rules/crs/restricted-files.data
@@ -3,32 +3,52 @@
 .htaccess
 .htdigest
 .htpasswd
-# home level dotfiles (keep in sync with lfi-os-files.data)
-# grep -E '^\.' lfi-os-files.data
+# home level dotfiles (keep in sync with lfi-os-files.data).
+# Also include commented values (e.g., `# .env`), but not comments.
+# grep -E "^(#\s*)?\.\S+$" lfi-os-files.data | sed 's/^#\s*//'
 .addressbook
+.anydesk/
 .aptitude/config
+.atom/
 .aws/
 .azure/
 .bash_
 .bashrc
+.boto
 .cache/notify-osd.log
 .config/
 .cshrc
-.docker
+.cups/
+.dbus/
+.docker/
 .drush/
 .env
+.envrc
 .eslintignore
 .fbcindex
 .forward
+.gem/
+.git/
 .gitattributes
 .gitconfig
+.gitignore
+.gitkeep
+.gitmodules
+.gnome/
+.gnome2/
+.gnomerc/
 .gnupg/
 .google_authenticator
+.gsutil/
+.hg/
+.hgignore
 .hplip/hplip.conf
 .htaccess
 .htdigest
 .htpasswd
+.java/
 .ksh_history
+.kube/
 .lesshst
 .lftp/
 .lhistory
@@ -36,13 +56,17 @@
 .lldb-history
 .local/share/mc/
 .lynx_cookies
+.minikube/
 .my.cnf
 .mysql_history
 .nano_history
+.netrc
 .node_repl_history
+.npm/
 .npmrc
 .nsconfig
 .nsr
+.nvm/
 .oh-my-
 .password-store
 .pearrc
@@ -64,33 +88,73 @@
 .snap/
 .ssh/
 .subversion/
+.svn/
+.svnignore
 .tconn/
 .tcshrc
 .tmux.conf
+.thunderbird/
 .tor/
+.travis.yaml
+.travis.yml
 .vagrant.d/
 .vidalia/
 .vim/
 .viminfo
 .vimrc
 .vscode
+.vmware/
 .www_acl
 .wwwacl
-.Xauthority
+.xauthority
 .yarnrc
+.zshenv
 .zhistory
 .zsh_history
-.zshenv
 .zshrc
-# Version control
-/.git/
-/.gitignore
-/.hg/
-/.hgignore
-/.svn/
+
+# Compressed database dumps
+.sql.001
+.sql.7z
+.sql.bz
+.sql.ace
+.sql.arj
+.sql.cpio
+.sql.gz
+.sql.lha
+.sql.lz
+.sql.pa
+.sql.pea
+.sql.r00
+.sql.r01
+.sql.r02
+.sql.r03
+.sql.r04
+.sql.r05
+.sql.r06
+.sql.r07
+.sql.r08
+.sql.r09
+.sql.rar
+.sql.rev
+.sql.tar
+.sql.taz
+.sql.tbz
+.sql.tgz
+.sql.txz
+.sql.uha
+.sql.xz
+.sql.yz1
+.sql.z
+# AWS cli
+aws.yaml
+aws.yml
+aws-key.yaml
+aws-key.yml
 # October CMS credentials file
 /auth.json
 # Wordpress
+wp-config.copy
 wp-config.php
 wp-config.bak
 wp-config.old
@@ -180,6 +244,25 @@ BlockCypher.log
 config.inc.php
 config.sample.php
 defaults.inc.php
+# Contains credentials for SendGrid service
+sendgrid.env
+# Fish shell files
+.fish
+fish_variables
+# CVE-2023-5003
+ldap-authentication-report.csv
+# OpenStack-Ansible credentials file
+user_secrets.yml
+# File used by Visual Studio to store sensitive data
+secrets.json
+# Docker definition files, first two are commented out
+# as they are matched by the rest of the files
+#docker-compose.yml
+#docker-compose.yaml
+compose.yml
+compose.yaml
+# cloud-init definition file
+cloud-config.yml
 
 # /proc entries (keep in sync with lfi-os-files.data)
 # grep -E "^proc/" lfi-os-files.data
diff --git a/wasmplugin/rules/crs/restricted-upload.data b/wasmplugin/rules/crs/restricted-upload.data
index fd5850e..0c2647c 100644
--- a/wasmplugin/rules/crs/restricted-upload.data
+++ b/wasmplugin/rules/crs/restricted-upload.data
@@ -5,29 +5,35 @@
 # w
 # q
 # EOF
-# words="$(awk ' !/^#/ {split($0, segments, "/")} {word = segments[length(segments)]} length(word) > 3 {print word}' rules/restricted-files.data | \
-#   sort | uniq)"
+# words="$(awk ' !/^#/ && NF {
+#  n = split($0, segments, "/");
+#  word = segments[n];
+#  if (length(word) > 3) print word
+# }' rules/restricted-files.data | sort | uniq)"
 # while read -r word; do
 #   if [ "$(util/fp-finder/spell.sh -m -e - <<<"${word}")" != "${word}" ]; then
 #     echo "${word}" >> rules/restricted-upload.data
 #   fi
 # done <<<"${words}"
-
-.DS_Store
 .addressbook
 .bash_
 .bashrc
+.boto
 .bowerrc
 .cshrc
-.docker
+.DS_Store
 .env
+.envrc
 .eslintignore
 .eslintrc
 .fbcindex
+.fish
 .forward
 .gitattributes
 .gitconfig
 .gitignore
+.gitkeep
+.gitmodules
 .gitlab-ci.yml
 .google_authenticator
 .hgignore
@@ -45,7 +51,9 @@
 .my.cnf
 .mysql_history
 .nano_history
+.netrc
 .node_repl_history
+.npmrc
 .nsconfig
 .nsr
 .oh-my-
@@ -65,50 +73,64 @@
 .rediscli_history
 .rhistory
 .rhosts
+.selected_editor
 .sh_history
 .sqlite_history
+.svnignore
 .tcshrc
+.tmux.conf
+.travis.yaml
 .travis.yml
 .user.ini
 .viminfo
 .vimrc
+.vscode
 .ws_ftp.ini
 .www_acl
 .wwwacl
 .xauthority
+.yarnrc
 .zhistory
 .zsh_history
+.zshenv
 .zshrc
-Desktop.ini
-Dockerfile
-Thumbs.db
-Web.config
 acpi
 asound
 auth.json
+aws.yaml
+aws.yml
+aws-key.yaml
+aws-key.yml
+BlockCypher.log
 bootconfig
 bower.json
 buddyinfo
 cgroups
+cloud-config.yml
 cmdline
+compose.yaml
+compose.yml
 composer.json
 composer.lock
+config_dev.yml
+config_prod.yml
+config_test.yml
 config.gz
 config.inc.php
 config.php
 config.sample.php
 config.yml
-config_dev.yml
-config_prod.yml
-config_test.yml
 cpuinfo
 database.yml
-defaults.inc.php
 default.settings.php
+defaults.inc.php
+Desktop.ini
 diskstats
+Dockerfile
 dynamic_debug
 execdomains
 filesystems
+fish_variables
 gruntfile.js
 hplip.conf
 hypervisor
@@ -123,6 +145,7 @@ kpagecgroup
 kpagecount
 kpageflags
 latency_stats
+ldap-authentication-report.csv
 loadavg
 local.xml
 mdstat
@@ -138,15 +161,17 @@ packages.json
 pagetypeinfo
 parameters.php
 parameters.yml
-php.ini
 php_error.log
 php_errors.log
+php.ini
 phpcs.xml
 phpcs.xml.dist
 routing.yml
 sched_debug
 schedstat
+secrets.json
 security.yml
+sendgrid.env
 services.yml
 settings.inc.php
 settings.local.php
@@ -159,14 +184,18 @@ sslvpn_websession
 sysrq-trigger
 sysvipc
 thread-self
+Thumbs.db
 timer_list
 timer_stats
 tsconfig.json
+user_secrets.yml
 version_signature
 vmallocinfo
 vmstat
+Web.config
 weblogic.xml
 webpack.config.js
+wp-config.copy
 wp-config.bak
 wp-config.old
 wp-config.php
diff --git a/wasmplugin/rules/crs/unix-shell.data b/wasmplugin/rules/crs/unix-shell.data
index fb6b7f4..c06d8da 100644
--- a/wasmplugin/rules/crs/unix-shell.data
+++ b/wasmplugin/rules/crs/unix-shell.data
@@ -51,6 +51,8 @@ bin/ar
 bin/arch
 bin/aria2c
 bin/arj
+bin/arjdisp
+bin/arj-register
 bin/arp
 bin/as
 bin/ascii-xfr
@@ -95,7 +97,9 @@ bin/bzless
 bin/bzmore
 bin/bzz
 bin/c89
+bin/c89-gcc
 bin/c99
+bin/c99-gcc
 bin/cancel
 bin/capsh
 bin/cat
@@ -111,6 +115,7 @@ bin/check_raid
 bin/check_ssl_cert
 bin/check_statusfile
 bin/chef
+bin/chef-
 bin/chflags
 bin/chgrp
 bin/chmod
@@ -124,6 +129,7 @@ bin/clang
 bin/clang++
 bin/cmp
 bin/cobc
+bin/cobcrun
 bin/column
 bin/comm
 bin/command
@@ -165,6 +171,7 @@ bin/docker
 bin/done
 bin/dosbox
 bin/dpkg
+bin/dpkg-
 bin/du
 bin/dvips
 bin/e2fsck
@@ -193,6 +200,10 @@ bin/export
 bin/expr
 bin/facter
 bin/fc
+bin/fdfind
+bin/fdisk
+bin/fdmount
+bin/fdumount
 bin/fetch
 bin/fg
 bin/fgrep
@@ -207,6 +218,7 @@ bin/fmt
 bin/fold
 bin/foreach
 bin/fping
+bin/fping6
 bin/ftp
 bin/ftpstats
 bin/ftpwho
@@ -223,13 +235,16 @@ bin/HEAD
 bin/POST
 bin/getfacl
 bin/ghc
+bin/ghc-
 bin/ghci
+bin/ghci-
 bin/gimp
 bin/ginsh
 bin/git
 bin/go
 bin/gpg
 bin/grc
+bin/grcat
 bin/grep
 bin/groupmod
 bin/gtester
@@ -259,6 +274,9 @@ bin/ionice
 bin/ip
 bin/ip6tables
 bin/ipconfig
+bin/ippeveprinter
+bin/ippfind
+bin/ipptool
 bin/iptables
 bin/irb
 bin/ispell
@@ -400,6 +418,9 @@ bin/paste
 bin/patch
 bin/pax
 bin/pdb
+bin/pdb2mb
+bin/pdb3
+bin/pdb3.
 bin/pdflatex
 bin/pdftex
 bin/pdksh
@@ -457,6 +478,7 @@ bin/rc
 bin/rcp
 bin/readelf
 bin/realpath
+bin/reboot
 bin/red
 bin/redcarpet
 bin/rename
@@ -476,6 +498,7 @@ bin/rpmdb
 bin/rpmquery
 bin/rpmverify
 bin/rsync
+bin/rsync-ssl
 bin/ruby
 bin/run-mailcap
 bin/run-parts
@@ -522,7 +545,21 @@ bin/strace
 bin/strings
 bin/su
 bin/sudo
+bin/sudoedit
+bin/sudoreplay
+bin/sudo_
 bin/svn
+bin/svnadmin
+bin/svnauthz
+bin/svnbench
+bin/svndumpfilter
+bin/svnfsfs
+bin/svnlook
+bin/svnmucc
+bin/svnrdump
+bin/svnserve
+bin/svnsync
+bin/svnversion
 bin/sysctl
 bin/systemctl
 bin/systemd-resolve
diff --git a/wasmplugin/rules/crs/web-shells-asp.data b/wasmplugin/rules/crs/web-shells-asp.data
new file mode 100644
index 0000000..28faa89
--- /dev/null
+++ b/wasmplugin/rules/crs/web-shells-asp.data
@@ -0,0 +1,23 @@
+# This list contains patterns of various web shells, backdoors and similar
+# software written in ASP language. There is no way how to automatically update
+# this list, so it must be done by hand. Here is a recommended way how to add
+# new malicious software:
+# 1.) As patterns are matched against RESPONSE_BODY, you need to run a malicious
+#     software (ideally in an isolated environment) and catch the output.
+# 2.) In the output, search for static pattern unique enough to match only
+#     the software in question and to not do any FPs. The best pick is usually
+#     a part of HTML code with software name.
+# 3.) Include software name and URL (if available) in the comment above
+#     the pattern.
+#
+# Data comes from multiple places of which some doesn't work anymore. Few are
+# listed below:
+# - https://www.localroot.net/
+# - Google search (keywords like webshells, asp backdoor and similar)
+
+# Akmal archtte id ASPX shell
+<title>Webshell Akmal archtte id</title>
+# ASPYDrv shell
+<html><title>ASPYDrvsInfo</title>
+# RHTOOLS shell
+<html><head><title>RHTOOLS
diff --git a/wasmplugin/rules/crs/web-shells-php.data b/wasmplugin/rules/crs/web-shells-php.data
index 72eaecb..8ac7c39 100644
--- a/wasmplugin/rules/crs/web-shells-php.data
+++ b/wasmplugin/rules/crs/web-shells-php.data
@@ -66,6 +66,8 @@ color=DeepSkyBlue   size=6>    ## ex0 shell
 <p align="center" class="style4">FaTaLSheLL v
 # G-Security Webshell
 <title>G-Security Webshell</title>
+# Gecko web shell
+<title>Gecko [
 # h4ntu shell web shell
 <title>h4ntu shell [powered by tsoi]</title>
 # IDBTEAM SHELLS file manager
@@ -137,6 +139,8 @@ PHPShell by MAX666, Private Exploit, For Server Hacking
 <font face="Wingdings 3" size="5">y</font><b>StresBypass<span lang="en-us">v
 # SyRiAn Sh3ll web shell
 <title>SyRiAn Sh3ll ~
+# Tiny File Manager
+<title>Tiny File Manager</title>
 # Turk Shell web shell
 <head><title>Wardom | Ne Mutlu T
 # Unknown web shell