Topic: mod_security Core Rules updated

[Steffen]

I updated in the mod_security download the core rules to version 2.1-1.4.

Steffen


Change Log:

New Events:

- 970021 - WebLogic information disclosure
Matching of "<title>JSP compile error</title>" in the response body, will trigger this rule, with severity 4 (Warning)
- 950015,950910,950911 - HTTP Response Splitting
Looking for HTTP Response Splitting patterns as described in Amit Klein's excellent article:
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
ModSecurity does not support compressed content at the moment. Thus, the following rules have been added:
- 960902 - Content-Encoding in request not supported
Any incoming compressed request will be denied
- 960903 - Content-Encoding in response not suppoted
An outgoing compressed response will be logged to alert, but ONLY ONCE.

False Positives Fixes:

- Removed <.exe>,<.shtml> from restricted extensions
- Will not be looking for SQL Injection signatures <root@>,<coalesce> in the Via request header
- Excluded Referer header from SQL injection, XSS and command injection rules
- Excluded X-OS-Prefs header from command injection rule
- Will be looking for command injection signatures in
REQUEST_COOKIES|REQUEST_COOKIES_NAMES instead of REQUEST_HEADERS:Cookie.
- Allowing charset specification in the <application/x-www-form-urlencoded> Content-Type

Additional rules logic:

- Corrected match of OPTIONS method in event 960015
- Changed location for event 960014 (proxy access) to REQUEST_URI_RAW
- Moved all rules apart from method inspection from phase 1 to phase 2 -
This will enable viewing content if such a rule triggers as well as setting
exceptions using Apache scope tags.
- Added match for double quote in addition to single quote for <or x=x> signature (SQL Injection)
- Added 1=1 signature (SQL Injection)