Update crs-setup.conf defaults to version 3.3.0

Only comment changes, illustrating the new defaults.

Update crs-setup.conf defaults to version 3.3.0
9e709530 · ale · 7f534803 · 9e709530
Commit 9e709530 authored 2 years ago by ale
--- a/docker/conf/modsecurity/crs/crs-setup.conf
+++ b/docker/conf/modsecurity/crs/crs-setup.conf
 # ------------------------------------------------------------------------
-# OWASP ModSecurity Core Rule Set ver.3.1.0
-# Copyright (c) 2006-2018 Trustwave and contributors. All rights reserved.
+# OWASP ModSecurity Core Rule Set ver.3.3.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
 #
 # The OWASP ModSecurity Core Rule Set is distributed under
 # Apache Software License (ASL) version 2
@@ -88,7 +88,7 @@

 # Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 #   and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 #   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -98,7 +98,7 @@ SecDefaultAction "phase:2,log,noauditlog,pass"

 # Example: Anomaly Scoring mode, log only to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
-# - To change the disruptive action, see RESPONSE-999-EXCEPTIONS.conf.example
+# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
 #   and review section 'Changing the Disruptive Action for Anomaly Mode'.
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 #   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
@@ -163,7 +163,7 @@ SecDefaultAction "phase:2,log,noauditlog,pass"
 #   likely produce a very high number of FPs which have to be
 #   treated before the site can go productive.
 #
-# Rules in paranoia level 2 or higher will log their PL to the audit log;
+# All rules will log their PL to the audit log;
 # example: [tag "paranoia-level/2"]. This allows you to deduct from the
 # audit log how the WAF behavior is affected by paranoia level.
 #
@@ -383,9 +383,10 @@ SecAction \
 #  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

 # Content-Types that a client is allowed to send in a request.
-# Default: application/x-www-form-urlencoded|multipart/form-data|text/xml|\
-# application/xml|application/soap+xml|application/x-amf|application/json|\
-# application/octet-stream|text/plain
+# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
+# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
+# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
+# |application/csp-report| |application/xss-auditor-report| |text/plain|
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900220,\
@@ -393,20 +394,7 @@ SecAction \
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|text/plain'"
-
-# Content-Types charsets that a client is allowed to send in a request.
-# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
-# Uncomment this rule to change the default.
-# Use "|" to separate multiple charsets like in the rule defining
-# tx.allowed_request_content_type.
-#SecAction \
-# "id:900270,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
+#  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain|'"

 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
@@ -424,8 +412,8 @@ SecAction \

 # Forbidden file extensions.
 # Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .sql/
+# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
+# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900240,\
@@ -433,12 +421,12 @@ SecAction \
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+#  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"

 # Forbidden request headers.
 # Header names should be lowercase, enclosed by /slashes/ as delimiters.
 # Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
-# Default: /proxy/ /lock-token/ /content-range/ /translate/ /if/
+# Default: /proxy/ /lock-token/ /content-range/ /if/
 # Uncomment this rule to change the default.
 #SecAction \
 # "id:900250,\
@@ -446,7 +434,7 @@ SecAction \
 #  nolog,\
 #  pass,\
 #  t:none,\
-#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
+#  setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /if/'"

 # File extensions considered static files.
 # Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
@@ -461,6 +449,18 @@ SecAction \
 #  t:none,\
 #  setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"

+# Content-Types charsets that a client is allowed to send in a request.
+# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
+# Uncomment this rule to change the default.
+# Use "|" to separate multiple charsets like in the rule defining
+# tx.allowed_request_content_type.
+#SecAction \
+# "id:900280,\
+#  phase:1,\
+#  nolog,\
+#  pass,\
+#  t:none,\
+#  setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"

 #
 # -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
@@ -565,7 +565,7 @@ SecAction \
 # entry in the audit log (for performance reasons), but an error log entry is
 # written.  If you want to disable the error log entry, then issue the
 # following directive somewhere after the inclusion of the CRS
-# (E.g., RESPONSE-999-EXCEPTIONS.conf).
+# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
 #
 # SecRuleUpdateActionById 901150 "nolog"
 #
@@ -617,20 +617,49 @@ SecAction \
 #
 # To use geolocation, we make use of the MaxMind GeoIP database.
 # This database is not included with the CRS and must be downloaded.
-# You should also update the database regularly, for instance every month.
-# The CRS contains a tool to download it to util/geo-location/GeoIP.dat:
-#   util/upgrade.py --geoip
 #
-# This product includes GeoLite data created by MaxMind, available from:
-# http://www.maxmind.com.
+# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
+# and ModSecurity v3 uses GeoLite2 (.mmdb files).
+#
+# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files,
+# see https://github.com/maxmind/geoipupdate.
+#
+# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/
+# for configuration options.
+#
+# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore.
+# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info.
+#
+# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
+# from CSV files first.
+#
+# You can achieve this using https://github.com/sherpya/geolite2legacy
+# Pick the zip files from maxmind site:
+# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
+#
+# Follow the guidelines for installing the tool and run:
+# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
+#                     -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat
+#
+# Update the database regularly, see Step 3 of the configuration link above.
+#
+# By default, when you execute `sudo geoipupdate` on Linux, files from the free database
+# will be downloaded to `/usr/share/GeoIP` (both v1 and v2).
+#
+# Then choose from:
+#   - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3)
+#   - `GeoLiteCountry.dat`    (if you are using ModSecurity v2)
 #
 # Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
 # Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
 #
-# Uncomment this rule to use this feature:
+# Uncomment only one of the next rules here to use this feature.
+# Choose the one depending on the ModSecurity version you are using, and change the path accordingly:
 #
-#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat
-
+# For ModSecurity v3:
+#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
+# For ModSecurity v2 (points to the converted one):
+#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

 #
 # -=[ Block Countries ]=-
@@ -711,7 +740,7 @@ SecAction \
 # -- [[ Blocking Based on IP Reputation ]] ------------------------------------
 #
 # Blocking based on reputation is permanent in the CRS. Unlike other rules,
-# which look at the indvidual request, the blocking of IPs is based on
+# which look at the individual request, the blocking of IPs is based on
 # a persistent record in the IP collection, which remains active for a
 # certain amount of time.
 #
@@ -775,52 +804,6 @@ SecAction \
 SecCollectionTimeout 600


-#
-# -- [[ Debug Mode ]] ----------------------------------------------------------
-#
-# To enable rule development and debugging, CRS has an optional debug mode
-# that does not block a request, but instead sends detection information
-# back to the HTTP client.
-#
-# This functionality is currently only supported with the Apache web server.
-# The Apache mod_headers module is required.
-#
-# In debug mode, the webserver inserts "X-WAF-Events" / "X-WAF-Score"
-# response headers whenever a debug client makes a request. Example:
-#
-#   # curl -v 'http://192.168.1.100/?foo=../etc/passwd'
-#   X-WAF-Events: TX:930110-OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL-REQUEST_URI,
-#                TX:930120-OWASP_CRS/WEB_ATTACK/FILE_INJECTION-ARGS:foo,
-#                TX:932160-OWASP_CRS/WEB_ATTACK/RCE-ARGS:foo
-#   X-WAF-Score: Total=15; sqli=0; xss=0; rfi=0; lfi=10; rce=5; php=0; http=0; ses=0
-#
-# To enable debug mode, include the RESPONSE-981-DEBUG.conf file.
-# This file resides in a separate folder, as it is not compatible with
-# nginx and IIS.
-#
-# You must specify the source IP address/network where you will be running the
-# tests from. The source IP will BYPASS all CRS blocking, and will be sent the
-# response headers as specified above. Be careful to only list your private
-# IP addresses/networks here.
-#
-# Tip: for regression testing of CRS or your own ModSecurity rules, you may
-# be interested in using the OWASP CRS regression testing suite instead.
-# View the file util/regression-tests/README for more information.
-#
-# Uncomment these rules, filling in your CRS path and the source IP address,
-# to enable debug mode:
-#
-#Include /usr/share/modsecurity-crs/util/debug/RESPONSE-981-DEBUG.conf
-#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
-# "id:900980,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  ctl:ruleEngine=DetectionOnly,\
-#  setvar:tx.crs_debug_mode=1"
-
-
 #
 # -- [[ End of setup ]] --------------------------------------------------------
 #
@@ -838,4 +821,4 @@ SecAction \
  nolog,\
  pass,\
  t:none,\
-  setvar:tx.crs_setup_version=310"
+  setvar:tx.crs_setup_version=330"